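---
name: Bootstrap infrastructure

# Manually triggered only. Every run produces a plan; the apply step runs only
# when the operator types the literal confirmation string into the `apply` input.
on: # yamllint disable-line rule:truthy
  workflow_dispatch:
    inputs:
      apply:
        type: string
        default: ""
        description: 'Provide "apply!" if you actually want to apply the terraform plan on the selected environment.'
      environment:
        type: choice
        default: dev
        description: 'Which environment to target?'
        required: true
        options:
          - dev
      scope:
        type: choice
        default: application_infrastructure
        description: 'Which infrastructure scope to apply?'
        required: true
        options:
          - github
          - gke_and_state_bucket
          - application_infrastructure

run-name: Bootstrapping ${{ inputs.scope }} for @${{ inputs.environment }}

# Least-privilege default for GITHUB_TOKEN. Each job below declares its own
# explicit `permissions` block, so this only protects a job added later without one.
permissions:
  contents: read

defaults:
  run:
    # Default shell for every `run:` step, with fail-fast / hermetic options:
    # - noprofile: do not source the profile files
    # - norc: do not source rc files
    # - e/errexit: exit on error status codes
    # - u/nounset: exit on unset variables
    # - o pipefail: pipes inherit error exit codes
    shell: bash --noprofile --norc -euo pipefail {0}

# The three jobs are identical apart from the scope they target; only one of
# them runs per dispatch, selected by the `scope` input in each job's `if:`.
# NOTE(review): actions are pinned to major tags (@v4, @v2, @v3). For
# supply-chain hardening pin each `uses:` to a full commit SHA and let
# Dependabot bump it.
jobs:
  plan-apply-github:
    name: Plan and potentially apply for scope github
    if: ${{ github.event.inputs.environment == 'dev' && github.event.inputs.scope == 'github' }}
    runs-on:
      - ubuntu-latest
    env:
      TF_WORK_DIR: ./scopes/github_and_co
      # TF_STATE_FILE: '-> Handled by bucket backend prefix'
    # Nothing in this job requests an OIDC token (auth uses a static key), so
    # `id-token: write` is deliberately not granted. Re-add it only when
    # migrating the auth step to workload_identity_provider/service_account.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      # NOTE(review): this injects a long-lived service-account key. Prefer
      # Workload Identity Federation (keyless OIDC) so no static key exists.
      - uses: 'google-github-actions/auth@v2'
        with:
          project_id: ${{ vars.GOOGLE_PROJECT_ID }}
          credentials_json: ${{ secrets.AUTOMATION_SA_KEY_JSON }}
      - name: Setup Terraform
        # NOTE(review): no `terraform_version` is pinned; consider pinning for reproducible plans.
        uses: hashicorp/setup-terraform@v3
      - name: terraform init
        # -input=false: never block on an interactive prompt on a headless runner.
        # Consider `-lockfile=readonly` once a .terraform.lock.hcl is committed.
        run: terraform -chdir="$TF_WORK_DIR" init -input=false
      - name: terraform plan
        env:
          PROJECT_ID: ${{ vars.GOOGLE_PROJECT_ID }}
          # The token is handed to Terraform through TF_VAR_* instead of a
          # `-var` argument so it never appears in the process argument list.
          # Caveat: a value set in the tfvars file would take precedence over
          # TF_VAR_*, whereas `-var` would have overridden the file.
          TF_VAR_github_token: ${{ secrets.API_ACCESS_TOKEN }}
        # The saved plan (`tfplan`) records variable values in plaintext,
        # including the token; it must never be uploaded as an artifact.
        run: |
          terraform -chdir="$TF_WORK_DIR" plan -input=false -out=tfplan \
            -var-file "../../environments/dev.tfvars" \
            -var "project_id=$PROJECT_ID"
      - name: terraform apply
        # Only the exact confirmation string applies; any other value is plan-only.
        if: ${{ github.event.inputs.apply == 'apply!' }}
        # `terraform output` prints to the job log; outputs carrying secrets must
        # be declared `sensitive = true` in the module so they are redacted here.
        run: |
          terraform -chdir="$TF_WORK_DIR" apply -input=false tfplan
          terraform output

  plan-apply-gke:
    # Was mislabelled "scope github" (copy-paste); the name now matches the scope.
    name: Plan and potentially apply for scope gke_and_state_bucket
    if: ${{ github.event.inputs.environment == 'dev' && github.event.inputs.scope == 'gke_and_state_bucket' }}
    runs-on:
      - ubuntu-latest
    env:
      TF_WORK_DIR: ./scopes/gke_and_state_bucket
      # TF_STATE_FILE: '-> Handled by bucket backend prefix'
    # Static-key auth needs no OIDC token, so `id-token: write` is not granted.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      # NOTE(review): long-lived service-account key; prefer Workload Identity Federation.
      - uses: 'google-github-actions/auth@v2'
        with:
          project_id: ${{ vars.GOOGLE_PROJECT_ID }}
          credentials_json: ${{ secrets.AUTOMATION_SA_KEY_JSON }}
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
      - name: terraform init
        # -input=false: never block on an interactive prompt on a headless runner.
        run: terraform -chdir="$TF_WORK_DIR" init -input=false
      - name: terraform plan
        env:
          PROJECT_ID: ${{ vars.GOOGLE_PROJECT_ID }}
          # Token via TF_VAR_* so it is not visible in the process argument list.
          # TODO(review): confirm this scope actually needs the GitHub token;
          # if not, drop it here to narrow the blast radius of this job.
          TF_VAR_github_token: ${{ secrets.API_ACCESS_TOKEN }}
        # `tfplan` stores variable values in plaintext; never upload it as an artifact.
        run: |
          terraform -chdir="$TF_WORK_DIR" plan -input=false -out=tfplan \
            -var-file "../../environments/dev.tfvars" \
            -var "project_id=$PROJECT_ID"
      - name: terraform apply
        if: ${{ github.event.inputs.apply == 'apply!' }}
        # Secret-bearing outputs must be `sensitive = true` so `terraform output` redacts them.
        run: |
          terraform -chdir="$TF_WORK_DIR" apply -input=false tfplan
          terraform output

  plan-apply-application:
    # Was mislabelled "scope github" (copy-paste); the name now matches the scope.
    name: Plan and potentially apply for scope application_infrastructure
    if: ${{ github.event.inputs.environment == 'dev' && github.event.inputs.scope == 'application_infrastructure' }}
    runs-on:
      - ubuntu-latest
    env:
      TF_WORK_DIR: ./scopes/application
      # TF_STATE_FILE: '-> Handled by bucket backend prefix'
    # Static-key auth needs no OIDC token, so `id-token: write` is not granted.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      # NOTE(review): long-lived service-account key; prefer Workload Identity Federation.
      - uses: 'google-github-actions/auth@v2'
        with:
          project_id: ${{ vars.GOOGLE_PROJECT_ID }}
          credentials_json: ${{ secrets.AUTOMATION_SA_KEY_JSON }}
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
      - name: terraform init
        # -input=false: never block on an interactive prompt on a headless runner.
        run: terraform -chdir="$TF_WORK_DIR" init -input=false
      - name: terraform plan
        env:
          PROJECT_ID: ${{ vars.GOOGLE_PROJECT_ID }}
          # Token via TF_VAR_* so it is not visible in the process argument list.
          # TODO(review): confirm this scope actually needs the GitHub token;
          # if not, drop it here to narrow the blast radius of this job.
          TF_VAR_github_token: ${{ secrets.API_ACCESS_TOKEN }}
        # `tfplan` stores variable values in plaintext; never upload it as an artifact.
        run: |
          terraform -chdir="$TF_WORK_DIR" plan -input=false -out=tfplan \
            -var-file "../../environments/dev.tfvars" \
            -var "project_id=$PROJECT_ID"
      - name: terraform apply
        if: ${{ github.event.inputs.apply == 'apply!' }}
        # Secret-bearing outputs must be `sensitive = true` so `terraform output` redacts them.
        run: |
          terraform -chdir="$TF_WORK_DIR" apply -input=false tfplan
          terraform output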