chore: Merge pull request #2 from rcwbr/1-define-initial-opentofu-module

1 define initial opentofu module
rcwbr · Oct 8, 2024 · b987750 · b987750
2 parents d3b7d0f + b6f4a89
commit b987750
Show file tree

Hide file tree

Showing 14 changed files with 586 additions and 1 deletion.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @rcwbr
diff --git a/.github/settings.yml b/.github/settings.yml
@@ -0,0 +1,47 @@
+repository:
+  name: gha-gcp-opentofu
+  description: State bucket and access resources for managing OpenTofu IaC via GitHub Actions
+  default_branch: main
+
+  # Prevent strategies other than basic merge, as they interfere with conventional changelog version inference
+  allow_squash_merge: false
+  allow_rebase_merge: false
+  # Instead, merge by merge commit
+  allow_merge_commit: true
+  # Clean up branches when PRs merge
+  delete_branch_on_merge: true
+
+rulesets:
+  - name: Tags rules
+    target: tags
+    enforcement: active
+    conditions:
+      ref_name:
+        include:
+          - "*"
+        exclude: []
+    rules:
+      - type: creation
+      - type: deletion
+      - type: update
+
+branches:
+  - name: main
+    protection:
+      required_pull_request_reviews:
+        required_approving_review_count: 1
+        dismiss_stale_reviews: true
+        require_code_owner_reviews: true
+        bypass_pull_request_allowances:
+          users: [rcwbr]
+      required_linear_history: true
+      required_conversation_resolution: true
+      required_status_checks:
+        strict: true
+        checks:
+          # Require a passing check from GitHub Actions
+          - context: "GitHub Actions"
+            id: 15368
+      enforce_admins: true
+
+collaborators: [] # No collaborators defined
diff --git a/.github/workflows/push-workflow.yaml b/.github/workflows/push-workflow.yaml
@@ -0,0 +1,84 @@
+name: Push workflow
+on: [push]
+
+env:
+  tofu_version: 1.8.2
+  tg_version: 0.67.10
+  working_dir: .infra/gcp-gha-gcp-opentofu
+
+jobs:
+  check-hcl:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/[email protected]
+      - name: Check terragrunt HCL
+        uses: gruntwork-io/[email protected]
+        with:
+          tofu_version: ${{ env.tofu_version }}
+          tg_version: ${{ env.tg_version }}
+          tg_dir: .
+          tg_command: 'hclfmt --terragrunt-check --terragrunt-diff'
+
+  check-tf:
+    runs-on: ubuntu-24.04
+    container:
+      image: ghcr.io/opentofu/opentofu:1.8.2
+    steps:
+      - name: Checkout
+        uses: actions/[email protected]
+      - name: Check OpenTofu .TF
+        run: tofu fmt -diff -check
+
+  plan:
+    runs-on: ubuntu-24.04
+    needs: [ check-hcl, check-tf ]
+    permissions:
+      id-token: 'write' # Needed for the google-github-actions/auth step
+    steps:
+      - name: Checkout
+        uses: actions/[email protected]
+      - id: auth
+        name: GCP auth
+        uses: google-github-actions/[email protected]
+        with:
+          export_environment_variables: false
+          create_credentials_file: false
+          token_format: access_token
+          workload_identity_provider: projects/918666231212/locations/global/workloadIdentityPools/github-actions/providers/github-actions
+          service_account: [email protected]
+      - name: Terragrunt plan
+        uses: gruntwork-io/[email protected]
+        with:
+          tofu_version: ${{ env.tofu_version }}
+          tg_version: ${{ env.tg_version }}
+          tg_dir: ${{ env.working_dir }}
+          tg_command: plan
+        env:
+          GOOGLE_OAUTH_ACCESS_TOKEN: ${{ steps.auth.outputs.access_token }}
+
+  apply:
+    runs-on: ubuntu-24.04
+    if: github.ref == 'refs/heads/main'
+    needs: [ plan ]
+    permissions:
+      id-token: 'write' # Needed for the google-github-actions/auth step
+    steps:
+      - name: Checkout
+        uses: actions/[email protected]
+      - id: auth
+        name: GCP auth
+        uses: google-github-actions/[email protected]
+        with:
+          export_environment_variables: false
+          create_credentials_file: false
+          token_format: access_token
+          workload_identity_provider: projects/918666231212/locations/global/workloadIdentityPools/github-actions/providers/github-actions
+          service_account: [email protected]
+      - name: Apply
+        uses: gruntwork-io/[email protected]
+        with:
+          tofu_version: ${{ env.tofu_version }}
+          tg_version: ${{ env.tg_version }}
+          tg_dir: ${{ env.working_dir }}
+          tg_command: 'apply'
diff --git a/.infra/.gitignore b/.infra/.gitignore
@@ -0,0 +1 @@
+backend.tf
diff --git a/.infra/gcp-gha-gcp-opentofu/.gitignore b/.infra/gcp-gha-gcp-opentofu/.gitignore
@@ -0,0 +1,4 @@
+.terraform
+.terraform.lock.hcl
+.terragrunt-cache
+provider.tf
diff --git a/.infra/gcp-gha-gcp-opentofu/terragrunt.hcl b/.infra/gcp-gha-gcp-opentofu/terragrunt.hcl
@@ -0,0 +1,29 @@
+include {
+  path = find_in_parent_folders()
+}
+
+locals {
+  gcp_project = read_terragrunt_config(find_in_parent_folders("terragrunt.hcl")).locals.gcp_project
+  gcp_region  = lower(read_terragrunt_config(find_in_parent_folders("terragrunt.hcl")).locals.gcp_region)
+}
+
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+provider "google" {
+  project       = "${local.gcp_project}"
+  region        = "${local.gcp_region}"
+  // Token comes from GOOGLE_OAUTH_ACCESS_TOKEN env var
+}
+EOF
+}
+
+terraform {
+  source = "../../" // Path to the repository root
+}
+
+inputs = {
+  gcp_project = local.gcp_project
+  gcp_region  = local.gcp_region
+}
diff --git a/.infra/terragrunt.hcl b/.infra/terragrunt.hcl
@@ -0,0 +1,26 @@
+locals {
+  state_bucket_name = "rcwbr-gha-gcp-opentofu-7-opentofu-state"
+  gcp_project       = "gha-gcp-opentofu-7"
+  gcp_region        = "US-WEST1"
+  github_repo       = "rcwbr/gha-gcp-opentofu"
+}
+
+remote_state {
+  backend = "gcs"
+  generate = {
+    path      = "backend.tf"
+    if_exists = "overwrite_terragrunt"
+  }
+  config = {
+    bucket       = local.state_bucket_name
+    prefix       = "${path_relative_to_include()}"
+    project      = local.gcp_project
+    location     = local.gcp_region
+    access_token = get_env("GOOGLE_OAUTH_ACCESS_TOKEN", "")
+  }
+}
+
+inputs = {
+  github_repo       = local.github_repo
+  state_bucket_name = local.state_bucket_name
+}
diff --git a/LICENSE b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Eric Weber
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.