From ffe3d960df23e1ffd1a683aaee05d3b9317ba3e0 Mon Sep 17 00:00:00 2001
From: Igor Rodionov
Date: Wed, 11 Sep 2024 21:29:02 +0300
Subject: [PATCH] Added terratest user permissions (#124)

* Added terratest user permissions
* Added tests
* Added tests
* Added tests
* Added real users list
* Added real users list
* Update shared-access-controller.yml
---
 .../workflows/shared-access-controller.yml | 68 +++++++++++++++++++
 .../workflows/shared-terraform-chatops.yml | 23 +++----
 2 files changed, 79 insertions(+), 12 deletions(-)
 create mode 100644 .github/workflows/shared-access-controller.yml

diff --git a/.github/workflows/shared-access-controller.yml b/.github/workflows/shared-access-controller.yml
new file mode 100644
index 0000000..621f080
--- /dev/null
+++ b/.github/workflows/shared-access-controller.yml
@@ -0,0 +1,68 @@
+name: "Shared Access Controller"
+
+on:
+  workflow_call:
+    inputs:
+      runs-on:
+        description: "Overrides job runs-on setting (json-encoded list)"
+        type: string
+        required: false
+        default: '["ubuntu-latest"]'
+      user:
+        description: "User name"
+        type: string
+        required: true
+      permission:
+        description: "Permission to check. One of 'run_terratest'"
+        type: string
+        required: true
+      debug:
+        description: "Debug"
+        type: boolean
+        required: false
+        default: false
+    outputs:
+      granted:
+        description: If user granted access.
+        value: ${{ jobs.check.outputs.granted }}
+
+jobs:
+  check:
+    runs-on: ${{ fromJSON(inputs.runs-on) }}
+    outputs:
+      granted: ${{ contains(fromJSON(steps.controller.outputs.users), inputs.user) }}
+    steps:
+      - name: Controller
+        id: controller
+        uses: cloudposse/github-action-yaml-config-query@v1
+        with:
+          query: .${{ inputs.permission }}
+          config: |-
+            run_terratest:
+              users:
+                - osterman
+                - goruha
+                - dudymas
+                - mcalhoun
+                - Nuru
+                - aknysh
+                - korenyoni
+                - milldr
+                - Benbentwo
+                - GabisCampana
+                - hans-d
+                - johncblandii
+                - kevcube
+                - Gowiem
+                - jamengual
+                - joe-niland
+                - nitrocode
+                - gberenice
+                - RoseSecurity
+
+      - name: debug
+        if: ${{ inputs.debug }}
+        run: |-
+          echo "Users has '${{ inputs.permission }} permission' = ${{ steps.controller.outputs.users }}"
+          echo "User '${{ inputs.user }}' has permission '${{ inputs.permission }}' = ${{ contains(fromJSON(steps.controller.outputs.users), inputs.user) }}"
+
diff --git a/.github/workflows/shared-terraform-chatops.yml b/.github/workflows/shared-terraform-chatops.yml
index ee9a299..a0a0edf 100644
--- a/.github/workflows/shared-terraform-chatops.yml
+++ b/.github/workflows/shared-terraform-chatops.yml
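Review bot: The `debug` step interpolates `inputs.user`, `inputs.permission` and `steps.controller.outputs.users` directly into its `run:` script, so whatever a caller passes is spliced into shell source before it executes; those values should reach the script through `env:` and be read as quoted shell variables instead. GitHub logins are restricted in the characters they may contain, so the exposure through `user` is narrow today, but this step is the only place in the workflow where inputs touch a shell, and the `granted` expression itself, `contains(fromJSON(steps.controller.outputs.users), inputs.user)`, is evaluated in expression context and is not affected. Separately, if the queried permission presumably yields no `users` output, `fromJSON('')` fails the job rather than producing an explicit deny; `fromJSON(steps.controller.outputs.users || '[]')` in both places the expression appears would make `granted` evaluate to `false` instead of leaving callers to rely on job-skip propagation.
```yaml
      # … unchanged: Controller step …
      - name: debug
        if: ${{ inputs.debug }}
        env:
          PERMISSION: ${{ inputs.permission }}
          USER_LOGIN: ${{ inputs.user }}
          USERS: ${{ steps.controller.outputs.users }}
          GRANTED: ${{ contains(fromJSON(steps.controller.outputs.users), inputs.user) }}
        run: |-
          echo "Users has '${PERMISSION} permission' = ${USERS}"
          echo "User '${USER_LOGIN}' has permission '${PERMISSION}' = ${GRANTED}"
```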
@@ -19,21 +19,20 @@ defaults:
     shell: bash -e -o pipefail {0}
 
 jobs:
-  debug:
-    runs-on: ${{ fromJSON(inputs.runs-on) }}
-    steps:
-      - run: echo "${{ toJSON(github.event.comment) }}"
+  access:
+    if: ${{ github.event.issue.pull_request &&
+      contains(github.event.comment.body, '/terratest') &&
+      github.event.issue.state == 'open' }}
+    uses: cloudposse/.github/.github/workflows/shared-access-controller.yml@main
+    with:
+      runs-on: ${{ inputs.runs-on }}
+      permission: run_terratest
+      user: ${{ github.event.comment.user.login }}
 
   pr:
     name: PR Info
-    # https://docs.github.com/en/graphql/reference/enums#commentauthorassociation
-    if: ${{ github.event.issue.pull_request &&
-      contains(github.event.comment.body, '/terratest') &&
-      github.event.issue.state == 'open' &&
-      ( github.event.comment.author_association == 'OWNER' ||
-      github.event.comment.author_association == 'COLLABORATOR' ||
-      github.event.comment.author_association == 'MEMBER' )
-      }}
+    needs: [access]
+    if: ${{ needs.access.outputs.granted == 'true' }}
     runs-on: ${{ fromJSON(inputs.runs-on) }}
     steps:
       - uses: cloudposse-github-actions/get-pr@v2
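Review bot: The new `access` job references `cloudposse/.github/.github/workflows/shared-access-controller.yml@main`, a moving branch, while the other action in the hunk is pinned (`get-pr@v2`); since this job is now the only check between a `/terratest` comment and the `pr` job, the authorization logic that runs is whatever `main` holds at that moment, and a tag or commit SHA (`...shared-access-controller.yml@<release tag>`) would make it auditable if releases are cut for this repository. The `pr` gate `if: ${{ needs.access.outputs.granted == 'true' }}` has no `always()`, so a skipped or failed `access` job also skips `pr`, which is the right fail-closed default; a one-line comment above `needs: [access]` such as `# authorization lives in shared-access-controller.yml; a skipped/failed access job skips this job too` would keep that visible here, since the removed `author_association` condition made the gate readable in this file and the new one does not. Any further jobs in this file that depend on `pr` inherit the gate transitively, but the rest of the file is outside the hunk and could not be checked.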