Skip to content

build

build #1028

Workflow file for this run

# build - github workflow
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
# https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions
name: build
# name of GitHub event that triggers workflow
# https://help.github.com/en/actions/reference/events-that-trigger-workflows#watch-event-watch
on:
# trigger via webhook
# https://github.com/adamrushuk/devops-lab/blob/master/TriggerCustomAction.ps1#L28
repository_dispatch:
types: [build]
# enable manual workflow
# https://docs.github.com/en/actions/configuring-and-managing-workflows/configuring-a-workflow#manually-running-a-workflow
workflow_dispatch:
inputs: {}
# permissions for oidc login
# https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
# global environment variables
# https://help.github.com/en/actions/configuring-and-managing-workflows/using-environment-variables
env:
# prefix: used for some globally unique name requirements
PREFIX: arshz
# debug
CI_DEBUG: true
# azure creds (used with OIDC auth)
ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
# other
# prod or staging.
# "" disables cert-manager annotations (use if you already have an existing TLS secret)
CERT_API_ENVIRONMENT: ""
DNS_RG_NAME: rg-dns
EMAIL_ADDRESS: [email protected]
ENABLE_TLS_INGRESS: true
FORCE_TEST_FAIL: false
K8S_TLS_SECRET_NAME: tls-secret
KEY_VAULT_CERT_NAME: wildcard-thehypepipe-co-uk
KEY_VAULT_NAME: kv-rush-aqy2
KEY_VAULT_RESOURCE_GROUP_NAME: rg-keyvault-acmebot
# NOTE: "eastus" is cheaper than "uksouth"
LOCATION: eastus
NEXUS_USER_USERNAME: demo_user
ROOT_DOMAIN_NAME: thehypepipe.co.uk
# STORAGE_KEY: 'env var set by Get-StorageKey.ps1'
VELERO_ENABLED: true
WEAVE_SCOPE_ENABLED: false
# terraform
TF_IN_AUTOMATION: "true"
TF_INPUT: "false"
# https://developer.hashicorp.com/terraform/internals/debugging
TF_LOG: "ERROR" # TRACE, DEBUG, INFO, WARN or ERROR
TF_PLAN: "tfplan"
# https://github.com/hashicorp/terraform/releases
TF_VERSION: "1.7.3"
TF_WORKING_DIR: ./terraform-vf
# azurerm provider oidc
# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_oidc
# https://developer.hashicorp.com/terraform/language/settings/backends/azurerm#oidc_request_token
ARM_USE_OIDC: "true"
# Env var concatenation is currently not supported at Workflow or Job scope. See workaround below:
# https://github.community/t5/GitHub-Actions/How-can-we-concatenate-multiple-env-vars-at-workflow-and-job/td-p/48489
jobs:
build-and-deploy:
# always pin versions
# view installed software: https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources
# https://github.com/actions/runner-images?tab=readme-ov-file#available-images
runs-on: ubuntu-22.04
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idenvironment
environment:
name: dev
url: "https://argocd.${{ env.ROOT_DOMAIN_NAME }}"
# only run if owner triggered action
if: github.actor == github.event.repository.owner.login
steps:
# Checkout
# https://github.com/marketplace/actions/checkout
- uses: actions/checkout@v4
# specify different branch
# NOT required as I've changed the default branch to develop
# with:
# ref: develop
# Init tasks - inc Env var concatenation
# https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#environment-files
- name: Init tasks - inc Env var concatenation (Workaround)
run: |
chmod -R +x ./scripts/
echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" >> $GITHUB_ENV
echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" >> $GITHUB_ENV
echo "ARGOCD_FQDN=argocd.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV
echo "DNS_DOMAIN_NAME=nexus.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV
echo "DOCKER_FQDN=docker.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV
echo "TERRAFORM_STORAGE_ACCOUNT=${{ env.PREFIX }}sttfstate${{ env.LOCATION }}001" >> $GITHUB_ENV
echo "TERRAFORM_STORAGE_CONTAINER=terraform" >> $GITHUB_ENV
echo "TERRAFORM_STORAGE_RG=${{ env.PREFIX }}-rg-tfstate-dev-001" >> $GITHUB_ENV
echo "VELERO_STORAGE_ACCOUNT=${{ env.PREFIX }}stbckuksouth001" >> $GITHUB_ENV
# Login
# https://github.com/Azure/login
- name: Login via OIDC to Azure Public Cloud (az cli and az powershell)
uses: azure/login@v1
with:
client-id: ${{ secrets.ARM_CLIENT_ID }}
tenant-id: ${{ secrets.ARM_TENANT_ID }}
subscription-id: ${{ secrets.ARM_SUBSCRIPTION_ID }}
enable-AzPSSession: true
# Prereqs
- name: Create Storage Account for Terraform state
run: ./scripts/storage_create.sh
- name: Replace tokens in Terraform config files
run: pwsh -command "./scripts/Replace-Tokens.ps1"
env:
ARGOCD_ADMIN_PASSWORD: ${{ secrets.ARGOCD_ADMIN_PASSWORD }}
HELM_CHART_REPO_DEPLOY_PRIVATE_KEY: ${{ secrets.HELM_CHART_REPO_DEPLOY_PRIVATE_KEY }}
IFTTT_WEBHOOK_KEY: ${{ secrets.IFTTT_WEBHOOK_KEY }}
# Terraform
# https://github.com/hashicorp/setup-terraform
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{ env.TF_VERSION }}
- name: Terraform Init / Validate
run: |
echo 'Running terraform init...'
terraform init \
-backend-config="resource_group_name=$TERRAFORM_STORAGE_RG" \
-backend-config="storage_account_name=$TERRAFORM_STORAGE_ACCOUNT"
# validate
echo 'Running terraform validate...'
terraform validate
working-directory: ${{ env.TF_WORKING_DIR }}
# https://github.com/aquasecurity/tfsec-action
- name: Run tfsec security scan
uses: aquasecurity/[email protected]
with:
working_directory: ${{ env.TF_WORKING_DIR }}
soft_fail: true
# https://github.com/bridgecrewio/checkov-action
- name: Run Checkov security scan
id: checkov
uses: bridgecrewio/checkov-action@master
with:
directory: ${{ env.TF_WORKING_DIR }}
# check: CKV_AWS_1 # optional: run only a specific check_id. can be comma separated list
# optional: skip a specific check_id. can be comma separated list
skip_check: CKV2_AZURE_1,CKV_AZURE_4,CKV_AZURE_6,CKV2_AZURE_8,CKV2_AZURE_21,CKV_AZURE_33,CKV_AZURE_35,CKV_AZURE_117,CKV_AZURE_141
quiet: true # optional: display only failed checks
soft_fail: true # optional: do not return an error code if there are failed checks
framework: terraform # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all}
output_format: sarif # optional: the output format, one of: cli, json, junitxml, github_failed_only, or sarif. Default: sarif
download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry
# log_level: DEBUG # optional: set log level. Default WARNING
# config_file: path/this_file
- name: 👀 Terraform Plan
id: plan
run: terraform plan -out=${{ env.TF_PLAN }}
working-directory: ${{ env.TF_WORKING_DIR }}
- name: 🚀 Terraform Apply
run: ./scripts/terraform_apply.sh
# only apply if changes are present
# https://www.terraform.io/docs/commands/plan.html#detailed-exitcode
# if: steps.plan.outputs.exitcode == 2
env:
TF_PLAN: ${{ env.TF_PLAN }}
# Notify
- name: Notify slack
continue-on-error: true
env:
SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
run: ./scripts/send_slack_message.sh "[devops-lab] Build complete"