From 33e8bd619aafe7deee0c4f0c126f4a3136a39429 Mon Sep 17 00:00:00 2001 From: "T.J. Corrigan" Date: Wed, 24 Aug 2022 18:01:27 +0000 Subject: [PATCH 1/3] add improved terraform and bicep workflows --- .github/workflows/IAC-bicep-unit-tests.yml | 55 +++++++ .../workflows/IAC-bicep-whatif-deploy.yaml | 142 ++++++++++++++++ .github/workflows/IAC-terraform-drift-detect | 121 ++++++++++++++ .../workflows/IAC-terraform-plan-apply.yml | 155 ++++++++++++++++++ .../workflows/IAC-terraform-unit-tests.yml | 36 ++++ IaC/bicep/actions.md | 42 +++++ IaC/terraform/actions.md | 46 ++++++ 7 files changed, 597 insertions(+) create mode 100644 .github/workflows/IAC-bicep-unit-tests.yml create mode 100644 .github/workflows/IAC-bicep-whatif-deploy.yaml create mode 100644 .github/workflows/IAC-terraform-drift-detect create mode 100644 .github/workflows/IAC-terraform-plan-apply.yml create mode 100644 .github/workflows/IAC-terraform-unit-tests.yml create mode 100644 IaC/bicep/actions.md create mode 100644 IaC/terraform/actions.md diff --git a/.github/workflows/IAC-bicep-unit-tests.yml b/.github/workflows/IAC-bicep-unit-tests.yml new file mode 100644 index 00000000..84527a59 --- /dev/null +++ b/.github/workflows/IAC-bicep-unit-tests.yml 
@@ -0,0 +1,55 @@ +name: 'Bicep Unit Tests' + +# Uncomment the trigger conditions below to enable this workflow +on: + push: + +# Set the default working directory to point at the bicep folder +defaults: + run: + working-directory: IAC/bicep + +env: + LOCATION: "eastus" + +# Special permissions required for OIDC authentication +permissions: + id-token: write + contents: read + +jobs: + bicep-unit-tests: + name: 'Bicep Unit Tests' + runs-on: ubuntu-latest + # Bicep What-if / Validate functions also check if your role has permisisons to create the resources + # The account here actually needs to have read/write permisisons. + environment: production + + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout + uses: actions/checkout@v2 + + # Authenticate to Az CLI using OIDC + - name: 'Az CLI login' + uses: azure/login@v1 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Checks that all Bicep configuration files adhere to a canonical format + - name: Bicep Lint + uses: Azure/cli@v1 + with: + inlineScript: az bicep build --file main.bicep + + # Validate whether a template is valid at subscription scope + - name: Bicep Validate + uses: Azure/cli@v1 + with: + inlineScript: | + az deployment sub validate \ + --name validate-${{ github.run_id }} \ + --template-file main.bicep \ + --location $LOCATION \ No newline at end of file diff --git a/.github/workflows/IAC-bicep-whatif-deploy.yaml b/.github/workflows/IAC-bicep-whatif-deploy.yaml new file mode 100644 index 00000000..2b768af7 --- /dev/null +++ b/.github/workflows/IAC-bicep-whatif-deploy.yaml 
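Review bot: Every step that touches `main.bicep` here is a `uses: Azure/cli@v1` step with an `inlineScript`, and `defaults.run.working-directory` applies only to `run` steps, so `az bicep build --file main.bicep` and `--template-file main.bicep` resolve against the workspace root rather than `IAC/bicep`; either prefix each script with `cd IAC/bicep && ` or reference the file by path, `--file IAC/bicep/main.bicep`. The directory casing also looks inconsistent with the same patch's `IaC/bicep/actions.md` path, which on a case-sensitive ubuntu-latest runner matters; confirm which spelling the repository uses (the terraform workflows have the same `IAC/terraform` vs `IaC/terraform` question). The "Bicep Lint" comment overstates the step: `az bicep build` compiles one file and surfaces syntax and semantic errors, it is not a format check across all Bicep files, so `# Compile main.bicep to ARM JSON to surface syntax and semantic errors` describes it accurately. Actions are referenced by mutable tags (`actions/checkout@v2`, `azure/login@v1`, `Azure/cli@v1`) here and in the other four workflow files; pinning each `uses:` to a full commit SHA, with the tag in a trailing comment, keeps a retagged action from running under the production OIDC identity.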
@@ -0,0 +1,142 @@ +name: 'Bicep Whatif / Deploy' + +# Uncomment the trigger conditions below to enable this workflow +# on: +# push: +# branches: +# - main +# pull_request: +# branches: +# - main + +# Set the default working directory to point at the bicep folder +defaults: + run: + working-directory: IAC/bicep + +# Special permissions required for OIDC authentication +permissions: + id-token: write + contents: read + pull-requests: write + +env: + LOCATION: "eastus" + +jobs: + bicep-whatif: + name: 'Bicep Whatif' + runs-on: ubuntu-latest + environment: production + + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout + uses: actions/checkout@v2 + + # Authenticate to Az CLI using OIDC + - name: 'Az CLI login' + uses: azure/login@v1 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Checks that all Bicep configuration files adhere to a canonical format + - name: Bicep Lint + uses: Azure/cli@v1 + with: + inlineScript: az bicep build --file main.bicep + + # Validate whether a template is valid at subscription scope + - name: Bicep Validate + uses: Azure/cli@v1 + with: + inlineScript: | + az deployment sub validate \ + --name validate-${{ github.run_id }} \ + --template-file main.bicep \ + --location $LOCATION + + # Preview changes + - name: "What-If" + uses: Azure/cli@v1 + with: + inlineScript: | + az deployment sub what-if \ + --name whatif-${{ github.run_id }} \ + --template-file main.bicep \ + --location $LOCATION > whatif + + # Create string output of Whatif + - name: Create String Output + id: whatif-string + run: | + WHATIF=$(cat whatif) + echo "## Whatif Output" >> whatif.string + echo "
Click to expand" >> whatif.string + echo "" >> whatif.string + echo '```' >> whatif.string + echo "$WHATIF" >> whatif.string + echo '```' >> whatif.string + echo "
" >> whatif.string + + SUMMARY=$(cat whatif.string) + SUMMARY="${SUMMARY//'%'/'%25'}" + SUMMARY="${SUMMARY//$'\n'/'%0A'}" + SUMMARY="${SUMMARY//$'\r'/'%0D'}" + + echo "::set-output name=summary::$SUMMARY" + + # Publish What-If output as a task summary + - name: Publish Whatif to Task Summary + run: | + cat whatif.string >> $GITHUB_STEP_SUMMARY + + # If this is a PR post the changes + - name: Push Whatif Output to PR + if: github.ref != 'refs/heads/main' + uses: actions/github-script@v2 + env: + SUMMARY: "${{ steps.whatif-string.outputs.summary }}" + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const body = `${process.env.SUMMARY}`; + github.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: body + }) + + bicep-deploy: + name: 'Bicep Deploy' + if: github.ref == 'refs/heads/main' + runs-on: ubuntu-latest + environment: production-approval + needs: [bicep-whatif] + + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout + uses: actions/checkout@v2 + + # Authenticate to Az CLI using OIDC + - name: 'Az CLI login' + uses: azure/login@v1 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Deploy + - name: "Bicep Deployment" + uses: Azure/cli@v1 + with: + inlineScript: | + az deployment sub create \ + --name deploy-${{ github.run_id }} \ + --template-file main.bicep \ + --location $LOCATION + \ No newline at end of file diff --git a/.github/workflows/IAC-terraform-drift-detect b/.github/workflows/IAC-terraform-drift-detect new file mode 100644 index 00000000..318999e9 --- /dev/null +++ b/.github/workflows/IAC-terraform-drift-detect 
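Review bot: The `bicep-whatif` job runs on every pull request under `environment: production`, and the unit-test workflow's comment says that identity needs read/write permissions, so any workflow edit on a PR branch runs with a write-capable production credential before the `production-approval` gate is reached. Either give what-if/validate their own read-only identity, as the terraform workflows do with `production-readonly`, or state in `actions.md` that the `production` environment needs a branch protection rule and required reviewers as well; the `if: github.ref != 'refs/heads/main'` guard on the comment step only avoids a missing `context.issue.number` on the main push and does not limit credential use. Separately, `defaults.run.working-directory` does not apply to the `Azure/cli` `uses` steps, so `--template-file main.bicep` resolves against the workspace root and the `> whatif` redirect is presumably written there too, while the `run` step's `cat whatif` executes under `IAC/bicep`; writing and reading an explicit path such as `$GITHUB_WORKSPACE/whatif` removes the mismatch. The bicep-deploy job re-checks out and deploys from `main.bicep` directly, which is fine here because what-if has no artifact to carry forward, but a comment saying so, `# Deploys main.bicep from the pushed commit; what-if above is informational only`, would prevent someone assuming the reviewed preview is what gets applied.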
@@ -0,0 +1,121 @@ +name: 'Terraform Drift Dectection' + +# Uncomment the trigger conditions below to enable this workflow +# on: +# schedule: +# # runs nightly at 4:23 am UTC +# - cron: '23 4 * * *' + +# Set the default working directory to point at the terraform folder +defaults: + run: + working-directory: IAC/terraform + +#Special permissions required for OIDC authentication +permissions: + id-token: write + contents: read + issues: write + +# These environment variables are used by the terraform azure provider to setup OIDD authenticate. +env: + ARM_CLIENT_ID: "${{ secrets.AZURE_CLIENT_ID }}" + ARM_SUBSCRIPTION_ID: "${{ secrets.AZURE_SUBSCRIPTION_ID }}" + ARM_TENANT_ID: "${{ secrets.AZURE_TENANT_ID }}" + +jobs: + terraform-plan: + name: 'Terraform Plan' + runs-on: ubuntu-latest + environment: production-readonly + env: + # This is needed since we are running terraform with read-only permissions + ARM_SKIP_PROVIDER_REGISTRATION: true + outputs: + tfplanExitCode: ${{ steps.tf-plan.outputs.exitcode }} + + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout + uses: actions/checkout@v2 + + # Install the latest version of the Terraform CLI + - name: Setup Terraform + uses: hashicorp/setup-terraform@v1 + with: + terraform_wrapper: false + + # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. + - name: Terraform Init + run: terraform init + + # Generates an execution plan for Terraform + # An exit code of 0 indicated no changes, 1 a terraform failure, 2 there are pending changes. + - name: Terraform Plan + id: tf-plan + run: | + export exitcode=0 + terraform plan -detailed-exitcode -no-color -out tfplan || export exitcode=$? + + echo "::set-output name=exitcode::$exitcode" + + if [ $exitcode -eq 1 ]; then + echo Terraform Plan Failed! 
+ exit 1 + else + exit 0 + fi + + # Save plan to artifacts + - name: Publish Terraform Plan + uses: actions/upload-artifact@v2 + with: + name: tfplan + path: tfplan + + # Create string output of Terraform Plan + - name: Create String Output + id: tf-plan-string + run: | + TERRAFORM_PLAN=$(terraform show -no-color tfplan) + echo "## Terraform Plan Output" >> tf.string + echo "
Click to expand" >> tf.string + echo "" >> tf.string + echo '```terraform' >> tf.string + echo "$TERRAFORM_PLAN" >> tf.string + echo '```' >> tf.string + echo "
" >> tf.string + + SUMMARY=$(cat tf.string) + SUMMARY="${SUMMARY//'%'/'%25'}" + SUMMARY="${SUMMARY//$'\n'/'%0A'}" + SUMMARY="${SUMMARY//$'\r'/'%0D'}" + + echo "::set-output name=summary::$SUMMARY" + + # Publish Terraform Plan as task summary + - name: Publish Terraform Plan to Task Summary + run: | + cat tf.string >> $GITHUB_STEP_SUMMARY + + # If changes are detected, create a new issue + - name: Publish Drift Report + if: steps.tf-plan.outputs.exitcode == 2 + uses: actions/github-script@v2 + env: + SUMMARY: "${{ steps.tf-plan-string.outputs.summary }}" + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const body = `${process.env.SUMMARY}`; + github.issues.create({ + owner: context.repo.owner, + repo: context.repo.repo, + title: "Terraform Configuration Drift Detected", + body: body + }) + + # Mark the workflow as failed if drift detected + - name: Error on Failure + if: steps.tf-plan.outputs.exitcode == 2 + run: exit 1 \ No newline at end of file diff --git a/.github/workflows/IAC-terraform-plan-apply.yml b/.github/workflows/IAC-terraform-plan-apply.yml new file mode 100644 index 00000000..0ccd4180 --- /dev/null +++ b/.github/workflows/IAC-terraform-plan-apply.yml 
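Review bot: The "Publish Terraform Plan" step uploads `tfplan` as an artifact although no later job in this workflow consumes it; a saved plan file encodes configuration, state, diff and variable values, including values that the rendered `terraform show` output redacts as sensitive, and artifacts are downloadable by anyone with read access to the repository, so drop this step here and keep it only where an apply job needs the plan. As written the upload probably finds nothing anyway, because `path: tfplan` is resolved against the workspace root while the `run` step wrote the file under `IAC/terraform`, so the sensitive-data exposure is latent rather than current. The "Publish Drift Report" step calls `github.issues.create` on every nightly run while drift persists, which produces one new issue per night; searching for an open issue with the same title and commenting on it instead keeps the signal readable. The workflow `name:` has a typo, `'Terraform Drift Detection'`.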
@@ -0,0 +1,155 @@ +name: 'Terraform Plan/Apply' + +# Uncomment the trigger conditions below to enable this workflow +# on: +# push: +# branches: +# - main +# pull_request: +# branches: +# - main + +# Set the default working directory to point at the terraform folder +defaults: + run: + working-directory: IAC/terraform + +# Special permissions required for OIDC authentication +permissions: + id-token: write + contents: read + pull-requests: write + +# These environment variables are used by the terraform azure provider to setup OIDD authenticate. +env: + ARM_CLIENT_ID: "${{ secrets.AZURE_CLIENT_ID }}" + ARM_SUBSCRIPTION_ID: "${{ secrets.AZURE_SUBSCRIPTION_ID }}" + ARM_TENANT_ID: "${{ secrets.AZURE_TENANT_ID }}" + +jobs: + terraform-plan: + name: 'Terraform Plan' + runs-on: ubuntu-latest + environment: production-readonly + env: + # This is needed since we are running terraform with read-only permissions + ARM_SKIP_PROVIDER_REGISTRATION: true + outputs: + tfplanExitCode: ${{ steps.tf-plan.outputs.exitcode }} + + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout + uses: actions/checkout@v2 + + # Install the latest version of the Terraform CLI + - name: Setup Terraform + uses: hashicorp/setup-terraform@v1 + with: + terraform_wrapper: false + + + # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. + - name: Terraform Init + run: terraform init + + # Checks that all Terraform configuration files adhere to a canonical format + - name: Terraform Format + run: terraform fmt -check + + # Generates an execution plan for Terraform + # An exit code of 0 indicated no changes, 1 a terraform failure, 2 there are pending changes. + - name: Terraform Plan + id: tf-plan + run: | + export exitcode=0 + terraform plan -detailed-exitcode -no-color -out tfplan || export exitcode=$? 
+ + echo "::set-output name=exitcode::$exitcode" + + if [ $exitcode -eq 1 ]; then + echo Terraform Plan Failed! + exit 1 + else + exit 0 + fi + + # Save plan to artifacts + - name: Publish Terraform Plan + uses: actions/upload-artifact@v2 + with: + name: tfplan + path: tfplan + + # Create string output of Terraform Plan + - name: Create String Output + id: tf-plan-string + run: | + TERRAFORM_PLAN=$(terraform show -no-color tfplan) + echo "## Terraform Plan Output" >> tf.string + echo "
Click to expand" >> tf.string + echo "" >> tf.string + echo '```terraform' >> tf.string + echo "$TERRAFORM_PLAN" >> tf.string + echo '```' >> tf.string + echo "
" >> tf.string + + SUMMARY=$(cat tf.string) + SUMMARY="${SUMMARY//'%'/'%25'}" + SUMMARY="${SUMMARY//$'\n'/'%0A'}" + SUMMARY="${SUMMARY//$'\r'/'%0D'}" + + echo "::set-output name=summary::$SUMMARY" + + # Publish Terraform Plan as task summary + - name: Publish Terraform Plan to Task Summary + run: | + cat tf.string >> $GITHUB_STEP_SUMMARY + + # If this is a PR post the changes as a comment + - name: Push Terraform Output to PR + if: github.ref != 'refs/heads/main' + uses: actions/github-script@v2 + env: + SUMMARY: "${{ steps.tf-plan-string.outputs.summary }}" + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const body = `${process.env.SUMMARY}`; + github.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: body + }) + + terraform-apply: + name: 'Terraform Apply' + # Only run this job if this is a commit to master and there are changes detected + if: github.ref == 'refs/heads/main' && needs.terraform-plan.outputs.tfplanExitCode == 2 + runs-on: ubuntu-latest + environment: production-readwrite + needs: [terraform-plan] + + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout + uses: actions/checkout@v2 + + # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token + - name: Setup Terraform + uses: hashicorp/setup-terraform@v1 + + # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. + - name: Terraform Init + run: terraform init + + # Download saved plan from artifacts + - name: Download Terraform Plan + uses: actions/download-artifact@v2 + with: + name: tfplan + + # Terraform Apply + - name: Terraform Apply + run: terraform apply -auto-approve tfplan 
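Review bot: The `terraform-apply` job downloads the `tfplan` artifact with `actions/download-artifact@v2` and no `path`, which places it in `$GITHUB_WORKSPACE`, while `terraform apply -auto-approve tfplan` runs under the `defaults.run.working-directory` of `IAC/terraform`; `defaults.run` does not apply to `uses` steps, so the apply will not find the plan, and the plan job's `upload-artifact` `path: tfplan` is likewise resolved against the workspace root rather than where `terraform plan -out tfplan` wrote it. Give the upload step `path: IAC/terraform/tfplan` and the download step `path: IAC/terraform` so both sides agree with the `run` steps. Applying the saved plan under `production-readwrite` after approval is the right design, since what was reviewed is exactly what gets applied, but note that the artifact carries variable and state values in plain form, so the repository's read access is effectively read access to that data. Two copied comments mislead: `# Only run this job if this is a commit to master` while the condition checks `refs/heads/main`, and the apply job's Setup Terraform comment mentions a Terraform Cloud user API token that is never configured, where `# Install the Terraform CLI` is all that applies.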
diff --git a/.github/workflows/IAC-terraform-unit-tests.yml b/.github/workflows/IAC-terraform-unit-tests.yml new file mode 100644 index 00000000..5f71f66b --- /dev/null +++ b/.github/workflows/IAC-terraform-unit-tests.yml @@ -0,0 +1,36 @@ +name: 'Terraform Unit Tests' + +# Uncomment the trigger conditions below to enable this workflow +# on: +# push: + +# Set the default working directory to point at the terraform folder +defaults: + run: + working-directory: IAC/terraform + +jobs: + terraform-unit-tests: + name: 'Terraform Unit Tests' + runs-on: ubuntu-latest + + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout + uses: actions/checkout@v2 + + # Install the latest version of Terraform CLI + - name: Setup Terraform + uses: hashicorp/setup-terraform@v1 + + # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. + - name: Terraform Init + run: terraform init -backend=false + + # Validate terraform files (see https://www.terraform.io/cli/commands/validate) + - name: Terraform Validate + run: terraform validate + + # Checks that all Terraform configuration files adhere to a canonical format (see https://www.terraform.io/cli/commands/fmt) + - name: Terraform Format + run: terraform fmt -check -recursive diff --git a/IaC/bicep/actions.md b/IaC/bicep/actions.md new file mode 100644 index 00000000..43f6d3c7 --- /dev/null +++ b/IaC/bicep/actions.md 
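Review bot: This workflow declares no `permissions:` block, so its `GITHUB_TOKEN` receives the repository's default permission set, which may be read/write across scopes, although the job only needs to read the checkout; the other four workflow files in this patch scope the token explicitly, and a top-level `permissions:` with `contents: read` brings this one in line. Because it uses `terraform init -backend=false` and needs no cloud identity, it is also the one workflow here that can safely run on pull requests from forks, which is worth stating in its header comment when the trigger is uncommented.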
@@ -0,0 +1,42 @@ +# GitHub Actions Workflows for Bicep + +## Workflows + +1. [**Bicep Unit Tests**](../../.github/workflows/IAC-bicep-unit-tests.yml) + + This workflow is designed to be run on every commit and is composed of a set of unit tests on the infrastructure code. It runs [bicep build](https://docs.microsoft.com/cli/azure/bicep#az-bicep-build) to compile the bicep to an ARM template. This ensure there are no formatting errors. Next it performs a [validate](https://docs.microsoft.com/cli/azure/deployment/sub#az-deployment-sub-validate) to ensure the template is able to be deployed. + +2. [**Bicep What-If / Deploy**](../../.github/workflows/IAC-bicep-whatif-deploy.yaml) + + This workflow runs on every pull request and on each commit to the main branch. The what-if stage of the workflow is used to understand the impact of the IaC changes on the Azure environment by running [whatif](https://docs.microsoft.com/cli/azure/deployment/sub#az-deployment-sub-what-if). This report is then attached to the PR for easy review. The deploy stage runs after the what-if analysis when the workflow is triggered by a push to the main branch. This stage will [deploy](https://docs.microsoft.com/cli/azure/deployment/sub#az-deployment-sub-create) the template to Azure after a manual review has signed off. + +## Getting Started + +To use these workflows in your environment several prerequiste steps are required: + +1. **Create GitHub Environments** + + The workflows utilizes GitHub Environments to store the azure identity information and setup an appoval process for deployments. Create 2 environments: `production` and `production-approval` by following these [insturctions](https://docs.github.com/actions/deployment/targeting-different-environments/using-environments-for-deployment#creating-an-environment). On the `production-approval` environment setup a protection rule and add any required approvers you want that need to sign off on production deployments. 
You can also limit the environment to your main branch. Detailed instructions can be found [here](https://docs.github.com/actions/deployment/targeting-different-environments/using-environments-for-deployment#creating-an-environment). + +2. **Setup Azure Identity**: + + An Azure Active Directory application is required that has permissions to deploy within your Azure subscription. Create a single application and give it the appropriate permissions in your Azure subscription. Next setup 2 federated credentials to allow the GitHub environements to utilize the identity using OIDC. See the [Azure documentation](https://docs.microsoft.com/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux#use-the-azure-login-action-with-openid-connect) for detailed instructions. Make sure to set the Enitity Type to `Environment` and use the appropriate environment name for the GitHub name. + + +3. **Add GitHub Secrets** + + For each GitHub Environment create the following secrets for the respective Azure Identity: + + - _AZURE_CLIENT_ID_ : The application (client) ID of the app registration in Azure + - _AZURE_TENANT_ID_ : The tenant ID of Azure Active Directory where the app registration is defined. + - _AZURE_SUBSCRIPTION_ID_ : The subscription ID where the app registration is defined. + + Instuructions to add the secrets to the environment can be found [here](https://docs.github.com/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-an-environment). Since we are usig the same Azure identity for both environments these secrets will have the same value in both GitHub environment. + +4. **Activate the Workflows** + + In each workflow file uncomment the top trigger section to enable the workflows to run automatically. + +## Additional Resources + +Additional information on how to use GitHub Actions to deploy AKS can be found on the [Azure Architecture Center](...). `TODO`: add the link 
diff --git a/IaC/terraform/actions.md b/IaC/terraform/actions.md new file mode 100644 index 00000000..b5dfe57a --- /dev/null +++ b/IaC/terraform/actions.md 
@@ -0,0 +1,46 @@ +# GitHub Actions Workflows for Terraform + +## Workflows + +1. [**Terraform Unit Test**](../../.github/workflows/IAC-terraform-unit-tests.yml) + + This workflow is designed to be run on every commit and is composed of a set of unit tests on the infrastructure code. It runs [terraform fmt]( https://www.terraform.io/cli/commands/fmt) to ensure the code is properly linted and follows terraform best practices. Next it performs [terraform validate](https://www.terraform.io/cli/commands/validate) to check that the code is syntactically correct and internally consistent. + +2. [**Terraform Plan / Apply**](../../.github/workflows/IAC-terraform-plan-apply.yml) + + This workflow runs on every pull request and on each commit to the main branch. The plan stage of the workflow is used to understand the impact of the IaC changes on the Azure environment by running [terraform plan](https://www.terraform.io/cli/commands/plan). This report is then attached to the PR for easy review. The apply stage runs after the plan when the workflow is triggered by a push to the main branch. This stage will take the plan document and [apply](https://www.terraform.io/cli/commands/apply) the changes after a manual review has signed off if there are any pending changes to the environment. + +3. [**Terraform Drift Detection**](../../.github/workflows/IAC-terraform-drift-detect) + + This workflow runs on a periodic basis to scan your environment for any configuration drift (i.e. changes made outside of terraform). If any drift is detected a GitHub Issue is raised to alert the maintainers of the project. + +## Getting Started + +To use these workflows in your environment several prerequiste steps are required: + +1. **Create GitHub Environments** + + The workflows utilizes GitHub Environments to store the azure identity information and setup an appoval process for deployments. 
Create 2 environments: `production-readonly` and `production-readwrite` by following these [insturctions](https://docs.github.com/actions/deployment/targeting-different-environments/using-environments-for-deployment#creating-an-environment). On the `production-readwrite` environment setup a protection rule and add any required approvers you want that need to sign off on production deployments. You can also limit the environment to your main branch. Detailed instructions can be found [here](https://docs.github.com/actions/deployment/targeting-different-environments/using-environments-for-deployment#creating-an-environment). + +2. **Setup Azure Identity**: + + An Azure Active Directory application is required that has permissions to deploy within your Azure subscription. Create a separate application for the `production-readonly` and `production-readwrite` environments and give them the appropriate permissions in your Azure subscription. Next setup the federated credentials to allow the GitHub environments to utilize the identity using OIDC. See the [Azure documentation](https://docs.microsoft.com/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux#use-the-azure-login-action-with-openid-connect) for detailed instructions. Make sure to set the Enitity Type to `Environment` and use the appropriate environment name for the GitHub name. + + +3. **Add GitHub Secrets** + + For each GitHub Environment create the following secrets for the respective Azure Identity: + + - _AZURE_CLIENT_ID_ : The application (client) ID of the app registration in Azure + - _AZURE_TENANT_ID_ : The tenant ID of Azure Active Directory where the app registration is defined. + - _AZURE_SUBSCRIPTION_ID_ : The subscription ID where the app registration is defined. + + Instuructions to add the secrets to the environment can be found [here](https://docs.github.com/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-an-environment). + +4. 
**Activate the Workflows** + + In each workflow file uncomment the top trigger section to enable the workflows to run automatically. + +## Additional Resources + +Additional information on how to use GitHub Actions to deploy AKS can be found on the [Azure Architecture Center](...). `TODO`: add the link From 6873af36e1a19965b508cf8b06e4322e6cd632a0 Mon Sep 17 00:00:00 2001 From: "T.J. Corrigan" Date: Wed, 24 Aug 2022 20:01:38 +0000 Subject: [PATCH 2/3] comment out the triggers for a workflow --- .github/workflows/IAC-bicep-unit-tests.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/IAC-bicep-unit-tests.yml b/.github/workflows/IAC-bicep-unit-tests.yml index 84527a59..3e404097 100644 --- a/.github/workflows/IAC-bicep-unit-tests.yml +++ b/.github/workflows/IAC-bicep-unit-tests.yml @@ -1,8 +1,8 @@ name: 'Bicep Unit Tests' # Uncomment the trigger conditions below to enable this workflow -on: - push: +# on: +# push: # Set the default working directory to point at the bicep folder defaults: From ce0945155db9a8a0d2f028f58f57f8388a79cef2 Mon Sep 17 00:00:00 2001 From: "T.J. Corrigan" Date: Thu, 6 Oct 2022 12:37:07 -0500 Subject: [PATCH 3/3] Update actions.md --- IaC/terraform/actions.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/IaC/terraform/actions.md b/IaC/terraform/actions.md index b5dfe57a..131e1b25 100644 --- a/IaC/terraform/actions.md +++ b/IaC/terraform/actions.md 
@@ -37,7 +37,11 @@ To use these workflows in your environment several prerequiste steps are require Instuructions to add the secrets to the environment can be found [here](https://docs.github.com/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-an-environment). -4. **Activate the Workflows** +4. **Configure Terraform State Location** + + Terraform utilizes a [state file](https://www.terraform.io/language/state) to store information about the current state of your managed infrastructure and associated configuration. This file will need to be persisted between different runs of the workflow. The recommended approach is to store this file within an Azure Storage Account or other similiar remote backend. The [Terraform backend block](https://github.com/tjcorr/tf-pipeline-demo/blob/main/main.tf#L9-L15) will need to be configured to point to an appropriate location where your workflow has permissions. Normally this location would be created manually or via a separate workflow. + +5. **Activate the Workflows** In each workflow file uncomment the top trigger section to enable the workflows to run automatically.