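name: Terraform plan

on:
  workflow_dispatch:
  # NOTE(review): on pull_request the workflow file that runs is the copy in
  # the PR head, so a PR touching this file exercises its own edits. Fork PRs
  # receive neither repository secrets nor an OIDC token (this is pull_request,
  # not pull_request_target), which is the intended protection — keep it that way.
  pull_request:
    paths:
      - "terragrunt/**"
      - ".github/workflows/**"

env:
  AWS_REGION: "ca-central-1"
  # Version strings are quoted so YAML never retypes them (e.g. a future
  # "1.10" would otherwise become the float 1.1).
  TERRAFORM_VERSION: "1.7.2"
  TERRAGRUNT_VERSION: "0.55.1"
  CONFTEST_VERSION: "0.49.0"

# GITHUB_TOKEN scope for every job in this workflow.
# - id-token: write lets the job mint the OIDC token that is exchanged for the
#   AWS plan role (configure-aws-credentials step).
# - pull-requests: write is needed to post/replace the plan comment.
# NOTE(review): actions/checks/statuses: write are broader than a read-only
# plan obviously needs — confirm cds-snc/terraform-plan@v3 requires each of
# them and drop any it does not.
permissions:
  id-token: write
  contents: read
  pull-requests: write
  actions: write
  checks: write
  statuses: write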
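jobs:
  # Runs `terragrunt plan` for every account/module pair below and posts the
  # result as a PR comment.
  # NOTE(review): the plan executes Terraform/Terragrunt code from the PR head
  # while holding live credentials for the plan role plus the TF_VAR_* secrets
  # in its environment, so a provider or data source added in a PR can run
  # arbitrary code with both. That is acceptable only if the plan role is
  # genuinely read-only and its trust policy is scoped to this repository —
  # confirm both out of band.
  terraform-plan-account:
    strategy:
      # Keep planning the remaining modules when one fails so the PR shows
      # every result.
      fail-fast: false
      matrix:
        # One entry per terragrunt/<account_folder>/<module>.
        # `account` / `role` build the ARN of the role assumed via OIDC.
        # The `*_hook`, `la_*`, `lz_webhook_key` and `admin_sso_role_arn`
        # values are NAMES of repository secrets; the plan step resolves them
        # with secrets[...]. Entries that omit a key simply do not supply that
        # variable. Account IDs are quoted so YAML keeps them as strings.
        include:
          - account_folder: org_account
            module: main
            account: "659087519042"
            role: cds-aws-lz-plan
            assume_role_name: "assume_plan"
            la_customer_id: LA_CUSTOMER_ID
            la_shared_key: LA_SHARED_KEY
          - account_folder: org_account
            module: spend_notifier
            account: "659087519042"
            role: cds-aws-lz-plan
            spend_notifier_hook: SPEND_NOTIFIER_HOOK
            weekly_spend_notifier_hook: WEEKLY_SPEND_NOTIFIER_HOOK
          - account_folder: org_account
            module: roles
            account: "659087519042"
            role: cds-aws-lz-plan
            admin_sso_role_arn: ADMIN_SSO_ROLE_ARN
          - account_folder: org_account
            module: sentinel_oidc
            account: "659087519042"
            role: cds-aws-lz-plan
          - account_folder: org_account
            module: billing_extract_tags
            account: "659087519042"
            role: cds-aws-lz-plan
          - account_folder: org_account
            module: iam_identity_center
            account: "659087519042"
            role: cds-aws-lz-plan
          - account_folder: log_archive
            module: main
            account: "274536870005"
            role: cds-aws-lz-plan
          - account_folder: log_archive
            module: legacy_archives
            account: "274536870005"
            role: cds-aws-lz-plan
          - account_folder: log_archive
            module: sre_bot
            account: "274536870005"
            role: cds-aws-lz-plan
            admin_sso_role_arn: ADMIN_SSO_ROLE_ARN
          - account_folder: audit
            module: main
            account: "886481071419"
            role: cds-aws-lz-plan
          - account_folder: audit
            module: sre_bot
            account: "886481071419"
            role: cds-aws-lz-plan
            admin_sso_role_arn: ADMIN_SSO_ROLE_ARN
          - account_folder: aft
            module: main
            account: "137554749751"
            role: cds-aws-lz-plan
            lz_webhook_key: LZ_CHANNEL_WEBHOOK
          - account_folder: aft
            module: notifications
            account: "137554749751"
            role: cds-aws-lz-plan
            aft_notifications_hook: AFT_NOTIFICATIONS_HOOK
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): every third-party action here runs with this job's OIDC
      # token and, later, the plan-role credentials. Tags are mutable; pinning
      # each `uses:` to a full commit SHA is the stronger supply-chain control.
      - name: Checkout
        uses: actions/checkout@v3

      - name: setup terraform tools
        uses: cds-snc/terraform-tools-setup@v1

      - name: Configure aws credentials using OIDC
        # Pinned to a release tag rather than the moving `master` branch: a
        # push to that branch would otherwise change the code that handles the
        # plan-role credentials without any change in this repository.
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::${{ matrix.account }}:role/${{ matrix.role }}
          # Shows up in CloudTrail as the assumed-role session; consider adding
          # ${{ github.run_id }} if per-run traceability is wanted.
          role-session-name: ${{ matrix.module }}-plan
          aws-region: ${{ env.AWS_REGION }}

      # Step name now matches comment-title/directory (account_folder/module);
      # it previously printed the module name twice.
      - name: Terraform Plan for ${{ matrix.account_folder }}/${{ matrix.module }}
        env:
          # Each value is a repository secret looked up by the NAME carried in
          # the matrix entry (see `include` above). Secrets are passed to
          # Terraform as TF_VAR_* so they never appear in the checked-in code.
          TF_VAR_aft_slack_webhook: ${{ secrets[matrix.lz_webhook_key] }}
          TF_VAR_assume_role_name: ${{ matrix.assume_role_name }}
          TF_VAR_lw_customer_id: ${{ secrets[matrix.la_customer_id] }}
          TF_VAR_lw_shared_key: ${{ secrets[matrix.la_shared_key] }}
          TF_VAR_daily_spend_notifier_hook: ${{ secrets[matrix.spend_notifier_hook] }}
          TF_VAR_weekly_spend_notifier_hook: ${{ secrets[matrix.weekly_spend_notifier_hook] }}
          TF_VAR_aft_notifications_hook: ${{ secrets[matrix.aft_notifications_hook] }}
          TF_VAR_admin_sso_role_arn: ${{ secrets[matrix.admin_sso_role_arn] }}
        uses: cds-snc/terraform-plan@v3
        with:
          # Replace the previous plan comment for this module instead of
          # stacking a new one per push.
          comment-delete: true
          comment-title: Plan for ${{ matrix.account_folder }}/${{ matrix.module }}
          directory: ./terragrunt/${{ matrix.account_folder }}/${{ matrix.module }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
          terragrunt: true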