Updates to github workflows

awslabs · Oct 17, 2022 · b3ab27c · b3ab27c
1 parent 171d63d
commit b3ab27c
Show file tree

Hide file tree

Showing 3 changed files with 116 additions and 1 deletion.
diff --git a/.github/workflows/plan-examples.yml b/.github/workflows/plan-examples.yml
@@ -49,6 +49,9 @@ jobs:
         directory: ${{ fromJson(needs.getExampleDirectories.outputs.directories) }}
 
     steps:
+      - name: Remove default Terraform
+        run: rm -rf $(which terraform)
+
       - name: checkout-merge
         if: "contains(github.event_name, 'pull_request')"
         uses: actions/checkout@v3
@@ -86,6 +89,9 @@ jobs:
         with:
           terraform_version: 1.0.0
 
+      - if: steps.changes.outputs.src== 'true'
+        run: terraform version
+
       - name: Terraform Init
         if: steps.changes.outputs.src== 'true'
         run: terraform init -reconfigure
@@ -94,4 +100,4 @@ jobs:
       - name: Terraform Plan
         if: steps.changes.outputs.src== 'true'
         working-directory: ${{ matrix.directory }}
-        run: terraform plan -no-color
+        run: terraform plan -no-color
diff --git a/.github/workflows/plan.yaml b/.github/workflows/plan.yaml
@@ -0,0 +1,103 @@
+name: plan-examples
+
+on:
+  # Review https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ and better understand the risks of using pull_request_target before making major changes to this workflow.
+  pull_request_target:
+    branches:
+      - main
+  workflow_dispatch:
+
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
+jobs:
+  getExampleDirectories:
+    name: Get example directories
+    runs-on: ubuntu-latest
+    # Do not remove environment setup without considering changes to pull_request_target and checkout of PR, as it may lead to checks running automatically against malicious code in PRs.
+    environment: EKS Blueprints Test
+    # Skip running on forks since it won't have access to secrets
+    if: github.repository == 'aws-ia/terraform-aws-eks-blueprints'
+    outputs:
+      directories: ${{ steps.dirs.outputs.directories }}
+    steps:
+      # Be careful not to change this to explicit checkout from PR ref/code, as below we run a python code that may change from the PR code.
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Get Terraform directories for evaluation
+        id: dirs
+        run: |
+          DIRS=$(python3 .github/workflows/plan-examples.py)
+          echo "::set-output name=directories::$DIRS"
+
+  plan:
+    name: Plan examples
+    needs: getExampleDirectories
+    runs-on: ubuntu-latest
+    # Skip running on forks since it won't have access to secrets
+    if: github.repository == 'aws-ia/terraform-aws-eks-blueprints'
+
+    # These permissions are needed to interact with GitHub's OIDC Token endpoint.
+    permissions:
+      id-token: write
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        directory: ${{ fromJson(needs.getExampleDirectories.outputs.directories) }}
+
+    steps:
+      - name: Remove default Terraform
+        run: rm -rf $(which terraform)
+
+      - name: checkout-merge
+        if: "contains(github.event_name, 'pull_request')"
+        uses: actions/checkout@v3
+        with:
+          ref: refs/pull/${{github.event.pull_request.number}}/merge
+
+      - name: checkout
+        if: "!contains(github.event_name, 'pull_request')"
+        uses: actions/checkout@v3
+
+      - uses: dorny/paths-filter@v2
+        id: changes
+        with:
+          # Need to check not only the example directory
+          # but also the supporting module(s) code
+          # for plans (not for pre-commit)
+          filters: |
+            src:
+              - '${{ matrix.directory }}/**/*.(tf|yml|yaml)'
+              - 'modules/**/*.(tf|yml|yaml)'
+              - '*.tf'
+
+      - name: Configure AWS credentials from Test account
+        uses: aws-actions/configure-aws-credentials@v1
+        if: steps.changes.outputs.src== 'true'
+        with:
+          role-to-assume: ${{ secrets.ROLE_TO_ASSUME }}
+          aws-region: us-west-2
+          role-duration-seconds: 3600
+          role-session-name: GithubActions-Session
+
+      - name: Terraform Job
+        uses: hashicorp/setup-terraform@v2
+        if: steps.changes.outputs.src== 'true'
+        with:
+          terraform_version: 1.0.0
+
+      - if: steps.changes.outputs.src== 'true'
+        run: terraform version
+
+      - name: Terraform Init
+        if: steps.changes.outputs.src== 'true'
+        run: terraform init -reconfigure
+        working-directory: ${{ matrix.directory }}
+
+      - name: Terraform Plan
+        if: steps.changes.outputs.src== 'true'
+        working-directory: ${{ matrix.directory }}
+        run: terraform plan -no-color
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
@@ -41,6 +41,9 @@ jobs:
       matrix:
         directory: ${{ fromJson(needs.collectInputs.outputs.directories) }}
     steps:
+      - name: Remove default Terraform
+        run: rm -rf $(which terraform)
+
       - name: Checkout
         uses: actions/checkout@v3
 
@@ -94,6 +97,9 @@ jobs:
     runs-on: ubuntu-latest
     needs: collectInputs
     steps:
+      - name: Remove default Terraform
+        run: rm -rf $(which terraform)
+
       - name: Checkout
         uses: actions/checkout@v3