diff --git a/docs/xks/operator-guide/github.md b/docs/xks/operator-guide/github.md new file mode 100644 index 00000000000..c289be6c33d --- /dev/null +++ b/docs/xks/operator-guide/github.md @@ -0,0 +1,108 @@ +--- +id: github +title: XKF on Github +--- + +As a XKF user you can use both Azure DevOps and GitHub to store +your terraform and gitops repositories. + +In this document we will go through how to use XKF on GitHub focusing +on Infrastructure As Code (IAC) using Terraform. + +## Terraform + +How to run Terraform plan and apply through a GitHub action workflow. + +### Workflow + +Just like in azure devops case we have created a +[basic pipeline](https://github.com/XenitAB/azure-devops-templates/terraform-docker-github/README.md) +for easy use. + +Below you can find a example pipeline that uses the github action workflow. +Read further down to see how to create the secrets needed to run the pipeline. + +You should store this GitHub action in your Terraform repository under `.github/workflows/name.yaml` + +```.github/workflows/core.yaml +name: terraform_core + +on: + push: + branches: + - main + paths: + - core/** + pull_request: + paths: + - core/** + workflow_dispatch: + inputs: + OPA_BLAST_RADIUS: + description: OPA Blast Radius + required: true + default: "50" + +jobs: + terraform: + uses: xenitab/azure-devops-templates/.github/workflows/terraform-docker.yaml@2021.10.1 + with: + DIR: core + runs-on: '["self-hosted", "linux"]' # If you don't want to use the default ubuntu-latest + ENVIRONMENTS: | + { + "environments":[ + {"name":"dev"}, + {"name":"qa"}, + {"name":"prod"} + ] + } + secrets: + AZURE_CREDENTIALS_DEV: ${{ secrets.AZURE_CREDENTIALS_DEV }} + AZURE_CREDENTIALS_QA: ${{ secrets.AZURE_CREDENTIALS_QA }} + AZURE_CREDENTIALS_PROD: ${{ secrets.AZURE_CREDENTIALS_PROD }} +``` + +### Azure Service Principal + +Create a Service Principal(SP) with the access that terraform requires to perform all the tasks you want. +You can read more about SP creation in our [operator guide](operator-guide.md) + +The workflow is using [Azure Login GitHub Action](https://github.com/marketplace/actions/azure-login#configure-deployment-credentials) +to login to Azure. When uploading your SP to GitHub make sure to follow the formatting in the examples. + +This is to prevent unnecessary masking of { } in your logs which are in dictionary form. + +**For example, do**: + +```.json +{"clientId": "00000000-0000-0000-0000-000000000000", + "clientSecret": "super-duper-secret-value", + "subscriptionId": "00000000-0000-0000-0000-000000000000", + "tenantId": "00000000-0000-0000-0000-000000000000"} +``` + +**instead of**: + +```.json +{ + "clientId": "00000000-0000-0000-0000-000000000000", + "clientSecret": "super-duper-secret-value", + "subscriptionId": "00000000-0000-0000-0000-000000000000", + "tenantId": "00000000-0000-0000-0000-000000000000" +} +``` + +Upload the entire json as your github secret. +The workflow uses one secret per environment and we recommend that you follow our namestandard. +The secret name the workflow use is **AZURE_CREDENTIALS_\**, for example **AZURE_CREDENTIALS_DEV** + +To upload the secret to github you can use the github UI or you can use the [gh cli](https://github.com/cli/cli) to upload secrets to GitHub. + +Assuming that you are storing the SP json data in a file you could do: + +```shell +gh secret -R ORG/xks-terraform set AZURE_CREDENTIALS_DEV < dev-secrets.json +gh secret -R ORG/xks-terraform set AZURE_CREDENTIALS_QA < qa-secrets.json +gh secret -R ORG/xks-terraform set AZURE_CREDENTIALS_PROD < prod-secrets.json +``` diff --git a/sidebars.js b/sidebars.js index f8d5c0ea982..b6b47bad266 100644 --- a/sidebars.js +++ b/sidebars.js @@ -37,7 +37,8 @@ module.exports = { "xks/operator-guide/eks", "xks/operator-guide/blast-radius", "xks/operator-guide/operator-guide", - "xks/operator-guide/azure-devops-agents" + "xks/operator-guide/azure-devops-agents", + "xks/operator-guide/github", ] } ]