Sonar Single Account CLI #41
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: 'Sonar Single Account CLI' | |
| concurrency: | |
| group: single_account | |
| on: | |
| workflow_call: | |
| inputs: | |
| branch: | |
| required: true | |
| type: string | |
| secrets: | |
| AWS_ACCESS_KEY_ID_STAGE: | |
| required: true | |
| AWS_SECRET_ACCESS_KEY_STAGE: | |
| required: true | |
| SLACK_WEBHOOK_URL: | |
| required: true | |
| JUMP_SERVER_KEY: | |
| required: true | |
| DEPLOYMENT_TAGS: | |
| required: true | |
| workflow_dispatch: | |
| inputs: | |
| branch: | |
| required: true | |
| type: string | |
| delay_destroy: | |
| description: 'Delay the destroy step and subsequent steps to allow investigation' | |
| type: boolean | |
| default: false | |
| required: false | |
| env: | |
| TF_CLI_ARGS: "-no-color" | |
| TF_INPUT: 0 | |
| TF_VAR_gw_count: 1 | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_STAGE }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_STAGE }} | |
| JUMP_SERVER_KEY: ${{ secrets.JUMP_SERVER_KEY }} | |
| AWS_REGION: ap-southeast-1 | |
| TF_WORKSPACE: sonar_single_account_cli | |
| DESTROY_DELAY_SECONDS: 1800 | |
| TF_VAR_additional_tags: ${{ secrets.DEPLOYMENT_TAGS }} | |
| permissions: | |
| contents: read | |
| jobs: | |
| terraform: | |
| strategy: | |
| max-parallel: 1 | |
| matrix: | |
| include: | |
| - name: single account | |
| example_dir: examples/aws/installation/sonar_single_account_deployment | |
| target_dir: single_account | |
| name: '${{ matrix.name }} ${{ inputs.branch }}' | |
| runs-on: ubuntu-latest | |
| env: | |
| EXAMPLE_DIR: ./${{ matrix.example_dir }} | |
| REMOTE_EXAMPLE_DIR: ./${{ matrix.target_dir }}/dsfkit/${{ matrix.example_dir }} | |
| TARGET_DIR: ${{ matrix.target_dir }} | |
| environment: test | |
| # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest | |
| defaults: | |
| run: | |
| shell: bash | |
| steps: | |
| # Checkout the repository to the GitHub Actions runner | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| with: | |
| ref: ${{ inputs.branch }} | |
| - name: Setup jq | |
| uses: sergeysova/jq-action@v2 | |
| - name: Get The Public IP | |
| run: echo curr_ip=$(curl -s https://ipinfo.io/ip) >> $GITHUB_ENV | |
| - name: Set IP in AWS Security Group | |
| run: | | |
| aws_sg=$(aws ec2 authorize-security-group-ingress --group-id ${{ vars.JUMP_SERVER_SG_ID }} --protocol tcp --port 22 --cidr $curr_ip/32) | |
| echo sg_id=$(echo $aws_sg | jq '.SecurityGroupRules[0].SecurityGroupRuleId') >> $GITHUB_ENV | |
| - name: Change the modules source to local | |
| run: | | |
| find ./examples/ -type f -exec sed -i -f sed.expr {} \; | |
| - name: Cleaning environment | |
| continue-on-error: true | |
| uses: appleboy/[email protected] | |
| with: | |
| host: 54.179.25.83 | |
| username: ec2-user | |
| key: ${{ env.JUMP_SERVER_KEY }} | |
| port: 22 | |
| command_timeout: "2h" | |
| envs: REMOTE_EXAMPLE_DIR,TF_WORKSPACE | |
| script: | | |
| terraform -chdir=$REMOTE_EXAMPLE_DIR destroy -auto-approve | |
| - name: Delete Old Environment | |
| uses: appleboy/[email protected] | |
| with: | |
| host: 54.179.25.83 | |
