chore: Updating README.md #4
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Pipelines Execute | |
| run-name: Run Gruntwork Pipelines | |
| on: | |
| workflow_call: | |
| secrets: | |
| PIPELINES_READ_TOKEN: | |
| required: true | |
| INFRA_ROOT_WRITE_TOKEN: | |
| required: true | |
| ORG_REPO_ADMIN_TOKEN: | |
| required: false | |
| env: | |
| PIPELINES_CLI_VERSION: 0.9.3 | |
| jobs: | |
| detect_changes: | |
| name: Detect Infrastructure Changes | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Preflight Checks | |
| uses: gruntwork-io/[email protected] | |
| with: | |
| PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} | |
| - name: Pipelines Orchestrate | |
| id: orchestrate | |
| uses: [email protected] | |
| with: | |
| token: ${{ secrets.PIPELINES_READ_TOKEN }} | |
| outputs: | |
| pipelines_jobs: ${{ steps.orchestrate.outputs.jobs }} | |
| pipelines_cli_version: ${{ steps.orchestrate.outputs.pipelines_cli_version }} | |
| pipelines_determine: | |
| name: ${{ matrix.jobs.ChangeType }} - ${{ matrix.jobs.WorkingDirectory }} | |
| needs: [detect_changes] | |
| runs-on: ubuntu-latest | |
| # GHA can't check for length, so we just check if there is an item in the 0 index | |
| if: fromJson(needs.detect_changes.outputs.pipelines_jobs)[0] != null | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| jobs: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs) }} | |
| steps: | |
| - name: Check out repo code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Bootstrap Workflow | |
| id: bootstrap | |
| uses: gruntwork-io/[email protected] | |
| with: | |
| token: ${{ secrets.PIPELINES_READ_TOKEN }} | |
| change_type: ${{ matrix.jobs.ChangeType }} | |
| branch: ${{ matrix.jobs.Ref }} | |
| working_directory: ${{ matrix.jobs.WorkingDirectory }} | |
| account_id: ${{ matrix.jobs.AccountId }} | |
| terragrunt_command: ${{ matrix.jobs.Action.Command }} ${{ matrix.jobs.Action.Args }} | |
| additional_data: ${{ toJson(matrix.jobs.AdditionalData) }} | |
| child_account_id: ${{ matrix.jobs.AdditionalData.ChildAccountId }} | |
| account_names: ${{ matrix.jobs.AdditionalData.AccountNames }} | |
| # TODO: This should be "first_new_account_name". | |
| new_account_name: ${{ matrix.jobs.NewAccounts[0].Name }} | |
| - name: "[ProvisionAccount]: Provision New Account" | |
| id: provision_access_control | |
| if: ${{ steps.bootstrap.outputs.action == 'PROVISION_ACCOUNT' }} | |
| uses: gruntwork-io/[email protected] | |
| with: | |
| PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} | |
| INFRA_ROOT_WRITE_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }} | |
| gruntwork_context: ${{ toJson(steps.bootstrap.outputs) }} | |
| # Run the core accounts baselines(shared, logs, security, etc. to ensure the account is setup correctly) | |
| - name: "Run core accounts baselines" | |
| id: core_accounts_baselines | |
| if: steps.bootstrap.outputs.action == 'BASELINE_ACCOUNT' | |
| # TODO: Rename this as pipelines-apply-core-baselines or something similar | |
| # Also, the final Auth to the management account in this action should be done by the pipelines-baseline-child-account-action | |
| # instead to prevent the indirection and confusion | |
| uses: gruntwork-io/[email protected] | |
| with: | |
| PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} | |
| gruntwork_context: ${{ toJson(steps.bootstrap.outputs) }} | |
| - name: "[TerragruntExecute]: Authenticate with AWS and then Invoke Terragrunt" | |
| id: terragrunt | |
| if: ${{ steps.bootstrap.outputs.action == 'TERRAGRUNT_EXECUTE' }} | |
| uses: gruntwork-io/[email protected] | |
| with: | |
| PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} | |
| account_id: ${{ steps.bootstrap.outputs.account_id }} | |
| working_directory: ${{ steps.bootstrap.outputs.working_directory }} | |
| account_role_name: ${{ steps.bootstrap.outputs.role_name }} | |
| role_session_name: ${{ steps.bootstrap.outputs.role_session_name }} | |
| gruntwork_context: ${{ toJson(steps.bootstrap.outputs) }} | |
| - name: Update comment | |
| uses: gruntwork-io/[email protected] | |
| if: always() | |
| with: | |
| step_name: ${{ matrix.jobs.ChangeType }} | |
| step_working_directory: ${{ matrix.jobs.WorkingDirectory }} | |
| step_status: ${{ (steps.provision_access_control.conclusion == 'success' || steps.terragrunt.conclusion == 'success' || steps.core_accounts_baselines.conclusion == 'success') && 'success' || 'failed' }} | |
| step_details: ${{ steps.terragrunt.outputs.formatted_plan_output || steps.terragrunt.outputs.execute_stdout || 'Unable to determine output. Check the logs for more details.' }} | |
| pull_request_number: ${{ steps.bootstrap.outputs.pr_number }} | |
| outputs: | |
| account_id: ${{ matrix.jobs.AccountId }} | |
| branch: ${{ steps.bootstrap.outputs.branch }} | |
| action: ${{ steps.bootstrap.outputs.action }} | |
