I'm using GitHub Environment to deploy into my testing account before merging to my master.I have specified the environment keyword in my workflow as "testing". My workflow will be triggered on a push to test branch which will then run plan and apply to testing account. I would like to have a manual approval after plan runs so I can see the output before approving to deploy into testing account. Please how can I configure manual approval so that after plan runs i can check the plan output before approving to deploy into my test account.
name: Testing Environment
on:
push:
branches:
- test
jobs:
plan&apply:
name: "Run Terragrunt Init,Plan and Apply"
runs-on: ubuntu-20.04
environment: testing
defaults:
run:
working-directory: ${{ env.TERRAFORM_WORKING_DIR }}
steps:
- name: 'Checkout'
uses: actions/checkout#v2
- name: Setup Terraform
uses: hashicorp/setup-terraform#v1.3.2
with:
terraform_version: ${{ env.TERRAFORM_VERSION }}
terraform_wrapper: true
- name: Setup Terragrunt
uses: autero1/action-terragrunt#v1.1.0
with:
terragrunt_version: ${{ env.TERRAGRUNT_VERSION }}
- name: configure AWS credentials
uses: aws-actions/configure-aws-credentials#v1.6.1
with:
aws-region: us-east-1
role-to-assume: ${{ env.ORCHESTRATION_ROLE_ARN }}
- name: Terragrunt Init
id: init
run: terragrunt run-all init -no-color --terragrunt-non-interactive
- name: Terragrunt Plan
id: plan
run: |
terragrunt run-all plan -no-color --terragrunt-non-interactive >/dev/null -out=tfplan
- name: terragrunt Apply
id: apply
run : terragrunt run-all apply -no-color --terragrunt-non-interactive
continue-on-error:true
There are two ways to do this.
Approach 1:
In your GH actions environment settings, add reviewers. Create two jobs - Plan and Apply. Then, add "needs" in apply job. This approach also requires to upload plan output as an artifact as plan and apply are two separate jobs.
name: Testing Environment
on:
push:
branches:
- test
jobs:
plan:
name: "Run Terragrunt Plan"
runs-on: ubuntu-20.04
defaults:
run:
working-directory: ${{ env.TERRAFORM_WORKING_DIR }}
steps:
- name: 'Checkout'
uses: actions/checkout#v2
- name: Setup Terraform
uses: hashicorp/setup-terraform#v1.3.2
with:
terraform_version: ${{ env.TERRAFORM_VERSION }}
terraform_wrapper: true
- name: Setup Terragrunt
uses: autero1/action-terragrunt#v1.1.0
with:
terragrunt_version: ${{ env.TERRAGRUNT_VERSION }}
- name: configure AWS credentials
uses: aws-actions/configure-aws-credentials#v1.6.1
with:
aws-region: us-east-1
role-to-assume: ${{ env.ORCHESTRATION_ROLE_ARN }}
- name: Terragrunt Init
id: init
run: terragrunt run-all init -no-color --terragrunt-non-interactive
- name: Create Artifact Folder
shell: bash
run: |
sudo mkdir -p -m777 ${{ github.workspace }}/tfplanoutput
- name: Terragrunt Plan
id: plan
run: |
terragrunt run-all plan -no-color --terragrunt-non-interactive >/dev/null -out=${{ github.workspace }}/tfplanoutput/tf.plan
- name: Upload Artifact
uses: actions/upload-artifact#v3
with:
name: artifact
path: ${{ github.workspace }}/tfplanoutput/
if-no-files-found: error
apply:
name: "Run Terragrunt Apply"
needs: plan
runs-on: ubuntu-20.04
environment: testing
- name: 'Checkout'
uses: actions/checkout#v2
- name: Setup Terraform
uses: hashicorp/setup-terraform#v1.3.2
with:
terraform_version: ${{ env.TERRAFORM_VERSION }}
terraform_wrapper: true
- name: Setup Terragrunt
uses: autero1/action-terragrunt#v1.1.0
with:
terragrunt_version: ${{ env.TERRAGRUNT_VERSION }}
- name: configure AWS credentials
uses: aws-actions/configure-aws-credentials#v1.6.1
with:
aws-region: us-east-1
role-to-assume: ${{ env.ORCHESTRATION_ROLE_ARN }}
- name: Terragrunt Init
id: init
run: terragrunt run-all init -no-color --terragrunt-non-interactive
- name: Download Build Artifact
uses: actions/download-artifact#v3
with:
name: artifact
path: ${{ github.workspace }}/tfplanoutput
- name: terragrunt Apply
run : terragrunt run-all apply tf.plan -no-color --terragrunt-non-interactive
continue-on-error:true
Approach 2:
You can create composite actions - plan and apply same as above.
