Skip to content

use de system permission #286

use de system permission

use de system permission #286

Workflow file for this run

name: 'Validate PR'
on:
- pull_request_target
concurrency: terraform
permissions:
id-token: write
contents: read
pull-requests: read
jobs:
terraform:
name: 'Terraform'
runs-on: ubuntu-latest
env:
ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
ARM_USE_OIDC: true
GITHUB_TOKEN: ${{ secrets.GH_AUTOMATION_PAT }}
GITHUB_OWNER: kedacore
GRAFANA_CLOUD_API_KEY: ${{ secrets.GRAFANA_CLOUD_API_KEY }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Checkout Pull Request
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
id: checkout
run: |
gh pr checkout ${{ github.event.number }}
- name: Log into Azure using OIDC
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Log into AWS using OIDC
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
aws-region: eu-west-2
- name: Log into GCP using OIDC
uses: google-github-actions/auth@v2
with:
workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
- name: Setup Terraform
uses: hashicorp/[email protected]
- name: Setup TFLint
uses: terraform-linters/setup-tflint@v4
- name: Terraform Format
id: fmt
run: terraform fmt -recursive -check
continue-on-error: true
working-directory: terraform
- name: Init TFLint
run: tflint --init
working-directory: terraform
- name: Run TFLint
run: tflint -f compact
id: lint
continue-on-error: true
working-directory: terraform
- name: Terraform Init
id: init
run: |
terraform init \
-backend-config=storage_account_name=${{ secrets.BACKEND_STORAGE_ACCOUNT_NAME}} \
-backend-config=container_name=${{ secrets.BACKEND_STORAGE_CONTAINER_NAME}} \
-backend-config=resource_group_name=${{ secrets.BACKEND_STORAGE_RESOURCE_GROUP_NAME}} \
-backend-config=subscription_id="$ARM_SUBSCRIPTION_ID"
working-directory: terraform
- name: Terraform Validate
id: validate
run: terraform validate -no-color
working-directory: terraform
- name: Terraform Plan
id: plan
run: terraform plan -no-color -input=false
continue-on-error: true
working-directory: terraform
- name: Create the plan summary
uses: actions/github-script@v7
if: always()
id: summary
env:
PLAN: '${{ steps.plan.outputs.stdout }}'
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
// 1. Prep the output
const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
#### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
<details><summary>Validation Output</summary>
\`\`\`\n
${{ steps.validate.outputs.stdout }}
\`\`\`
</details>
#### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
<details><summary>Show Plan</summary>
\`\`\`\n
${process.env.PLAN}
\`\`\`
</details>
*Pusher: @${{ github.actor }}*`;
// 2. Set the output variable
const fs = require('fs');
fs.writeFileSync('summary.md', output);
core.setOutput('summary', output);
- name: Write the step summary
if: always()
run: cat summary.md >> $GITHUB_STEP_SUMMARY
- name: Terraform Format Status
if: steps.fmt.outcome == 'failure'
run: exit 1
- name: Terraform Lint Status
if: steps.lint.outcome == 'failure'
run: exit 1
- name: Terraform Plan Status
if: steps.plan.outcome == 'failure'
run: exit 1