Merge pull request #4 from arvatoaws-labs/cr/new-pipeline-aspects

New pipeline aspects

Author: Marta-Panfilova-ASL

.github/workflows/githubaction-comment-apply.yml

@@ -9,8 +9,9 @@ on:
         required: true
         type: string
       terraform_version:
-        required: true
+        required: false
         type: string
+        default: latest
       roleArn:
         required: true
         type: string
@@ -20,15 +21,16 @@ on:
       github_event_number:
         required: true
         type: string
-      github_event_issue_url:
-        required: true
-        type: string
       github_event_issue_comments_url:
         required: true
         type: string
       github_event_repository_url:
         required: true
         type: string
+      stack:
+        required: false
+        type: string
+        default: "."
 
 
 jobs:
@@ -81,6 +83,8 @@ jobs:
       uses: actions/checkout@v4
       with:
         ref: refs/pull/${{ inputs.github_event_number }}/merge
+    - run: echo "REPOSITORY_NAME=${GITHUB_REPOSITORY#*/}" >> $GITHUB_ENV
+      shell: bash
 
     # Install the latest version of Terraform CLI
     - name: Setup Terraform
@@ -90,38 +94,63 @@ jobs:
 
     # Initialize Terraform
     - name: Terraform Init
-      run: terraform init -upgrade
+      run: |
+        cd ${{ inputs.stack }}
+        terraform init -upgrade
 
-    # Checks that all Terraform configuration files adhere to a canonical format
-    - name: Terraform Format LandingZone
-      run: terraform fmt -check
+    # Terraform Validation Steps
+    - name: terraform validate ${{ inputs.stack }}
+      uses: dflook/terraform-validate@v1
+      with:
+        path: ${{ inputs.stack }}
+      env:
+        TERRAFORM_HTTP_CREDENTIALS: |
+          github.com/arvatoaws=oauth:${{ steps.generate-token.outputs.token }}
+        GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+        TERRAFORM_ACTIONS_GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+        GITHUB_APP_ID: ${{ secrets.TERRAFORM_GITHUB_ACTION_APP_ID }}
+        GITHUB_APP_PEM_FILE: ${{ secrets.TERRAFORM_GITHUB_ACTION_PRIVATE_KEY }}
+    - name: terraform fmt ${{ inputs.stack }}
+      uses: dflook/terraform-fmt-check@v1
+      with:
+        path: ${{ inputs.stack }}
+      env:
+        TERRAFORM_HTTP_CREDENTIALS: |
+          github.com/arvatoaws=oauth:${{ steps.generate-token.outputs.token }}
+        GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+        TERRAFORM_ACTIONS_GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+        GITHUB_APP_ID: ${{ secrets.TERRAFORM_GITHUB_ACTION_APP_ID }}
+        GITHUB_APP_PEM_FILE: ${{ secrets.TERRAFORM_GITHUB_ACTION_PRIVATE_KEY }}
 
     # Download the plan from S3
     - name: Download Plan from S3
       run: |
-        aws s3 cp s3://${{ inputs.s3bucketName }}/plans/tfplan ./tfplan
+        cd ${{ inputs.stack }}
+        aws s3 cp s3://${{ inputs.s3bucketName }}/plans/${{ github.repository }}/${{ inputs.stack }}/${{ inputs.github_event_number }}/tfplan ./tfplan
 
     # Build or change infrastructure according to Terraform configuration files
     - name: Terraform Apply
       id: apply
       continue-on-error: true
       run: |
+        cd ${{ inputs.stack }}
         terraform apply -input=false -no-color tfplan
     # Upload the plan to S3
     - name: Upload Plan to S3
       run: |
-        aws s3 cp ./tfplan s3://${{ inputs.s3bucketName }}/plans/
+        cd ${{ inputs.stack }}
+        aws s3 cp ./tfplan s3://${{ inputs.s3bucketName }}/plans/${{ github.repository }}/${{ inputs.stack }}/${{ inputs.github_event_number }}/
 
