feat(terraform): validate configuration if triggered by Dependabot #623
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Hasn't been tested. |
|
Converting to draft until tested. |
|
@equinor/ops-actions-maintainers I've been unable to find a way to test this so far. I've tried to push commits as Dependabot (i.e. I've configured Git locally to commit as Dependabot), however in order to push to GitHub and trigger a workflow, you need to authenticate your account, so the commits are identified as mine anyway 🤷 I suggest we merge this PR, then either fix or revert this commit if it turns out to be broken. |
sefornes
approved these changes
Jan 16, 2025
hknutsen
deleted the
feat/terraform/validate-config-if-triggered-by-dependabot
branch
hknutsen
added a commit
that referenced
this pull request
Jan 16, 2025
…#623)" The Terraform workflow currently throws an error if triggered by Dependabot and Dependabot secrets `AZURE_CLIENT_ID`, `AZURE_SUBSCRIPTION_ID` and/or `AZURE_TENANT_ID` are not configured, as these secrets are required by the Terraform workflow. There are two possible solutions to this issue: 1. Set these secrets as not required in the Terraform workflow. The downside of this solution is that it can cause confusion regarding the usage of the Terraform workflow, as these secrets are still required for normal use, they're just not marked as required to prevent this error when triggered by Dependabot. 2. Add these Dependabot secrets to the relevant repository and set the values to empty strings. This adds an, in my opinion, unnecessary and confusing prerequisite for the Terraform workflow. 3. Revert the commit that broke the Terraform workflow. Going for solution 3 keeps the Terraform workflow as simple as possible, so that is the solution that I've gone for. This reverts commit 9d552d9.
hknutsen
added a commit
that referenced
this pull request
Feb 25, 2025
) Currently, if the Terraform workflow is triggered by Dependabot, both the `Terraform Plan` and `Terraform Apply` jobs are skipped, meaning the workflow does nothing. With thes changes, the workflow should run until at least the `Terraform Validate` step to catch obvious errors. If triggered by Dependabot, it's important that the Terraform backend is _not_ initialized when running `terraform init`, since that requires authentication to Azure, which Dependabot can't do.
hknutsen
added a commit
that referenced
this pull request
Feb 25, 2025
) Currently, if the Terraform workflow is triggered by Dependabot, both the `Terraform Plan` and `Terraform Apply` jobs are skipped, meaning the workflow does nothing. With thes changes, the workflow should run until at least the `Terraform Validate` step to catch obvious errors. If triggered by Dependabot, it's important that the Terraform backend is _not_ initialized when running `terraform init`, since that requires authentication to Azure, which Dependabot can't do.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently, if the Terraform workflow is triggered by Dependabot, both the
Terraform PlanandTerraform Applyjobs are skipped, meaning the workflow does nothing 🤷 With the changes in this PR, the workflow should run until at least theTerraform Validatestep to catch obvious errors.If triggered by Dependabot, it's important that the Terraform backend is not initialized when running
terraform init, since that requires authentication to Azure, which Dependabot can't do.