feat: initial implementation (#1)

.github/workflows/ci.yaml

@@ -0,0 +1,198 @@
+name: CI
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - closed
+concurrency:
+  group: ${{ github.workflow}}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' && github.event.action != 'closed' }}
+permissions:
+  contents: write
+
+defaults:
+  run:
+    shell: bash
+jobs:
+  cleanup:
+    name: Clean Up
+    if: github.event_name == 'pull_request' && github.event.action == 'closed' && github.event.pull_request.merged == false
+    runs-on: ubuntu-latest
+    env:
+      GITHUB_TOKEN: ${{ github.token }}
+    steps:
+      - name: Delete release
+        run: |
+          # step script
+          set -x
+          release_id="$(gh api "/repos/$GITHUB_REPOSITORY/releases/tags/${{ github.event.pull_request.number }}" --jq .id)"
+          gh api --method DELETE "/repos/$GITHUB_REPOSITORY/releases/$release_id"
+      - name: Delete tag
+        run: gh api --method DELETE "/repos/$GITHUB_REPOSITORY/git/refs/tags/${{ github.event.pull_request.number }}"
+
+  plan:
+    name: TF Plan
+    if: github.event_name == 'pull_request' && github.event.action != 'closed'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Dependencies
+        run: sudo apt-get install -y colorized-logs
+      - name: Checkout repo
+        uses: actions/checkout@v3
+      - name: Import PGP key
+        env:
+          TFSTATE_PGP_KEY: ${{ secrets.TF_TFSTATE_PGP_KEY }}
+        run: gpg --import <<< "$TFSTATE_PGP_KEY"
+      - name: Download and decrypt statefile
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: ./scripts/get-state-file.sh
+      - name: Terraform init
+        run: terraform init
+      - name: Generate app token
+        id: generate-app-token
+        uses: tibdex/[email protected]
+        with:
+          app_id: ${{ vars.GH_APP_STEELECO_SYSTEMS_APP_ID }}
+          private_key: ${{ secrets.GH_APP_STEELECO_SYSTEMS_PRIVATE_KEY }}
+      - name: Terraform plan
+        env:
+          GITHUB_TOKEN: ${{ steps.generate-app-token.outputs.token }}
+        run: terraform plan -var-file=secrets.tfvars | tee >(ansi2txt > terraform.tfplan.log)
+      - name: Create release body
+        run: |
+          cat \
+            <(echo "<details><summary>Terraform Plan Log</summary>") \
+            <(echo "") \
+            <(echo '```') \
+            terraform.tfplan.log \
+            <(echo '```') \
+            <(echo "</details>") \
+          > release.md
+      - name: Create or update tag
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          # step script
+          set -x
+          
+          if gh api /repos/:owner/:repo/git/ref/tags/${{ github.event.pull_request.number }}; then
+            gh api --method PATCH /repos/:owner/:repo/git/refs/tags/${{ github.event.pull_request.number }} \
+              -f sha=${{ github.event.pull_request.head.sha }} \
+              -F force=true \
+              | jq .
+          else
+            gh api --method POST /repos/:owner/:repo/git/refs \
+              -f ref=refs/tags/${{ github.event.pull_request.number }} \
+              -f sha=${{ github.event.pull_request.head.sha }} \
+              | jq .
+          fi
+      - name: Create release
+        id: create-release
+        uses: softprops/action-gh-release@v1
+        with:
+          body_path: release.md
+          prerelease: true
+          files: terraform.tfplan.log
+          tag_name: ${{ github.event.pull_request.number }}
+          name: ${{ github.event.pull_request.title }} (#${{ github.event.pull_request.number }})
+          fail_on_unmatched_files: true
+          target_commitish: ${{ github.event.pull_request.head.sha }}
+
+  apply:
+    name: TF Apply
+    if: github.event_name == 'pull_request' && github.event.pull_request.merged == true
+    runs-on: ubuntu-latest
+    steps:
+      - name: Dependencies
+        run: sudo apt-get install -y colorized-logs
+      - name: Checkout repo
+        uses: actions/checkout@v3
+      - name: Import PGP key
+        env:
+          TFSTATE_PGP_KEY: ${{ secrets.TF_TFSTATE_PGP_KEY }}
+        run: gpg --import <<< "$TFSTATE_PGP_KEY"
+      - name: Download and decrypt statefile
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: ./scripts/get-state-file.sh
+      - name: Terraform init
+        run: terraform init
+      - name: Generate app token
+        id: generate-app-token
+        uses: tibdex/[email protected]
+        with:
+          app_id: ${{ vars.GH_APP_STEELECO_SYSTEMS_APP_ID }}
+          private_key: ${{ secrets.GH_APP_STEELECO_SYSTEMS_PRIVATE_KEY }}
+      - name: Terraform apply
+        env:
+          GITHUB_TOKEN: ${{ steps.generate-app-token.outputs.token }}
+        run: terraform apply -var-file=secrets.tfvars -auto-approve | tee >(ansi2txt > terraform.apply.log)
+      - name: Encrypt statefile
+        run: |
+          # step script
+          set -x
+          gpg --batch --encrypt --recipient "141457414+steeleco-systems[bot]@users.noreply.github.com" --trust-model always \
+            --output terraform.tfstate.gpg terraform.tfstate
+          
+          if [ -f terraform.tfstate.backup ]; then
+            gpg --batch --encrypt --recipient "141457414+steeleco-systems[bot]@users.noreply.github.com" --trust-model always \
+              --output terraform.tfstate.backup.gpg terraform.tfstate.backup
+          fi
+      - name: Create release body
+        run: |
+          cat \
+            <(echo "<details><summary>Terraform Apply Log</summary>") \
+            <(echo "") \
+            <(echo '```') \
+            terraform.apply.log \
+            <(echo '```') \
+            <(echo "</details>") \
+          > release.md
+      - name: Create or update tag
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          # step script
+          set -x
+          
+          if gh api /repos/:owner/:repo/git/ref/tags/${{ github.event.pull_request.number }}; then
+            gh api --method PATCH /repos/:owner/:repo/git/refs/tags/${{ github.event.pull_request.number }} \
+              -f sha=${{ github.event.pull_request.merge_commit_sha }} \
+              -F force=true \
+              | jq .
+          else
+            gh api --method POST /repos/:owner/:repo/git/refs \
+              -f ref=refs/tags/${{ github.event.pull_request.number }} \
+              -f sha=${{ github.event.pull_request.merge_commit_sha }} \
+              | jq .
+          fi
+      - name: Create release
+        id: create-release
+        uses: softprops/action-gh-release@v1
+        with:
+          body_path: release.md
+          prerelease: false
+          files: |
+            terraform.apply.log
+            terraform.tfstate*.gpg
+          tag_name: ${{ github.event.pull_request.number }}
+          name: ${{ github.event.pull_request.title }} (#${{ github.event.pull_request.number }})
+          fail_on_unmatched_files: true
+          target_commitish: ${{ github.event.pull_request.merge_commit_sha }}
+      - name: Clean up plan log from release
+        env:
+          release_id: ${{ steps.create-release.outputs.id }}
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          # step script
+          set -x
+          release_assets="$(gh api "/repos/:owner/:repo/releases/$release_id" --jq .assets)"
+          tfplanlog_asset_id="$(jq -r '.[] | select(.name == "terraform.tfplan.log") | .id' <<< "$release_assets")"
+          if [[ "$tfplanlog_asset_id" != "" ]]; then
+            gh api --method DELETE "/repos/:owner/:repo/releases/assets/$tfplanlog_asset_id"
+          fi
+            
+          

