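---
# Terraform Plan: runs `terraform plan` on pushes and pull requests and
# uploads the saved plan (tfplan) as an artifact so a separate apply
# workflow can apply exactly what was planned.
#
# NOTE(review): third-party actions are referenced by major tag (@v4, @v3).
# Pinning each `uses:` to a full commit SHA (<action-commit-sha-placeholder>)
# protects the pipeline against a retagged release; not changed here.
name: Terraform Plan

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
      - staging
      - prod
  pull_request:
    branches:
      - main
      - staging
      - prod

env:
  AWS_REGION: "us-east-1"
  # TF_VAR_FILE and TF_WORKSPACE are written to $GITHUB_ENV by the
  # "Determine Environment and Workspace" step below.

# Explicit permissions: every scope not listed is `none`.
permissions:
  id-token: write  # OIDC token for aws-actions/configure-aws-credentials
  contents: read   # actions/checkout
  # pull-requests: write is not granted: no step in this workflow posts PR
  # comments. Add it back together with the step that needs it.

jobs:
  plan:
    runs-on: ubuntu-latest
    # main and prod both plan the production workspace (see the Determine
    # step), so both map to the production environment; previously a push
    # to prod landed in pr_check while planning production.
    environment:
      name: ${{ (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/prod') && 'production' || github.ref == 'refs/heads/staging' && 'staging' || 'pr_check' }}
      url: ${{ (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/prod') && 'https://app.buildrappo.com' || github.ref == 'refs/heads/staging' && 'https://app.staging.buildrappo.com' || '' }}
    steps:
      # Context values are handed to the script through `env:` and expanded
      # by the shell instead of being interpolated with ${{ }} into the
      # script text: head_ref in particular is a branch name chosen by the
      # PR author.
      - name: Dump GitHub context
        env:
          EVENT_NAME: ${{ github.event_name }}
          REF: ${{ github.ref }}
          REF_TYPE: ${{ github.ref_type }}
          BASE_REF: ${{ github.base_ref }}
          HEAD_REF: ${{ github.head_ref }}
          SHA: ${{ github.sha }}
          REPOSITORY: ${{ github.repository }}
          RUN_ID: ${{ github.run_id }}
          RUN_ATTEMPT: ${{ github.run_attempt }}
        run: |
          echo "Event Name: $EVENT_NAME"
          echo "Ref: $REF"
          echo "Ref Type: $REF_TYPE"
          echo "Base Ref: $BASE_REF"
          echo "Head Ref: $HEAD_REF"
          echo "SHA: $SHA"
          echo "Repository: $REPOSITORY"
          echo "Run ID: $RUN_ID"
          echo "Run Attempt: $RUN_ATTEMPT"

      - name: Git clone the repository
        uses: actions/checkout@v4

      # NOTE(review): pull_request runs from forks receive no id-token, so
      # this step fails for fork PRs — presumably intended; confirm. If the
      # role's trust policy restricts the OIDC `sub` claim by branch or
      # environment, PR runs (environment pr_check) must be allowed by it.
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::211125474860:role/GitHubAction-AssumeRoleWithAction
          role-session-name: GitHub_to_AWS_via_FederatedOIDC
          aws-region: ${{ env.AWS_REGION }}

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3

      # Chooses the tfvars file and Terraform workspace from the branch.
      # For pull_request events GITHUB_REF is refs/pull/<n>/merge, so the
      # target branch (GITHUB_BASE_REF) decides; the previous version fell
      # into the "unknown branch" default for every PR and planned staging
      # even for PRs targeting main/prod.
      - name: Determine Environment and Workspace
        run: |
          set -euo pipefail
          echo "GITHUB_REF=$GITHUB_REF"
          if [[ "$GITHUB_EVENT_NAME" == "pull_request" ]]; then
            BRANCH_NAME="$GITHUB_BASE_REF"
          else
            BRANCH_NAME="${GITHUB_REF#refs/heads/}"
          fi
          echo "Branch: $BRANCH_NAME (event: $GITHUB_EVENT_NAME)"
          case "$BRANCH_NAME" in
            main|prod)
              echo "Setting environment for PRODUCTION Plan"
              echo "TF_VAR_FILE=production.tfvars" >> "$GITHUB_ENV"
              echo "TF_WORKSPACE=default" >> "$GITHUB_ENV"
              ;;
            staging)
              echo "Setting environment for STAGING Plan"
              echo "TF_VAR_FILE=staging.tfvars" >> "$GITHUB_ENV"
              echo "TF_WORKSPACE=staging" >> "$GITHUB_ENV"
              ;;
            *)
              echo "Unknown branch. Defaulting to STAGING Plan environment."
              echo "TF_VAR_FILE=staging.tfvars" >> "$GITHUB_ENV"
              echo "TF_WORKSPACE=staging" >> "$GITHUB_ENV"
              ;;
          esac

      - name: Terraform Init
        run: terraform init

      - name: Terraform Format Check
        run: terraform fmt -check

      - name: Terraform Validate
        run: terraform validate -no-color

      # TF_VAR_FILE is a job env var written by the Determine step; the shell
      # reads it directly rather than via ${{ env.* }} interpolation.
      - name: Terraform Plan
        id: plan
        run: terraform plan -var-file="$TF_VAR_FILE" -out=tfplan -no-color

      # A saved plan file can contain variable values and resource
      # attributes, including ones Terraform marks sensitive; anyone who can
      # read this repository's workflow runs can download the artifact.
      # Retention is kept short for that reason.
      - name: Upload Terraform Plan Artifact
        uses: actions/upload-artifact@v4
        with:
          name: terraform-plan-${{ github.run_id }}-${{ env.TF_WORKSPACE }}
          path: tfplan
          retention-days: 7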
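---
# Terraform Apply Staging: manually triggered; downloads the tfplan artifact
# produced by a given Terraform Plan run and applies it to the staging
# workspace. The run id and commit SHA are both supplied by the operator, so
# the workflow checks that they belong together before touching AWS.
name: Terraform Apply Staging

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
    inputs:
      plan_run_id:
        description: 'Run ID of the Terraform Plan workflow that generated the tfplan artifact for staging.'
        required: true
        type: string
      commit_sha:
        description: 'Full Commit SHA the plan was generated against (for checkout consistency).'
        required: true
        type: string

env:
  AWS_REGION: "us-east-1"
  TF_WORKSPACE: "staging"  # Staging always uses 'staging' workspace

# Explicit permissions: every scope not listed is `none`.
permissions:
  id-token: write  # For OIDC
  contents: read   # For checkout
  actions: read    # Read another run's artifact and metadata (download-artifact with run-id, gh run view)

jobs:
  apply_staging:
    runs-on: ubuntu-latest
    environment:
      name: staging
      url: https://app.staging.buildrappo.com
    steps:
      # Inputs are passed through `env:` and expanded by the shell rather
      # than interpolated with ${{ }} into the script text.
      - name: Log Inputs
        env:
          PLAN_RUN_ID: ${{ github.event.inputs.plan_run_id }}
          COMMIT_SHA: ${{ github.event.inputs.commit_sha }}
        run: |
          echo "Applying Staging Plan from original Plan Workflow Run ID: $PLAN_RUN_ID"
          echo "Commit SHA for checkout: $COMMIT_SHA"
          echo "Target Terraform Workspace: $TF_WORKSPACE"

      # plan_run_id and commit_sha are independent operator inputs; without
      # this check a plan computed from one commit could be applied while a
      # different commit is checked out. Runs before any AWS credentials are
      # obtained so a mismatch fails fast.
      - name: Verify the plan run was produced from commit_sha
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: ${{ github.repository }}
          PLAN_RUN_ID: ${{ github.event.inputs.plan_run_id }}
          EXPECTED_SHA: ${{ github.event.inputs.commit_sha }}
        run: |
          set -euo pipefail
          PLAN_SHA="$(gh run view "$PLAN_RUN_ID" --json headSha --jq '.headSha')"
          if [[ "$PLAN_SHA" != "$EXPECTED_SHA" ]]; then
            echo "::error::Plan run $PLAN_RUN_ID was generated from $PLAN_SHA, not from the requested commit $EXPECTED_SHA"
            exit 1
          fi
          echo "Plan run $PLAN_RUN_ID matches commit $EXPECTED_SHA"

      - name: Git clone the repository at specific commit
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.inputs.commit_sha }}

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::211125474860:role/GitHubAction-AssumeRoleWithAction
          role-session-name: GitHub_ApplyStaging_OIDC
          aws-region: ${{ env.AWS_REGION }}

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3

      # run-id points at a different workflow run, which download-artifact@v4
      # only allows when a github-token is supplied (and actions: read is
      # granted above); without it the download fails.
      - name: Download Terraform Plan Artifact
        uses: actions/download-artifact@v4
        with:
          name: terraform-plan-${{ github.event.inputs.plan_run_id }}-${{ env.TF_WORKSPACE }}
          path: .  # Download tfplan to current directory
          run-id: ${{ github.event.inputs.plan_run_id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Terraform Init
        run: terraform init  # Init is required before apply, even with an existing plan file

      # Applying a saved plan needs no -var-file; the plan already binds the
      # variable values. Terraform refuses a plan whose state has since
      # changed, which is the intended safety net for stale plans.
      - name: Terraform Apply (Staging - From Plan)
        run: terraform apply -no-color tfplan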