Merge pull request #50 from gruntwork-io/39-permissions-set

Action workspace permissions fixes
gruntwork-io · Feb 16, 2024 · acfff27 · acfff27
2 parents 145aff1 + 54dd127
commit acfff27
Show file tree

Hide file tree

Showing 4 changed files with 82 additions and 11 deletions.
diff --git a/README.md b/README.md
@@ -6,13 +6,14 @@ A GitHub Action for installing and running Terragrunt
 
 Supported GitHub action inputs:
 
-| Input Name | Description                                       | Required | Example values |
-|:-----------|:--------------------------------------------------|:--------:|:--------------:|
-| tf_version | Terraform version to be used in Action execution  |  `true`  |     1.4.6      | 
-| tg_version | Terragrunt version to be user in Action execution |  `true`  |     0.50.8     |
-| tg_dir     | Directory in which Terragrunt will be invoked     |  `true`  |      work      |
-| tg_command | Terragrunt command to execute                     |  `true`  |   plan/apply   |
-| tg_comment | Add comment to Pull request with execution output | `false`  |      0/1       |
+| Input Name     | Description                                                       | Required | Example values |
+|:---------------|:------------------------------------------------------------------|:--------:|:--------------:|
+| tf_version     | Terraform version to be used in Action execution                  |  `true`  |     1.4.6      | 
+| tg_version     | Terragrunt version to be user in Action execution                 |  `true`  |     0.50.8     |
+| tg_dir         | Directory in which Terragrunt will be invoked                     |  `true`  |      work      |
+| tg_command     | Terragrunt command to execute                                     |  `true`  |   plan/apply   |
+| tg_comment     | Add comment to Pull request with execution output                 | `false`  |      0/1       |
+| tg_add_approve | Automatically add "-auto-approve" to commands, enabled by default | `false`  |      0/1       |
 
 ## Environment Variables
 

diff --git a/action.yml b/action.yml
@@ -23,6 +23,10 @@ inputs:
     description: 'Include execution output as comment'
     default: '0'
     required: false
+  tg_add_approve:
+    description: 'Add -auto-approve to commands which require changes to be applied'
+    default: '1'
+    required: false
 outputs:
   tg_action_output:
     description: 'Terragrunt execution output'

diff --git a/src/main.sh b/src/main.sh
@@ -83,9 +83,25 @@ function comment {
 
 function setup_git {
   # Avoid git permissions warnings
-  git config --global --add safe.directory /github/workspace
+  sudo git config --global --add safe.directory /github/workspace
   # Also trust any subfolder within workspace
-  git config --global --add safe.directory "*"
+  sudo git config --global --add safe.directory "*"
+}
+
+function setup_permissions {
+  local -r dir="${1}"
+  sudo chown -R $(whoami) /github/workspace
+  # Set permissions for the working directory
+  if [[ -f "${dir}" ]]; then
+    sudo chown -R $(whoami) "${dir}"
+    sudo chmod -R o+rw "${dir}"
+  fi
+  # Set permissions for the output file
+  if [[ -f "${GITHUB_OUTPUT}" ]]; then
+    sudo chown -R $(whoami) "${GITHUB_OUTPUT}"
+  fi
+  # set permissions for .terraform directories, if any
+  sudo find /github/workspace -name ".terraform*" -exec chmod -R 777 {} \;
 }
 
 # Run INPUT_PRE_EXEC_* environment variables as Bash code
@@ -125,6 +141,7 @@ function main {
   local -r tg_version=${INPUT_TG_VERSION}
   local -r tg_command=${INPUT_TG_COMMAND}
   local -r tg_comment=${INPUT_TG_COMMENT:-0}
+  local -r tg_add_approve=${INPUT_TG_ADD_APPROVE:-1}
   local -r tg_dir=${INPUT_TG_DIR:-.}
 
   if [[ -z "${tf_version}" ]]; then
@@ -142,19 +159,33 @@ function main {
     exit 1
   fi
   setup_git
+  setup_permissions "${tg_dir}"
+  trap 'setup_permissions $tg_dir ' EXIT
   setup_pre_exec
 
   install_terraform "${tf_version}"
   install_terragrunt "${tg_version}"
 
   # add auto approve for apply and destroy commands
+  local tg_arg_and_commands="${tg_command}"
   if [[ "$tg_command" == "apply"* || "$tg_command" == "destroy"* || "$tg_command" == "run-all apply"* || "$tg_command" == "run-all destroy"* ]]; then
     export TERRAGRUNT_NON_INTERACTIVE=true
     export TF_INPUT=false
     export TF_IN_AUTOMATION=1
-  fi
-  run_terragrunt "${tg_dir}" "${tg_command}"
 
+    if [[ "${tg_add_approve}" == "1" ]]; then
+      local approvePattern="^(apply|destroy|run-all apply|run-all destroy)"
+      # split command and arguments to insert -auto-approve
+      if [[ $tg_arg_and_commands =~ $approvePattern ]]; then
+          local matchedCommand="${BASH_REMATCH[0]}"
+          local remainingArgs="${tg_arg_and_commands#$matchedCommand}"
+          tg_arg_and_commands="${matchedCommand} -auto-approve ${remainingArgs}"
+      fi
+    fi
+  fi
+  run_terragrunt "${tg_dir}" "${tg_arg_and_commands}"
+  setup_permissions "${tg_dir}"
+  # setup permissions for the output files
   setup_post_exec
 
   local -r log_file="${terragrunt_log_file}"

diff --git a/test/action_run_test.go b/test/action_run_test.go
@@ -32,6 +32,41 @@ func TestOutputPlanIsUsedInApply(t *testing.T) {
 	assert.Contains(t, output, "1 added, 0 changed, 0 destroyed")
 }
 
+func TestRunAllIsExecuted(t *testing.T) {
+	t.Parallel()
+	tag := buildActionImage(t)
+	fixturePath := prepareFixture(t, "fixture-dependencies-project")
+
+	output := runAction(t, tag, fixturePath, "run-all plan")
+	assert.Contains(t, output, "1 to add, 0 to change, 0 to destroy")
+
+	output = runAction(t, tag, fixturePath, "run-all apply")
+	assert.Contains(t, output, "1 to add, 0 to change, 0 to destroy")
+
+	output = runAction(t, tag, fixturePath, "run-all destroy")
+	assert.Contains(t, output, "0 to add, 0 to change, 1 to destroy")
+	assert.Contains(t, output, "Destroy complete! Resources: 1 destroyed")
+}
+
+func TestAutoApproveDelete(t *testing.T) {
+	t.Parallel()
+	tag := buildActionImage(t)
+	fixturePath := prepareFixture(t, "fixture-dependencies-project")
+
+	output := runAction(t, tag, fixturePath, "run-all plan -out=plan.out")
+	assert.Contains(t, output, "1 to add, 0 to change, 0 to destroy")
+
+	output = runAction(t, tag, fixturePath, "run-all apply plan.out")
+	assert.Contains(t, output, "1 added, 0 changed, 0 destroyed")
+
+	// run destroy with auto-approve
+	output = runAction(t, tag, fixturePath, "run-all plan -destroy -out=destroy.out")
+	assert.Contains(t, output, "0 to add, 0 to change, 1 to destroy")
+
+	output = runAction(t, tag, fixturePath, "run-all apply -destroy destroy.out")
+	assert.Contains(t, output, "Resources: 0 added, 0 changed, 1 destroyed")
+}
+
 func runAction(t *testing.T, tag, fixturePath, command string) string {
 	opts := &docker.RunOptions{
 		EnvironmentVariables: []string{