PaloAltoNetworks · migara · Jan 8, 2024 · Dec 13, 2023
diff --git a/.github/workflows/apply-command.yml b/.github/workflows/apply-command.yml
@@ -0,0 +1,53 @@
+name: ChatOPS Apply
+run-name: "On demand Apply test for PR - (#${{ github.event.inputs.pr-id }}) ${{ github.event.inputs.pr-title }}"
+
+permissions:
+  contents: read
+
+concurrency: chatops-apply
+
+on:
+  workflow_dispatch:
+    inputs:
+      paths:
+        description: Space delimited list of module paths to test
+        type: string
+        required: true
+      tf_version:
+        description: Terraform versions to use for tests, comma-separated list
+        type: string
+      pr-id:
+        description: ID of the PR that triggered this workflow
+        type: string
+        required: true
+      pr-title: 
+        description: Title of the PR that triggered this workflow
+        type: string
+        required: true
+      comment-id:
+        description: 'The comment-id of the slash command'
+        type: string
+        required: true
+      branch:
+        description: Branch on which the tests should run
+        type: string
+        default: main
+
+jobs:
+  test:
+    name: Run apply test
+    permissions:
+      contents: read
+      pull-requests: write
+      id-token: write
+    uses: PaloAltoNetworks/terraform-modules-vmseries-ci-workflows/.github/workflows/[email protected]
+    secrets: inherit
+    with:
+      cloud: azure
+      paths: ${{ inputs.paths }}
+      tf_version: ${{ inputs.tf_version }}
+      pr-id: ${{ inputs.pr-id }}
+      comment-id: ${{ inputs.comment-id }}
+      branch: ${{ inputs.branch }}
+      terratest_action: Apply
+      apply_timeout: 60
diff --git a/.github/workflows/chatops.yml b/.github/workflows/chatops.yml
@@ -0,0 +1,87 @@
+name: ChatOPS dispatcher
+run-name: "ChatOPS bot for PR - (#${{ github.event.issue.number }}) ${{ github.event.issue.title }}"
+
+permissions:
+  contents: read
+
+on:
+  issue_comment:
+    types: [created]
+
+concurrency: 
+  group: chat-${{ github.event.issue.number }}
+  cancel-in-progress: true
+
+jobs:
+  dispatch:
+    name: Dispatch a test job
+    if: ${{ github.event.issue.pull_request }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: get PR head branch
+        uses: actions/github-script@v6
+        id: pr
+        with:
+          result-encoding: string
+          script: |
+            let pr = await github.rest.pulls.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.issue.number,
+            })
+            console.log(pr.data.head.ref)
+            return pr.data.head.ref
+
+      - name: Generate GitHub token
+        id: generate-token
+        uses: tibdex/github-app-token@v2
+        with:
+          app_id: ${{ secrets.CHATOPS_APP_ID }}
+          private_key: ${{ secrets.CHATOPS_APP_PRIVATE_KEY }}
+          installation_retrieval_mode: id
+          installation_retrieval_payload: ${{ secrets.CHATOPS_APP_INSTALLATION_ID }}
+
+      - name: "dispatch test command on branch: ${{ steps.pr.outputs.result }}"
+        id: scd
+        uses: peter-evans/slash-command-dispatch@v3
+        with:
+          token: ${{ steps.generate-token.outputs.token }}
+          issue-type: pull-request
+          dispatch-type: workflow
+          permission: maintain
+          commands: |
+            validate
+            plan
+            apply
+            idempotence
+            sca
+            help
+          static-args: |
+            comment-id=${{ github.event.comment.id }}
+            pr-id=${{ github.event.issue.number }}
+            pr-title=${{ github.event.issue.title }}
+            branch=${{ steps.pr.outputs.result }}
+
+      - name: Edit comment with error message
+        if: steps.scd.outputs.error-message
+        uses: peter-evans/create-or-update-comment@v3
+        with:
+          comment-id: ${{ github.event.comment.id }}
+          body: |
+            > ${{ steps.scd.outputs.error-message }}
+          reactions: '-1'
+          reactions-edit-mode: replace
+
+      - name: Concurency ratio fallback
+        if: cancelled()
+        uses: peter-evans/create-or-update-comment@v3
+        with:
+          comment-id: ${{ github.event.comment.id }}
+          body: |
+            > ChatOPS run cancelled.
+            > See [job run log](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for details.
+          reactions: 'confused'
+          reactions-edit-mode: replace
diff --git a/.github/workflows/help-command.yml b/.github/workflows/help-command.yml
@@ -0,0 +1,67 @@
+name: ChatOPS Help
+run-name: "Display ChatOPS help (#${{ github.event.inputs.pr-id }}) ${{ github.event.inputs.pr-title }}"
+
+on:
+  workflow_dispatch:
+    inputs:
+      pr-id:
+        description: ID of the PR that triggered this workflow
+        type: string
+        required: true
+      pr-title: 
+        description: Title of the PR that triggered this workflow
+        type: string
+        required: true
+      comment-id:
+        description: 'The comment-id of the slash command'
+        type: string
+        required: true
+      branch:
+        description: Branch on which the tests should run
+        type: string
+        default: main
+
+jobs:
+  help:
+    name: Add help comment to originating PR
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: add help comment
+        uses: peter-evans/create-or-update-comment@v3
+        with:
+          comment-id: ${{ inputs.comment-id }}
+          issue-number: ${{ inputs.pr-id }}
+          body: |
+
+            ## ChatOPS built in help:
+
+            Currently supported commands include:
+
+            * `/sca` - run all SCA tests via `pre-commit`
+            * `/validate` - run `terraform validate`
+            * `/plan` - plan the infrastructure (only examples)
+            * `/apply` - deploy the infrastructure and destroy afterwards (only examples)
+            * `/idempotence` - test idempotence: deploy, plan and destroy afterwards (only examples).
