Merge pull request #127 from hashicorp/tsccr-auto-pinning/trusted/202… #6
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Copyright (c) HashiCorp, Inc. | |
# SPDX-License-Identifier: MPL-2.0 | |
name: hashicorp/hashicat-gcp/infrastructure-tests | |
on: | |
workflow_dispatch: | |
push: | |
branches: | |
- 'master' | |
env: | |
# See IL-575 for the source of these | |
TF_VAR_project: ${{ vars.TF_VAR_project }} | |
TF_VAR_prefix: gha-infrastructure-tests-${{ github.run_id }}-${{ github.run_number }} | |
permissions: {} | |
jobs: | |
get-gcp-creds: | |
runs-on: ubuntu-latest | |
outputs: | |
GOOGLE_CREDENTIALS: ${{ steps.decipher-creds.outputs.GOOGLE_CREDENTIALS }} | |
steps: | |
- name: Write Credentials | |
id: decipher-creds | |
run: |- | |
# You *MUST* base64 encode json secrets, otherwise GHA being | |
# zealous in protecting secrets will randomly mangle the | |
# various GHA contexts we use by replacing "{" and "}" bits | |
# with "***" | |
GOOGLE_CREDENTIALS=$(base64 -d <<<"${{ secrets.GOOGLE_CREDENTIALS_JSON_BASE64 }}") | |
# NOTE: Where we typically use 'EOF' as a heredoc delimiter, following | |
# the security advice in | |
# https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#multiline-strings | |
# we generate a random delimiter every time | |
EOF=$(uuidgen) | |
{ | |
echo "GOOGLE_CREDENTIALS<<${EOF}" | |
echo "${GOOGLE_CREDENTIALS}" | |
echo "${EOF}" | |
} >> "${GITHUB_OUTPUT}" | |
terraform-init: | |
runs-on: ubuntu-latest | |
container: | |
image: docker.mirror.hashicorp.services/hashicorp/terraform:light | |
permissions: | |
contents: read | |
steps: | |
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 | |
- name: Terraform Init | |
run: terraform init | |
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
with: | |
name: "tf-code" | |
path: ${{ github.workspace }} | |
terraform-validate: | |
runs-on: ubuntu-latest | |
container: | |
image: docker.mirror.hashicorp.services/hashicorp/terraform:light | |
needs: | |
- terraform-init | |
steps: | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: "tf-code" | |
path: ${{ github.workspace }} | |
# Either upload or download-artifact does not preserve the exec bit on | |
# binaries, so fix that here | |
- name: fix-perms | |
run: |- | |
# e.g. .terraform/providers/registry.terraform.io/hashicorp/null/3.2.1/linux_amd64/terraform-provider-null_v3.2.1_x5 | |
chmod +x .terraform/providers/*/*/*/*/*/terraform-provider-* | |
- name: Terraform Validate | |
run: terraform validate | |
terraform-plan: | |
runs-on: ubuntu-latest | |
container: | |
image: docker.mirror.hashicorp.services/hashicorp/terraform:light | |
needs: | |
- get-gcp-creds | |
- terraform-validate | |
env: | |
GOOGLE_CREDENTIALS: ${{ needs.get-gcp-creds.outputs.GOOGLE_CREDENTIALS }} | |
steps: | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: "tf-code" | |
path: ${{ github.workspace }} | |
# Either upload or download-artifact does not preserve the exec bit on | |
# binaries, so fix that here | |
- name: fix-perms | |
run: |- | |
# e.g. .terraform/providers/registry.terraform.io/hashicorp/null/3.2.1/linux_amd64/terraform-provider-null_v3.2.1_x5 | |
chmod +x .terraform/providers/*/*/*/*/*/terraform-provider-* | |
- name: Terraform Plan | |
run: terraform plan -out=gha-infrastructure-tests-${{ github.run_id }}-${{ github.run_number }}.plan | |
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
with: | |
name: "tf-code" | |
path: ${{ github.workspace }} | |
terraform-apply: | |
runs-on: ubuntu-latest | |
container: | |
image: docker.mirror.hashicorp.services/hashicorp/terraform:light | |
needs: | |
- get-gcp-creds | |
- terraform-plan | |
env: | |
GOOGLE_CREDENTIALS: ${{ needs.get-gcp-creds.outputs.GOOGLE_CREDENTIALS }} | |
steps: | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: "tf-code" | |
path: ${{ github.workspace }} | |
# Either upload or download-artifact does not preserve the exec bit on | |
# binaries, so fix that here | |
- name: fix-perms | |
run: |- | |
# e.g. .terraform/providers/registry.terraform.io/hashicorp/null/3.2.1/linux_amd64/terraform-provider-null_v3.2.1_x5 | |
chmod +x .terraform/providers/*/*/*/*/*/terraform-provider-* | |
- name: Terraform Apply | |
run: terraform apply -auto-approve gha-infrastructure-tests-${{ github.run_id }}-${{ github.run_number }}.plan | |
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
with: | |
name: "tf-code" | |
path: ${{ github.workspace }} | |
terraform-destroy: | |
runs-on: ubuntu-latest | |
container: | |
image: docker.mirror.hashicorp.services/hashicorp/terraform:light | |
needs: | |
- get-gcp-creds | |
- terraform-apply | |
env: | |
GOOGLE_CREDENTIALS: ${{ needs.get-gcp-creds.outputs.GOOGLE_CREDENTIALS }} | |
steps: | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: "tf-code" | |
path: ${{ github.workspace }} | |
# Either upload or download-artifact does not preserve the exec bit on | |
# binaries, so fix that here | |
- name: fix-perms | |
run: |- | |
# e.g. .terraform/providers/registry.terraform.io/hashicorp/null/3.2.1/linux_amd64/terraform-provider-null_v3.2.1_x5 | |
chmod +x .terraform/providers/*/*/*/*/*/terraform-provider-* | |
- name: Terraform Destroy | |
run: terraform destroy -auto-approve |