Terraform plan & apply by @shanice-skylight #85
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Terraform Plan & Terraform Apply | |
| run-name: Terraform plan & apply ${{ inputs.workspace }} by @${{ github.actor }} | |
| on: | |
| workflow_run: | |
| workflows: [CD, Build Keycloak] | |
| types: | |
| - completed | |
| merge_group: | |
| types: | |
| - checks_requested | |
| workflow_dispatch: | |
| inputs: | |
| workspace: | |
| description: "Choose terraform workspace for deployment" | |
| required: true | |
| type: choice | |
| options: | |
| - dev | |
| - demo | |
| default: dev | |
| concurrency: | |
| group: ${{ github.event.inputs.workspace }}-terraform | |
| cancel-in-progress: false | |
| permissions: | |
| id-token: write | |
| contents: read | |
| env: | |
| workspace: ${{ github.event.inputs.workspace }} | |
| jobs: | |
| check-dependencies: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| source_a_status: ${{ steps.check_a_status.outputs.status }} | |
| source_b_status: ${{ steps.check_b_status.outputs.status }} | |
| steps: | |
| - name: Check out the repository | |
| uses: actions/checkout@v4 | |
| - name: Check CD Status | |
| id: check_a_status | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| echo "Checking if CD has ran." | |
| response=$(gh run list --workflow "CD" --branch $GITHUB_REF_NAME --json status --jq '.[0]') | |
| if [ "$response" = "failure" ] || [ "$response" = "cancelled" ]; then | |
| echo "CD workflow failed or was cancelled." | |
| exit 1 | |
| fi | |
| echo "CD workflow completed successfully." | |
| - name: Check Keycloak Status | |
| id: check_b_status | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| echo "Checking if Keycloak has ran." | |
| response=$(gh run list --workflow "Build Keycloak" --branch $GITHUB_REF_NAME --json status --jq '.[0]') | |
| if [ "$response" = "failure" ] || [ "$response" = "cancelled" ]; then | |
| echo "Building Keycloak workflow failed or was cancelled." | |
| exit 1 | |
| fi | |
| echo "Building Keycloak workflow status is $response." | |
| terraform: | |
| needs: check-dependencies | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| shell: bash | |
| # this may need to be updated if you change the directory you are working with | |
| # ./terraform/implementation/dev || ./terraform/implementation/prod for example | |
| # this practice is recommended to keep the terraform code organized while reducing the risk of conflicts | |
| working-directory: ./terraform/implementation/ecs | |
| if: needs.check-dependencies.outputs.source_a_status != 'failure' && needs.check-dependencies.outputs.source_b_status != 'failure' | |
| steps: | |
| - name: Check Out Changes | |
| uses: actions/checkout@v4 | |
| - name: Setup Terraform | |
| uses: hashicorp/[email protected] | |
| with: | |
| terraform_version: "1.9.8" | |
| - name: configure aws credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ secrets.AWS_ROLE_ARN }} | |
| aws-region: ${{ secrets.AWS_REGION }} | |
| - name: Terraform | |
| env: | |
| BUCKET: ${{ secrets.TFSTATE_BUCKET }} | |
| DYNAMODB_TABLE: ${{ secrets.TFSTATE_DYNAMODB_TABLE }} | |
| REGION: ${{ vars.region }} | |
| WORKSPACE: ${{ env.workspace }} | |
| UMLS_API_KEY: ${{ secrets.UMLS_API_KEY }} | |
| ERSD_API_KEY: ${{ secrets.ERSD_API_KEY}} | |
| TLS_CERT: ${{ secrets.TLS_CERT}} | |
| TLS_KEY: ${{ secrets.TLS_KEY}} | |
| AUTH_SECRET: ${{ secrets.AUTH_SECRET }} | |
| KEYCLOAK_CLIENT_ID: ${{ secrets.KEYCLOAK_CLIENT_ID }} | |
| KEYCLOAK_CLIENT_SECRET: ${{ secrets.KEYCLOAK_CLIENT_SECRET }} | |
| AUTH_KEYCLOAK_ISSUER: ${{ env.workspace == 'dev' && format('https://{0}/keycloak', secrets.ECS_HOSTNAME) || format('https://{0}.{1}/keycloak', env.workspace, secrets.ECS_HOSTNAME) }} | |
| AUTH_URL: ${{ env.workspace == 'dev' && format('https://{0}', secrets.ECS_HOSTNAME) || format('https://{0}.{1}', env.workspace, secrets.ECS_HOSTNAME) }} | |
| shell: bash | |
| run: | | |
| rm -rf .terraform .terraform.lock.hcl | |
| terraform init \ | |
| -var-file="$WORKSPACE.tfvars" \ | |
| -backend-config "bucket=$BUCKET" \ | |
| -backend-config "dynamodb_table=$DYNAMODB_TABLE" \ | |
| -backend-config "region=$REGION" \ | |
| || (echo "terraform init failed, exiting..." && exit 1) | |
| terraform workspace select "$WORKSPACE" | |
| terraform apply -auto-approve -target=aws_acm_certificate.cloudflare_cert \ | |
| -var-file="$WORKSPACE.tfvars" \ | |
| -var "umls_api_key=${UMLS_API_KEY}" \ | |
| -var "ersd_api_key=${ERSD_API_KEY}" \ | |
| -var "qc_tls_key=${TLS_KEY}" \ | |
| -var "qc_tls_cert=${TLS_CERT}" \ | |
| -var "auth_secret=${AUTH_SECRET}" \ | |
| -var "keycloak_client_id=${KEYCLOAK_CLIENT_ID}" \ | |
| -var "keycloak_client_secret=${KEYCLOAK_CLIENT_SECRET}" \ | |
| -var "auth_keycloak_issuer=${AUTH_KEYCLOAK_ISSUER}" \ | |
| -var "auth_url=${AUTH_URL}" | |
| terraform plan \ | |
| -var-file="$WORKSPACE.tfvars" \ | |
| -var "umls_api_key=${UMLS_API_KEY}" \ | |
| -var "ersd_api_key=${ERSD_API_KEY}" \ | |
| -var "qc_tls_key=${TLS_KEY}" \ | |
| -var "qc_tls_cert=${TLS_CERT}" \ | |
| -var "auth_secret=${AUTH_SECRET}" \ | |
| -var "keycloak_client_id=${KEYCLOAK_CLIENT_ID}" \ | |
| -var "keycloak_client_secret=${KEYCLOAK_CLIENT_SECRET}" \ | |
| -var "auth_keycloak_issuer=${AUTH_KEYCLOAK_ISSUER}" \ | |
| -var "auth_url=${AUTH_URL}" | |
| terraform apply -auto-approve \ | |
| -replace="module.ecs.dockerless_remote_image.dibbs[\"query-connector\"]" \ | |
| -replace="module.ecs.dockerless_remote_image.dibbs[\"keycloak\"]" \ | |
| -var-file="$WORKSPACE.tfvars" \ | |
| -var "umls_api_key=${UMLS_API_KEY}" \ | |
| -var "ersd_api_key=${ERSD_API_KEY}" \ | |
| -var "qc_tls_key=${TLS_KEY}" \ | |
| -var "qc_tls_cert=${TLS_CERT}" \ | |
| -var "auth_secret=${AUTH_SECRET}" \ | |
| -var "keycloak_client_id=${KEYCLOAK_CLIENT_ID}" \ | |
| -var "keycloak_client_secret=${KEYCLOAK_CLIENT_SECRET}" \ | |
| -var "auth_keycloak_issuer=${AUTH_KEYCLOAK_ISSUER}" \ | |
| -var "auth_url=${AUTH_URL}" |