From ce71369cdd7f62b2f056591863fc25100b6d312e Mon Sep 17 00:00:00 2001
From: Mykhailo Nikiforov
Date: Sun, 26 May 2024 15:46:38 +0300
Subject: [PATCH] feat(ci): add tofu templates
---
 .gitea/workflows/otf-apply.yml | 98 ++++++++++++++++++++++++++++++++++
 .gitea/workflows/otf-plan.yml | 92 +++++++++++++++++++++++++++++++
 2 files changed, 190 insertions(+)
 create mode 100644 .gitea/workflows/otf-apply.yml
 create mode 100644 .gitea/workflows/otf-plan.yml
diff --git a/.gitea/workflows/otf-apply.yml b/.gitea/workflows/otf-apply.yml
new file mode 100644
index 0000000..eb793f1
--- /dev/null
+++ b/.gitea/workflows/otf-apply.yml
@@ -0,0 +1,98 @@
+name: tf-apply
+on:
+ workflow_call:
+ secrets:
+ gpg-key:
+ required: true
+ type: string
+ tf-api-token:
+ required: true
+ type: string
+ ssh-private-key:
+ required: true
+ type: string
+ ssh-known-hosts:
+ required: true
+ type: string
+
+jobs:
+ otf-apply:
+ name: Tofu Apply
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Clone repo
+ uses: actions/checkout@v4
+ - name: Retrieve artifacts
+ id: download
+ uses: actions/download-artifact@v3
+ with:
+ name: artifacts
+ - name: Check if job errored
+ shell: bash
+ id: check
+ run: |
+ echo "code=$(cat ${{steps.download.outputs.download-path}}/exitcode)" >> $GITHUB_OUTPUT
+ if [ "$(cat ${{steps.download.outputs.download-path}}/exitcode)" -lt 2 ]; then
+ exit "$(cat exitcode)";
+ fi
+ - name: Clone blackbox repo
+ uses: actions/checkout@v4
+ if: ${{ steps.check.outputs.code == 2 }}
+ with:
+ repository: xaked/blackbox
+ path: blackbox
+ ref: master
+ - name: Install blackbox
+ shell: bash
+ if: ${{ steps.check.outputs.code == 2 }}
+ run: |
+ cd blackbox || exit 1;
+ make copy-install;
+ cd ${{ github.workspace }};
+ rm -rf blackbox;
+ - uses: opentofu/setup-opentofu@v1
+ if: ${{ steps.check.outputs.code == 2 }}
+ with:
+ tofu_version: 1.7.1
+ cli_config_credentials_token: ${{ secrets.tf-api-token }}
+ - name: Decrypt secrets
+ if: ${{ steps.check.outputs.code == 2 }}
+ shell: bash
+ run: |
+ echo ${{ secrets.gpg-key }} | base64 -d | gpg --import;
+ blackbox_decrypt_all_files;
+ - name: Setup SSH key
+ if: ${{ steps.check.outputs.code == 2 }}
+ uses: benoitchantre/setup-ssh-authentication-action@1.0.1
+ with:
+ private-key: ${{ secrets.ssh-private-key }}
+ private-key-name: id_ed25519
+ known-hosts: ${{ secrets.ssh-known-hosts }}
+ - name: Restore tofu cache
+ if: ${{ steps.check.outputs.code == 2 }}
+ uses: actions/cache@v4
+ id: cache-tofu-restore
+ with:
+ path: .terraform
+ key: ${{ github.repository }}-${{ runner.os }}-${{ runner.arch }}-otf
+ - name: Run tofu init
+ if: ${{ steps.check.outputs.code == 2 }}
+ shell: bash
+ run: tofu init
+ - name: Run tofu validate
+ if: ${{ steps.check.outputs.code == 2 }}
+ shell: bash
+ run: tofu validate
+ - name: Run tofu apply
+ if: ${{ steps.check.outputs.code == 2 }}
+ id: tfplan
+ shell: bash
+ run: tofu apply -input=false -auto-approve tfplan.binary;
+ - name: Save tofu cache
+ if: ${{ steps.check.outputs.code == 2 }}
+ uses: actions/cache/save@v4
+ id: cache-tofu-save
+ with:
+ path: .terraform
+ key: ${{ steps.cache-tofu-restore.outputs.cache-primary-key }}
diff --git a/.gitea/workflows/otf-plan.yml b/.gitea/workflows/otf-plan.yml
new file mode 100644
index 0000000..dde5d56
--- /dev/null
+++ b/.gitea/workflows/otf-plan.yml
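Review bot: The apply job, which holds the TF API token, the GPG key and the SSH key, runs code from unpinned mutable references: `ref: master` of xaked/blackbox is cloned and executed via `make copy-install` right before `gpg --import` and `blackbox_decrypt_all_files`, and `opentofu/setup-opentofu@v1` / `benoitchantre/setup-ssh-authentication-action@1.0.1` are tag references rather than commit SHAs, so anyone who can push that branch or move those tags gets the decrypted secrets and the credentials behind `tofu apply -auto-approve`; pin each to a full commit SHA (`ref: <sha>`, `uses: owner/repo@<sha> # v1`). The `Check if job errored` step also reads the exit code from `${{steps.download.outputs.download-path}}/exitcode` twice but then runs `exit "$(cat exitcode)"` from the working directory; if download-path is not the workspace the third read yields an empty string and bash rejects `exit ""` with a non-zero status, failing the job on the no-changes path (code 0) it is meant to pass, so use one path for all three reads. Finally, `echo ${{ secrets.gpg-key }} | base64 -d | gpg --import` inlines the secret unquoted into the generated script; pass it through `env:` and use `printf '%s' "$GPG_KEY" | base64 -d | gpg --batch --import`.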
@@ -0,0 +1,92 @@
+name: tf-plan
+on:
+ workflow_call:
+ secrets:
+ gpg-key:
+ required: true
+ type: string
+ tf-api-token:
+ required: true
+ type: string
+ ssh-private-key:
+ required: true
+ type: string
+ ssh-known-hosts:
+ required: true
+ type: string
+
+jobs:
+ otf-plan:
+ name: Tofu Plan
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: opentofu/setup-opentofu@v1
+ with:
+ tofu_version: 1.7.1
+ cli_config_credentials_token: ${{ secrets.tf-api-token }}
+ - name: Clone repo
+ uses: actions/checkout@v4
+ - name: Clone blackbox repo
+ uses: actions/checkout@v4
+ with:
+ repository: xaked/blackbox
+ path: blackbox
+ ref: master
+ - name: Install blackbox
+ shell: bash
+ run: |
+ cd blackbox || exit 1;
+ make copy-install;
+ cd ${{ github.workspace }};
+ rm -rf blackbox;
+ - name: Decrypt secrets
+ shell: bash
+ run: |
+ echo ${{ secrets.gpg-key }} | base64 -d | gpg --import;
+ blackbox_decrypt_all_files;
+ - name: Setup SSH key
+ uses: benoitchantre/setup-ssh-authentication-action@1.0.1
+ with:
+ private-key: ${{ secrets.ssh-private-key }}
+ private-key-name: id_ed25519
+ known-hosts: ${{ secrets.ssh-known-hosts }}
+ - name: Restore tofu cache
+ uses: actions/cache@v4
+ id: cache-tofu-restore
+ with:
+ path: .terraform
+ key: ${{ github.repository }}-${{ runner.os }}-${{ runner.arch }}-otf
+ - name: Run tofu init
+ shell: bash
+ run: tofu init
+ - name: Run tofu validate
+ shell: bash
+ run: tofu validate
+ - name: Run tofu plan
+ id: tfplan
+ shell: bash
+ run: tofu plan -detailed-exitcode -out=tfplan.binary -input=false;
+ continue-on-error: true
+ - name: Save exitcode to the artifacts
+ shell: bash
+ run: printf "${{ steps.tfplan.outputs.exitcode }}" > exitcode;
+ - name: Upload artifacts
+ uses: actions/upload-artifact@v3
+ with:
+ name: artifacts
+ path: |
+ tfplan.binary
+ exitcode
+ - name: Check if job errored
+ shell: bash
+ run: |
+ if [ "$(cat exitcode)" == "1" ]; then
+ exit 1;
+ fi
+ - name: Save tofu cache
+ uses: actions/cache/save@v4
+ id: cache-tofu-save
+ with:
+ path: .terraform
+ key: ${{ steps.cache-tofu-restore.outputs.cache-primary-key }}
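Review bot: `tfplan.binary` from `tofu plan -out=tfplan.binary` is uploaded as a plain workflow artifact in the `Upload artifacts` step, and a saved plan stores variable values and planned attributes in cleartext, including ones marked sensitive; after `blackbox_decrypt_all_files` that can include the very secrets this repository keeps encrypted, so anyone with read access to the run's artifacts can recover them. At minimum add a short `retention-days:` to that step and restrict artifact download permissions; a stronger option is to encrypt the plan with the same GPG key before upload and decrypt it in the apply job. The `Save exitcode to the artifacts` step reads `steps.tfplan.outputs.exitcode`, which a plain `run` step does not provide and appears to come only from the wrapper script that setup-opentofu installs by default; a comment such as `# exitcode is exposed by the setup-opentofu wrapper; do not disable tofu_wrapper` would keep a later change from silently writing an empty file. Also, `echo ${{ secrets.gpg-key }} | base64 -d | gpg --import` inlines the secret unquoted into the generated script; pass it via `env:` and use `printf '%s' "$GPG_KEY" | base64 -d | gpg --batch --import`.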