     # CONCLUDE
     # If the apply was successful, post a comment with the applied output
     - name: Post Plan and Apply to GitHub PR
       if: steps.apply.outcome == 'success'
       env:
         URL: ${{ inputs.github_event_issue_comments_url }}
-        LABEL: ${{ inputs.github_event_issue_url }}
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |
-        (printf "Mode1 Apply\n\n\`\`\`" && echo -n '${{ steps.apply.outputs.stdout }}' && printf "\`\`\`\n\n") > comment.txt
+        cd ${{ inputs.stack }}
+        (printf "Terraform Apply\n\n\`\`\`" && echo -n '${{ steps.apply.outputs.stdout }}' && printf "\`\`\`\n\n") > comment.txt
         jq -R -s '.' < comment.txt > comment2.txt
         truncate -s -1 comment2.txt
         (echo -n '{ "body": ' && cat comment2.txt && echo -n ' }') > comment3.txt
@@ -133,7 +162,7 @@ jobs:
           -d @comment3.txt
         curl \
           -X POST \
-          $LABEL/labels \
+          https://api.github.com/repos/${{ github.repository }}/issues/${{ inputs.github_event_number }}/labels \
           -H "Content-Type: application/json" \
           -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
           -d '["applied"]'
@@ -145,6 +174,7 @@ jobs:
         URL: ${{ inputs.github_event_repository_url }}/pulls/${{ inputs.github_event_number }}/merge
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |
+        cd ${{ inputs.stack }}
         curl \
         -X PUT \
         $URL \
@@ -155,7 +185,8 @@ jobs:
     # remove the organization plan from S3 whether successful or not
     - name: Delete Plan from S3
       run: |
-        aws s3 rm s3://${{ inputs.s3bucketName }}/plans/tfplan
+        cd ${{ inputs.stack }}
+        aws s3 rm --recursive s3://${{ inputs.s3bucketName }}/plans/${{ github.repository }}/${{ inputs.stack }}/${{ inputs.github_event_number }}
 
     # If the apply failed, post the errors
     - name: Post Organization Apply Failure
@@ -164,7 +195,8 @@ jobs:
         URL: ${{ inputs.github_event_issue_comments_url }}
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |
-        (printf "Apply failed for Mode1:\n\nMode1\n\n\`\`\`" && echo -n '${{ steps.apply.outputs.stderr }}' && printf "\`\`\`\n\n") > comment.txt
+        cd ${{ inputs.stack }}
+        (printf "Apply failed for:\n\n\`\`\`" && echo -n '${{ steps.apply.outputs.stderr }}' && printf "\`\`\`\n\n") > comment.txt
         jq -R -s '.' < comment.txt > comment2.txt
         truncate -s -1 comment2.txt
         (echo -n '{ "body": ' && cat comment2.txt && echo -n ' }') > comment3.txt

.github/workflows/githubaction-comment-plan.yml

@@ -9,8 +9,9 @@ on:
         required: true
         type: string
       terraform_version:
-        required: true
+        required: false
         type: string
+        default: latest
       roleArn:
         required: true
         type: string
@@ -20,13 +21,13 @@ on:
       github_event_number:
         required: true
         type: string
-      github_event_issue_url:
-        required: true
-        type: string
       github_event_issue_comments_url:
         required: true
         type: string
-
+      stack:
+        required: false
+        type: string
+        default: "."
 
 jobs:
   terraform:
@@ -44,6 +45,9 @@ jobs:
         shell: bash
 
     steps:
+    - name: Get PR number
+      run: echo ${{ inputs.github_event_number }}
+      
     # Expose and capture the job ID of the current job
     - uses: ReeganExE/[email protected]
     - name: Job ID output
@@ -78,6 +82,8 @@ jobs:
       uses: actions/checkout@v4
       with:
         ref: refs/pull/${{ inputs.github_event_number }}/merge
+    - run: echo "REPOSITORY_NAME=${GITHUB_REPOSITORY#*/}" >> $GITHUB_ENV
+      shell: bash
 
     # Install the latest version of Terraform CLI
     - name: Setup Terraform
@@ -86,18 +92,41 @@ jobs:
         terraform_version: ${{ inputs.terraform_version }}
 
     # Initialize Terraform
-    - name: Terraform Init
-      run: terraform init -upgrade
+    - name: Terraform Init ${{ inputs.stack }}
+      run: |
+        cd ${{ inputs.stack }}
+        terraform init -upgrade
 
