From fdc3c93f9a4979319797e52cd24a2da68957e02e Mon Sep 17 00:00:00 2001 From: Wheeler Law Date: Tue, 24 Oct 2023 14:48:52 -0500 Subject: [PATCH 1/5] feat: initial implementation --- .github/scripts/get-state-file.sh | 24 +++++++++ .github/workflows/ci.yaml | 84 +++++++++++++++++++++++++++++++ .gitignore | 5 ++ main.tf | 31 ++++++++++++ 4 files changed, 144 insertions(+) create mode 100755 .github/scripts/get-state-file.sh create mode 100644 .github/workflows/ci.yaml create mode 100644 .gitignore create mode 100644 main.tf diff --git a/.github/scripts/get-state-file.sh b/.github/scripts/get-state-file.sh new file mode 100755 index 0000000..2324a00 --- /dev/null +++ b/.github/scripts/get-state-file.sh @@ -0,0 +1,24 @@ +#!/usr/bin/env bash +set -eo pipefail +[[ $RUNNER_DEBUG || $DEBUG ]] && set -x + +set +e +state_file_url="$(gh api /repos/:owner/:repo/releases/latest --jq '.assets[] | select(.name == "terraform.tfstate.gpg") | .url')" +rc=$?; set -e + +if [[ $rc != 0 ]]; then + error_message="$(jq -r .message <<< "$state_file_url")" + if [[ $error_message == "Not Found" ]]; then + >&2 echo "No state file found, exiting" + exit 0 + else + >&2 echo "Other error occurred while trying to obtain the state file:" + >&2 echo "$error_message" + exit 1 + fi +fi + +gpg --import <<< "$TFSTATE_PGP_KEY" +gh api -H 'Accept: application/octet-stream' "$state_file_url" | gpg --out terraform.tfstate --decrypt + + diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml new file mode 100644 index 0000000..0f37a06 --- /dev/null +++ b/.github/workflows/ci.yaml 
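Review bot: When the latest release exists but carries no `terraform.tfstate.gpg` asset, the `--jq` filter prints nothing and `gh api` exits 0, so `state_file_url` is empty, the `rc` check is skipped, and the script continues into `gh api -H 'Accept: application/octet-stream' ""` with `gpg --decrypt` reading a failed download; add `[[ -z $state_file_url ]] && { >&2 echo "No state file asset in latest release, exiting"; exit 0; }` right after the `rc` check. The error branch assumes `gh api` wrote the JSON error body to stdout so that `jq -r .message` can read it; for a non-HTTP failure (no token, network error) `jq` receives non-JSON and fails, and with `set -e` restored the script aborts before either message is printed — worth confirming against the runner's `gh`, or guarding it as `error_message="$(jq -r .message <<< "$state_file_url" 2>/dev/null || printf '%s' "$state_file_url")"`. Tracing is enabled whenever `RUNNER_DEBUG` is set; bash's xtrace prints the command but not here-string contents, so `gpg --import <<< "$TFSTATE_PGP_KEY"` keeps the key out of the job log — keep that form rather than piping an `echo` of the variable into gpg.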
@@ -0,0 +1,84 @@ +#name: CI +# +#on: +# pull_request: +# branches: [main] +# push: +# branches: [main] +# +#concurrency: +# group: ${{ github.workflow }}-${{ github.ref }} +# cancel-in-progress: ${{ github.event_name == 'pull_request' }} +# +#jobs: +# plan: +# name: Plan +# runs-on: ubuntu-latest +# if: github.event_name == 'pull_request' +# steps: +# - name: Checkout repo +# uses: actions/checkout@v3 +# - name: Download state file +# run: ./.github/scripts/get-state-file.sh +# env: +# TFSTATE_GPG_KEY=${{ secrets.TFSTATE_GPG_KEY }} +# - name: Terraform Plan +# run: terraform plan +# - name: Terraform Apply +# run: terraform apply -auto-approve + +name: CI +on: + push: + branches: [main] + pull_request: {} +jobs: + plan: + name: TF Plan + if: github.event_name == 'pull_request' + runs-on: ubuntu-latest + steps: + - name: Checkout repo + uses: actions/checkout@v3 + - name: Generate app token + id: generate-app-token + uses: tibdex/github-app-token@v1.9.0 + with: + app_id: ${{ vars.GH_APP_STEELECO_SYSTEMS_APP_ID }} + private_key: ${{ secrets.GH_APP_STEELECO_SYSTEMS_PRIVATE_KEY }} + - name: Download and decrypt statefile + env: + TFSTATE_PGP_KEY: ${{ secrets.TFSTATE_PGP_KEY }} + run: | + # step script + set -x + ./.github/scripts/get-state-file.sh + - name: Terraform plan + run: | + tf init + tf plan | tee >(ansi2txt > terraform.tfplan.log) + - uses: actions/upload-artifact@v3 + with: + name: terraform.tfplan.log + path: terraform.tfplan.log + + apply: + name: TF Apply + if: github.event_name == 'push' && github.ref == 'refs/heads/main' + runs-on: ubuntu-latest + steps: + - name: Checkout repo + uses: actions/checkout@v3 + - name: Generate app token + id: generate-app-token + uses: tibdex/github-app-token@v1.9.0 + with: + app_id: ${{ vars.GH_APP_STEELECO_SYSTEMS_APP_ID }} + private_key: ${{ secrets.GH_APP_STEELECO_SYSTEMS_PRIVATE_KEY }} + - name: Terraform apply + env: + GITHUB_TOKEN: ${{ steps.generate-app-token.outputs.token }} + run: terraform apply -auto-approve + 
+ + diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..a23b381 --- /dev/null +++ b/.gitignore @@ -0,0 +1,5 @@ +terraform.tfstate +terraform.tfplan +terraform.tfplan.log +.terraform.lock.hcl +.terraform diff --git a/main.tf b/main.tf new file mode 100644 index 0000000..a093da1 --- /dev/null +++ b/main.tf @@ -0,0 +1,31 @@ +terraform { + required_providers { + github = { + source = "integrations/github" + version = "~> 5.38" + } + } +} + +# Configure the GitHub Provider +provider "github" { + +# app_auth { +# id = "371766" +# installation_id = "40392571" +# pem_file = file("~/Downloads/steelecosystems.2023-09-24.private-key.pem") +# } +# owner = "SteelecoSystems" +} + +resource "github_actions_organization_variable" "test_variable" { + variable_name = "test_variable" + visibility = "private" + value = "hello world" +} + +resource "github_actions_organization_secret" "test_secret" { + secret_name = "test_secret" + visibility = "private" + plaintext_value = "asd" +} From 8b1a6502a5e1bc7f47fc5a95eacd8b981d970677 Mon Sep 17 00:00:00 2001 From: Wheeler Law Date: Tue, 24 Oct 2023 14:50:26 -0500 Subject: [PATCH 2/5] Forgot to set token value --- .github/workflows/ci.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 0f37a06..de5e75f 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -48,6 +48,7 @@ jobs: private_key: ${{ secrets.GH_APP_STEELECO_SYSTEMS_PRIVATE_KEY }} - name: Download and decrypt statefile env: + GITHUB_TOKEN: ${{ steps.generate-app-token.outputs.token }} TFSTATE_PGP_KEY: ${{ secrets.TFSTATE_PGP_KEY }} run: | # step script From fe73f3acb70b8b9a102a3943918ea53781e04bce Mon Sep 17 00:00:00 2001 From: Wheeler Law Date: Tue, 24 Oct 2023 14:52:04 -0500 Subject: [PATCH 3/5] Try the default token --- .github/workflows/ci.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
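Review bot: In the plan job, `tf plan | tee >(ansi2txt > terraform.tfplan.log)` runs under the default `bash -e {0}` step shell, which has no `pipefail`, so a failing plan is masked by `tee` exiting 0 and the job goes green; add `shell: bash` to the step (that variant runs with `-eo pipefail`) and call `terraform` rather than `tf`, since nothing in this workflow provides a `tf` alias or `ansi2txt`. The apply job neither downloads the state nor runs `terraform init` before `terraform apply -auto-approve`, and no step re-encrypts and publishes the state afterwards, so each apply on main would start from an empty state and its result would be lost — the rewritten steps below add the download and the init; the upload still needs its own step and a decision on which release receives the new asset. Both jobs reference `actions/checkout@v3`, `tibdex/github-app-token@v1.9.0` and `actions/upload-artifact@v3` by mutable tag and the workflow declares no `permissions:`; pin to full commit SHAs and add `permissions: contents: read` at the top level. The 28 commented-out lines of the earlier workflow at the head of the file (including the malformed `TFSTATE_GPG_KEY=${{ secrets.TFSTATE_GPG_KEY }}` env entry) are dead text and should be deleted.
```yaml
  apply:
    name: TF Apply
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      # … unchanged: checkout and generate-app-token steps …
      - name: Download and decrypt statefile
        env:
          GITHUB_TOKEN: ${{ github.token }}
          TFSTATE_PGP_KEY: ${{ secrets.TFSTATE_PGP_KEY }}
        run: ./.github/scripts/get-state-file.sh
      - name: Terraform apply
        shell: bash
        env:
          GITHUB_TOKEN: ${{ steps.generate-app-token.outputs.token }}
        run: |
          terraform init
          terraform apply -auto-approve
```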
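Review bot: `.terraform.lock.hcl` is ignored, but the dependency lock file is what pins the provider version and its checksums across runs; with only `version = "~> 5.38"` in main.tf, every CI run resolves and downloads whatever 5.x the registry serves at that moment, unverified against a committed hash. Drop that line from `.gitignore` and commit the lock file that `terraform init` generates. The remaining entries (`terraform.tfstate`, the plan file and log, `.terraform`) are right to exclude, since the state written by get-state-file.sh is the decrypted copy.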
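Review bot: `plaintext_value = "asd"` on `github_actions_organization_secret.test_secret` puts the secret's value into a committed file, and after apply into the state file as well; even for a placeholder, take it from a `variable "test_secret_value" { type = string, sensitive = true }` supplied through a `TF_VAR_test_secret_value` workflow secret, so the pattern is already right when a real value replaces it. The `provider "github"` block is empty with `owner` commented out, so the organization-level resources presumably depend on a `GITHUB_OWNER` environment variable that ci.yaml does not export — set `owner` explicitly to avoid an apply that fails or targets the wrong account. The commented-out `app_auth` block with app and installation ids and a `~/Downloads` pem path is dead configuration and should be removed; the workflow already passes the app token via `GITHUB_TOKEN`.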
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index de5e75f..81cf5f7 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -48,7 +48,8 @@ jobs: private_key: ${{ secrets.GH_APP_STEELECO_SYSTEMS_PRIVATE_KEY }} - name: Download and decrypt statefile env: - GITHUB_TOKEN: ${{ steps.generate-app-token.outputs.token }} + #GITHUB_TOKEN: ${{ steps.generate-app-token.outputs.token }} + GITHUB_TOKEN: ${{ secrets.token }} TFSTATE_PGP_KEY: ${{ secrets.TFSTATE_PGP_KEY }} run: | # step script From 5082e8e594631f77cf3d7b0fe84da2ae816b40db Mon Sep 17 00:00:00 2001 From: Wheeler Law Date: Tue, 24 Oct 2023 14:52:56 -0500 Subject: [PATCH 4/5] Try this? --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 81cf5f7..e58fbca 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -49,7 +49,7 @@ jobs: - name: Download and decrypt statefile env: #GITHUB_TOKEN: ${{ steps.generate-app-token.outputs.token }} - GITHUB_TOKEN: ${{ secrets.token }} + GH_TOKEN: ${{ secrets.token }} TFSTATE_PGP_KEY: ${{ secrets.TFSTATE_PGP_KEY }} run: | # step script From a867c71d5c89f24713f6d0088d10168944935912 Mon Sep 17 00:00:00 2001 From: Wheeler Law Date: Tue, 24 Oct 2023 14:53:34 -0500 Subject: [PATCH 5/5] Wrong --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index e58fbca..66d89e4 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -49,7 +49,7 @@ jobs: - name: Download and decrypt statefile env: #GITHUB_TOKEN: ${{ steps.generate-app-token.outputs.token }} - GH_TOKEN: ${{ secrets.token }} + GITHUB_TOKEN: ${{ github.token }} TFSTATE_PGP_KEY: ${{ secrets.TFSTATE_PGP_KEY }} run: | # step script
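Review bot: After this change the `generate-app-token` step in the plan job produces a token nothing uses: the download step now takes `github.token`, and the `Terraform plan` step (outside this hunk) sets no token at all, so the github provider presumably runs unauthenticated there; either drop the step from the plan job or wire `GITHUB_TOKEN: ${{ steps.generate-app-token.outputs.token }}` into the plan step's `env`. The workflow declares no `permissions:`, so what `github.token` may do is the repository default; add `permissions: contents: read` at the top level so that reading the release asset is explicit and nothing more is granted. The stale `#GITHUB_TOKEN: ${{ steps.generate-app-token.outputs.token }}` line left under `env:` should be removed with it.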