Add CICD to run OpenTofu

stwalkerster · stwalkerster · commit 70624dd7de97 · 2024-12-02T20:50:12.000Z
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -0,0 +1,60 @@
+name: Deploy to Production
+
+on:
+  push:
+    branches:
+      - master
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  id-token: write # required for AWS OIDC
+
+jobs:
+  apply:
+    environment: Production
+    timeout-minutes: 60
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Git Repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup OpenTofu
+        uses: opentofu/setup-opentofu@v1
+        with:
+          tofu_version: 1.8.6
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-east-1
+          role-to-assume: ${{ secrets.BACKEND_ROLE }}
+
+      - name: OpenTofu init
+        run: |
+          tofu init \
+              -backend-config="bucket=${{ secrets.BACKEND_BUCKET }}" \
+              -backend-config="dynamodb_table=${{ secrets.BACKEND_DDB_TABLE }}"
+
+      - name: OpenTofu validate
+        run: tofu validate
+
+      - name: OpenTofu plan
+        env:
+          OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }}
+          OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }}
+          # Legacy, pending new provider version
+          TF_VAR_application_credential_id: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }}
+          TF_VAR_application_credential_secret: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }}
+        run: tofu plan -out tfplan
+      
+      # - name: OpenTofu apply
+      #   env:
+      #     OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }}
+      #     OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }}
+      #     # Legacy, pending new provider version
+      #     TF_VAR_application_credential_id: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }}
+      #     TF_VAR_application_credential_secret: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }}
+      #   run: tofu apply tfplan
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -0,0 +1,76 @@
+name: Run plan for PR
+
+on:
+  pull_request:
+    branches:
+      - master
+
+permissions:
+  contents: read
+  id-token: write # required for AWS OIDC
+  pull-requests: write # required for writing the PR comment
+
+jobs:
+  plan:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - name: Checkout Git Repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup OpenTofu
+        uses: opentofu/setup-opentofu@v1
+        with:
+          tofu_version: 1.8.6
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-east-1
+          role-to-assume: ${{ secrets.BACKEND_ROLE }}
+
+      - name: OpenTofu init
+        run: |
+          tofu init \
+              -backend-config="bucket=${{ secrets.BACKEND_BUCKET }}" \
+              -backend-config="dynamodb_table=${{ secrets.BACKEND_DDB_TABLE }}"
+
+      - name: OpenTofu validate
+        run: tofu validate
+
+      - name: OpenTofu plan
+        env:
+          OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }}
+          OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }}
+          # Legacy, pending new provider version
+          TF_VAR_application_credential_id: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }}
+          TF_VAR_application_credential_secret: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }}
+        run: tofu plan -out tfplan
+
+      - name: Get plan output for PR comment
+        id: plan
+        run: tofu show -no-color tfplan
+
+      - name: Update Pull Request
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const output = `<details><summary>Show OpenTofu Plan</summary>
+      
+            \`\`\`\n
+            ${{ steps.plan.outputs.stdout }}
+            \`\`\`
+      
+            </details>
+      
+            *Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
+      
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            })
diff --git a/oauth.tf b/oauth.tf
@@ -26,8 +26,7 @@ resource "openstack_dns_recordset_v2" "prod_instance" {
 }
 
 module "bluegreen" {
-  source  = "app.terraform.io/enwikipedia-acc/bluegreen/openstack"
-  version = "0.2.0"
+  source  = "github.com/enwikipedia-acc/terraform-openstack-bluegreen?ref=0.2.0"
 
   blue_dns_name       = "${local.blue_resource_prefix}.${data.openstack_dns_zone_v2.rootzone.name}"
   green_dns_name      = "${local.green_resource_prefix}.${data.openstack_dns_zone_v2.rootzone.name}"
@@ -36,10 +35,8 @@ module "bluegreen" {
 }
 
 module "oauth-server-blue" {
-  source  = "app.terraform.io/enwikipedia-acc/mediawiki-oauth/openstack"
-  version = "0.13.0"
-  #source = "github.com/enwikipedia-acc/terraform-openstack-mediawiki-oauth"
-
+  source = "github.com/enwikipedia-acc/terraform-openstack-mediawiki-oauth?ref=0.13.0"
+  
   environment = "b"
   count       = module.bluegreen.blue_count
 
@@ -64,9 +61,7 @@ module "oauth-server-blue" {
 }
 
 module "oauth-server-green" {
-  source  = "app.terraform.io/enwikipedia-acc/mediawiki-oauth/openstack"
-  version = "0.15.0"
-  #source = "github.com/enwikipedia-acc/terraform-openstack-mediawiki-oauth"
+  source = "github.com/enwikipedia-acc/terraform-openstack-mediawiki-oauth?ref=0.15.0"
 
   environment = "g"
   count       = module.bluegreen.green_count