| username: ec2-user | |
| key: ${{ env.JUMP_SERVER_KEY }} | |
| port: 22 | |
| command_timeout: "2h" | |
| envs: TARGET_DIR | |
| script: | | |
| cd $TARGET_DIR | |
| rm -rf dsfkit | |
| rm -rf dsfkit.zip | |
| - name: Create terraform backend file | |
| run: | | |
| cat << EOF > $EXAMPLE_DIR/backend.tf | |
| terraform { | |
| backend "s3" { | |
| bucket = "terraform-state-bucket-dsfkit-github-tests" | |
| key = "states/terraform.tfstate" | |
| dynamodb_table = "terraform-state-lock" | |
| region = "us-east-1" | |
| } | |
| } | |
| EOF | |
| - name: Create tfvars File | |
| run: | | |
| cat << EOF > $EXAMPLE_DIR/terraform.tfvars | |
| ${{ vars.TFVAR_PARAMETERS_SINGLE_ACCOUNT_AUTOMATION_V1 }} | |
| EOF | |
| - name: View The Vars | |
| run: cat $EXAMPLE_DIR/terraform.tfvars | |
| - name: Create a ZIP File | |
| run: zip -r dsfkit.zip ../dsfkit | |
| - name: View The ZIP File | |
| run: | | |
| ls -l | |
| pwd | |
| - name: SCP the ZIP File | |
| uses: appleboy/scp-action@master | |
| with: | |
| host: 54.179.25.83 | |
| username: ec2-user | |
| key: ${{ env.JUMP_SERVER_KEY }} | |
| port: 22 | |
| source: "dsfkit.zip" | |
| timeout: "10m" | |
| target: ${{ matrix.target_dir }} | |
| overwrite: true | |
| - name: Unzip | |
| uses: appleboy/[email protected] | |
| with: | |
| host: 54.179.25.83 | |
| username: ec2-user | |
| key: ${{ env.JUMP_SERVER_KEY }} | |
| port: 22 | |
| command_timeout: "2h" | |
| envs: TARGET_DIR | |
| script: | | |
| cd $TARGET_DIR | |
| unzip -uq dsfkit.zip | |
| # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. | |
| - name: Terraform Init | |
| uses: appleboy/[email protected] | |
| with: | |
| host: 54.179.25.83 | |
| username: ec2-user | |
| key: ${{ env.JUMP_SERVER_KEY }} | |
| port: 22 | |
| command_timeout: "2h" | |
| envs: REMOTE_EXAMPLE_DIR,TF_WORKSPACE | |
| script: terraform -chdir=$REMOTE_EXAMPLE_DIR init | |
| - name: Terraform Validate | |
| uses: appleboy/[email protected] | |
| with: | |
| host: 54.179.25.83 | |
| username: ec2-user | |
| key: ${{ env.JUMP_SERVER_KEY }} | |
| port: 22 | |
| command_timeout: "2h" | |
| envs: REMOTE_EXAMPLE_DIR,TF_WORKSPACE | |
| script: terraform -chdir=$REMOTE_EXAMPLE_DIR validate | |
| # Generates an execution plan for Terraform | |
| - name: Terraform Plan | |
| uses: appleboy/[email protected] | |
| with: | |
| host: 54.179.25.83 | |
| username: ec2-user | |
| key: ${{ env.JUMP_SERVER_KEY }} | |
| port: 22 | |
| command_timeout: "2h" | |
| envs: REMOTE_EXAMPLE_DIR,TF_WORKSPACE, TF_VAR_additional_tags | |
| script: | | |
| printenv | |
| terraform -chdir=$REMOTE_EXAMPLE_DIR plan | |
| - name: Terraform Apply | |
| uses: appleboy/[email protected] | |
| with: | |
| host: 54.179.25.83 | |
| username: ec2-user | |
| key: ${{ env.JUMP_SERVER_KEY }} | |
| port: 22 | |
| command_timeout: "2h" | |
| envs: REMOTE_EXAMPLE_DIR,TF_WORKSPACE, TF_VAR_additional_tags | |
| script: terraform -chdir=$REMOTE_EXAMPLE_DIR apply -auto-approve | |
| - name: Terraform Output | |
| if: always() | |
| uses: appleboy/[email protected] | |
| with: | |
| host: 54.179.25.83 | |
| username: ec2-user | |
