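---
# Plan-then-apply pipeline for the `terraform/` tree.
#
#   plan  — runs on every push/PR to main and on manual dispatch. Produces a
#           saved plan, encrypts it with sops and uploads it as an artifact.
#   apply — runs only on main, only when the plan reported changes, and only
#           inside the `infrastructure` environment. Applies the *saved* plan
#           and commits the regenerated outputs back to the repository.
name: "Terraform"

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  workflow_dispatch:

# Serialise every run of this workflow (pushes, PR plans and manual
# dispatches) so a plan is never applied while another apply is mutating the
# same state. cancel-in-progress is deliberately false: an in-flight apply
# must never be killed half-way.
concurrency:
  group: push-to-main
  cancel-in-progress: false

# Least privilege: by default nothing here needs more than read access to the
# repository. The apply job raises this to `contents: write` because it pushes
# the regenerated outputs back to main.
permissions:
  contents: read

env:
  # NOTE(review): a workflow-level env exposes the age private key to every
  # step of every job, including PR-triggered plan runs and third-party
  # actions. If only the terraform wrappers and the sops steps read it, scope
  # it to those steps instead — confirm which nix wrappers actually need it.
  SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}

jobs:
  plan:
    runs-on: ubuntu-latest
    outputs:
      # "true" when `terraform plan` reported pending changes, "false" when
      # the infrastructure already matches the configuration.
      diff: ${{ steps.plan.outputs.diff }}
    steps:
      - name: Checkout
        # NOTE(review): `@main` / `@master` are mutable refs — pin every
        # action in this file to a full commit SHA so a compromised upstream
        # branch cannot run arbitrary code with these secrets.
        uses: actions/checkout@main
        with:
          # This job never pushes, so do not leave GITHUB_TOKEN in
          # .git/config where any later step or action could read it.
          persist-credentials: false
      - name: Install nix
        uses: cachix/install-nix-action@master
        with:
          nix_path: nixpkgs=channel:nixos-unstable
          extra_nix_config: |
            experimental-features = nix-command flakes
      - name: Setup cachix
        # NOTE(review): this job also runs for pull requests, so PR builds
        # push to the public cache with the signing key. Only same-repo PRs
        # receive secrets, but consider skipping the push on pull_request.
        uses: cachix/cachix-action@master
        with:
          name: linyinfeng
          signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
      - name: Cache terraform
        # Provider binaries are keyed on the lock file, whose checksums
        # `terraform init` verifies, so a cache hit is still integrity-checked.
        uses: actions/cache@main
        with:
          path: terraform/.terraform/providers
          key: ${{ runner.os }}-terraform-providers-${{ hashFiles('terraform/.terraform.lock.hcl') }}
      - name: Terraform init
        run: |
          nix develop --command terraform-init
      - name: Terraform plan
        id: plan
        # -detailed-exitcode: 0 = no changes, 2 = changes pending, anything
        # else is an error. Only 0 and 2 are successes for this step, so the
        # default `-e` is suspended around the plan call only.
        run: |
          set +e
          nix develop --command terraform-wrapper plan -out="$PWD/terraform/terraform.plan" -detailed-exitcode
          exit_code=$?
          set -e
          case "$exit_code" in
            0) echo "diff=false" >> "$GITHUB_OUTPUT" ;;
            2) echo "diff=true" >> "$GITHUB_OUTPUT" ;;
            *) exit "$exit_code" ;;
          esac
      - name: Import GPG key
        if: steps.plan.outputs.diff == 'true'
        # Public key only; it is the recipient sops encrypts the plan to.
        run: |
          gpg --import nixos/profiles/users/yinfeng/_pgp/pub.asc
      - name: Encrypt plan
        if: steps.plan.outputs.diff == 'true'
        # A saved plan contains resolved values, including secrets, so it is
        # never uploaded in clear text.
        run: |
          nix develop --command bash -c "sops --encrypt terraform/terraform.plan > secrets/terraform.plan"
      - name: Upload plan
        if: steps.plan.outputs.diff == 'true'
        uses: actions/upload-artifact@main
        with:
          name: plan
          path: secrets/terraform.plan
          # Consumed only by the apply job of this same run; do not keep the
          # (encrypted) plan around for the default 90 days.
          retention-days: 1

  apply:
    runs-on: ubuntu-latest
    # Deployment environment: required reviewers / deployment branch rules
    # configured on it gate the apply.
    environment: infrastructure
    needs: [plan]
    if: |
      needs.plan.outputs.diff == 'true' &&
      github.ref == 'refs/heads/main'
    permissions:
      # Needed for the final `git push` of the regenerated outputs.
      contents: write
    steps:
      - name: Checkout
        # Credentials are persisted here (the default) because the last step
        # pushes with GITHUB_TOKEN.
        uses: actions/checkout@main
      - name: Install nix
        # NOTE(review): unlike the plan job this pulls the installer from
        # `releases/latest`, an unpinned moving target — confirm the
        # difference is intentional and pin a specific release.
        uses: cachix/install-nix-action@master
        with:
          install_url: https://github.com/numtide/nix-unstable-installer/releases/latest/download/install
          nix_path: nixpkgs=channel:nixos-unstable
          extra_nix_config: |
            experimental-features = nix-command flakes
      - name: Setup cachix
        uses: cachix/cachix-action@master
        with:
          name: linyinfeng
          signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
      - name: Cache terraform
        uses: actions/cache@main
        with:
          path: terraform/.terraform/providers
          key: ${{ runner.os }}-terraform-providers-${{ hashFiles('terraform/.terraform.lock.hcl') }}
      - name: Terraform init
        run: |
          nix develop --command terraform-init
      - name: Download plan
        uses: actions/download-artifact@main
        with:
          name: plan
          path: secrets # secrets/terraform.plan
      - name: Decrypt plan
        # The decrypted plan is written to disk; it is deleted again before
        # anything is committed (see "Remove plan files").
        run: |
          nix develop --command sops --decrypt secrets/terraform.plan > terraform/terraform.plan
      - name: Terraform apply
        # Applying the saved plan (not a fresh one) guarantees that exactly
        # what was planned is applied; terraform refuses a plan whose state
        # serial no longer matches.
        run: |
          nix develop --command terraform-wrapper apply "$PWD/terraform/terraform.plan"
      - name: Terraform update outputs
        run: |
          nix develop --command terraform-update-outputs
      - name: Terraform extract secret and data
        run: |
          nix develop --command terraform-outputs-extract-secrets
          nix develop --command terraform-outputs-extract-data
      - name: Remove plan files
        # The plan has been consumed by the apply step. `git add --all` below
        # would otherwise sweep the *decrypted* terraform/terraform.plan (and
        # the downloaded encrypted copy) into the commit unless .gitignore
        # happens to exclude them — do not rely on that.
        run: |
          rm -f terraform/terraform.plan secrets/terraform.plan
      - name: Format
        run: |
          nix fmt
      - name: Commit and push
        # NOTE(review): if main advanced since checkout the push is rejected
        # as non-fast-forward after the apply already happened; the
        # concurrency group only serialises runs of this workflow, not other
        # pushes.
        run: |
          if [ -z "$(git status --porcelain)" ]; then
            echo "repository is clean, skip commit and push"
          else
            git config --global user.email "[email protected]"
            git config --global user.name "Nano"
            git add --all
            git commit --message "Terraform apply"
            git push
          fi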