Skip to content
terraform-plan-apply

Plan and apply dlp-policies with example-1 by @rpothin #28

Sign in to view logs

Plan and apply dlp-policies with example-1 by @rpothin

Plan and apply dlp-policies with example-1 by @rpothin #28

Workflow file for this run

.github/workflows/terraform-plan-apply.yml at fc46fbd
name: terraform-plan-apply
# Plan and apply a terraform configuration
# Workflow triggered mannually passing the terraform configuration and the terraform variable file
on:
workflow_dispatch:
inputs:
terraform_configuration:
type: choice
description: 'The name of the Terraform configuration to plan and apply'
required: true
options:
- dlp-policies
- billing-policies
terraform_var_file:
type: string
description: 'The name of the Terraform variable file to use'
required: true
# Concurrency configuration for the current workflow - Keep only the latest workflow queued for the considered group
concurrency:
group: terraform-plan-apply-${{ github.event.inputs.terraform_configuration }}-${{ github.event.inputs.terraform_var_file }}
cancel-in-progress: true
run-name: Plan and apply ${{ github.event.inputs.terraform_configuration }} with ${{ github.event.inputs.terraform_var_file }} by @${{ github.actor }}
# Set up permissions for deploying with secretless Azure federated credentials
# https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux#set-up-azure-login-with-openid-connect-authentication
permissions:
id-token: write
contents: read
#These environment variables are used by the terraform azure provider to setup OIDD authenticate.
env:
ARM_TENANT_ID: "${{ secrets.AZURE_TENANT_ID }}"
ARM_CLIENT_ID: "${{ secrets.AZURE_CLIENT_ID }}"
ARM_SUBSCRIPTION_ID: "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
POWER_PLATFORM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
POWER_PLATFORM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
TARGET_DIR: ${{ github.workspace }}/src/${{ github.event.inputs.terraform_configuration }}
TF_STATE_RESOURCE_GROUP_NAME: ${{ secrets.TF_STATE_RESOURCE_GROUP_NAME }}
TF_STATE_STORAGE_ACCOUNT_NAME: ${{ secrets.TF_STATE_STORAGE_ACCOUNT_NAME }}
TF_STATE_CONTAINER_NAME: ${{ secrets.TF_STATE_CONTAINER_NAME }}
TF_STATE_KEY: ${{ github.event.inputs.terraform_configuration }}-${{ github.event.inputs.terraform_var_file }}.terraform.tfstate
TF_VAR_FILE: tfvars/${{ github.event.inputs.terraform_var_file }}.tfvars
TF_CLI_CONFIG_FILE: ${{ github.workspace }}/src/mirror.tfrc
ARM_SKIP_PROVIDER_REGISTRATION: true #this is needed since we are running terraform with read-only permissions
jobs:
terraform-plan:
name: 'Terraform Plan'
runs-on: ubuntu-latest
outputs:
tfplanExitCode: ${{ steps.tf-plan.outputs.exitcode }}
steps:
# Action used to checkout the main branch in the current repository
# Community action: https://github.com/actions/checkout
- name: Checkout
uses: actions/checkout@v4.1.1
# Install the latest version of the Terraform CLI
# Community action: https://github.com/hashicorp/setup-terraform
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3
with:
terraform_wrapper: false
# Log in to Azure using the Azure login action and with OpenID Connect (OIDC) federated credentials
# Community action: https://github.com/Azure/login
- name: Log in with Azure (Federated Credentials)
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
# Download the Terraform Power Platform provider from GitHub
- name: Download Terraform Power Platform Provider
env:
GITHUB_TOKEN: ${{ secrets.PAT_DOWNLOAD_RELEASE }}