+
+            The 1<sup>st</sup> command does not take arguments, the remaining take two:
+
+            * `paths` - a space delimitied list of module paths
+            * `tf_version` - (optional, defaults to the latest available) a space delimited list of Terraform versions to test the infrastrucure against.
+
+            Examples:
+
+            ```bash
+            # run idempotence tests on listed modules with Terraform versions: 1.2 (latest patch available), 1.4 (latest patch available), 1.5.4.
+            /idempotence paths="examples/common_vmseries examples/panorama_standalone" tf_version="1.2 1.4 1.5.4"
+            ```
+
+            ```bash
+            # run validation tests with the latest available Terraform version on listed modules.
+            /validate paths="modules/vmseries modules/vnet examples/dedicated_vmseries"
+            ```
+
+          reactions: '+1'
+          reactions-edit-mode: replace
diff --git a/.github/workflows/idempotence-command.yml b/.github/workflows/idempotence-command.yml
@@ -0,0 +1,53 @@
+name: ChatOPS Idempotence
+run-name: "On demand Idempotence test for PR - (#${{ github.event.inputs.pr-id }}) ${{ github.event.inputs.pr-title }}"
+
+permissions:
+  contents: read
+
+concurrency: chatops-apply
+
+on:
+  workflow_dispatch:
+    inputs:
+      paths:
+        description: Space delimited list of module paths to test
+        type: string
+        required: true
+      tf_version:
+        description: Terraform versions to use for tests, comma-separated list
+        type: string
+      pr-id:
+        description: ID of the PR that triggered this workflow
+        type: string
+        required: true
+      pr-title: 
+        description: Title of the PR that triggered this workflow
+        type: string
+        required: true
+      comment-id:
+        description: 'The comment-id of the slash command'
+        type: string
+        required: true
+      branch:
+        description: Branch on which the tests should run
+        type: string
+        default: main
+
+jobs:
+  test:
+    name: Run idempotence test
+    permissions:
+      contents: read
+      pull-requests: write
+      id-token: write
+    uses: PaloAltoNetworks/terraform-modules-vmseries-ci-workflows/.github/workflows/[email protected]
+    secrets: inherit
+    with:
+      cloud: azure
+      paths: ${{ inputs.paths }}
+      tf_version: ${{ inputs.tf_version }}
+      pr-id: ${{ inputs.pr-id }}
+      comment-id: ${{ inputs.comment-id }}
+      branch: ${{ inputs.branch }}
+      terratest_action: Idempotence
+      apply_timeout: 60
diff --git a/.github/workflows/plan-command.yml b/.github/workflows/plan-command.yml
@@ -0,0 +1,52 @@
+name: ChatOPS Plan
+run-name: "On demand Plan test for PR - (#${{ github.event.inputs.pr-id }}) ${{ github.event.inputs.pr-title }}"
+
+permissions:
+  contents: read
+
+concurrency: chatops-plan
+
+on:
+  workflow_dispatch:
+    inputs:
+      paths:
+        description: Space delimited list of module paths to test
+        type: string
+        required: true
+      tf_version:
+        description: Terraform versions to use for tests, comma-separated list
+        type: string
+      pr-id:
+        description: ID of the PR that triggered this workflow
+        type: string
+        required: true
+      pr-title: 
+        description: Title of the PR that triggered this workflow
+        type: string
+        required: true
+      comment-id:
+        description: 'The comment-id of the slash command'
+        type: string
+        required: true
+      branch:
+        description: Branch on which the tests should run
+        type: string
+        default: main
+
+jobs:
+  test:
+    name: Run plan test
+    permissions:
+      contents: read
+      pull-requests: write
+      id-token: write
+    uses: PaloAltoNetworks/terraform-modules-vmseries-ci-workflows/.github/workflows/[email protected]
+    secrets: inherit
+    with:
+      cloud: azure
+      paths: ${{ inputs.paths }}
+      tf_version: ${{ inputs.tf_version }}
+      pr-id: ${{ inputs.pr-id }}
+      comment-id: ${{ inputs.comment-id }}
+      branch: ${{ inputs.branch }}
+      terratest_action: Plan
diff --git a/.github/workflows/pre-commit-update.yml b/.github/workflows/pre-commit-update.yml
@@ -0,0 +1,34 @@
+name: Pre-Commit update
+run-name: "Update Pre-Commit dependencies"
+
+permissions:
+  contents: write
+  pull-requests: write
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: 0 1 1 * *  # 1am of every 1st day of every month
+
+jobs:
+  update:
+    name: "Update Pre-Commit dependencies"
+    uses: PaloAltoNetworks/terraform-modules-vmseries-ci-workflows/.github/workflows/[email protected]
+
+  pre-commit:
+    name: Run Pre-Commit with the udpated config
+    needs: [update]
+    if: needs.update.outputs.pr_operation == 'created' || needs.update.outputs.pr_operation == 'updated'
+    uses: PaloAltoNetworks/terraform-modules-vmseries-ci-workflows/.github/workflows/[email protected]
+    with:
+      pre-commit-hooks: terraform_fmt terraform_docs terraform_tflint checkov
+      branch: pre-commit-dependencies-update
+
+  comment-pr:
+    name: Give comment on the PR if pre-commit failed
+    needs: [pre-commit, update]
+    if: always() && (needs.pre-commit.result == 'failure' || needs.pre-commit.result == 'success')
+    uses: PaloAltoNetworks/terraform-modules-vmseries-ci-workflows/.github/workflows/[email protected]
+    with:
+      pr_number: ${{ needs.update.outputs.pr_number }}
+      job_result: ${{ needs.pre-commit.result }}