Added terratest user permissions (#124)

* Added terratest user permissions * Added tests * Added tests * Added tests * Added real users list * Added real users list * Update shared-access-controller.yml
cloudposse · Sep 11, 2024 · ffe3d96 · ffe3d96
1 parent 8d28f87
commit ffe3d96
Show file tree

Hide file tree

Showing 2 changed files with 79 additions and 12 deletions.
diff --git a/.github/workflows/shared-access-controller.yml b/.github/workflows/shared-access-controller.yml
@@ -0,0 +1,68 @@
+name: "Shared Access Controller"
+
+on:
+  workflow_call:
+    inputs:
+      runs-on:
+        description: "Overrides job runs-on setting (json-encoded list)"
+        type: string
+        required: false
+        default: '["ubuntu-latest"]'
+      user:
+        description: "User name"
+        type: string
+        required: true
+      permission:
+        description: "Permission to check. One of 'run_terratest'"
+        type: string
+        required: true
+      debug:
+        description: "Debug"
+        type: boolean
+        required: false
+        default: false
+    outputs:
+      granted:
+        description: If user granted access.
+        value: ${{ jobs.check.outputs.granted }}
+
+jobs:
+  check:
+    runs-on: ${{ fromJSON(inputs.runs-on) }}
+    outputs:
+      granted: ${{ contains(fromJSON(steps.controller.outputs.users), inputs.user) }}
+    steps:
+      - name: Controller
+        id: controller
+        uses: cloudposse/github-action-yaml-config-query@v1
+        with:
+          query: .${{ inputs.permission }}
+          config: |-
+            run_terratest:
+              users:
+                - osterman
+                - goruha
+                - dudymas
+                - mcalhoun
+                - Nuru
+                - aknysh
+                - korenyoni
+                - milldr
+                - Benbentwo
+                - GabisCampana
+                - hans-d
+                - johncblandii
+                - kevcube
+                - Gowiem
+                - jamengual
+                - joe-niland
+                - nitrocode
+                - gberenice
+                - RoseSecurity
+
+      - name: debug
+        if: ${{ inputs.debug }}
+        run: |-
+          echo "Users has '${{ inputs.permission }} permission' = ${{ steps.controller.outputs.users }}"
+          echo "User '${{ inputs.user }}' has permission '${{ inputs.permission }}' = ${{ contains(fromJSON(steps.controller.outputs.users), inputs.user) }}"
+          
diff --git a/.github/workflows/shared-terraform-chatops.yml b/.github/workflows/shared-terraform-chatops.yml
@@ -19,21 +19,20 @@ defaults:
     shell: bash -e -o pipefail {0}
 
 jobs:
-  debug:
-    runs-on: ${{ fromJSON(inputs.runs-on) }}    
-    steps:
-      - run: echo "${{ toJSON(github.event.comment) }}"
+  access:
+    if: ${{ github.event.issue.pull_request &&
+            contains(github.event.comment.body, '/terratest') &&
+            github.event.issue.state == 'open' }}
+    uses: cloudposse/.github/.github/workflows/shared-access-controller.yml@main
+    with:
+      runs-on: ${{ inputs.runs-on }}
+      permission: run_terratest
+      user: ${{ github.event.comment.user.login }}
 
   pr:
     name: PR Info
-    # https://docs.github.com/en/graphql/reference/enums#commentauthorassociation
-    if: ${{ github.event.issue.pull_request && 
-            contains(github.event.comment.body, '/terratest') &&
-            github.event.issue.state == 'open' &&
-            ( github.event.comment.author_association == 'OWNER' ||
-              github.event.comment.author_association == 'COLLABORATOR' ||
-              github.event.comment.author_association == 'MEMBER' )
-        }}
+    needs: [access]
+    if: ${{ needs.access.outputs.granted == 'true' }}
     runs-on: ${{ fromJSON(inputs.runs-on) }}
     steps:
       - uses: cloudposse-github-actions/get-pr@v2