Add terraform check, plan workflows.

CDCgov · Feb 20, 2024 · 3aa22ed · 3aa22ed
1 parent 6605746
commit 3aa22ed
Show file tree

Hide file tree

Showing 3 changed files with 150 additions and 0 deletions.
diff --git a/.github/workflows/terraformChecks.yml b/.github/workflows/terraformChecks.yml
@@ -0,0 +1,79 @@
+name: Terraform Checks
+
+on:
+  workflow_dispatch: # because sometimes you just want to force a branch to have tests run
+  pull_request:
+    branches:
+      - "**"
+  merge_group:
+    types:
+      - checks_requested
+
+defaults:
+  run:
+    working-directory: ./ops
+
+jobs:
+  check-terraform-formatting:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: hashicorp/[email protected]
+        with:
+          terraform_version: 1.7.3
+      - name: Terraform fmt
+        run: terraform fmt -check -recursive
+
+  check-terraform-validity:
+    runs-on: ubuntu-latest
+    env:
+      TERRAFORM_DIRS: |
+          dev dev/persistent
+    steps:
+      - uses: actions/checkout@v4
+      - uses: hashicorp/[email protected]
+        with:
+          terraform_version: 1.7.3
+      - name: Terraform Init
+        run: |
+          for d in $TERRAFORM_DIRS
+          do
+            echo "Initializing $d";
+            (cd $d && terraform init -backend=false)
+          done
+      - name: Terraform Validate
+        run: |
+          for d in $TERRAFORM_DIRS
+          do
+            echo "Validating $d";
+            (cd $d && terraform validate)
+          done
+
+  terraform-plan:
+    runs-on: ubuntu-latest
+    needs: [check-terraform-validity]
+    env: # all Azure interaction is through terraform
+      ARM_CLIENT_ID: ${{ secrets.TERRAFORM_ARM_CLIENT_ID }}
+      ARM_CLIENT_SECRET: ${{ secrets.TERRAFORM_ARM_CLIENT_SECRET }}
+      ARM_SUBSCRIPTION_ID: ${{ secrets.TERRAFORM_ARM_SUBSCRIPTION_ID }}
+      ARM_TENANT_ID: ${{ secrets.TERRAFORM_ARM_TENANT_ID }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Dependabot bypass
+        if: ${{ github.actor == 'dependabot[bot]' }}
+        run: |
+          true
+      - uses: azure/login@v1
+        if: ${{ github.actor != 'dependabot[bot]' }}
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+      - uses: hashicorp/[email protected]
+        if: ${{ github.actor != 'dependabot[bot]' }}
+        with:
+          terraform_version: 1.7.3
+      - name: Terraform Init Prod
+        if: ${{ github.actor != 'dependabot[bot]' }}
+        run: make init-prod
+      - name: Terraform Plan Prod
+        if: ${{ github.actor != 'dependabot[bot]' }}
+        run: make plan-prod
diff --git a/.github/workflows/terraformPlan.yml b/.github/workflows/terraformPlan.yml
@@ -0,0 +1,33 @@
+name: Ad-hoc Terraform Plan
+
+on:
+  workflow_dispatch:
+    inputs:
+      env:
+        description: "Environment target"
+        required: true
+        default: "prod" 
+
+jobs:
+  terraform-plan:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./ops
+    env: # all Azure interaction is through Terraform
+      ARM_CLIENT_ID: ${{ secrets.TERRAFORM_ARM_CLIENT_ID }}
+      ARM_CLIENT_SECRET: ${{ secrets.TERRAFORM_ARM_CLIENT_SECRET }}
+      ARM_SUBSCRIPTION_ID: ${{ secrets.TERRAFORM_ARM_SUBSCRIPTION_ID }}
+      ARM_TENANT_ID: ${{ secrets.TERRAFORM_ARM_TENANT_ID }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: azure/login@v1
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+      - uses: hashicorp/[email protected]
+        with:
+          terraform_version: 1.7.3
+      - name: Terraform Init
+        run: make init-${{ github.event.inputs.env }}
+      - name: Terraform plan
+        run: make plan-${{ github.event.inputs.env }}
diff --git a/ops/Makefile b/ops/Makefile
@@ -0,0 +1,38 @@
+# Makefile for az cli shortcuts
+
+SHELL:=/bin/bash
+
+# Overrideable arguments
+DEPLOYED_COMMIT?=$(shell git show --abbrev=7 -s --pretty=%h)
+RELEASE_TAG?=$(subst refs/tags/,,$(GITHUB_REF))
+CURL_TIMEOUT?=20
+
+# Internal target: check if we are currently logged in, so we get a friendly error if not
+.be-logged-in:
+	@if ! az account show >& /dev/null ; then echo "You must be logged in to the az command line"; exit 1; fi
+
+# Internal target: check if the passed-in wildcard is a known environment name. Hard-coding them because let's be real here.
+.valid-env-%:
+	@case $* in dev|prod) ;; *) echo "$* is not a valid environment"; exit 1;; esac
+
+api.tfvars: /dev/null
+	echo "acr_image_tag=\"$(DEPLOYED_COMMIT)\"" > $@; \
+	echo "deploy_workflow=\"${GITHUB_WORKFLOW}\"" >> $@; \
+	if [[ "release" == "$(GITHUB_EVENT_NAME)" ]]; \
+		then echo "deploy_tag=\"$(RELEASE_TAG)\"" >> $@;\
+	fi; \
+	echo "deploy_runnumber=${GITHUB_RUN_NUMBER}" >> $@; \
+	echo "deploy_timestamp=\"$(shell date +%Y-%m-%dT%H:%M:%S%z) \"" >> $@; \
+	echo "deploy_actor=\"$(GITHUB_ACTOR)\"" >> $@;
+
+init-%: .valid-env-%
+	terraform -chdir=$*/persistent init
+	terraform -chdir=$* init
+
+plan-%: .valid-env-% api.tfvars
+	terraform -chdir=$*/persistent plan -lock-timeout=30m
+	terraform -chdir=$* plan -var-file=../api.tfvars -lock-timeout=30m
+
+deploy-%: .valid-env-% api.tfvars
+	terraform -chdir=$*/persistent apply -auto-approve -lock-timeout=30m
+	terraform -chdir=$* apply -auto-approve -var-file=../api.tfvars -lock-timeout=30m