PROVIDER_VERSION: ${{ vars.POWER_PLATFORM_PROVIDER_VERSION }}
PROVIDER_REPO: ${{ vars.POWER_PLATFORM_PROVIDER_REPOSITORY }}
DOWNLOAD_DIR: /usr/share/terraform/providers/registry.terraform.io/microsoft/power-platform
run: |
gh release download "$PROVIDER_VERSION" --repo "$PROVIDER_REPO" --pattern "*.zip" --dir "$DOWNLOAD_DIR" --clobber
ls -la "$DOWNLOAD_DIR"
# Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
- name: Terraform Init
run: terraform -chdir=$TARGET_DIR init -backend-config="storage_account_name=$TF_STATE_STORAGE_ACCOUNT_NAME" -backend-config="resource_group_name=$TF_STATE_RESOURCE_GROUP_NAME" -backend-config="container_name=$TF_STATE_CONTAINER_NAME" -backend-config="key=$TF_STATE_KEY"
# Run terraform validate to check the syntax of the configuration files
- name: Terraform Validate
run: terraform -chdir=$TARGET_DIR validate
# Generates an execution plan for Terraform
# An exit code of 0 indicated no changes, 1 a terraform failure, 2 there are pending changes.
- name: Terraform Plan
id: tf-plan
run: |
export exitcode=0
terraform -chdir=$TARGET_DIR plan -detailed-exitcode -no-color -out tfplan -var-file=$TF_VAR_FILE || export exitcode=$?
echo "exitcode=$exitcode" >> $GITHUB_OUTPUT
if [ $exitcode -eq 1 ]; then
echo Terraform Plan Failed!
exit 1
else
exit 0
fi
# Save plan to artifacts
# Community action: https://github.com/actions/upload-artifact
- name: Publish Terraform Plan
uses: actions/upload-artifact@v4.3.1
with:
name: tfplan
path: ${{ env.TARGET_DIR }}/tfplan
terraform-apply:
name: 'Terraform Apply'
needs: [terraform-plan]
if: github.ref == 'refs/heads/main' && needs.terraform-plan.outputs.tfplanExitCode == 2
runs-on: ubuntu-latest
steps:
# Action used to checkout the main branch in the current repository
# Community action: https://github.com/actions/checkout
- name: Checkout
uses: actions/checkout@v4.1.1
# Install the latest version of the Terraform CLI
# Community action: https://github.com/hashicorp/setup-terraform
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3
with:
terraform_wrapper: false
# Log in to Azure using the Azure login action and with OpenID Connect (OIDC) federated credentials
# Community action: https://github.com/Azure/login
- name: Log in with Azure (Federated Credentials)
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
# Download the Terraform Power Platform provider from GitHub
- name: Download Terraform Power Platform Provider
env:
GITHUB_TOKEN: ${{ secrets.PAT_DOWNLOAD_RELEASE }}
PROVIDER_VERSION: ${{ vars.POWER_PLATFORM_PROVIDER_VERSION }}
PROVIDER_REPO: ${{ vars.POWER_PLATFORM_PROVIDER_REPOSITORY }}
DOWNLOAD_DIR: /usr/share/terraform/providers/registry.terraform.io/microsoft/power-platform
run: |
gh release download "$PROVIDER_VERSION" --repo "$PROVIDER_REPO" --pattern "*.zip" --dir "$DOWNLOAD_DIR" --clobber
ls -la "$DOWNLOAD_DIR"
# Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
- name: Terraform Init
run: terraform -chdir=$TARGET_DIR init -backend-config="storage_account_name=$TF_STATE_STORAGE_ACCOUNT_NAME" -backend-config="resource_group_name=$TF_STATE_RESOURCE_GROUP_NAME" -backend-config="container_name=$TF_STATE_CONTAINER_NAME" -backend-config="key=$TF_STATE_KEY"
# Download saved plan from artifacts
# Community action: https://github.com/actions/download-artifact
- name: Download Terraform Plan
uses: actions/download-artifact@v4.1.4
with:
name: tfplan
path: ${{ env.TARGET_DIR }}
# Terraform Apply
- name: Terraform Apply
run: terraform -chdir=$TARGET_DIR apply -auto-approve tfplan