From 4f2fe67149f84e0135b28e91941555dd4df5685e Mon Sep 17 00:00:00 2001 From: Mikhail Shirkov Date: Tue, 19 Nov 2024 17:36:21 +0400 Subject: [PATCH 01/31] Use gcp credentials --- action.yml | 46 ++++++++++++++++++++++++++++++++++++++----- docs/github-action.md | 1 + 2 files changed, 42 insertions(+), 5 deletions(-) diff --git a/action.yml b/action.yml index 751f689c7..350b4b375 100644 --- a/action.yml +++ b/action.yml @@ -51,6 +51,9 @@ inputs: not supplied by the user. When running this action on github.com, the default value is sufficient. When running on GHES, you can pass a personal access token for github.com if you are experiencing rate limiting. default: ${{ github.server_url == 'https://github.com' && github.token || '' }} + gcp-credentials: + description: "Google Cloud service account key JSON" + required: false outputs: summary: description: "Summary" 
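Review bot: The new `gcp-credentials` input in the `inputs:` hunk accepts a long-lived service-account key JSON, but its description does not say that the value is a secret that must come from a `${{ secrets.* }}` context (only then is it masked in logs); a description such as `description: "Google Cloud service account key JSON (pass from secrets; prefer Workload Identity Federation)"` would make that explicit. A static key is also the weaker option next to OIDC-based Workload Identity Federation, which PATCH 15 in this series switches to. If this commit is released on its own, the input row added to `docs/github-action.md` in the same patch should carry the same note.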
@@ -83,7 +86,9 @@ runs: echo "opentofu-version=$(atmos describe config -f json | jq -r '.integrations.github.gitops["opentofu-version"]')" >> $GITHUB_OUTPUT echo "terraform-version=$(atmos describe config -f json | jq -r '.integrations.github.gitops["terraform-version"]')" >> $GITHUB_OUTPUT echo "enable-infracost=$(atmos describe config -f json | jq -r '.integrations.github.gitops["infracost-enabled"]')" >> $GITHUB_OUTPUT + echo "backend=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"].backend')" >> $GITHUB_OUTPUT echo "aws-region=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"].region')" >> $GITHUB_OUTPUT + echo "gcp-project-id=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"].gcp-project-id')" >> $GITHUB_OUTPUT echo "terraform-state-role=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"].role')" >> $GITHUB_OUTPUT echo "terraform-state-table=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"].table')" >> $GITHUB_OUTPUT echo "terraform-state-bucket=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"].bucket')" >> $GITHUB_OUTPUT @@ -108,6 +113,7 @@ runs: tag: v4.11.0 - name: Configure Plan AWS Credentials + if: ${{ steps.config.outputs.backend == 'aws' }} uses: aws-actions/configure-aws-credentials@v4.0.2 with: aws-region: ${{ steps.config.outputs.aws-region }} @@ -273,10 +279,10 @@ runs: role-session-name: "atmos-terraform-state-gitops" mask-aws-account-id: "no" - - name: Store New Plan - if: ${{ steps.atmos-plan.outputs.error == 'false' }} + - name: Store New Plan (AWS) + if: ${{ steps.atmos-plan.outputs.error == 'false' && steps.config.outputs.backend == 'aws' }} uses: cloudposse/github-action-terraform-plan-storage@v1 - id: store-plan + id: store-plan-aws with: action: storePlan commitSHA: ${{ inputs.sha }} 
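Review bot: `jq -r` prints the literal string `null` when `artifact-storage.backend` is absent, so for every existing `atmos.yaml` that predates this key `steps.config.outputs.backend` becomes `null` and the new `if: ${{ steps.config.outputs.backend == 'aws' }}` gates on `Configure Plan AWS Credentials` (`@@ -108`), `Store New Plan (AWS)` (`@@ -273`), `Store Lockfile for New Plan (AWS)` (`@@ -286`) and, in PATCH 04, `Configure State AWS Credentials` all silently skip — the AWS path stops working instead of failing loudly. The file already treats this literal specially elsewhere (`opentofu-version == 'null'`), so the safest fix is to default at extraction time: `echo "backend=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"].backend // "aws"')" >> $GITHUB_OUTPUT`. The same `null` value lands in `gcp-project-id` when the backend is AWS, which is harmless only as long as that output is consumed solely by Google-gated steps. The `run:` block containing these lines starts outside the hunk.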
@@ -286,8 +292,24 @@ runs: tableName: ${{ steps.config.outputs.terraform-state-table }} bucketName: ${{ steps.config.outputs.terraform-state-bucket }} - - name: Store Lockfile for New Plan - if: ${{ steps.atmos-plan.outputs.error == 'false' }} + - name: Store New Plan (Google) + if: ${{ steps.atmos-plan.outputs.error == 'false' && steps.config.outputs.backend == 'google' }} + uses: shirkevich/github-action-terraform-plan-storage@google-cloud-backend + id: store-plan-google + with: + action: storePlan + commitSHA: ${{ inputs.sha }} + planPath: ${{ steps.vars.outputs.plan_file }} + component: ${{ inputs.component }} + stack: ${{ inputs.stack }} + planRepositoryType: gcs + gcpCredentials: ${{ inputs.gcp-credentials }} + gcpProjectId: ${{ steps.config.outputs.gcp-project-id }} + metadataRepositoryType: firestore + firestoreCollectionName: ${{ steps.config.outputs.terraform-state-table }} + + - name: Store Lockfile for New Plan (AWS) + if: ${{ steps.atmos-plan.outputs.error == 'false' && steps.config.outputs.backend == 'aws' }} uses: cloudposse/github-action-terraform-plan-storage@v1 with: action: storePlan 
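Review bot: `uses: shirkevich/github-action-terraform-plan-storage@google-cloud-backend` pulls a personal fork at a mutable branch ref and hands it `gcpCredentials` (the service-account key) plus the job's token context, so anyone who can push to that branch can change what runs with those credentials; the same reference appears in `Store Lockfile for New Plan (Google)` (`@@ -298`). PATCH 08 through PATCH 13 pin it to a full commit SHA, but PATCH 14 reverts to the branch, which is the state left at the end of this series. Pin to an immutable full SHA (`uses: shirkevich/github-action-terraform-plan-storage@<full-commit-sha>  # <version>` with the placeholder filled in), or better, consume the upstream `cloudposse/github-action-terraform-plan-storage` release once the GCS/Firestore backend lands there, matching the `@v1` used by the AWS steps.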
@@ -298,6 +320,20 @@ runs: tableName: ${{ steps.config.outputs.terraform-state-table }} bucketName: ${{ steps.config.outputs.terraform-state-bucket }} + - name: Store Lockfile for New Plan (Google) + if: ${{ steps.atmos-plan.outputs.error == 'false' && steps.config.outputs.backend == 'google' }} + uses: shirkevich/github-action-terraform-plan-storage@google-cloud-backend + with: + action: storePlan + commitSHA: ${{ inputs.sha }} + planPath: ${{ steps.vars.outputs.lock_file }} + component: ${{ inputs.component }} + stack: ${{ inputs.stack }}-lockfile + planRepositoryType: gcs + gcpCredentials: ${{ inputs.gcp-credentials }} + gcpProjectId: ${{ steps.config.outputs.gcp-project-id }} + metadataRepositoryType: firestore + - name: Setup Infracost if: ${{ steps.config.outputs.enable-infracost == 'true' && steps.atmos-plan.outputs.changes == 'true' }} uses: infracost/actions/setup@v3 diff --git a/docs/github-action.md b/docs/github-action.md index 26c44b7db..572948e3f 100644 --- a/docs/github-action.md +++ b/docs/github-action.md @@ -16,6 +16,7 @@ | sha | Commit SHA to plan. Default: github.sha | ${{ github.event.pull\_request.head.sha }} | true | | stack | The stack name for the given component. | N/A | true | | token | Used to pull node distributions for Atmos from Cloud Posse's GitHub repository. Since there's a default, this is typically not supplied by the user. When running this action on github.com, the default value is sufficient. When running on GHES, you can pass a personal access token for github.com if you are experiencing rate limiting. | ${{ github.server\_url == 'https://github.com' && github.token \|\| '' }} | false | +| gcp-credentials | Google Cloud service account key JSON | N/A | false | ## Outputs From 62b7de807a07d2a2c3e62d0d599ba60ed6335fca Mon Sep 17 00:00:00 2001 From: Mikhail Shirkov Date: Tue, 19 Nov 2024 18:34:51 +0400 Subject: [PATCH 02/31] Fix parsing of gcp-project-id --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/action.yml b/action.yml index 350b4b375..7704966cc 100644 --- a/action.yml +++ b/action.yml @@ -88,7 +88,7 @@ runs: echo "enable-infracost=$(atmos describe config -f json | jq -r '.integrations.github.gitops["infracost-enabled"]')" >> $GITHUB_OUTPUT echo "backend=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"].backend')" >> $GITHUB_OUTPUT echo "aws-region=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"].region')" >> $GITHUB_OUTPUT - echo "gcp-project-id=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"].gcp-project-id')" >> $GITHUB_OUTPUT + echo "gcp-project-id=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"]."gcp-project-id"')" >> $GITHUB_OUTPUT echo "terraform-state-role=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"].role')" >> $GITHUB_OUTPUT echo "terraform-state-table=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"].table')" >> $GITHUB_OUTPUT echo "terraform-state-bucket=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"].bucket')" >> $GITHUB_OUTPUT From 65a8d2918ed86e32e3c1970b66dac2aec4f757bb Mon Sep 17 00:00:00 2001 From: Mikhail Shirkov Date: Tue, 19 Nov 2024 19:09:16 +0400 Subject: [PATCH 03/31] Add credentials file for plan when running in google --- action.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/action.yml b/action.yml index 7704966cc..c8200bfb7 100644 --- a/action.yml +++ b/action.yml 
@@ -202,6 +202,12 @@ runs: run: | set +e + if [[ "${{ steps.config.outputs.backend }}" == "google" ]]; then + # Create credentials file and set environment variable + echo '${{ inputs.gcp-credentials }}' > /tmp/gcp-credentials.json + export GOOGLE_APPLICATION_CREDENTIALS=/tmp/gcp-credentials.json + fi + TERRAFORM_OUTPUT_FILE="./terraform-${GITHUB_RUN_ID}-output.txt" tfcmt \ From 75e616b4e89c7e6c36adbba8fbb86a7503da96d0 Mon Sep 17 00:00:00 2001 From: Mikhail Shirkov Date: Tue, 19 Nov 2024 19:12:44 +0400 Subject: [PATCH 04/31] Do not run aws tasks when backend is google --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index c8200bfb7..16ee0b698 100644 --- a/action.yml +++ b/action.yml @@ -277,7 +277,7 @@ runs: rm -f ${TERRAFORM_OUTPUT_FILE} - name: Configure State AWS Credentials - if: ${{ steps.atmos-plan.outputs.error == 'false' }} + if: ${{ steps.atmos-plan.outputs.error == 'false' && steps.config.outputs.backend == 'aws' }} uses: aws-actions/configure-aws-credentials@v4.0.2 with: aws-region: ${{ steps.config.outputs.aws-region }} From 0d8bdc0c09cf1ab2534b9d4dfbc317eb7d46aba7 Mon Sep 17 00:00:00 2001 From: Mikhail Shirkov Date: Tue, 19 Nov 2024 19:15:39 +0400 Subject: [PATCH 05/31] Fix naming for firestore --- action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index 16ee0b698..4d163261b 100644 --- a/action.yml +++ b/action.yml @@ -312,7 +312,7 @@ runs: gcpCredentials: ${{ inputs.gcp-credentials }} gcpProjectId: ${{ steps.config.outputs.gcp-project-id }} metadataRepositoryType: firestore - firestoreCollectionName: ${{ steps.config.outputs.terraform-state-table }} + tableName: ${{ steps.config.outputs.terraform-state-table }} - name: Store Lockfile for New Plan (AWS) if: ${{ steps.atmos-plan.outputs.error == 'false' && steps.config.outputs.backend == 'aws' }} 
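Review bot: `echo '${{ inputs.gcp-credentials }}' > /tmp/gcp-credentials.json` interpolates the input into the script text before bash runs it, so a single quote anywhere in the value ends the quoted string and the remainder of the key (JSON, not a shell-safe string) is interpreted as shell — a reliability problem and a script-injection risk; the file is also created under the default umask in a shared `/tmp` and never removed. Pass the value through the step's `env:` instead and write it with `printf '%s' "$GCP_CREDENTIALS" > "$RUNNER_TEMP/gcp-credentials.json"` after `umask 077`, then delete it at the end of the step. PATCH 15 later replaces this block with `google-github-actions/auth`, which keeps the key off the runner entirely. The `run:` block containing this hunk starts and ends outside it.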
@@ -339,7 +339,7 @@ runs: gcpCredentials: ${{ inputs.gcp-credentials }} gcpProjectId: ${{ steps.config.outputs.gcp-project-id }} metadataRepositoryType: firestore - + tableName: ${{ steps.config.outputs.terraform-state-table }} - name: Setup Infracost if: ${{ steps.config.outputs.enable-infracost == 'true' && steps.atmos-plan.outputs.changes == 'true' }} uses: infracost/actions/setup@v3 From e9e07b3af7c6c12a1dbadc4c47485f761c2b0a81 Mon Sep 17 00:00:00 2001 From: Mikhail Shirkov Date: Tue, 19 Nov 2024 19:45:04 +0400 Subject: [PATCH 06/31] Do not cache terraform-plan repo --- action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index 4d163261b..ea40c2ff6 100644 --- a/action.yml +++ b/action.yml @@ -300,7 +300,7 @@ runs: - name: Store New Plan (Google) if: ${{ steps.atmos-plan.outputs.error == 'false' && steps.config.outputs.backend == 'google' }} - uses: shirkevich/github-action-terraform-plan-storage@google-cloud-backend + uses: shirkevich/github-action-terraform-plan-storage@google-cloud-backend?v=1 id: store-plan-google with: action: storePlan @@ -328,7 +328,7 @@ runs: - name: Store Lockfile for New Plan (Google) if: ${{ steps.atmos-plan.outputs.error == 'false' && steps.config.outputs.backend == 'google' }} - uses: shirkevich/github-action-terraform-plan-storage@google-cloud-backend + uses: shirkevich/github-action-terraform-plan-storage@google-cloud-backend?v=1 with: action: storePlan commitSHA: ${{ inputs.sha }} From 4cf94d39e4f90a2ec39903510bb618433fac3964 Mon Sep 17 00:00:00 2001 From: Mikhail Shirkov Date: Tue, 19 Nov 2024 19:49:19 +0400 Subject: [PATCH 07/31] Specify latest version via gitsha --- action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index ea40c2ff6..0af66c734 100644 --- a/action.yml +++ b/action.yml 
@@ -300,7 +300,7 @@ runs: - name: Store New Plan (Google) if: ${{ steps.atmos-plan.outputs.error == 'false' && steps.config.outputs.backend == 'google' }} - uses: shirkevich/github-action-terraform-plan-storage@google-cloud-backend?v=1 + uses: shirkevich/github-action-terraform-plan-storage@c6f8f7e id: store-plan-google with: action: storePlan @@ -328,7 +328,7 @@ runs: - name: Store Lockfile for New Plan (Google) if: ${{ steps.atmos-plan.outputs.error == 'false' && steps.config.outputs.backend == 'google' }} - uses: shirkevich/github-action-terraform-plan-storage@google-cloud-backend?v=1 + uses: shirkevich/github-action-terraform-plan-storage@c6f8f7e with: action: storePlan commitSHA: ${{ inputs.sha }} From 5e573e0243cf42414366c13adb11e37f1a36b255 Mon Sep 17 00:00:00 2001 From: Mikhail Shirkov Date: Tue, 19 Nov 2024 19:51:59 +0400 Subject: [PATCH 08/31] Specify latest version via full gitsha --- action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index 0af66c734..ddb07cb38 100644 --- a/action.yml +++ b/action.yml @@ -300,7 +300,7 @@ runs: - name: Store New Plan (Google) if: ${{ steps.atmos-plan.outputs.error == 'false' && steps.config.outputs.backend == 'google' }} - uses: shirkevich/github-action-terraform-plan-storage@c6f8f7e + uses: shirkevich/github-action-terraform-plan-storage@c6f8f7e0fdb4f8ed21ebceec068a68117fb9114f id: store-plan-google with: action: storePlan @@ -328,7 +328,7 @@ runs: - name: Store Lockfile for New Plan (Google) if: ${{ steps.atmos-plan.outputs.error == 'false' && steps.config.outputs.backend == 'google' }} - uses: shirkevich/github-action-terraform-plan-storage@c6f8f7e + uses: shirkevich/github-action-terraform-plan-storage@c6f8f7e0fdb4f8ed21ebceec068a68117fb9114f with: action: storePlan commitSHA: ${{ inputs.sha }} From f6a2781596c16017299d2848c8c912f5dae32fa1 Mon Sep 17 00:00:00 2001 
From: Mikhail Shirkov Date: Tue, 19 Nov 2024 20:06:04 +0400 Subject: [PATCH 09/31] Bump latest sha --- action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index ddb07cb38..46c229f77 100644 --- a/action.yml +++ b/action.yml @@ -300,7 +300,7 @@ runs: - name: Store New Plan (Google) if: ${{ steps.atmos-plan.outputs.error == 'false' && steps.config.outputs.backend == 'google' }} - uses: shirkevich/github-action-terraform-plan-storage@c6f8f7e0fdb4f8ed21ebceec068a68117fb9114f + uses: shirkevich/github-action-terraform-plan-storage@935c724bfe991c8b12260981f37118063cd5f400 id: store-plan-google with: action: storePlan @@ -328,7 +328,7 @@ runs: - name: Store Lockfile for New Plan (Google) if: ${{ steps.atmos-plan.outputs.error == 'false' && steps.config.outputs.backend == 'google' }} - uses: shirkevich/github-action-terraform-plan-storage@c6f8f7e0fdb4f8ed21ebceec068a68117fb9114f + uses: shirkevich/github-action-terraform-plan-storage@935c724bfe991c8b12260981f37118063cd5f400 with: action: storePlan commitSHA: ${{ inputs.sha }} From c4ddd3c14c81f93a94da9f3ddea20557bd2ac5b2 Mon Sep 17 00:00:00 2001 From: Mikhail Shirkov Date: Tue, 19 Nov 2024 20:16:44 +0400 Subject: [PATCH 10/31] Bump sha --- action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index 46c229f77..062b6b25e 100644 --- a/action.yml +++ b/action.yml @@ -300,7 +300,7 @@ runs: - name: Store New Plan (Google) if: ${{ steps.atmos-plan.outputs.error == 'false' && steps.config.outputs.backend == 'google' }} - uses: shirkevich/github-action-terraform-plan-storage@935c724bfe991c8b12260981f37118063cd5f400 + uses: shirkevich/github-action-terraform-plan-storage@8cc27bfcbf945d0e54ae90b9357462ac528f781a id: store-plan-google with: action: storePlan 
@@ -328,7 +328,7 @@ runs: - name: Store Lockfile for New Plan (Google) if: ${{ steps.atmos-plan.outputs.error == 'false' && steps.config.outputs.backend == 'google' }} - uses: shirkevich/github-action-terraform-plan-storage@935c724bfe991c8b12260981f37118063cd5f400 + uses: shirkevich/github-action-terraform-plan-storage@8cc27bfcbf945d0e54ae90b9357462ac528f781a with: action: storePlan commitSHA: ${{ inputs.sha }} From 59f12ccbcbeb6bc5b994a03c3b42d5c058dc28de Mon Sep 17 00:00:00 2001 From: Mikhail Shirkov Date: Tue, 19 Nov 2024 20:35:58 +0400 Subject: [PATCH 11/31] Bumping to latest --- action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index 062b6b25e..4c9af89c8 100644 --- a/action.yml +++ b/action.yml @@ -300,7 +300,7 @@ runs: - name: Store New Plan (Google) if: ${{ steps.atmos-plan.outputs.error == 'false' && steps.config.outputs.backend == 'google' }} - uses: shirkevich/github-action-terraform-plan-storage@8cc27bfcbf945d0e54ae90b9357462ac528f781a + uses: shirkevich/github-action-terraform-plan-storage@3005198d4d647872ca19dcb1734083db9758462a id: store-plan-google with: action: storePlan @@ -328,7 +328,7 @@ runs: - name: Store Lockfile for New Plan (Google) if: ${{ steps.atmos-plan.outputs.error == 'false' && steps.config.outputs.backend == 'google' }} - uses: shirkevich/github-action-terraform-plan-storage@8cc27bfcbf945d0e54ae90b9357462ac528f781a + uses: shirkevich/github-action-terraform-plan-storage@3005198d4d647872ca19dcb1734083db9758462a with: action: storePlan commitSHA: ${{ inputs.sha }} From 9022d6dc7ec88f07e0ba7047370aaee4835fd413 Mon Sep 17 00:00:00 2001 From: Mikhail Shirkov Date: Tue, 19 Nov 2024 20:41:49 +0400 Subject: [PATCH 12/31] Pass proper bucket name --- action.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/action.yml b/action.yml index 4c9af89c8..e989bbda9 100644 --- a/action.yml +++ b/action.yml 
@@ -313,6 +313,7 @@ runs: gcpProjectId: ${{ steps.config.outputs.gcp-project-id }} metadataRepositoryType: firestore tableName: ${{ steps.config.outputs.terraform-state-table }} + bucketName: ${{ steps.config.outputs.terraform-state-bucket }} - name: Store Lockfile for New Plan (AWS) if: ${{ steps.atmos-plan.outputs.error == 'false' && steps.config.outputs.backend == 'aws' }} @@ -340,6 +341,8 @@ runs: gcpProjectId: ${{ steps.config.outputs.gcp-project-id }} metadataRepositoryType: firestore tableName: ${{ steps.config.outputs.terraform-state-table }} + bucketName: ${{ steps.config.outputs.terraform-state-bucket }} + - name: Setup Infracost if: ${{ steps.config.outputs.enable-infracost == 'true' && steps.atmos-plan.outputs.changes == 'true' }} uses: infracost/actions/setup@v3 From fc2782f3afccb093059b7d274c950bb5e6aa3253 Mon Sep 17 00:00:00 2001 From: Mikhail Shirkov Date: Tue, 19 Nov 2024 21:19:13 +0400 Subject: [PATCH 13/31] Bumping sha again --- action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index e989bbda9..cc3e33054 100644 --- a/action.yml +++ b/action.yml @@ -300,7 +300,7 @@ runs: - name: Store New Plan (Google) if: ${{ steps.atmos-plan.outputs.error == 'false' && steps.config.outputs.backend == 'google' }} - uses: shirkevich/github-action-terraform-plan-storage@3005198d4d647872ca19dcb1734083db9758462a + uses: shirkevich/github-action-terraform-plan-storage@d044efc50beac1549e9a088ef7ec63e441ed56f6 id: store-plan-google with: action: storePlan @@ -329,7 +329,7 @@ runs: - name: Store Lockfile for New Plan (Google) if: ${{ steps.atmos-plan.outputs.error == 'false' && steps.config.outputs.backend == 'google' }} - uses: shirkevich/github-action-terraform-plan-storage@3005198d4d647872ca19dcb1734083db9758462a + uses: shirkevich/github-action-terraform-plan-storage@d044efc50beac1549e9a088ef7ec63e441ed56f6 with: action: storePlan commitSHA: ${{ inputs.sha }} 
From a24f5b6d2b7080c920a8b2631a717d83c9bf23e5 Mon Sep 17 00:00:00 2001 From: Mikhail Shirkov Date: Tue, 19 Nov 2024 21:33:40 +0400 Subject: [PATCH 14/31] Trying to usr branch again --- action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index cc3e33054..20de663c1 100644 --- a/action.yml +++ b/action.yml @@ -300,7 +300,7 @@ runs: - name: Store New Plan (Google) if: ${{ steps.atmos-plan.outputs.error == 'false' && steps.config.outputs.backend == 'google' }} - uses: shirkevich/github-action-terraform-plan-storage@d044efc50beac1549e9a088ef7ec63e441ed56f6 + uses: shirkevich/github-action-terraform-plan-storage@google-cloud-backend id: store-plan-google with: action: storePlan @@ -329,7 +329,7 @@ runs: - name: Store Lockfile for New Plan (Google) if: ${{ steps.atmos-plan.outputs.error == 'false' && steps.config.outputs.backend == 'google' }} - uses: shirkevich/github-action-terraform-plan-storage@d044efc50beac1549e9a088ef7ec63e441ed56f6 + uses: shirkevich/github-action-terraform-plan-storage@google-cloud-backend with: action: storePlan commitSHA: ${{ inputs.sha }} From beaa6c85058f0be8bc3b024106e0d45b0af3c001 Mon Sep 17 00:00:00 2001 From: Mikhail Shirkov Date: Tue, 19 Nov 2024 22:59:15 +0400 Subject: [PATCH 15/31] Use github oidc instead of credentials file --- action.yml | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/action.yml b/action.yml index 20de663c1..ef0e199a6 100644 --- a/action.yml +++ b/action.yml @@ -51,9 +51,7 @@ inputs: not supplied by the user. When running this action on github.com, the default value is sufficient. When running on GHES, you can pass a personal access token for github.com if you are experiencing rate limiting. default: ${{ github.server_url == 'https://github.com' && github.token || '' }} - gcp-credentials: - description: "Google Cloud service account key JSON" - required: false + outputs: summary: description: "Summary" 
@@ -89,6 +87,8 @@ runs: echo "backend=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"].backend')" >> $GITHUB_OUTPUT echo "aws-region=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"].region')" >> $GITHUB_OUTPUT echo "gcp-project-id=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"]."gcp-project-id"')" >> $GITHUB_OUTPUT + echo "google-workload-identity-provider=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"]."google-workload-identity-provider"')" >> $GITHUB_OUTPUT + echo "google-service-account=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"]."google-service-account"')" >> $GITHUB_OUTPUT echo "terraform-state-role=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"].role')" >> $GITHUB_OUTPUT echo "terraform-state-table=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"].table')" >> $GITHUB_OUTPUT echo "terraform-state-bucket=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"].bucket')" >> $GITHUB_OUTPUT @@ -121,6 +121,13 @@ runs: role-session-name: "atmos-terraform-plan-gitops" mask-aws-account-id: "no" + - name: Configure Plan Google Credentials + if: ${{ fromJson(steps.component.outputs.settings).enabled && inputs.backend == 'google' }} + uses: google-github-actions/auth@v2 + with: + workload_identity_provider: ${{ steps.config.outputs.google-workload-identity-provider }} + service_account: ${{ steps.config.outputs.google-service-account }} + - name: Get atmos settings uses: cloudposse/github-action-atmos-get-setting@v1 id: component 
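Review bot: The new `Configure Plan Google Credentials` step (`@@ -121`) authenticates once with a single `google-service-account` that the storage steps then reuse, whereas the AWS path keeps a separate `Configure State AWS Credentials` step with its own role; the Google path therefore loses the plan/state privilege split that the README describes, and that one account presumably needs GCS and Firestore write access on top of whatever `terraform plan` reads. If the split matters, read a second key such as `google-state-service-account` in the config step and add a matching auth step ahead of `Store New Plan (Google)`; if it does not, the prerequisites documentation should say that the one account carries both permission sets. `google-github-actions/auth` with `workload_identity_provider` also requires the calling workflow to grant `permissions: id-token: write`, which I could not find stated in the visible documentation changes — a line in the prerequisites section is warranted.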
@@ -202,12 +209,6 @@ runs: run: | set +e - if [[ "${{ steps.config.outputs.backend }}" == "google" ]]; then - # Create credentials file and set environment variable - echo '${{ inputs.gcp-credentials }}' > /tmp/gcp-credentials.json - export GOOGLE_APPLICATION_CREDENTIALS=/tmp/gcp-credentials.json - fi - TERRAFORM_OUTPUT_FILE="./terraform-${GITHUB_RUN_ID}-output.txt" tfcmt \ From d12ca5e1dafeb459c83bf7ee3352e48b5ee4c7f1 Mon Sep 17 00:00:00 2001 From: Mikhail Shirkov Date: Tue, 19 Nov 2024 23:07:59 +0400 Subject: [PATCH 16/31] Fix condition for google backend --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index ef0e199a6..1db94d4e2 100644 --- a/action.yml +++ b/action.yml @@ -122,7 +122,7 @@ runs: mask-aws-account-id: "no" - name: Configure Plan Google Credentials - if: ${{ fromJson(steps.component.outputs.settings).enabled && inputs.backend == 'google' }} + if: ${{ fromJson(steps.component.outputs.settings).enabled && steps.config.outputs.backend == 'google' }} uses: google-github-actions/auth@v2 with: workload_identity_provider: ${{ steps.config.outputs.google-workload-identity-provider }} From 44905e4e4ca0271d8bd696d5792609ef862bc3e6 Mon Sep 17 00:00:00 2001 From: Mikhail Shirkov Date: Tue, 19 Nov 2024 23:40:48 +0400 Subject: [PATCH 17/31] Fixing whitespaces --- action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index 1db94d4e2..86ba2eafb 100644 --- a/action.yml +++ b/action.yml 
@@ -106,11 +106,11 @@ runs: with: cache: true config: |- - opentofu/opentofu: + opentofu/opentofu: tag: ${{ startsWith(steps.config.outputs.opentofu-version, 'v') && steps.config.outputs.opentofu-version || format('v{0}', steps.config.outputs.opentofu-version) }} skip: ${{ steps.config.outputs.opentofu-version == '' || steps.config.outputs.opentofu-version == 'null' }} suzuki-shunsuke/tfcmt: - tag: v4.11.0 + tag: v4.11.0 - name: Configure Plan AWS Credentials if: ${{ steps.config.outputs.backend == 'aws' }} From 3f6f1f3332587b97a1d2656dcdf113eecca6521a Mon Sep 17 00:00:00 2001 From: Mikhail Shirkov Date: Tue, 19 Nov 2024 23:45:29 +0400 Subject: [PATCH 18/31] Debugging action steps --- action.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/action.yml b/action.yml index 86ba2eafb..f351e1cb6 100644 --- a/action.yml +++ b/action.yml @@ -57,6 +57,9 @@ outputs: description: "Summary" value: "${{ steps.summary.outputs.result }}" +env: + ACTIONS_STEP_DEBUG: true + runs: using: "composite" steps: From 37789b95bd1ebd7e8e4fb8e0bc837c3d798203f7 Mon Sep 17 00:00:00 2001 From: Mikhail Shirkov Date: Tue, 19 Nov 2024 23:59:43 +0400 Subject: [PATCH 19/31] Fix condition for google auth --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index f351e1cb6..fd60a15c7 100644 --- a/action.yml +++ b/action.yml @@ -125,7 +125,7 @@ runs: mask-aws-account-id: "no" - name: Configure Plan Google Credentials - if: ${{ fromJson(steps.component.outputs.settings).enabled && steps.config.outputs.backend == 'google' }} + if: ${{ steps.config.outputs.backend == 'google' }} uses: google-github-actions/auth@v2 with: workload_identity_provider: ${{ steps.config.outputs.google-workload-identity-provider }} From 1860e7e315da97f40e22e15fbe377a078ceb9a63 Mon Sep 17 00:00:00 2001 
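Review bot: The top-level `env: ACTIONS_STEP_DEBUG: true` added after `outputs:` (`@@ -57`) is a debugging leftover, as the commit subject says, and should not ship: `env` is not part of the documented action-metadata syntax for a composite action, and runner step-debug logging is enabled through the `ACTIONS_STEP_DEBUG` secret or variable on the caller's side, not through an environment variable set by the action, so the block has no effect at best. Were it to take effect it would switch on verbose logging in every consumer's runs, which is not something a shared action should decide. Drop the three lines before merging; the unquoted `true`, which generic parsers read as a boolean, is a second reason.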
From: Mikhail Shirkov Date: Wed, 20 Nov 2024 00:13:48 +0400 Subject: [PATCH 20/31] Specify firestore databaseId --- action.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/action.yml b/action.yml index fd60a15c7..a39cc0090 100644 --- a/action.yml +++ b/action.yml @@ -90,6 +90,7 @@ runs: echo "backend=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"].backend')" >> $GITHUB_OUTPUT echo "aws-region=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"].region')" >> $GITHUB_OUTPUT echo "gcp-project-id=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"]."gcp-project-id"')" >> $GITHUB_OUTPUT + echo "google-firestore-database-id=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"]."google-firestore-database-id"')" >> $GITHUB_OUTPUT echo "google-workload-identity-provider=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"]."google-workload-identity-provider"')" >> $GITHUB_OUTPUT echo "google-service-account=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"]."google-service-account"')" >> $GITHUB_OUTPUT echo "terraform-state-role=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"].role')" >> $GITHUB_OUTPUT @@ -313,11 +314,11 @@ runs: component: ${{ inputs.component }} stack: ${{ inputs.stack }} planRepositoryType: gcs - gcpCredentials: ${{ inputs.gcp-credentials }} gcpProjectId: ${{ steps.config.outputs.gcp-project-id }} metadataRepositoryType: firestore tableName: ${{ steps.config.outputs.terraform-state-table }} bucketName: ${{ steps.config.outputs.terraform-state-bucket }} + databaseId: ${{ steps.config.outputs.google-firestore-database-id }} - name: Store Lockfile for New Plan (AWS) if: ${{ steps.atmos-plan.outputs.error == 'false' && steps.config.outputs.backend == 'aws' }} 
@@ -341,12 +342,11 @@ runs: component: ${{ inputs.component }} stack: ${{ inputs.stack }}-lockfile planRepositoryType: gcs - gcpCredentials: ${{ inputs.gcp-credentials }} gcpProjectId: ${{ steps.config.outputs.gcp-project-id }} metadataRepositoryType: firestore tableName: ${{ steps.config.outputs.terraform-state-table }} bucketName: ${{ steps.config.outputs.terraform-state-bucket }} - + databaseId: ${{ steps.config.outputs.google-firestore-database-id }} - name: Setup Infracost if: ${{ steps.config.outputs.enable-infracost == 'true' && steps.atmos-plan.outputs.changes == 'true' }} uses: infracost/actions/setup@v3 From ade96d3b4c0932596844b6776ff3f61a02ef3387 Mon Sep 17 00:00:00 2001 From: Mikhail Shirkov Date: Wed, 20 Nov 2024 16:38:24 +0400 Subject: [PATCH 21/31] Fix google params naming --- action.yml | 13 +++++++------ docs/github-action.md | 1 - 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/action.yml b/action.yml index a39cc0090..e4662861e 100644 --- a/action.yml +++ b/action.yml @@ -314,11 +314,11 @@ runs: component: ${{ inputs.component }} stack: ${{ inputs.stack }} planRepositoryType: gcs - gcpProjectId: ${{ steps.config.outputs.gcp-project-id }} metadataRepositoryType: firestore - tableName: ${{ steps.config.outputs.terraform-state-table }} bucketName: ${{ steps.config.outputs.terraform-state-bucket }} - databaseId: ${{ steps.config.outputs.google-firestore-database-id }} + gcpProjectId: ${{ steps.config.outputs.gcp-project-id }} + gcpFirestoreDatabaseName: ${{ steps.config.outputs.google-firestore-database-name }} + gcpFirestoreCollectionName: ${{ steps.config.outputs.google-firestore-collection-name }} - name: Store Lockfile for New Plan (AWS) if: ${{ steps.atmos-plan.outputs.error == 'false' && steps.config.outputs.backend == 'aws' }} 
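Review bot: The renamed inputs read `steps.config.outputs.google-firestore-database-name` and `steps.config.outputs.google-firestore-collection-name`, but in the visible hunks the config step only ever writes `google-firestore-database-id` (PATCH 20) and `gcp-project-id`; an unknown step output evaluates to an empty string with no error, so both Google storage steps would receive empty database and collection names. The lockfile hunk (`@@ -342`) additionally reads `steps.config.outputs.google-project-id` while this plan hunk reads `gcp-project-id`, so the two steps disagree. Either add the missing `echo "google-firestore-database-name=..."` / `echo "google-firestore-collection-name=..."` lines to the config step in this commit (and rename or alias the existing `gcp-project-id` output), or point both steps at the outputs that exist; PATCH 22 also touches `action.yml` past the end of this excerpt, so it may already be handled there.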
@@ -342,11 +342,12 @@ runs: component: ${{ inputs.component }} stack: ${{ inputs.stack }}-lockfile planRepositoryType: gcs - gcpProjectId: ${{ steps.config.outputs.gcp-project-id }} metadataRepositoryType: firestore - tableName: ${{ steps.config.outputs.terraform-state-table }} bucketName: ${{ steps.config.outputs.terraform-state-bucket }} - databaseId: ${{ steps.config.outputs.google-firestore-database-id }} + gcpProjectId: ${{ steps.config.outputs.google-project-id }} + gcpFirestoreDatabaseName: ${{ steps.config.outputs.google-firestore-database-name }} + gcpFirestoreCollectionName: ${{ steps.config.outputs.google-firestore-collection-name }} + - name: Setup Infracost if: ${{ steps.config.outputs.enable-infracost == 'true' && steps.atmos-plan.outputs.changes == 'true' }} uses: infracost/actions/setup@v3 diff --git a/docs/github-action.md b/docs/github-action.md index 572948e3f..26c44b7db 100644 --- a/docs/github-action.md +++ b/docs/github-action.md @@ -16,7 +16,6 @@ | sha | Commit SHA to plan. Default: github.sha | ${{ github.event.pull\_request.head.sha }} | true | | stack | The stack name for the given component. | N/A | true | | token | Used to pull node distributions for Atmos from Cloud Posse's GitHub repository. Since there's a default, this is typically not supplied by the user. When running this action on github.com, the default value is sufficient. When running on GHES, you can pass a personal access token for github.com if you are experiencing rate limiting. | ${{ github.server\_url == 'https://github.com' && github.token \|\| '' }} | false | -| gcp-credentials | Google Cloud service account key JSON | N/A | false | ## Outputs From 2bd6eb0d90263e387cc95d37d49872d378395613 Mon Sep 17 00:00:00 2001 From: Mikhail Shirkov Date: Wed, 20 Nov 2024 16:54:43 +0400 Subject: [PATCH 22/31] Fix readme --- README.yaml | 35 ++++++++++++++++++++++++++++------- action.yml | 7 ++++--- 2 files changed, 32 insertions(+), 10 deletions(-) 
diff --git a/README.yaml b/README.yaml index f5ec6d6fe..e341dcf26 100644 --- a/README.yaml +++ b/README.yaml 
@@ -44,20 +44,24 @@ references: usage: |- ### Prerequisites - This GitHub Action requires AWS access for two different purposes. This action will attempt to first run `terraform plan` against a given component and - then will use another role to save that given Terraform Plan to an S3 Bucket with metadata in a DynamoDB table. We recommend configuring - [OpenID Connect with AWS](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services) - to allow GitHub to assume roles in AWS and then deploying both a Terraform Plan role and a Terraform State role. - For Cloud Posse documentation on setting up GitHub OIDC, see our [`github-oidc-provider` component](https://docs.cloudposse.com/components/library/aws/github-oidc-provider/). + This GitHub Action requires cloud provider access for two different purposes. This action will attempt to first run `terraform plan` against a given component and + then will use credentials to save that given Terraform Plan to cloud storage with metadata. - In order to store Terraform State, we configure an S3 Bucket to store plan files and a DynamoDB table to track plan metadata. Both will need to be deployed before running - this action. For more on setting up those components, see the `gitops` component (__documentation pending__). This action will then use the [github-action-terraform-plan-storage](https://github.com/cloudposse/github-action-terraform-plan-storage) action to update these resources. + For AWS, we recommend configuring [OpenID Connect with AWS](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services) + to allow GitHub to assume roles in AWS and then deploying both a Terraform Plan role and a Terraform State role. 
+ For Cloud Posse documentation on setting up GitHub OIDC with AWS, see our [`github-oidc-provider` component](https://docs.cloudposse.com/components/library/aws/github-oidc-provider/). + + For Google Cloud, we recommend configuring [Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation-with-GitHub-actions) + to allow GitHub Actions to authenticate with Google Cloud services. This will enable access to Google Cloud Storage for plan files and Firestore for metadata storage. + + For AWS storage, we configure an S3 Bucket to store plan files and a DynamoDB table to track plan metadata. For Google Cloud storage, we use Google Cloud Storage buckets for plan files and Firestore for metadata. These resources will need to be deployed before running this action. For more on setting up those components, see the `gitops` component (__documentation pending__). This action will then use the [github-action-terraform-plan-storage](https://github.com/cloudposse/github-action-terraform-plan-storage) action to update these resources. ### Config The action expects the atmos configuration file `atmos.yaml` to be present in the repository. The config should have the following structure: + #### AWS ```yaml integrations: github: 
@@ -77,6 +81,23 @@ usage: |- sort-by: .stack_slug group-by: .stack_slug | split("-") | [.[0], .[2]] | join("-") ``` + + #### Google Cloud + ```yaml + integrations: + github: + gitops: + ... + artifact-storage: + ... + bucket: cptest-core-ue2-auto-gitops + google-service-account: terraform@project-id.iam.gserviceaccount.com + google-workload-identity-provider: projects/project-id/locations/global/workloadIdentityPools/github-actions/providers/github-provider + google-project-id: cptest-core-ue2-auto-gitops + google-firestore-database-name: cptest-core-ue2-auto-gitops + google-firestore-collection-name: terraform-plan-storage + + ``` > [!IMPORTANT] > **Please note!** This GitHub Action only works with `atmos >= 1.63.0`. If you are using `atmos < 1.63.0` please use `v1` version of this action. diff --git a/action.yml b/action.yml index e4662861e..a1e9e867e 100644 --- a/action.yml +++ b/action.yml 
@@ -89,10 +89,11 @@ runs: echo "enable-infracost=$(atmos describe config -f json | jq -r '.integrations.github.gitops["infracost-enabled"]')" >> $GITHUB_OUTPUT echo "backend=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"].backend')" >> $GITHUB_OUTPUT echo "aws-region=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"].region')" >> $GITHUB_OUTPUT - echo "gcp-project-id=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"]."gcp-project-id"')" >> $GITHUB_OUTPUT - echo "google-firestore-database-id=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"]."google-firestore-database-id"')" >> $GITHUB_OUTPUT + echo "google-project-id=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"]."google-project-id"')" >> $GITHUB_OUTPUT echo "google-workload-identity-provider=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"]."google-workload-identity-provider"')" >> $GITHUB_OUTPUT echo "google-service-account=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"]."google-service-account"')" >> $GITHUB_OUTPUT + echo "google-firestore-database-name=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"]."google-firestore-database-name"')" >> $GITHUB_OUTPUT + echo "google-firestore-collection-name=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"]."google-firestore-collection-name"')" >> $GITHUB_OUTPUT echo "terraform-state-role=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"].role')" >> $GITHUB_OUTPUT echo "terraform-state-table=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"].table')" >> $GITHUB_OUTPUT echo "terraform-state-bucket=$(atmos describe config -f json | jq -r 
'.integrations.github.gitops["artifact-storage"].bucket')" >> $GITHUB_OUTPUT @@ -316,7 +317,7 @@ runs: planRepositoryType: gcs metadataRepositoryType: firestore bucketName: ${{ steps.config.outputs.terraform-state-bucket }} - gcpProjectId: ${{ steps.config.outputs.gcp-project-id }} + gcpProjectId: ${{ steps.config.outputs.google-project-id }} gcpFirestoreDatabaseName: ${{ steps.config.outputs.google-firestore-database-name }} gcpFirestoreCollectionName: ${{ steps.config.outputs.google-firestore-collection-name }} From e8ea0565243b748d9f51ec69e16f3dd6a2a58fa9 Mon Sep 17 00:00:00 2001 From: Mikhail Shirkov Date: Thu, 28 Nov 2024 17:05:15 +0400 Subject: [PATCH 23/31] Don not pass values if they are nulls, to use defaults --- action.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/action.yml b/action.yml index a1e9e867e..60aaad5d6 100644 --- a/action.yml +++ b/action.yml @@ -126,7 +126,7 @@ runs: role-session-name: "atmos-terraform-plan-gitops" mask-aws-account-id: "no" - - name: Configure Plan Google Credentials + - name: Configure Google Credentials if: ${{ steps.config.outputs.backend == 'google' }} uses: google-github-actions/auth@v2 with: 
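Review bot: `jq -r` prints the literal string `null` when `google-project-id`, `google-firestore-database-name` or `google-firestore-collection-name` is absent from `atmos.yaml`, so the three new outputs forward the text `null` as the project and Firestore names instead of leaving them empty, and the `!= 'null'` comparisons that appear later in this series show that string is already leaking into step conditions. Use jq's alternative operator so a missing key yields an empty output, e.g. `jq -r '.integrations.github.gitops["artifact-storage"]."google-firestore-database-name" // empty'`, and apply the same to the other two lines. Downstream steps can then test for `''` only, and the plan-storage action receives an empty input rather than a bogus name.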
@@ -318,8 +318,10 @@ runs: metadataRepositoryType: firestore bucketName: ${{ steps.config.outputs.terraform-state-bucket }} gcpProjectId: ${{ steps.config.outputs.google-project-id }} - gcpFirestoreDatabaseName: ${{ steps.config.outputs.google-firestore-database-name }} - gcpFirestoreCollectionName: ${{ steps.config.outputs.google-firestore-collection-name }} + ${{ if steps.config.outputs.google-firestore-database-name != 'null' }}: + gcpFirestoreDatabaseName: ${{ steps.config.outputs.google-firestore-database-name }} + ${{ if steps.config.outputs.google-firestore-collection-name != 'null' }}: + gcpFirestoreCollectionName: ${{ steps.config.outputs.google-firestore-collection-name }} - name: Store Lockfile for New Plan (AWS) if: ${{ steps.atmos-plan.outputs.error == 'false' && steps.config.outputs.backend == 'aws' }} From 32b5821e1548c32a64196776c7507471fc381995 Mon Sep 17 00:00:00 2001 From: Mikhail Shirkov Date: Thu, 28 Nov 2024 17:30:16 +0400 Subject: [PATCH 24/31] Always passing Database and Collection name --- action.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/action.yml b/action.yml index 60aaad5d6..c505a4404 100644 --- a/action.yml +++ b/action.yml 
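Review bot: `${{ if ... }}:` written as a mapping key is not evaluated by Actions, because expressions are only expanded in values, so the `with:` block gains two literal keys whose values are nested mappings, and action inputs must be scalars, which the runner will reject as an unexpected value. If the goal is to let the plan-storage action fall back to its defaults, the fallback has to happen where the outputs are produced (emit an empty string instead of `null` in the config step, e.g. `jq -r '... // empty'`) and the two inputs can then be passed unconditionally. The next commit in the series already returns to unconditional passing, so the defaulting still needs to move upstream.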
@@ -318,10 +318,8 @@ runs: metadataRepositoryType: firestore bucketName: ${{ steps.config.outputs.terraform-state-bucket }} gcpProjectId: ${{ steps.config.outputs.google-project-id }} - ${{ if steps.config.outputs.google-firestore-database-name != 'null' }}: - gcpFirestoreDatabaseName: ${{ steps.config.outputs.google-firestore-database-name }} - ${{ if steps.config.outputs.google-firestore-collection-name != 'null' }}: - gcpFirestoreCollectionName: ${{ steps.config.outputs.google-firestore-collection-name }} + gcpFirestoreDatabaseName: ${{ steps.config.outputs.google-firestore-database-name }} + gcpFirestoreCollectionName: ${{ steps.config.outputs.google-firestore-collection-name }} - name: Store Lockfile for New Plan (AWS) if: ${{ steps.atmos-plan.outputs.error == 'false' && steps.config.outputs.backend == 'aws' }} From bcaf758235fc9bd58184649c8e50edf700fbd757 Mon Sep 17 00:00:00 2001 From: Mikhail Shirkov Date: Thu, 5 Dec 2024 21:20:48 +0400 Subject: [PATCH 25/31] passing service account and workload identity provider from config --- action.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/action.yml b/action.yml index 6b4fe4ecc..9a1b0e9e0 100644 --- a/action.yml +++ b/action.yml @@ -173,6 +173,14 @@ runs: stack: ${{ inputs.stack }} settingsPath: settings.integrations.github.gitops.artifact-storage.google-project-id outputPath: google-project-id + - component: ${{ inputs.component }} + stack: ${{ inputs.stack }} + settingsPath: settings.integrations.github.gitops.artifact-storage.google-service-account + outputPath: google-service-account + - component: ${{ inputs.component }} + stack: ${{ inputs.stack }} + settingsPath: settings.integrations.github.gitops.artifact-storage.google-workload-identity-provider + outputPath: google-workload-identity-provider - component: ${{ inputs.component }} stack: ${{ inputs.stack }} settingsPath: settings.integrations.github.gitops.artifact-storage.google-firestore-database-name 
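Review bot: Passing `gcpFirestoreDatabaseName` and `gcpFirestoreCollectionName` unconditionally reinstates the situation the previous commit tried to avoid: when those keys are absent from `atmos.yaml`, the config step's `jq -r` writes the string `null` to `$GITHUB_OUTPUT`, and that text rather than an empty value is what reaches the plan-storage action, so its defaults never apply. Have the config step emit empty output for missing keys (`jq -r '... // empty'` on each of these lookups) so these two lines can stay exactly as written here.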
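Review bot: `google-service-account` and `google-workload-identity-provider` are now read from per-component stack settings, which means the identity this action authenticates as is chosen by whoever can edit the stack files in the repository, including a pull request that touches them. That is acceptable only if the Workload Identity Pool provider's attribute condition and the service account's `roles/iam.workloadIdentityUser` binding restrict impersonation to this repository and the intended refs; with a permissive provider a PR could redirect the job to any service account the provider admits. The `google-github-actions/auth` step that consumes these values is outside this hunk, so the expectation should be stated where the settings are documented, e.g. a sentence in the README's Google Cloud section: "the WIF provider's attribute condition is the trust boundary; these two values are repository-controlled".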
From a69fb209cc485874e5b9d45bbf225cff2fc8af40 Mon Sep 17 00:00:00 2001 From: Mikhail Shirkov Date: Thu, 5 Dec 2024 22:33:26 +0400 Subject: [PATCH 26/31] Installing opentofu before get settings --- action.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/action.yml b/action.yml index 9a1b0e9e0..98f9c29a4 100644 --- a/action.yml +++ b/action.yml @@ -88,6 +88,13 @@ runs: token: ${{ inputs.token }} install-wrapper: false + - name: Install OpenTofu + uses: cloudposse-github-actions/install-gh-releases@v1 + with: + cache: true + config: |- + opentofu/opentofu: latest + - name: Get atmos settings id: atmos-settings uses: cloudposse/github-action-atmos-get-setting@v2 From 2a842cc76a490778ee90ef2790307ed3356e6eea Mon Sep 17 00:00:00 2001 From: Mikhail Shirkov Date: Fri, 6 Dec 2024 15:27:11 +0400 Subject: [PATCH 27/31] Fix gcp params for lockfile creation --- action.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/action.yml b/action.yml index 98f9c29a4..2c89a8fc3 100644 --- a/action.yml +++ b/action.yml 
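Review bot: `opentofu/opentofu: latest` installs whatever release is current when the job runs, so plan output depends on run time and ignores the `opentofu-version` this action already reads from `atmos.yaml`; a new OpenTofu release can change or break plans with no change in the repository. Resolve the version from config the way the later `Install Dependencies` step in this series does, e.g. `opentofu/opentofu:` followed by `tag: ${{ format('v{0}', <opentofu-version>) }}`, and only fall back to a pinned default when the setting is empty.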
@@ -445,9 +445,9 @@ runs: cosmosContainerName: ${{ fromJson(steps.atmos-settings.outputs.settings).cosmos-container-name }} cosmosDatabaseName: ${{ fromJson(steps.atmos-settings.outputs.settings).cosmos-database-name }} cosmosEndpoint: ${{ fromJson(steps.atmos-settings.outputs.settings).cosmos-endpoint }} - gcpProjectId: ${{ steps.config.outputs.google-project-id }} - gcpFirestoreDatabaseName: ${{ steps.config.outputs.google-firestore-database-name }} - gcpFirestoreCollectionName: ${{ steps.config.outputs.google-firestore-collection-name }} + gcpProjectId: ${{ fromJson(steps.atmos-settings.outputs.settings).google-project-id }} + gcpFirestoreDatabaseName: ${{ fromJson(steps.atmos-settings.outputs.settings).google-firestore-database-name }} + gcpFirestoreCollectionName: ${{ fromJson(steps.atmos-settings.outputs.settings).google-firestore-collection-name }} tableName: ${{ fromJson(steps.atmos-settings.outputs.settings).terraform-state-table }} bucketName: ${{ fromJson(steps.atmos-settings.outputs.settings).terraform-state-bucket }} From 6d394bebb21f013e859b93ba138013c94c9a497d Mon Sep 17 00:00:00 2001 From: Mikhail Shirkov Date: Fri, 6 Dec 2024 15:30:04 +0400 Subject: [PATCH 28/31] Commenting tofu installation to check the error --- action.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/action.yml b/action.yml index 2c89a8fc3..99c67b600 100644 --- a/action.yml +++ b/action.yml @@ -88,12 +88,12 @@ runs: token: ${{ inputs.token }} install-wrapper: false - - name: Install OpenTofu - uses: cloudposse-github-actions/install-gh-releases@v1 - with: - cache: true - config: |- - opentofu/opentofu: latest + # - name: Install OpenTofu + # uses: cloudposse-github-actions/install-gh-releases@v1 + # with: + # cache: true + # config: |- + # opentofu/opentofu: latest - name: Get atmos settings id: atmos-settings From baddb263f466cd60f3d4ec8ee7b1ca7ccd4f9202 Mon Sep 17 00:00:00 2001 
From: Mikhail Shirkov Date: Fri, 6 Dec 2024 15:32:44 +0400 Subject: [PATCH 29/31] Get settings now working without tofu installation --- action.yml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/action.yml b/action.yml index 99c67b600..55c12a886 100644 --- a/action.yml +++ b/action.yml @@ -64,9 +64,6 @@ outputs: description: "Summary" value: "${{ steps.summary.outputs.result }}" -env: - ACTIONS_STEP_DEBUG: true - runs: using: "composite" steps: @@ -88,13 +85,6 @@ runs: token: ${{ inputs.token }} install-wrapper: false - # - name: Install OpenTofu - # uses: cloudposse-github-actions/install-gh-releases@v1 - # with: - # cache: true - # config: |- - # opentofu/opentofu: latest - - name: Get atmos settings id: atmos-settings uses: cloudposse/github-action-atmos-get-setting@v2 From 0c3d187a147c92b51cdac72ebf1ccf5503110a6c Mon Sep 17 00:00:00 2001 From: Mikhail Shirkov Date: Thu, 19 Dec 2024 23:58:42 +0400 Subject: [PATCH 30/31] Install terraform and opentofu before get all settings --- action.yml | 52 ++++++++++++++++++++++++++++++++++------------------ 1 file changed, 34 insertions(+), 18 deletions(-) diff --git a/action.yml b/action.yml index 55c12a886..42b338104 100644 --- a/action.yml +++ b/action.yml 
@@ -85,6 +85,40 @@ runs: token: ${{ inputs.token }} install-wrapper: false + - name: Get terraform and opentofu versions + id: terraform-versions + uses: cloudposse/github-action-atmos-get-setting@v2 + with: + process-templates: false + settings: | + - component: ${{ inputs.component }} + stack: ${{ inputs.stack }} + settingsPath: settings.integrations.github.gitops.opentofu-version + outputPath: opentofu-version + - component: ${{ inputs.component }} + stack: ${{ inputs.stack }} + settingsPath: settings.integrations.github.gitops.terraform-version + outputPath: terraform-version + + - name: Install Terraform + if: ${{ fromJson(steps.terraform-versions.outputs.settings).terraform-version != '' && fromJson(steps.terraform-versions.outputs.settings).terraform-version != 'null' }} + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: ${{ fromJson(steps.terraform-versions.outputs.settings).terraform-version }} + terraform_wrapper: false + + - name: Install Dependencies + uses: cloudposse-github-actions/install-gh-releases@v1 + with: + cache: true + config: |- + opentofu/opentofu: + tag: ${{ startsWith(fromJson(steps.terraform-versions.outputs.settings).opentofu-version, 'v') && fromJson(steps.terraform-versions.outputs.settings).opentofu-version || format('v{0}', fromJson(steps.terraform-versions.outputs.settings).opentofu-version) }} + skip: ${{ fromJson(steps.terraform-versions.outputs.settings).opentofu-version == '' || fromJson(steps.terraform-versions.outputs.settings).opentofu-version == 'null' }} + suzuki-shunsuke/tfcmt: + tag: v4.14.0 + + - name: Get atmos settings id: atmos-settings uses: cloudposse/github-action-atmos-get-setting@v2 
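Review bot: The new `uses: hashicorp/setup-terraform@v3` and `uses: cloudposse-github-actions/install-gh-releases@v1` lines reference third-party actions by mutable major tags, so the code that installs the Terraform and OpenTofu binaries used for every plan can change underneath this action without a commit here; the rest of the file follows the same tag style, so this is a file-wide hardening rather than a regression. Pin each to a full commit SHA with the tag in a trailing comment, e.g. `uses: hashicorp/setup-terraform@<commit-sha> # v3`, and bump deliberately. Separately, the `if:` and `tag:` expressions call `fromJson(steps.terraform-versions.outputs.settings)` several times; if that output is ever empty the expression itself errors before the `!= ''` checks run, which may be worth a comment on the `terraform-versions` step.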
@@ -187,24 +221,6 @@ runs: settingsPath: settings.integrations.github.gitops.artifact-storage.google-firestore-collection-name outputPath: google-firestore-collection-name - - name: Install Terraform - if: ${{ fromJson(steps.atmos-settings.outputs.settings).terraform-version != '' && fromJson(steps.atmos-settings.outputs.settings).terraform-version != 'null' }} - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: ${{ fromJson(steps.atmos-settings.outputs.settings).terraform-version }} - terraform_wrapper: false - - - name: Install Dependencies - uses: cloudposse-github-actions/install-gh-releases@v1 - with: - cache: true - config: |- - opentofu/opentofu: - tag: ${{ startsWith(fromJson(steps.atmos-settings.outputs.settings).opentofu-version, 'v') && fromJson(steps.atmos-settings.outputs.settings).opentofu-version || format('v{0}', fromJson(steps.atmos-settings.outputs.settings).opentofu-version) }} - skip: ${{ fromJson(steps.atmos-settings.outputs.settings).opentofu-version == '' || fromJson(steps.atmos-settings.outputs.settings).opentofu-version == 'null' }} - suzuki-shunsuke/tfcmt: - tag: v4.14.0 - - name: Configure Plan AWS Credentials uses: aws-actions/configure-aws-credentials@v4 if: ${{ fromJson(steps.atmos-settings.outputs.settings).aws-region != '' && From 55271772a71517fddd583442f078d39d59b35011 Mon Sep 17 00:00:00 2001 From: Mikhail Shirkov Date: Fri, 20 Dec 2024 00:41:14 +0400 Subject: [PATCH 31/31] Do not get opentofu/terraform versions again --- action.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/action.yml b/action.yml index 43fb791fe..73ee27289 100644 --- a/action.yml +++ b/action.yml 
@@ -146,14 +146,6 @@ runs: stack: ${{ inputs.stack }} settingsPath: command outputPath: command - - component: ${{ inputs.component }} - stack: ${{ inputs.stack }} - settingsPath: settings.integrations.github.gitops.opentofu-version - outputPath: opentofu-version - - component: ${{ inputs.component }} - stack: ${{ inputs.stack }} - settingsPath: settings.integrations.github.gitops.terraform-version - outputPath: terraform-version - component: ${{ inputs.component }} stack: ${{ inputs.stack }} settingsPath: settings.integrations.github.gitops.infracost-enabled