|
9 | 9 | default: "false"
|
10 | 10 | type: string
|
11 | 11 | push:
|
| 12 | + branches: |
| 13 | + - main # Trigger only on pushes to the main branch |
12 | 14 | paths:
|
13 |
| - - baselines/** |
| 15 | + - baselines/** # Limit to specific file paths |
| 16 | + |
| 17 | +permissions: |
| 18 | + id-token: write |
| 19 | + contents: read |
14 | 20 |
|
15 | 21 | jobs:
|
16 |
| - terraform: |
| 22 | + baselines: |
17 | 23 | runs-on: ubuntu-latest
|
18 | 24 |
|
19 | 25 | steps:
|
20 | 26 | - name: Checkout code
|
21 |
| - uses: actions/checkout@v3 |
| 27 | + uses: actions/checkout@v4 |
22 | 28 |
|
23 | 29 | - name: Setup Terraform
|
24 |
| - uses: hashicorp/setup-terraform@v2 |
| 30 | + uses: hashicorp/setup-terraform@v3 |
25 | 31 | # with:
|
26 |
| - # terraform_version: 1.4.6 |
27 |
| - |
28 |
| - - name: Set Turbot credentials |
29 |
| - run: | |
30 |
| - echo "TURBOT_WORKSPACE=${{ secrets.TURBOT_WORKSPACE }}" >> $GITHUB_ENV |
31 |
| - echo "TURBOT_ACCESS_KEY=${{ secrets.TURBOT_ACCESS_KEY }}" >> $GITHUB_ENV |
32 |
| - echo "TURBOT_SECRET_KEY=${{ secrets.TURBOT_SECRET_KEY }}" >> $GITHUB_ENV |
| 32 | + # terraform_version: 1.6.6 |
33 | 33 |
|
34 |
| - - name: Find all Terraform folders |
35 |
| - id: find_folders |
36 |
| - run: | |
37 |
| - folders=$(find baselines -type d -name "*.tf" -exec dirname {} \; | sort -u) |
38 |
| - echo "folders=$folders" >> $GITHUB_ENV |
39 |
| - echo "::set-output name=folders::$folders" |
| 34 | + - name: "Configure AWS credentials for Remote State" |
| 35 | + id: configure-aws-creds |
| 36 | + uses: aws-actions/configure-aws-credentials@v4 |
| 37 | + with: |
| 38 | + aws-region: ${{ secrets.BASELINES_AWS_REGION }} |
| 39 | + role-to-assume: ${{ secrets.BASELINES_IAM_ROLE_TO_ASSUME }} |
| 40 | + role-session-name: "baselines-role-for-ga" |
| 41 | + role-duration-seconds: 1200 # 20min |
40 | 42 |
|
41 | 43 | - name: Run Terraform
|
| 44 | + env: |
| 45 | + TURBOT_WORKSPACE: ${{ secrets.BASELINES_TURBOT_WORKSPACE }} |
| 46 | + TURBOT_ACCESS_KEY: ${{ secrets.BASELINES_TURBOT_ACCESS_KEY }} |
| 47 | + TURBOT_SECRET_KEY: ${{ secrets.BASELINES_TURBOT_SECRET_KEY }} |
| 48 | + S3_BUCKET: ${{ secrets.BASELINES_S3_BUCKET }} |
| 49 | + DYNAMODB_TABLE: ${{ secrets.BASELINES_DYNAMODB_TABLE }} |
| 50 | + AWS_REGION: ${{ secrets.BASELINES_AWS_REGION }} |
| 51 | + USER_PROFILE: ${{ secrets.BASELINES_USER_PROFILE }} |
| 52 | + |
42 | 53 | run: |
|
43 |
| - for folder in ${{ steps.find_folders.outputs.folders }}; do |
44 |
| - cd $folder |
| 54 | +
|
| 55 | + # Store the root directory |
| 56 | + root_dir=$(pwd) |
| 57 | +
|
| 58 | + # # Detect changes between the current branch and the main branch |
| 59 | + # if git rev-parse origin/main >/dev/null 2>&1; then |
| 60 | + # # Compare the current branch with the main branch |
| 61 | + # echo "Running git diff between the current branch and origin/main for baselines/*..." |
| 62 | + # changed_folders=$(git diff --name-only origin/main HEAD -- 'baselines/*' | xargs -n1 dirname | sort -u) |
| 63 | + # else |
| 64 | + # # If origin/main doesn't exist, it's likely the first commit |
| 65 | + # echo "Running git diff against empty tree for baselines/*..." |
| 66 | + # changed_folders=$(git diff --name-only $(git hash-object -t tree /dev/null) HEAD -- 'baselines/*' | xargs -n1 dirname | sort -u) |
| 67 | + # fi |
| 68 | +
|
| 69 | + # # Debug output: Show what was detected as changed folders |
| 70 | + # echo "Detected changed folders: $changed_folders" |
| 71 | +
|
| 72 | + # For the initial run, bypass git diff and force processing all folders |
| 73 | + echo "Processing all folders in baselines/* for the initial run..." |
| 74 | + changed_folders=$(find baselines -type d | sort -u) |
| 75 | +
|
| 76 | + # Debug output: Show what was detected as changed folders |
| 77 | + echo "Detected folders: $changed_folders" |
| 78 | +
|