.gitignore

@@ -0,0 +1,8 @@
+terraform.tfstate
+terraform.tfstate.backup
+terraform.tfplan
+terraform.tfplan.log
+terraform.apply.log
+.terraform.lock.hcl
+.terraform
+*.gpg

README.md

@@ -1 +1 @@
-# tf-test
+# tf

main.tf

@@ -0,0 +1,37 @@
+terraform {
+  required_providers {
+    github = {
+      source  = "integrations/github"
+      version = "~> 5.38"
+    }
+  }
+}
+
+# Configure the GitHub Provider
+provider "github" {
+
+#  app_auth {
+#    id              = "371766"
+#    installation_id = "40392571"
+#    pem_file        = file("~/Downloads/steelecosystems.2023-09-24.private-key.pem")
+#  }
+  owner = "SteelecoSystems"
+}
+
+resource "github_actions_secret" "test_secret" {
+  secret_name = "SECRET_NAME"
+  plaintext_value = "SECRET_${var.secret_name}"
+  repository = "tf-test"
+}
+
+#resource "github_actions_secret" "test_secret_2" {
+#  secret_name = "SECRET_${var.secret_name}"
+#  plaintext_value = "SECRET_${var.secret_name}"
+#  repository = "tf-test"
+#}
+
+variable "secret_name" {
+  description = "The secret name"
+  type = string
+  sensitive = true
+}

scripts/get-state-file.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -eo pipefail
+[[ $RUNNER_DEBUG || $DEBUG ]] && set -x
+
+set +e
+state_file_url="$(gh api /repos/:owner/:repo/releases/latest --jq '.assets[] | select(.name == "terraform.tfstate.gpg") | .url')"
+rc=$?; set -e
+
+if [[ $rc != 0 ]]; then
+  error_message="$(jq -r .message <<< "$state_file_url")"
+  if [[ $error_message == "Not Found" ]]; then
+    >&2 echo "No state file found, exiting"
+    exit 0
+  else
+    >&2 echo "Other error occurred while trying to obtain the state file:"
+    >&2 echo "$error_message"
+    exit 1
+  fi
+fi
+
+gh api -H 'Accept: application/octet-stream' "$state_file_url" | gpg --out terraform.tfstate --decrypt
+
+

scripts/upload-state-file.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+set -eo pipefail
+[[ $RUNNER_DEBUG || $DEBUG ]] && set -x
+
+gpg --encrypt --default-recipient "141457414+steeleco-systems[bot]@users.noreply.github.com" --output terraform.tfstate.gpg terraform.tfstate

secrets.tfvars

@@ -0,0 +1 @@
+secret_name = "NMOHULCFXIMKVXTL"