
# Copyright 2023 The Cross-Media Measurement Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
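# Plans (and, when `apply` is true, applies) the CMMS Terraform modules for
# Google Cloud and then AWS against the selected GitHub-managed environment.
name: Terraform CMMS
on:
  workflow_call:
    inputs:
      environment:
        type: string
        required: true
      apply:
        description: "Apply the new configuration"
        type: boolean
        required: true
  workflow_dispatch:
    inputs:
      environment:
        description: "GitHub-managed environment"
        required: true
        type: choice
        options:
          - dev
          - qa
          - head
      apply:
        description: "Apply the new configuration"
        type: boolean
        default: false
# `id-token: write` lets the job request an OIDC token, which both cloud
# authentication steps exchange for short-lived credentials. Because a
# permissions block is present, every scope not listed here is `none`; add
# `contents: read` if checkout ever needs it (e.g. a private repository).
permissions:
  id-token: write
jobs:
  terraform:
    runs-on: ubuntu-22.04
    # `vars.*` and `secrets.*` below resolve against this environment. Under
    # workflow_call the name is a free-form string, not the dev/qa/head choice.
    # NOTE(review): confirm each environment has protection rules, since they
    # are the only gate in front of the apply steps.
    environment: ${{ inputs.environment }}
    env:
      GCLOUD_MODULE_PATH: src/main/terraform/gcloud/cmms
      GCLOUD_REGION: ${{ vars.GCLOUD_REGION }}
      GCLOUD_ZONE: ${{ vars.GCLOUD_ZONE }}
      AWS_MODULE_PATH: src/main/terraform/aws/cmms
    # NOTE(review): every `uses:` below references a mutable tag. Pinning each
    # action to a full commit SHA keeps a moved tag from changing the code that
    # runs with cloud credentials.
    # NOTE(review): no step installs Terraform, so the version presumably comes
    # from the runner image; confirm and consider pinning it.
    steps:
      - uses: actions/checkout@v4

      # Authenticate to Google Cloud. This will export some environment
      # variables, including GCLOUD_PROJECT.
      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ vars.TF_SERVICE_ACCOUNT }}

      # -lockfile=readonly makes init fail rather than rewrite the dependency
      # lock file, so provider checksums stay as committed.
      - name: terraform init - gcloud
        env:
          TF_STORAGE_BUCKET: ${{ vars.TF_STORAGE_BUCKET }}
        working-directory: ${{ env.GCLOUD_MODULE_PATH }}
        run: >
          terraform init
          -input=false
          -lockfile=readonly
          -backend-config="bucket=$TF_STORAGE_BUCKET"

      - name: terraform plan - gcloud
        env:
          KEY_RING: ${{ vars.KEY_RING }}
          SPANNER_INSTANCE: ${{ vars.SPANNER_INSTANCE }}
          SPANNER_PROCESSING_UNITS: ${{ vars.SPANNER_PROCESSING_UNITS }}
          STORAGE_BUCKET: ${{ vars.STORAGE_BUCKET }}
          POSTGRES_INSTANCE: ${{ vars.POSTGRES_INSTANCE }}
          # Terraform reads TF_VAR_<name> from the environment, so the password
          # is supplied this way instead of through a -var argument, which
          # would place the secret in the process command line.
          # TF_VAR_ values have the lowest precedence of the variable sources;
          # confirm no tfvars file in the module sets postgres_password.
          TF_VAR_postgres_password: ${{ secrets.POSTGRES_PASSWORD }}
        working-directory: ${{ env.GCLOUD_MODULE_PATH }}
        # The saved plan file records variable values, including the password,
        # in clear text. Keep it on the runner: do not upload or cache tfplan.
        run: >
          terraform plan
          -input=false
          -var="key_ring_name=$KEY_RING"
          -var="spanner_instance_name=$SPANNER_INSTANCE"
          -var="spanner_processing_units=$SPANNER_PROCESSING_UNITS"
          -var="storage_bucket_name=$STORAGE_BUCKET"
          -var="postgres_instance_name=$POSTGRES_INSTANCE"
          -out=tfplan

      # Applies exactly the plan saved by the previous step.
      - name: terraform apply - gcloud
        if: ${{ inputs.apply }}
        working-directory: ${{ env.GCLOUD_MODULE_PATH }}
        run: terraform apply -input=false tfplan

      # Authenticate to AWS. No static access keys are passed, so the role is
      # assumed with the job's OIDC token. This will export some environment
      # variables, including AWS_REGION, which the AWS steps below rely on.
      # NOTE(review): confirm the role's trust policy restricts the OIDC
      # subject to this repository and the intended environments.
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: ${{ vars.AWS_REGION }}
          role-to-assume: ${{ vars.AWS_GHA_ROLE }}
          role-session-name: GitHubAction

      - name: terraform init - aws
        env:
          TF_STORAGE_BUCKET: ${{ vars.AWS_TF_STORAGE_BUCKET }}
        working-directory: ${{ env.AWS_MODULE_PATH }}
        run: >
          terraform init
          -input=false
          -lockfile=readonly
          -backend-config="bucket=$TF_STORAGE_BUCKET"
          -backend-config="region=$AWS_REGION"

      - name: terraform plan - aws
        env:
          POSTGRES_INSTANCE: ${{ vars.POSTGRES_INSTANCE }}
          AWS_S3_BUCKET: ${{ vars.AWS_S3_BUCKET }}
          # The caller-supplied input reaches the shell as an environment
          # variable and is expanded inside double quotes, rather than being
          # interpolated into the script text by the expression engine.
          ENVIRONMENT: ${{ inputs.environment }}
        working-directory: ${{ env.AWS_MODULE_PATH }}
        run: >
          terraform plan
          -input=false
          -var="aws_region=$AWS_REGION"
          -var="postgres_instance_name=$POSTGRES_INSTANCE"
          -var="aws_project_env=halo-cmm-$ENVIRONMENT"
          -var="aws_s3_bucket=$AWS_S3_BUCKET"
          -out=tfplan

      # Applies exactly the plan saved by the previous step.
      - name: terraform apply - aws
        if: ${{ inputs.apply }}
        working-directory: ${{ env.AWS_MODULE_PATH }}
        run: terraform apply -input=false tfplan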