-    # Check that all Terraform configuration files adhere to a canonical format
-    - name: Terraform Format
-      run: terraform fmt -check -diff -recursive
+    # Terraform Validation Steps
+    - name: terraform validate ${{ inputs.stack }}
+      uses: dflook/terraform-validate@v1
+      with:
+        path: ${{ inputs.stack }}
+      env:
+        TERRAFORM_HTTP_CREDENTIALS: |
+          github.com/arvatoaws=oauth:${{ steps.generate-token.outputs.token }}
+        GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+        TERRAFORM_ACTIONS_GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+        GITHUB_APP_ID: ${{ secrets.TERRAFORM_GITHUB_ACTION_APP_ID }}
+        GITHUB_APP_PEM_FILE: ${{ secrets.TERRAFORM_GITHUB_ACTION_PRIVATE_KEY }}
+    - name: terraform fmt ${{ inputs.stack }}
+      uses: dflook/terraform-fmt-check@v1
+      with:
+        path: ${{ inputs.stack }}
+      env:
+        TERRAFORM_HTTP_CREDENTIALS: |
+          github.com/arvatoaws=oauth:${{ steps.generate-token.outputs.token }}
+        GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+        TERRAFORM_ACTIONS_GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+        GITHUB_APP_ID: ${{ secrets.TERRAFORM_GITHUB_ACTION_APP_ID }}
+        GITHUB_APP_PEM_FILE: ${{ secrets.TERRAFORM_GITHUB_ACTION_PRIVATE_KEY }}
 
     # Generate terraform plan
-    - name: Terraform Plan
+    - name: Terraform Plan ${{ inputs.stack }}
       id: tfplan
       continue-on-error: true
       run: |
+        cd ${{ inputs.stack }}
         # Bash script to build terraform plan command dynamically
         COMMAND="terraform plan -input=false -no-color -out=tfplan"
         SECRETS_JSON='${{ toJson(secrets) }}'
@@ -115,19 +144,21 @@ jobs:
         eval $COMMAND && terraform show -no-color tfplan | sed 's/\x27/ /g' | sed -E 's/^([[:space:]]+)([-+])/\2\1/g' > plan.txt
 
     # Upload the plan to S3
-    - name: Upload Plan to S3
+    - name: Upload ${{ inputs.stack }} Plan to S3
       run: |
-        aws s3 cp ./tfplan s3://${{ inputs.s3bucketName }}/plans/
+        cd ${{ inputs.stack }}
+        aws s3 cp ./tfplan s3://${{ inputs.s3bucketName }}/plans/${{ github.repository }}/${{ inputs.stack }}/${{ inputs.github_event_number }}/
 
     # CONCLUDE
     # Post a comment with the plan outputs and add the 'planned' label
     - name: Post Plan to GitHub PR
       env:
         COMMENT: ${{ inputs.github_event_issue_comments_url }}
-        LABEL: ${{ inputs.github_event_issue_url }}
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |
-        (printf "Mode1 Plan\n\n\`\`\`diff" && sed '/^::/d' plan.txt) > comment.txt
+        set -x
+        cd ${{ inputs.stack }}
+        (printf "Terraform Plan\n\n\`\`\`diff" && sed '/^::/d' plan.txt) > comment.txt
         jq -R -s '.' < comment.txt > comment2.txt
         truncate -s -1 comment2.txt
         (echo -n '{ "body": ' && cat comment2.txt && echo -n ' }') > comment3.txt
@@ -139,7 +170,7 @@ jobs:
           -d @comment3.txt
         curl \
           -X POST \
-          $LABEL/labels \
+          https://api.github.com/repos/${{ github.repository }}/issues/${{ inputs.github_event_number }}/labels \
           -H "Content-Type: application/json" \
           -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
           -d '["planned"]'

.github/workflows/githubaction-mergeblock.yml

@@ -0,0 +1,24 @@
+name: 'BlockMerge'
+
+on:
+  pull_request:
+  workflow_call:
+
+jobs:
+  terraform:
+    name: 'Block Merge'
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: write
+    environment:
+      name: production
+    defaults:
+      run:
+        shell: bash
+    steps:
+    - name: Block Merge
+      run: |
+        echo "Merge is still blocked, please review the PR comments. Plan & apply has to happen first. If they have, some issue in plan or apply must have occurred and needs to be fixed first."
+        exit 1