| 79 | + # Check if changed_folders is truly empty or contains valid paths |
| 80 | + if [ -z "$(echo "$changed_folders" | xargs)" ]; then |
| 81 | + echo "No changes detected in baselines/* folders." |
| 82 | + exit 0 |
| 83 | + fi |
| 84 | +
|
| 85 | + # Function to process Terraform commands for a given folder |
| 86 | + process_folder() { |
| 87 | + folder_path=$1 |
| 88 | + var_flag=$2 |
| 89 | + var_value=$3 |
| 90 | + |
| 91 | + echo "Processing folder $folder_path..." |
| 92 | + cd "$folder_path" || exit 1 # Exits if the cd command fails |
| 93 | +
|
| 94 | + # Generate dynamic key from the folder path (replace '/' with '-') |
| 95 | + key=$(echo "$folder_path")/terraform.tfstate |
| 96 | +
|
| 97 | + echo "Using S3 Key $key" |
| 98 | +
|
| 99 | + # Create backend.tf dynamically with S3 backend configuration |
| 100 | + cat <<-EOF > backend.tf |
| 101 | + terraform { |
| 102 | + backend "s3" { |
| 103 | + bucket = "$S3_BUCKET" |
| 104 | + key = "$key" |
| 105 | + region = "$AWS_REGION" |
| 106 | + dynamodb_table = "$DYNAMODB_TABLE" |
| 107 | + encrypt = true |
| 108 | + } |
| 109 | + } |
| 110 | + EOF |
| 111 | +
|
45 | 112 | terraform init
|
46 |
| - if [[ "$folder" == *"mods"* ]]; then |
47 |
| - terraform apply -auto-approve -parallelism=1 |
| 113 | + |
| 114 | + # Check if the folder name ends with _mods |
| 115 | + if [[ "$folder_path" == *"_mods" ]]; then |
| 116 | + parallelism_flag="-parallelism=1" |
48 | 117 | else
|
49 |
| - terraform apply -auto-approve |
| 118 | + parallelism_flag="" |
| 119 | + fi |
| 120 | +
|
| 121 | + # Check if var_value is provided |
| 122 | + if [ -n "$var_value" ]; then |
| 123 | + # If var_value ends with .tfvars, use --var-file, otherwise use -var |
| 124 | + if [[ "$var_value" == *.tfvars ]]; then |
| 125 | + terraform apply --var-file="$var_value" --auto-approve $parallelism_flag |
| 126 | + else |
| 127 | + terraform apply -var "$var_flag=$var_value" --auto-approve $parallelism_flag |
| 128 | + fi |
| 129 | + else |
| 130 | + terraform apply --auto-approve $parallelism_flag |
| 131 | + fi |
| 132 | +
|
| 133 | + # Return to the root directory |
| 134 | + cd "$root_dir" || exit 1 |
| 135 | + } |
| 136 | +
|
| 137 | + # Process the guardrails folder first |
| 138 | + echo "Processing guardrails folders first..." |
| 139 | + process_folder "baselines/guardrails/folder_hierarchy" "base_folder_name" "SandBox" |
| 140 | + process_folder "baselines/guardrails/turbot_profiles" "user_profile" "$USER_PROFILE" |
| 141 | +
|
| 142 | + # Process _mods folders if they had changes |
| 143 | + echo "Processing changed _mods folders first..." |
| 144 | + for folder_path in $(echo "$changed_folders" | grep '_mods'); do |
| 145 | + if ls "$folder_path"/*.tf >/dev/null 2>&1; then |
| 146 | + if [ -f "$folder_path/default.tfvars" ]; then |
| 147 | + process_folder "$folder_path" "" "default.tfvars" |
| 148 | + else |
| 149 | + process_folder "$folder_path" |
| 150 | + fi |
| 151 | + fi |
| 152 | + done |
| 153 | +
|
| 154 | + # Process remaining folders |
| 155 | + echo "Processing remaining changed folders..." |
| 156 | + for folder_path in $changed_folders; do |
| 157 | + # Skip already processed _mods folders and specific guardrails folders |
| 158 | + if [[ "$folder_path" == "baselines/guardrails/folder_hierarchy" || "$folder_path" == "baselines/guardrails/turbot_profiles" || "$folder_path" == *"_mods" ]]; then |
| 159 | + continue |
| 160 | + fi |
| 161 | +
|
| 162 | + # Check if the folder contains .tf files (meaning it's a Terraform folder) |
| 163 | + if ls "$folder_path"/*.tf >/dev/null 2>&1; then |
| 164 | + if [ -f "$folder_path/default.tfvars" ]; then |
| 165 | + process_folder "$folder_path" "" "default.tfvars" |
| 166 | + else |
| 167 | + process_folder "$folder_path" |
| 168 | + fi |
50 | 169 | fi
|
51 |
| - cd - > /dev/null |
52 | 170 | done
|