Hope this helps!!!
Related
I am using Github Actions to push an image into GCP Artifact Registry and later deploy to Cloud Run
All the process goes fine, except the automatic deploying to Cloud Run.
Below is the link for the example that guided me
https://github.com/codeedu/live-imersao-fullcycle10-nestjs-tests/blob/main/.github/workflows/ci_cd.yml
The error is as below:
Deploying...
failed
Deployment failed
ERROR: (gcloud.run.deploy) spec.template.spec.containers[0].image: Must provide an image URL to deploy
I appreciate any help to accomplish this task
Below is the workflow file:
name: CI and CD
on:
workflow_dispatch:
push:
branches: [main, develop]
env:
REGISTRY: gcr.io
IMAGE_NAME: ${{ secrets.GCP_PROJECT_NAME }}/${{ secrets.CLOUD_RUN_SERVICE }}
REGION: us-central1
# REGISTRY_GIT: ghcr.io
# IMAGE_NAME_GIT: ${{ github.repository }}
jobs:
test-code:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout#v3
- name: Use Node.js 16.x
uses: actions/setup-node#v3
with:
node-version: 16.x
- run: npm ci
- run: npm run test
build-image:
needs: test-code
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-20.04
outputs:
tags: ${{ steps.meta.outputs.tags }}
concurrency: build-image-process
steps:
- name: Checkout repository
uses: actions/checkout#v3
# Workaround: https://github.com/docker/build-push-action/issues/461
- name: Setup Docker buildx
uses: docker/setup-buildx-action#79abd3f86f79a9d68a23c75a09a9a85889262adf
# Login against a Docker registry except on PR
# https://github.com/docker/login-action
- name: Log into registry ${{ env.REGISTRY }}
if: github.event_name != 'pull_request'
uses: docker/login-action#28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
with:
registry: ${{ env.REGISTRY }}
username: _json_key
#username: ${{ github.actor }}
password: ${{ secrets.GCP_SERVICE_ACCOUNT }}
#password: ${{ secrets.GITHUB_TOKEN }}
# Extract metadata (tags, labels) for Docker
# https://github.com/docker/metadata-action
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action#98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
# Build and push Docker image with Buildx (don't push on PR)
# https://github.com/docker/build-push-action
- name: Build and push Docker image
id: build-and-push
uses: docker/build-push-action#ac9327eae2b366085ac7f6a2d02df8aa8ead720a
if: ${{ github.event_name != 'pull_request' }}
with:
context: .
