-
Notifications
You must be signed in to change notification settings - Fork 0
113 lines (101 loc) · 3.63 KB
/
terragrunt-apply-all.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
name: Terragrunt Apply All
on:
workflow_call:
inputs:
load_env:
description: "Load environment variables from GitHub Variables and Secret context."
required: false
type: boolean
default: false
working_dir:
description: "Directory containing root terragrunt.hcl"
required: true
type: string
terraform_version:
description: "Terraform Version"
required: false
default: "1.6.0"
type: string
opentofu_version:
description: "Open Tofu Version"
required: false
default: "1.6.0"
type: string
terragrunt_version:
description: "Terragrunt Version"
required: false
default: "0.54.12"
type: string
aws-use-oidc:
description: "Prefer AWS OIDC auth"
default: "true"
type: string
aws_region:
description: "AWS Region"
required: false
default: "ap-south-1"
type: string
aws-access-key-id:
description: "AWS_ACCESS_KEY_ID required if not aws-use-oidc"
required: false
type: string
aws-secret-access-key:
description: "AWS_SECRET_ACCESS_KEY required if not aws-use-oidc"
required: false
type: string
env:
AWS_REGION: ${{ inputs.aws_region }}
tofu_version: ${{ inputs.opentofu_version }}
tf_version: ${{ inputs.terraform_version }}
tg_version: ${{ inputs.terragrunt_version }}
working_dir: ${{ inputs.working_dir }}
jobs:
plan:
name: Create Terragrunt Plan File
runs-on: "ubuntu-latest"
permissions:
id-token: write
contents: read
steps:
- name: Checkout Repo
uses: actions/checkout@v4
- name: Load Environment from GitHub variables & secrets.
shell: bash
env:
GIT_BRANCH: ${{ github.ref_name }}
VARS_CONTEXT: ${{ toJson(vars) }}
SECRETS_CONTEXT: ${{ toJson(secrets) }}
run: |
# Random delimeter string for security
delim=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
# Parse JSON with multiline strings, using delimeter (Github specific)
to_envs() { jq -r "to_entries[] | \"\(.key)<<$delim\n\(.value)\n$delim\n\""; }
# Set vars to env for next step
echo "GIT_BRANCH=${GIT_BRANCH}" >> $GITHUB_ENV
echo "TAG_OVERRIDE=${TAG_OVERRIDE}" >> $GITHUB_ENV
# Set VARS_CONTEXT if not null
if [ "${VARS_CONTEXT}" != "null" ]; then
echo "${VARS_CONTEXT}" | to_envs >> $GITHUB_ENV
fi
# Set SECRETS_CONTEXT if not null
if [ "${SECRETS_CONTEXT}" != "null" ]; then
echo "${SECRETS_CONTEXT}" | to_envs >> $GITHUB_ENV
fi
- name: Setup AWS Credentials
uses: naxa-developers/gh-workflows/.github/actions/configure_aws_credentials@master
with:
USE_OIDC_FOR_AWS: ${{inputs.aws-use-oidc }}
AWS_CONFIG_FILE_PATH: ${{ github.workspace }}/.aws/credentials
AWS_ACCESS_KEY_ID: ${{ inputs.aws-access-key-id }}
AWS_SECRET_ACCESS_KEY: ${{ inputs.aws-secret-access-key }}
AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
- name: Terragrunt Plan
uses: gruntwork-io/terragrunt-action@v2
env:
AWS_SHARED_CREDENTIALS_FILE: ${{ github.workspace }}/.aws/credentials
INPUT_PRE_EXEC_1: export TERRAGRUNT_GIT_REPO_NAME=${{ github.event.repository.name }}
with:
tf_version: ${{ env.tf_version }}
tg_version: ${{ env.tg_version }}
tg_dir: ${{ env.working_dir }}
tg_command: run-all apply -auto-approve