forked from aws-ia/terraform-aws-eks-blueprints
-
Notifications
You must be signed in to change notification settings - Fork 1
103 lines (88 loc) · 3.54 KB
/
plan-examples.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
name: plan-examples
on:
# Review https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ and better understand the risks of using pull_request_target before making major changes to this workflow.
pull_request_target:
branches:
- main
workflow_dispatch:
concurrency:
group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
cancel-in-progress: true
jobs:
getExampleDirectories:
name: Get example directories
runs-on: ubuntu-latest
# Do not remove environment setup without considering changes to pull_request_target and checkout of PR, as it may lead to checks running automatically against malicious code in PRs.
environment: EKS Blueprints Test
# Skip running on forks since it won't have access to secrets
if: github.repository == 'aws-ia/terraform-aws-eks-blueprints'
outputs:
directories: ${{ steps.dirs.outputs.directories }}
steps:
# Be careful not to change this to explicit checkout from PR ref/code, as below we run a python code that may change from the PR code.
- name: Checkout
uses: actions/checkout@v3
- name: Get Terraform directories for evaluation
id: dirs
run: |
DIRS=$(python3 .github/scripts/plan-examples.py)
echo "directories=$DIRS" >> $GITHUB_OUTPUT
plan:
name: Plan examples
needs: getExampleDirectories
runs-on: ubuntu-latest
# Skip running on forks since it won't have access to secrets
if: github.repository == 'aws-ia/terraform-aws-eks-blueprints'
# These permissions are needed to interact with GitHub's OIDC Token endpoint.
permissions:
id-token: write
contents: read
strategy:
fail-fast: false
matrix:
directory: ${{ fromJson(needs.getExampleDirectories.outputs.directories) }}
steps:
- name: Remove default Terraform
run: rm -rf $(which terraform)
- name: checkout-merge
if: "contains(github.event_name, 'pull_request')"
uses: actions/checkout@v3
with:
ref: refs/pull/${{github.event.pull_request.number}}/merge
- name: checkout
if: "!contains(github.event_name, 'pull_request')"
uses: actions/checkout@v3
- uses: dorny/paths-filter@v2
id: changes
with:
# Need to check not only the example directory
# but also the supporting module(s) code
# for plans (not for pre-commit)
filters: |
src:
- '${{ matrix.directory }}/**/*.(tf|yml|yaml)'
- 'modules/**/*.(tf|yml|yaml)'
- '*.tf'
- name: Configure AWS credentials from Test account
uses: aws-actions/configure-aws-credentials@v1-node16
if: steps.changes.outputs.src== 'true'
with:
role-to-assume: ${{ secrets.ROLE_TO_ASSUME }}
aws-region: us-west-2
role-duration-seconds: 3600
role-session-name: GithubActions-Session
- name: Terraform Job
uses: hashicorp/setup-terraform@v2
if: steps.changes.outputs.src== 'true'
with:
terraform_version: 1.0.0
- if: steps.changes.outputs.src== 'true'
run: terraform version
- name: Terraform Init
if: steps.changes.outputs.src== 'true'
run: terraform init -reconfigure
working-directory: ${{ matrix.directory }}
- name: Terraform Plan
if: steps.changes.outputs.src== 'true'
working-directory: ${{ matrix.directory }}
run: terraform plan -no-color