file: ./Dockerfile.prod
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Outputs tags
run: echo "${{ steps.meta.outputs.tags }}"
deploy-image:
needs: build-image
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-20.04
steps:
- name: Checkout repository
uses: actions/checkout#v3
- id: 'auth'
uses: 'google-github-actions/auth#v0'
with:
credentials_json: '${{ secrets.GCP_SERVICE_ACCOUNT }}'
- name: 'Deploy to Cloud Run'
uses: 'google-github-actions/deploy-cloudrun#v0'
with:
service: ${{ secrets.CLOUD_RUN_SERVICE }}
image: ${{ needs.build-image.outputs.tags }}
region: ${{ env.REGION }}
I have a GitHub action code with terraform and ECR, ECS now I have two branch master and feature and when I created Pull-request for feature to master
then only my terraform plan code will run but when i create a Pull-request and merge to master then my GitHub action running but that part is skipped i am not sure why it is happing please find the below attached code
---
name: "workflow"
on:
# Triggers the workflow on push or pull request events but only for the "master" branch
push:
branches: [ "master" ]
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
jobs:
cd:
name: "Deployment"
runs-on: "ubuntu-latest"
#if: startsWith(github.ref, 'refs/tags/')
steps:
- name: "Checkout Code"
uses: "actions/checkout#v2"
- name: Set tag
id: vars
run: echo "::set-output name=tag::${GITHUB_REF#refs/*/}"
- name: Configure AWS credential
uses: aws-actions/configure-aws-credentials#v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login#v1
- name: Build, tag, and push image to Amazon ECR
id: build-image
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
ECR_REPOSITORY: my_ecr_repi
IMAGE_TAG: ${{ github.event.head_commit.message }}
run: |
docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
- name: Setup Terraform
uses: hashicorp/setup-terraform#v1
with:
cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
- name: Terraform Init
run: |
cd terraform_with_ALB
terraform init
- name: Terraform Format
id: fmt
run: |
cd terraform_with_ALB
terraform fmt -check
- name: Terraform Validate
id: validate
run: |
cd terraform_with_ALB
terraform validate -no-color
- name: Terraform Plan
id: plan
if: github.event_name == 'pull_request'
run: |
cd terraform_with_ALB
terraform plan -no-color -input=false
continue-on-error: true
till terraform valiate it wokring fine after that it skip terraform plan part
you are missing the pull_request element in the on section.
on:
# Triggers the workflow on push or pull request events but only for the "master" branch
push:
branches: [ "master" ]
pull_request:
branches: [ "master" ]
I am using a reusable workflow, and the calling workflow does not report a failure if the reused workflow fails.
If I were to call the workflow directly, a failure would occur and get reported which is the expected behaviour.
What needs to be done to be able to report a failure in the workflow?
Calling Workflow
name: Deploy to dev
on:
push:
branches:
- 'main'
permissions:
id-token: write
contents: read
pull-requests: write
jobs:
call-workflow-passing-data:
uses: ./.github/workflows/deploy-to-env.yml
with:
environment: dev
secrets: inherit
continue-on-error: false
Reused Workflow
name: Deploy to Environment
on:
workflow_call:
inputs:
environment:
required: true
type: string
permissions:
id-token: write
contents: read
pull-requests: write
jobs:
validate:
runs-on:
- my-custom-runner
name: Apply Terraform
environment:
name: ${{ inputs.environment }}
env:
TF_VAR_environment: dev
steps:
- name: Checkout this repo
uses: actions/checkout#v3
- uses: actions/setup-node#v3
with:
node-version: 14
- uses: hashicorp/setup-terraform#v2
with:
terraform_version: 1.2.3
- name: Terraform fmt
id: fmt
run: terraform fmt -check
continue-on-error: false
- name: Terraform Init
id: init
run: terraform -chdir=terraform/src init
- name: Terraform Plan
id: plan
run: terraform plan
continue-on-error: false
- name: Terraform Apply
id: apply
run: terraform apply
continue-on-error: false
- name: Terraform outputs
id: outputs
run: terraform output -json
continue-on-error: true
I am working on a GitHub Actions pipeline where I am creating a terraform plan and then after downloading and reviewing the plan in a file authentication the apply stage. Everything is working smoothly, I get a plan that I am then saving as a tt file using the 'out' flag, but I am not able to figure out how to download the plan file from the runner to my local machine or even save it as an artifact. Please help me out if there is a workaround.
