---
# Reusable entry point (workflow_call) for Gruntwork Pipelines. Callers supply the
# tokens listed under `secrets`; the workflow declares no `permissions:` stanza, so
# GITHUB_TOKEN scopes are whatever the calling workflow grants.
# NOTE(review): confirm whether a least-privilege `permissions:` block can be declared
# here without breaking the status-update steps before adding one.
name: 'Pipelines Execute'
run-name: 'Run Gruntwork Pipelines'

on:  # yamllint disable-line rule:truthy
  workflow_call:
    secrets:
      # Used to check out gruntwork-io/pipelines-actions and handed to every Gruntwork action.
      PIPELINES_READ_TOKEN:
        required: true
      # Only consumed by the account-provisioning step.
      INFRA_ROOT_WRITE_TOKEN:
        required: true
      # Optional; only the delegated-repo job reads it, so a caller that never
      # delegates management can omit it.
      ORG_REPO_ADMIN_TOKEN:
        required: false

env:
  # Not referenced in this file; presumably read from the environment by the
  # Gruntwork actions — verify before removing.
  PIPELINES_CLI_VERSION: 'v0.9.10'
  # Git ref of gruntwork-io/pipelines-actions checked out by every job below.
  PIPELINES_ACTIONS_VERSION: 'v1.1.3'
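jobs:
  # Stage 1: build the job matrix (`pipelines_jobs`) that every later job consumes.
  detect_changes:
    name: Detect Infrastructure Changes
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): actions/checkout is referenced by the mutable `v4` tag here and
      # in every job below. Pinning to a full commit SHA (keeping the tag in a trailing
      # comment) removes the tag-retargeting risk from the supply chain.
      - name: Checkout Pipelines Actions
        uses: actions/checkout@v4
        with:
          path: pipelines-actions
          repository: gruntwork-io/pipelines-actions
          ref: ${{ env.PIPELINES_ACTIONS_VERSION }}
          token: ${{ secrets.PIPELINES_READ_TOKEN }}
      - name: Check out repo code
        uses: actions/checkout@v4
        with:
          path: infra-live-repo
          # Full history; presumably so the orchestrator can diff against the base ref — confirm.
          fetch-depth: 0
      - name: Preflight Checks
        uses: ./pipelines-actions/.github/actions/pipelines-preflight-action
        with:
          PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
      - name: Pipelines Orchestrate
        id: orchestrate
        uses: ./pipelines-actions/.github/actions/pipelines-orchestrate
        with:
          token: ${{ secrets.PIPELINES_READ_TOKEN }}
    outputs:
      # JSON array; consumed via fromJson() by the jobs below.
      pipelines_jobs: ${{ steps.orchestrate.outputs.jobs }}

  # Stage 2: one matrix instance per orchestrated job. Bootstrap decides which of the
  # three mutually exclusive action steps runs (PROVISION_ACCOUNT / BASELINE_ACCOUNT /
  # TERRAGRUNT_EXECUTE); the status-update step always runs.
  pipelines_determine:
    name: ${{ contains(matrix.jobs.Action.Command, 'plan') && 'Plan' || 'Apply' }} - ${{ matrix.jobs.ChangeType }} - ${{ matrix.jobs.WorkingDirectory }}
    needs: [detect_changes]
    runs-on: ubuntu-latest
    # GHA can't check for length, so we just check if there is an item in the 0 index
    if: fromJson(needs.detect_changes.outputs.pipelines_jobs)[0] != null
    strategy:
      fail-fast: false
      matrix:
        jobs: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs) }}
    steps:
      - name: Checkout Pipelines Actions
        uses: actions/checkout@v4
        with:
          path: pipelines-actions
          repository: gruntwork-io/pipelines-actions
          ref: ${{ env.PIPELINES_ACTIONS_VERSION }}
          token: ${{ secrets.PIPELINES_READ_TOKEN }}
      - name: Check out repo code
        uses: actions/checkout@v4
        with:
          path: infra-live-repo
          fetch-depth: 0
      - name: Bootstrap Workflow
        id: bootstrap
        uses: ./pipelines-actions/.github/actions/pipelines-bootstrap
        with:
          token: ${{ secrets.PIPELINES_READ_TOKEN }}
          change_type: ${{ matrix.jobs.ChangeType }}
          branch: ${{ matrix.jobs.Ref }}
          working_directory: ${{ matrix.jobs.WorkingDirectory }}
          account_id: ${{ matrix.jobs.AccountId }}
          terragrunt_command: ${{ matrix.jobs.Action.Command }} ${{ matrix.jobs.Action.Args }}
          additional_data: ${{ toJson(matrix.jobs.AdditionalData) }}
          child_account_id: ${{ matrix.jobs.AdditionalData.ChildAccountId }}
          account_names: ${{ matrix.jobs.AdditionalData.AccountNames }}
          # TODO: This should be "first_new_account_name".
          new_account_name: ${{ matrix.jobs.NewAccounts[0].Name }}
      # The three `if:` guards below are written without `${{ }}`, matching the
      # job-level conditions in this file; GitHub evaluates both forms identically.
      - name: "[ProvisionAccount]: Provision New Account"
        id: provision_access_control
        if: steps.bootstrap.outputs.action == 'PROVISION_ACCOUNT'
        uses: ./pipelines-actions/.github/actions/pipelines-provision-account-action
        with:
          PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
          INFRA_ROOT_WRITE_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }}
          gruntwork_context: ${{ toJson(steps.bootstrap.outputs) }}
      # Run the core accounts baselines(shared, logs, security, etc. to ensure the account is setup correctly)
      - name: "Run core accounts baselines"
        id: core_accounts_baselines
        if: steps.bootstrap.outputs.action == 'BASELINE_ACCOUNT'
        # TODO: Rename this as pipelines-apply-core-baselines or something similar
        # Also, the final Auth to the management account in this action should be done by the pipelines-baseline-child-account-action
        # instead to prevent the indirection and confusion
        uses: ./pipelines-actions/.github/actions/pipelines-baseline-account-action
        with:
          PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
          gruntwork_context: ${{ toJson(steps.bootstrap.outputs) }}
      - name: "[TerragruntExecute]: Authenticate with AWS and then Invoke Terragrunt"
        id: terragrunt
        if: steps.bootstrap.outputs.action == 'TERRAGRUNT_EXECUTE'
        uses: ./pipelines-actions/.github/actions/pipelines-aws-execute
        with:
          PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
          account_id: ${{ steps.bootstrap.outputs.account_id }}
          working_directory: ${{ steps.bootstrap.outputs.working_directory }}
          account_role_name: ${{ steps.bootstrap.outputs.role_name }}
          role_session_name: ${{ steps.bootstrap.outputs.role_session_name }}
          gruntwork_context: ${{ toJson(steps.bootstrap.outputs) }}
      - name: Update comment
        uses: ./pipelines-actions/.github/actions/pipelines-status-update
        # Runs even when an earlier step failed so the PR comment reflects the outcome.
        if: always()
        with:
          step_name: ${{ matrix.jobs.ChangeType }}
          step_working_directory: ${{ matrix.jobs.WorkingDirectory }}
          # Exactly one of the three action steps ran; 'success' if that one succeeded.
          step_status: ${{ (steps.provision_access_control.conclusion == 'success' || steps.terragrunt.conclusion == 'success' || steps.core_accounts_baselines.conclusion == 'success') && 'success' || 'failed' }}
          step_details: ${{ steps.terragrunt.outputs.formatted_plan_output || 'Check the logs for more details.' }}
          step_details_extended_log: ${{ steps.terragrunt.outputs.execute_stdout_log }}
          pull_request_number: ${{ steps.bootstrap.outputs.pr_number }}
    # NOTE(review): this job is a matrix, and GitHub sets job-level outputs from
    # whichever matrix instance wrote them last. The downstream reads of pr_number,
    # delegate_management and terragrunt_command are therefore only well-defined when
    # the matrix has a single entry or every entry agrees — confirm that holds.
    outputs:
      account_id: ${{ matrix.jobs.AccountId }}
      branch: ${{ steps.bootstrap.outputs.branch }}
      action: ${{ steps.bootstrap.outputs.action }}
      working_directory: ${{ steps.bootstrap.outputs.working_directory }}
      terragrunt_command: ${{ steps.bootstrap.outputs.terragrunt_command }}
      additional_data: ${{ steps.bootstrap.outputs.additional_data }}
      child_account_id: ${{ steps.bootstrap.outputs.child_account_id }}
      pr_number: ${{ steps.bootstrap.outputs.pr_number }}
      delegate_management: ${{ steps.bootstrap.outputs.delegate_management }}

  # Stage 3: one matrix instance per new account listed on the FIRST orchestrated job
  # (only `[0].NewAccounts` is read, here and in the delegated-repo job below).
  pipelines_apply_baselines:
    # NOTE(review): the matrix entries here are NewAccounts items (Name/ID are read
    # below); if they carry no Action.Command this label always resolves to 'Apply' —
    # confirm against the orchestrator output.
    name: Baseline Child Account ${{ contains(matrix.jobs.Action.Command, 'plan') && 'Plan' || 'Apply' }} - ${{ matrix.jobs.Name }} (${{ matrix.jobs.ID }})
    needs: [detect_changes, pipelines_determine]
    runs-on: ubuntu-latest
    # GHA can't check for length, so we just check if there is an item in the 0 index
    if: fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].NewAccounts[0] != null
    strategy:
      fail-fast: false
      matrix:
        jobs: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].NewAccounts }}
    steps:
      - name: Checkout Pipelines Actions
        uses: actions/checkout@v4
        with:
          path: pipelines-actions
          repository: gruntwork-io/pipelines-actions
          ref: ${{ env.PIPELINES_ACTIONS_VERSION }}
          token: ${{ secrets.PIPELINES_READ_TOKEN }}
      - name: Check out repo code
        uses: actions/checkout@v4
        with:
          path: infra-live-repo
          fetch-depth: 0
      # Mark the step in-progress on the PR before the (long) baseline run starts.
      - name: Update comment
        uses: ./pipelines-actions/.github/actions/pipelines-status-update
        with:
          step_name: Baseline Child Account ${{ matrix.jobs.Name }}
          step_status: "in_progress"
          pull_request_number: ${{ needs.pipelines_determine.outputs.pr_number }}
      - name: "[Baseline]: Baseline the Child Account"
        id: baseline_child_account
        uses: ./pipelines-actions/.github/actions/pipelines-baseline-child-account-action
        with:
          PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
          account_id: ${{ matrix.jobs.ID }}
          account_name: ${{ matrix.jobs.Name }}
          job: ${{ toJson(fromJson(needs.detect_changes.outputs.pipelines_jobs)[0]) }}
      - name: Update comment
        uses: ./pipelines-actions/.github/actions/pipelines-status-update
        if: always()
        with:
          step_name: Baseline Child Account ${{ matrix.jobs.Name }}
          step_status: ${{ steps.baseline_child_account.conclusion == 'success' && 'success' || 'failed' }}
          step_details: ${{ steps.baseline_child_account.outputs.formatted_plan_output || 'Check the logs for more details.' }}
          step_details_extended_log: ${{ steps.baseline_child_account.outputs.execute_stdout_log }}
          pull_request_number: ${{ needs.pipelines_determine.outputs.pr_number }}

  # Stage 4: after the new accounts are baselined, open the access-control PR and
  # create the delegated repo. Only runs for a `run-all apply` with delegation enabled.
  pipelines_setup_delegated_repo:
    name: "Setup Delegated Repo"
    needs: [detect_changes, pipelines_apply_baselines, pipelines_determine]
    runs-on: ubuntu-latest
    # GHA can't check for length, so we just check if there is an item in the 0 index
    if: fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].NewAccounts[0] != null && needs.pipelines_determine.outputs.delegate_management == 'true' && needs.pipelines_determine.outputs.terragrunt_command == 'run-all apply'
    steps:
      - name: Checkout Pipelines Actions
        uses: actions/checkout@v4
        with:
          path: pipelines-actions
          repository: gruntwork-io/pipelines-actions
          ref: ${{ env.PIPELINES_ACTIONS_VERSION }}
          token: ${{ secrets.PIPELINES_READ_TOKEN }}
      - name: Check out repo code
        uses: actions/checkout@v4
        with:
          path: infra-live-repo
          fetch-depth: 0
      # Re-bootstraps from the first orchestrated job, mirroring the inputs that
      # pipelines_determine passes from its matrix entry.
      - name: Bootstrap Workflow
        id: bootstrap
        uses: ./pipelines-actions/.github/actions/pipelines-bootstrap
        with:
          token: ${{ secrets.PIPELINES_READ_TOKEN }}
          change_type: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].ChangeType }}
          branch: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].Ref }}
          working_directory: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].WorkingDirectory }}
          account_id: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].AccountId }}
          # Both halves must go through fromJson(): `pipelines_jobs` is a JSON string,
          # so indexing it directly with [0] yields nothing and silently dropped Args.
          terragrunt_command: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].Action.Command }} ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].Action.Args }}
          additional_data: ${{ toJson(fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].AdditionalData) }}
          child_account_id: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].AdditionalData.ChildAccountId }}
          account_names: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].AdditionalData.AccountNames }}
          # This is just to help bootstrap find one of the (possibly several) new account request files
          # Inside those files is some shared config that we need to setup access control such as
          # the delegated_repo_name (which is the same in all the new request files)
          new_account_name: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].NewAccounts[0].Name }}
      # NOTE(review): ORG_REPO_ADMIN_TOKEN is declared `required: false` at the workflow
      # level but passed unconditionally to the two steps below; a caller that enables
      # delegation without supplying it hands the actions an empty token. Assumes the
      # actions fail closed on an empty value — confirm.
      - name: "Create Access Control PR"
        id: access_control_pr
        uses: ./pipelines-actions/.github/actions/pipelines-provision-access-control-action
        with:
          gruntwork_context: ${{ toJson(steps.bootstrap.outputs) }}
          PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
          ORG_REPO_ADMIN_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }}
      - name: "Create and bootstrap delegated Repo"
        id: provision_delegated_repo
        uses: ./pipelines-actions/.github/actions/pipelines-provision-repo-action
        with:
          gruntwork_context: ${{ toJson(steps.bootstrap.outputs) }}
          access_control_pull_request_url: ${{ steps.access_control_pr.outputs.pull_request_url }}
          PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
          ORG_REPO_ADMIN_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }}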