| working_directory: ${{ steps.bootstrap.outputs.working_directory }} | |
| terragrunt_command: ${{ steps.bootstrap.outputs.terragrunt_command }} | |
| additional_data: ${{ steps.bootstrap.outputs.additional_data }} | |
| child_account_id: ${{ steps.bootstrap.outputs.child_account_id }} | |
| pr_number: ${{ steps.bootstrap.outputs.pr_number }} | |
| delegate_management: ${{ steps.bootstrap.outputs.delegate_management }} | |
| pipelines_apply_baselines: | |
| name: Baseline Child Account ${{ matrix.jobs.Name }} (${{ matrix.jobs.ID }}) | |
| needs: [detect_changes, pipelines_determine] | |
| runs-on: ubuntu-latest | |
| # GHA can't check for length, so we just check if there is an item in the 0 index | |
| if: fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].NewAccounts[0] != null | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| jobs: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].NewAccounts }} | |
| steps: | |
| - name: Update comment | |
| uses: gruntwork-io/[email protected] | |
| with: | |
| step_name: Baseline Child Account ${{ matrix.jobs.Name }} | |
| step_status: "in_progress" | |
| pull_request_number: ${{ needs.pipelines_determine.outputs.pr_number }} | |
| - name: "[Baseline]: Baseline the Child Account" | |
| id: baseline_child_account | |
| uses: gruntwork-io/[email protected] | |
| with: | |
| PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} | |
| account_id: ${{ matrix.jobs.ID }} | |
| account_name: ${{ matrix.jobs.Name }} | |
| job: ${{ toJson(fromJson(needs.detect_changes.outputs.pipelines_jobs)[0]) }} | |
| - name: Update comment | |
| uses: gruntwork-io/[email protected] | |
| if: always() | |
| with: | |
| step_name: Baseline Child Account ${{ matrix.jobs.Name }} | |
| step_status: ${{ steps.baseline_child_account.conclusion == 'success' && 'success' || 'failed' }} | |
| step_details: ${{ steps.baseline_child_account.outputs.formatted_plan_output || steps.baseline_child_account.outputs.execute_stdout || 'Unable to determine output. Check the logs for more details.' }} | |
| pull_request_number: ${{ needs.pipelines_determine.outputs.pr_number }} | |
| pipelines_setup_delegated_repo: | |
| name: "Setup Delegated Repo" | |
| needs: [detect_changes, pipelines_apply_baselines, pipelines_determine] | |
| runs-on: ubuntu-latest | |
| # GHA can't check for length, so we just check if there is an item in the 0 index | |
| if: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].NewAccounts[0] != null && needs.pipelines_determine.outputs.delegate_management == 'true' && needs.pipelines_determine.outputs.terragrunt_command == 'run-all apply' }} | |
| steps: | |
| - name: Check out repo code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Bootstrap Workflow | |
| id: bootstrap | |
| uses: gruntwork-io/[email protected] | |
| with: | |
| token: ${{ secrets.PIPELINES_READ_TOKEN }} | |
| change_type: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].ChangeType }} | |
| branch: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].Ref }} | |
| working_directory: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].WorkingDirectory }} | |
| account_id: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].AccountId }} | |
| terragrunt_command: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].Action.Command }} ${{ needs.detect_changes.outputs.pipelines_jobs[0].Action.Args }} | |
| additional_data: ${{ toJson(fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].AdditionalData) }} | |
| child_account_id: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].AdditionalData.ChildAccountId }} | |
| account_names: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].AdditionalData.AccountNames }} | |
| # This is just to help bootstrap find one of the (possibly several) new account request files | |
| # Inside those files is some shared config that we need to setup access control such as | |
| # the delegated_repo_name (which is the same in all the new request files) | |
| new_account_name: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].NewAccounts[0].Name }} | |
| - name: "Create Access Control PR" | |
| id: access_control_pr | |
| uses: gruntwork-io/[email protected] | |
| with: | |
| gruntwork_context: ${{ toJson(steps.bootstrap.outputs) }} | |
| PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} | |
| ORG_REPO_ADMIN_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }} | |
| - name: "Create and bootstrap delegated Repo" | |
| id: provision_delegated_repo | |
| uses: gruntwork-io/[email protected] | |
| with: | |
| gruntwork_context: ${{ toJson(steps.bootstrap.outputs) }} | |
| access_control_pull_request_url: ${{ steps.access_control_pr.outputs.pull_request_url }} | |
| PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} | |
| ORG_REPO_ADMIN_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }} |