name: 'Terraform PR'
on:
push:
branches:
- main
pull_request:
jobs:
terraform:
name: 'Terraform'
runs-on: ubuntu-latest
defaults:
run:
working-directory: infrastructure/env/dev-slb-alpha/dev
permissions:
id-token: write
contents: write
steps:
- name: Clone Repository (Latest)
uses: actions/checkout#v2
if: github.event.inputs.git-ref != ''
- name: Clone Repository (Custom Ref)
uses: actions/checkout#master
if: github.event.inputs.git-ref == ''
with:
ref: ${{ github.event.inputs.git-ref }}
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials#master
with:
role-to-assume: arn:aws:iam::262267462662:role/slb-dev-github-actions
aws-region: us-east-1
# role-session-name: GithubActionsSession
- name: Setup Terraform
uses: hashicorp/setup-terraform#v1
with:
terraform_version: 1.1.2
- name: Terraform Format
id: fmt
run: terraform fmt -check
- name: Terraform Init
id: init
run: |
# cd infrastructure/env/dev-slb-alpha/dev
terraform init
- name: Terraform Validate
id: validate
run: terraform validate -no-color
- name: Terraform Plan
id: plan
if: github.event_name == 'pull_request'
continue-on-error: true
run: |
# cd infrastructure/env/dev-slb-alpha/dev
touch tfplan.txt
# terraform force-unlock -force d5f2d86a-e0f6-222f-db3f-2c1d792ed528
# terraform force-unlock -force QOCDA86JVO02CCFV3SB010RGP3VV4KQNSO5AEMVJF66Q9ASUAAJG
terraform plan -lock=false -input=false -out=tfplan.txt
readlink -f tfplan.txt
- name: terraform plan upload
uses: actions/upload-artifact#v2
with:
name: plan
path: tfplan.txt
retention-days: 5
- uses: actions/download-artifact#v3
with:
name: my-plan
path: tfplan.txt
- name: Terraform Apply
id: apply
if: github.event_name == 'pull_request'
run: |
cd infrastructure/env/dev-slb-alpha/dev
terraform force-unlock -force 8de3f689-282e-12fd-72b2-cdd27f94e4da
terraform apply
The workflow in file inrisk.packages.ci.yml generates a tag and a realise of the code when a push is done in the develop branch. The below works as expected.
name: Code Int
on:
push:
paths:
- 'infra/**'
jobs:
ci:
runs-on: ubuntu-latest
steps:
# Checks-out to $GITHUB_WORKSPACE
- uses: actions/checkout#v2
- name: Basic Checks
run: |
whoami
ls -lah
pwd
- uses: actions/setup-node#v1
# Create a new release when on develop which triggers the deployment
- name: Bump version and push tag
if: github.ref == 'refs/heads/develop'
uses: mathieudutour/github-tag-action#v4.5
id: tag_version
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Create Release
if: github.ref == 'refs/heads/develop'
id: create_release
uses: actions/create-release#v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
tag_name: ${{ steps.tag_version.outputs.new_tag }}
release_name: Release ${{ steps.tag_version.outputs.new_tag }}
draft: false
prerelease: false
The below workflow in file inrisk.packages.cd.yml and is suppose to be triggered when ever a tag/realise is created/published.
name: Code Deploy
on:
push:
tags:
- 'v*'
release:
types:
- published
- created
- released
jobs:
build-and-deploy:
runs-on: ubuntu-latest
steps:
# Checks-out to $GITHUB_WORKSPACE
- uses: actions/checkout#v2
- uses: actions/setup-node#v1
- name: Install Yarn
run: npm install -g yarn
- uses: chrislennon/action-aws-cli#v1.1
- name: Install, Build and Deploy
run: |
whoami
ls -lah
pwd
The second workflow Code Deploy dose not get trigger after Code Int publishes/created a tag/realise
However when I manually create a realise/tag the second workflow Code Deploy get triggered
This seems to be by design as stated here .This is to stop recursive workflow runs.
I used this article to get around the problem