# Composite action metadata. Nesting is restored here; the rendered listing
# had lost its indentation.
name: "terraform-state"
description: "Store Terraform state for your GitHub Actions as an encrypted artifact or repository file."
author: "Andrew Riggs"

inputs:
  # Handed to `openssl enc` as the password by the encrypt/decrypt steps.
  # Leaving it empty selects the unencrypted steps instead, so the state is
  # then stored in plaintext.
  encryption_key:
    description: "AES-256 Encryption key used to encrypt/decrypt the Terraform state file."
    required: false

  # Compared against 'download' and 'upload' in the step conditions; any other
  # value matches no transfer step.
  operation:
    description: "Specifies if the operation is to download or upload the Terraform state file. [Options: download/upload]"
    required: true

  # Compared against 'repository' and 'artifact' in the step conditions.
  # No step handles repository + download without an encryption key.
  location:
    description: "Specifies the storage location of the Terraform state file. [Options: repository/artifact]"
    required: true

  # Prefix for every state file path the steps read or write.
  directory:
    description: "Directory of the Terraform state file."
    required: false
    default: "."

  # Sent as the `Authorization: token` header by the two artifact download
  # steps. It has no default, so those steps send an empty token if it is
  # omitted.
  github_token:
    description: "GitHub Access Token used to retrieve latest artifact."
    required: false
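# Composite steps that move terraform.tfstate to or from an artifact or the
# repository, optionally encrypting it with `openssl enc`.
#
# Review changes relative to the original listing:
#   * Inputs reach the shell through `env:` and are expanded as quoted shell
#     variables. `${{ ... }}` is substituted into the script text before bash
#     runs, so an input containing shell metacharacters would otherwise become
#     part of the script.
#   * The passphrase is read with `-pass env:ENCRYPTION_KEY` instead of `-k`,
#     which keeps it out of the process argument list. The derived key is the
#     same, so existing encrypted state still decrypts.
#   * The newest artifact is chosen by numeric id. A reverse lexicographic sort
#     of the download URLs picks the wrong one when ids differ in digit count.
#
# NOTE(review): `openssl enc -aes256` without `-pbkdf2` uses the legacy
# single-pass key derivation, and CBC output carries no integrity check.
# Changing either would make existing encrypted state unreadable, so this is
# flagged rather than changed. Plan a migration (re-encrypt with `-pbkdf2`, or
# move to a tool with authenticated encryption).
runs:
  using: "composite"
  steps:
    # NOTE(review): `--global` changes the git identity for the rest of the
    # job, and this step runs for artifact operations too.
    # NOTE(review): the e-mail value below is reproduced as the page rendered
    # it and looks obfuscated; confirm the real address in the repository.
    - name: Configure Git User
      shell: bash
      run: |
        git config --global user.name "terraform-state"
        git config --global user.email "[email protected]"

    # Artifact
    # Only the first page of the artifact listing is examined.
    - name: Download Artifact
      if: "${{ inputs.location == 'artifact' && inputs.operation == 'download' && inputs.encryption_key == '' }}"
      shell: bash
      env:
        REPO: "${{ github.repository }}"
        TOKEN: "${{ inputs.github_token }}"
        STATE_DIR: "${{ inputs.directory }}"
      run: |
        ARTIFACT_URI="https://api.github.com/repos/$REPO/actions/artifacts"
        RESPONSE=$(curl --fail -s -H "Authorization: token $TOKEN" "$ARTIFACT_URI")
        # Newest matching artifact by numeric id; prints nothing if none match.
        LATEST_ARTIFACT_URI=$(printf '%s' "$RESPONSE" | jq -r '
          [.artifacts[] | select(.name == "Terraform State")]
          | sort_by(.id) | last | .archive_download_url // empty')
        if [ "$LATEST_ARTIFACT_URI" ] ; then
          curl --fail -L -H "Authorization: token $TOKEN" -o "$STATE_DIR/terraform.tfstate.zip" "$LATEST_ARTIFACT_URI"
          unzip -o "$STATE_DIR/terraform.tfstate.zip" -d "$STATE_DIR"
        fi

    # Terraform state can contain credentials and other secrets in plaintext.
    # This path uploads it unencrypted, readable by anyone who can download
    # this repository's artifacts.
    # NOTE(review): consider pinning the action to a full commit SHA; a tag
    # such as v4 can be moved.
    - name: Upload Artifact
      if: "${{ inputs.location == 'artifact' && inputs.operation == 'upload' && inputs.encryption_key == '' }}"
      uses: actions/upload-artifact@v4
      with:
        name: Terraform State
        path: "${{ inputs.directory }}/terraform.tfstate"
        overwrite: true

    # Encrypted Artifact
    # Only the first page of the artifact listing is examined.
    - name: Download Encrypted Artifact
      if: "${{ inputs.location == 'artifact' && inputs.operation == 'download' && inputs.encryption_key != '' }}"
      shell: bash
      env:
        REPO: "${{ github.repository }}"
        TOKEN: "${{ inputs.github_token }}"
        STATE_DIR: "${{ inputs.directory }}"
      run: |
        ARTIFACT_URI="https://api.github.com/repos/$REPO/actions/artifacts"
        RESPONSE=$(curl --fail -s -H "Authorization: token $TOKEN" "$ARTIFACT_URI")
        # Newest matching artifact by numeric id; prints nothing if none match.
        LATEST_ARTIFACT_URI=$(printf '%s' "$RESPONSE" | jq -r '
          [.artifacts[] | select(.name == "Encrypted Terraform State")]
          | sort_by(.id) | last | .archive_download_url // empty')
        if [ "$LATEST_ARTIFACT_URI" ] ; then
          curl --fail -L -H "Authorization: token $TOKEN" -o "$STATE_DIR/terraform.tfstate.encrypted.zip" "$LATEST_ARTIFACT_URI"
          unzip -o "$STATE_DIR/terraform.tfstate.encrypted.zip" -d "$STATE_DIR"
        fi

    # Decryption does not detect tampering: CBC has no authentication tag, so
    # a modified ciphertext can decrypt to altered state without an error.
    - name: Decrypt Artifact
      if: "${{ inputs.location == 'artifact' && inputs.operation == 'download' && inputs.encryption_key != '' }}"
      shell: bash
      env:
        ENCRYPTION_KEY: "${{ inputs.encryption_key }}"
        STATE_DIR: "${{ inputs.directory }}"
      run: |
        openssl enc -d -aes256 -in "$STATE_DIR/terraform.tfstate.encrypted" -out "$STATE_DIR/terraform.tfstate" -pass env:ENCRYPTION_KEY

    - name: Encrypt Artifact
      if: "${{ inputs.location == 'artifact' && inputs.operation == 'upload' && inputs.encryption_key != '' }}"
      shell: bash
      env:
        ENCRYPTION_KEY: "${{ inputs.encryption_key }}"
        STATE_DIR: "${{ inputs.directory }}"
      run: |
        openssl enc -e -aes256 -in "$STATE_DIR/terraform.tfstate" -out "$STATE_DIR/terraform.tfstate.encrypted" -pass env:ENCRYPTION_KEY

    # NOTE(review): consider pinning the action to a full commit SHA; a tag
    # such as v4 can be moved.
    - name: Upload Encrypted Artifact
      if: "${{ inputs.location == 'artifact' && inputs.operation == 'upload' && inputs.encryption_key != '' }}"
      uses: actions/upload-artifact@v4
      with:
        name: Encrypted Terraform State
        path: "${{ inputs.directory }}/terraform.tfstate.encrypted"
        overwrite: true

    # Repository File
    # This path commits plaintext state, which stays in git history even after
    # later commits replace it.
    - name: Commit Repository File
      if: "${{ inputs.location == 'repository' && inputs.operation == 'upload' && inputs.encryption_key == '' }}"
      shell: bash
      env:
        STATE_DIR: "${{ inputs.directory }}"
      run: |
        git add "$STATE_DIR/terraform.tfstate"
        git commit -m "🏗️ Automatically Updated Terraform State."
        git push

    # Encrypted Repository File
    - name: Decrypt Repository File
      if: "${{ inputs.location == 'repository' && inputs.operation == 'download' && inputs.encryption_key != '' }}"
      shell: bash
      env:
        ENCRYPTION_KEY: "${{ inputs.encryption_key }}"
        STATE_DIR: "${{ inputs.directory }}"
      run: |
        openssl enc -d -aes256 -in "$STATE_DIR/terraform.tfstate.encrypted" -out "$STATE_DIR/terraform.tfstate" -pass env:ENCRYPTION_KEY

    # Only the encrypted file is staged; the plaintext terraform.tfstate stays
    # in the working tree and is not added by this step.
    - name: Encrypt and Commit Repository File
      if: "${{ inputs.location == 'repository' && inputs.operation == 'upload' && inputs.encryption_key != '' }}"
      shell: bash
      env:
        ENCRYPTION_KEY: "${{ inputs.encryption_key }}"
        STATE_DIR: "${{ inputs.directory }}"
      run: |
        openssl enc -e -aes256 -in "$STATE_DIR/terraform.tfstate" -out "$STATE_DIR/terraform.tfstate.encrypted" -pass env:ENCRYPTION_KEY
        git add "$STATE_DIR/terraform.tfstate.encrypted"
        git commit -m "🏗️ Automatically Updated Encrypted Terraform State."
        git push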