-
Notifications
You must be signed in to change notification settings - Fork 1
128 lines (120 loc) · 3.89 KB
/
az-oidc-test.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
name: az-oidc-test
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TERRAFORM_BASE_PATH: 'terraform'
VAR_BASE_PATH: 'terraform/vars'
on:
push:
branches:
- master
paths:
- "terraform/resource-group/*"
- ".github/workflows/az-oidc-test.yml"
pull_request:
branches:
- master
paths:
- "terraform/resource-group/*"
- ".github/workflows/az-oidc-test.yml"
permissions:
id-token: write
contents: read
pull-requests: write
issues: write
statuses: write
#
# subject on oidc : pullrequest or environment:
# if environment specified on job (pull request) does not work
jobs:
plan-rg:
if: ${{ github.event_name == 'pull_request' }}
runs-on: ubuntu-latest
name: plan rg
environment:
name: Nonprod
env:
ARM_SUBSCRIPTION_ID: ${{ secrets.SUBSCRIPTION_ID }}
ARM_CLIENT_ID: ${{ secrets.SP_CLIENT_ID }}
ARM_TENANT_ID: ${{ secrets.TENANT_ID }}
LAYER_NAME: resource-group
ARM_USE_OIDC: true
TF_LOG: debug
steps:
- name: Checkout
uses: actions/checkout@v3
# - name: debug
# run: |
# echo "$GITHUB_CONTEXT"
# env
# echo ${ACTIONS_ID_TOKEN_REQUEST_URL}
# echo ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}
- name: terraform plan
uses: dflook/terraform-plan@v1.25.1
# env:
# TERRAFORM_HTTP_CREDENTIALS: github.com/stevengonsalvez=foo:${{ secrets.SAML_GITHUB_TOKEN }}
with:
add_github_comment: changes-only
path: ${{ env.TERRAFORM_BASE_PATH }}/${{ env.LAYER_NAME }}
label: ${{ env.LAYER_NAME }}-sandbox
variables: |
foo = "bar"
# var_file: ${{ env.VAR_BASE_PATH }}
backend_config: key=${{ env.LAYER_NAME }}-sb-mock.tfstate,resource_group_name=nonprod-bc-t565-mock-v1-eun-layer0-rg,container_name=dev-eun,storage_account_name=statef9iir3ov5swfnkd3zjw",use_oidc=true
apply-rg:
if: ${{ github.event_name == 'push' }}
runs-on: ubuntu-latest
name: apply rg
environment:
name: Nonprod
env:
ARM_SUBSCRIPTION_ID: ${{ secrets.SUBSCRIPTION_ID }}
ARM_CLIENT_ID: ${{ secrets.SP_CLIENT_ID }}
ARM_TENANT_ID: ${{ secrets.TENANT_ID }}
LAYER_NAME: resource-group
ARM_USE_OIDC: true
TF_LOG: debug
steps:
- name: Checkout
uses: actions/checkout@v3
# - name: debug
# run: |
# echo "$GITHUB_CONTEXT"
# env
# echo ${ACTIONS_ID_TOKEN_REQUEST_URL}
# echo ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}
- name: terraform apply
uses: dflook/terraform-apply@v1.25.1
# env:
# TERRAFORM_HTTP_CREDENTIALS: github.com/stevengonsalvez=foo:${{ secrets.SAML_GITHUB_TOKEN }}
with:
auto_approve: true
path: ${{ env.TERRAFORM_BASE_PATH }}/${{ env.LAYER_NAME }}
label: ${{ env.LAYER_NAME }}-sandbox
variables: |
foo = "bar"
# var_file: ${{ env.VAR_BASE_PATH }}
backend_config: key=${{ env.LAYER_NAME }}-sb-mock.tfstate,resource_group_name=nonprod-bc-t565-mock-v1-eun-layer0-rg,container_name=dev-eun,storage_account_name=statef9iir3ov5swfnkd3zjw",use_oidc=true
delete-rg:
needs: ["apply-rg"]
runs-on: ubuntu-latest
name: delete rg
environment:
name: Nonprod
env:
ARM_SUBSCRIPTION_ID: ${{ secrets.SUBSCRIPTION_ID }}
ARM_CLIENT_ID: ${{ secrets.SP_CLIENT_ID }}
ARM_TENANT_ID: ${{ secrets.TENANT_ID }}
LAYER_NAME: resource-group
steps:
- name: 'Az CLI login'
uses: azure/login@v1
with:
client-id: ${{ secrets.SP_CLIENT_ID }}
tenant-id: ${{ secrets.TENANT_ID }}
subscription-id: ${{ secrets.SUBSCRIPTION_ID }}
- name: delete-rg
uses: azure/CLI@v1.0.5
with:
azcliversion: 2.37.0
inlineScript: |
az group delete -n "sandbox-rg-test" --yes --no-wait