reusable-terraform-deployment.yml
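# Reusable workflow: runs terraform init/validate/plan/apply in a single job,
# with the Terraform HTTP state backend started as a service container.
name: Reusable - Terraform apply

on:
  workflow_call:
    inputs:
      job-name:
        description: "Job name"
        type: string
        required: false
        default: "Deploy"
      working-directory:
        description: "Working directory"
        type: string
        required: false
        default: "."
      # The job declares a service container and its scripts use bash syntax;
      # GitHub-hosted runners only support service containers on Linux.
      operating-system:
        description: "Operating system executing the runner"
        type: string
        required: false
        default: "ubuntu-latest"
      environment:
        description: "GitHub environment"
        type: string
        required: true
      tfbackend-project:
        description: "Terraform backend project"
        type: string
        required: true
      # The job splices this value verbatim into a `run:` script, so it is
      # executed as shell code in the deployment job. Callers should pass only
      # fixed, reviewed text, never values derived from pull-request titles,
      # branch names or other user-controlled event data.
      custom-commands:
        description: "Optional shell commands to run before apply"
        type: string
        required: false
        default: ""
      # Also spliced verbatim into the `terraform plan` command line, so the
      # same rule applies: build it from trusted values only.
      terraform-var-flags:
        description: 'Extra -var "key=value" flags (space separated)'
        type: string
        required: false
        default: ""
      # The default is a branch name, i.e. a mutable ref. The actions checked
      # out from it receive the Atlas API keys, so callers that need
      # reproducible, reviewable runs should pass a tag or a full commit SHA.
      workflow-parts-version:
        description: "GitHub workflow parts version (branch/tag/SHA)"
        type: string
        required: false
        default: "main"
    secrets:
      atlas-publickey:
        description: "Atlas public key"
        required: true
      atlas-privatekey:
        description: "Atlas private key"
        required: true
      atlas-groupid:
        description: "Atlas group ID"
        required: true
      tfbackend-connstring:
        description: "Terraform backend connection string"
        required: true
      tfbackend-dbname:
        description: "Terraform backend database name"
        required: true
      tfbackend-tenant:
        description: "Terraform backend tenant"
        required: true
      tfbackend-username:
        description: "Terraform backend user name"
        required: true
      tfbackend-userpwd:
        description: "Terraform backend user password"
        required: true
      # Read by the job as KEY=VALUE lines: each value is masked in the logs
      # and the lines are appended to GITHUB_ENV, which makes them environment
      # variables for every later step of the job.
      additional-vars:
        description: "Additional variables"
        required: false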
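jobs:
  # Single deployment job: starts the state backend as a service container,
  # opens MongoDB Atlas to the runner, then runs terraform init/validate/plan/apply.
  terraform-apply:
    name: ${{ inputs.job-name }}
    runs-on: ${{ inputs.operating-system }}
    environment: ${{ inputs.environment }}
    # NOTE(review): no `permissions:` block is declared, so the job runs with
    # whatever GITHUB_TOKEN permissions the caller grants. Consider restricting
    # it (for example `contents: read`) if no step needs more.
    defaults:
      run:
        working-directory: ${{ inputs.working-directory }}
    services:
      tfbackend:
        # `latest` is a mutable tag: whatever image is published under it will
        # hold the MongoDB connection string and serve the Terraform state.
        # Prefer pinning to a version tag or an image digest.
        image: devprofr/terraform-backend-mongodb:latest
        env:
          # HTTPS redirection is off because Terraform reaches the backend over
          # plain HTTP on localhost (see the TF_HTTP_* addresses below).
          Application__IsHttpsRedirectionEnabled: "false"
          ConnectionStrings__MongoDb: ${{ secrets.tfbackend-connstring }}
          MongoDb__ConnectionStringName: MongoDb
          MongoDb__DatabaseName: ${{ secrets.tfbackend-dbname }}
        ports:
          - "8080:8080"
    steps:
      # Third-party actions below are referenced by version tag; pinning them
      # to full commit SHAs would protect against a tag being moved.
      - name: Clone repository
        uses: actions/checkout@v6
      # The ref comes from the `workflow-parts-version` input (default `main`);
      # the action loaded from this checkout is handed the Atlas API keys.
      - name: Checkout workflow parts
        uses: actions/checkout@v6
        with:
          repository: devpro/github-workflow-parts
          ref: ${{ inputs.workflow-parts-version }}
          path: workflow-parts
      # NOTE(review): no step visible here removes the runner IP afterwards;
      # confirm that the action expires or cleans up the access-list entry.
      - name: Add runner IP to MongoDB Atlas
        uses: ./workflow-parts/actions/mongodb-atlas/add-runner-ip
        with:
          atlas-publickey: ${{ secrets.atlas-publickey }}
          atlas-privatekey: ${{ secrets.atlas-privatekey }}
          atlas-groupid: ${{ secrets.atlas-groupid }}
      # The secret is passed through an environment variable instead of being
      # expanded into the script text: a value containing quotes, `$` or
      # backticks can then neither break the script nor be evaluated as shell.
      # Each KEY=VALUE line has its value masked before the bundle is appended
      # to GITHUB_ENV. From that point on the variables are visible to every
      # later step, including the custom commands and third-party actions.
      - name: Set additional variables
        env:
          ADDITIONAL_VARS: ${{ secrets.additional-vars }}
        run: |
          if [[ -z "$ADDITIONAL_VARS" ]]; then
            echo "No additional-vars bundle provided - skipping."
          else
            while IFS='=' read -r _ val; do
              if [[ -n "$val" ]]; then
                echo "::add-mask::$val"
              fi
            done <<< "$ADDITIONAL_VARS"
            printf '%s\n' "$ADDITIONAL_VARS" >> "$GITHUB_ENV"
          fi
      # By design this executes caller-supplied shell text inside the
      # deployment job, after the additional variables have been exported.
      # The input is expanded into the script before the shell parses it, so
      # it must only ever be fed fixed, reviewed text by the calling workflow.
      - name: Run optional custom commands
        if: ${{ inputs.custom-commands != '' }}
        run: |
          ${{ inputs.custom-commands }}
      # NOTE(review): nothing visible here sets TF_PLUGIN_CACHE_DIR or creates
      # this directory; confirm that Terraform actually populates the cache.
      - name: Cache Terraform plugins
        uses: actions/cache@v5
        with:
          path: |
            ~/.terraform.d/plugin-cache
          key: terraform-${{ hashFiles('**/.terraform.lock.hcl') }}
      - name: Install terraform
        uses: hashicorp/setup-terraform@v3
      - name: Terraform init
        run: terraform init
      - name: Terraform validate
        run: terraform validate
      # `terraform-var-flags` is expanded into the command line before the
      # shell parses it. That is what lets `-var "key=value"` quoting work, but
      # any other shell syntax in the value is interpreted as well, so the
      # input must be built from trusted values only.
      - name: Terraform plan
        run: terraform plan -input=false -out=plan.tfplan ${{ inputs.terraform-var-flags }}
      # Applies the saved plan file, so what is applied is what was planned above.
      - name: Terraform apply
        run: terraform apply -auto-approve plan.tfplan
    # NOTE(review): indentation was lost in this listing. The block is placed
    # at job level because init and plan need the backend settings as well as
    # apply; confirm against the original file. At job level the backend
    # credentials are visible to every step, including the custom commands.
    env:
      TF_HTTP_ADDRESS: "http://localhost:8080/${{ secrets.tfbackend-tenant }}/state/${{ inputs.tfbackend-project }}"
      TF_HTTP_LOCK_ADDRESS: "http://localhost:8080/${{ secrets.tfbackend-tenant }}/state/${{ inputs.tfbackend-project }}/lock"
      TF_HTTP_UNLOCK_ADDRESS: "http://localhost:8080/${{ secrets.tfbackend-tenant }}/state/${{ inputs.tfbackend-project }}/lock"
      TF_HTTP_USERNAME: "${{ secrets.tfbackend-username }}"
      TF_HTTP_PASSWORD: "${{ secrets.tfbackend-userpwd }}"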