| key: ${{ env.JUMP_SERVER_KEY }} | |
| port: 22 | |
| command_timeout: "2h" | |
| envs: REMOTE_EXAMPLE_DIR,TF_WORKSPACE | |
| script: terraform -chdir=$REMOTE_EXAMPLE_DIR output -json | |
| - name: Collect Artifacts | |
| id: collect-artifacts | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: collected-keys-${{ env.TF_WORKSPACE }} | |
| path: | | |
| ${{ env.EXAMPLE_DIR }}/ssh_keys | |
| - name: Check how was the workflow run | |
| if: ${{ failure() }} | |
| id: check-trigger | |
| run: | | |
| if [ "${{ github.event_name }}" == "schedule" ]; then | |
| echo "run-by=Automation" >> $GITHUB_OUTPUT | |
| else | |
| echo "run-by=${{ github.actor }}" >> $GITHUB_OUTPUT | |
| fi | |
| # This step allows time for investigation of the failed resources before destroying them | |
| - name: Conditional Delay | |
| if: ${{ failure() }} | |
| run: | | |
| echo "delay_destroy: ${{ inputs.delay_destroy }}" | |
| if [ "${{ inputs.delay_destroy }}" == "true" ]; then | |
| echo "Terraform workspace: $TF_WORKSPACE" | |
| curl -X POST -H 'Content-type: application/json' --data '{"text":":exclamation: :exclamation: :exclamation:\n*${{ github.workflow }} ${{ env.TF_WORKSPACE }} automation Failed*\n You have ${{ env.DESTROY_DELAY_SECONDS }} seconds to investigate the environment before it is destroyed :alarm_clock:\n<https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|Please check the job!>\nRun by: ${{ steps.check-trigger.outputs.run-by }}", "channel": "#edsf_automation"}' ${{ secrets.SLACK_WEBHOOK_URL }} | |
| echo "" | |
| echo "Sleeping for $((DESTROY_DELAY_SECONDS / 60)) minutes before destroying the environment" | |
| sleep $DESTROY_DELAY_SECONDS | |
| fi | |
| - name: Terraform Destroy | |
| # if: always() | |
| uses: appleboy/[email protected] | |
| id: test_audit | |
| with: | |
| host: 54.179.25.83 | |
| username: ec2-user | |
| key: ${{ env.JUMP_SERVER_KEY }} | |
| port: 22 | |
| command_timeout: "2h" | |
| envs: REMOTE_EXAMPLE_DIR,TF_WORKSPACE | |
| script: terraform -chdir=$REMOTE_EXAMPLE_DIR destroy -auto-approve | |
| - name: Delete Security Group | |
| if: always() | |
| run: aws ec2 revoke-security-group-ingress --group-id ${{ vars.JUMP_SERVER_SG_ID }} --security-group-rule-ids ${{ env.sg_id }} | |
| # Send job failure to Slack | |
| - name: Send Slack When Failure | |
| run: | | |
| if [ ${{ inputs.branch }} == 'master' ]; then | |
| curl -X POST -H 'Content-type: application/json' --data '{"text":":exclamation: :exclamation: :exclamation:\n*Prod ${{ matrix.name }} automation Failed*\n<https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|Please check the job!>\nRun by: ${{ steps.check-trigger.outputs.run-by }}", "channel": "#dsfkit-prod"}' ${{ secrets.SLACK_WEBHOOK_URL }} | |
| else | |
| curl -X POST -H 'Content-type: application/json' --data '{"text":":exclamation: :exclamation: :exclamation:\n*Dev nightly ${{ matrix.name }} automation Failed*\n<https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|Please check the job!>\nRun by: ${{ steps.check-trigger.outputs.run-by }}", "channel": "#edsf_automation"}' ${{ secrets.SLACK_WEBHOOK_URL }} | |
| fi | |
| if: ${{ failure() }} |