Add runner input #9
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Pipelines Execute | ||
| run-name: Run Gruntwork Pipelines | ||
| on: | ||
| workflow_call: | ||
| inputs: | ||
| runner: | ||
| type: string | ||
| default: "ubuntu-latest" | ||
| secrets: | ||
| PIPELINES_READ_TOKEN: | ||
| required: true | ||
| INFRA_ROOT_WRITE_TOKEN: | ||
| required: true | ||
| ORG_REPO_ADMIN_TOKEN: | ||
| required: false | ||
| env: | ||
| PIPELINES_CLI_VERSION: v0.10.1 | ||
| PIPELINES_ACTIONS_VERSION: v1.3.1 | ||
| jobs: | ||
| detect_changes: | ||
| name: Detect Infrastructure Changes | ||
| runs-on: [${{ inputs.runner }}] | ||
| steps: | ||
| - name: Checkout Pipelines Actions | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| path: pipelines-actions | ||
| repository: gruntwork-io/pipelines-actions | ||
| ref: ${{ env.PIPELINES_ACTIONS_VERSION }} | ||
| token: ${{ secrets.PIPELINES_READ_TOKEN }} | ||
| - name: Check out repo code | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| path: infra-live-repo | ||
| fetch-depth: 0 | ||
| - name: Preflight Checks | ||
| uses: ./pipelines-actions/.github/actions/pipelines-preflight-action | ||
| with: | ||
| PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} | ||
| - name: Pipelines Orchestrate | ||
| id: orchestrate | ||
| uses: ./pipelines-actions/.github/actions/pipelines-orchestrate | ||
| with: | ||
| token: ${{ secrets.PIPELINES_READ_TOKEN }} | ||
| outputs: | ||
| pipelines_jobs: ${{ steps.orchestrate.outputs.jobs }} | ||
| pipelines_determine: | ||
| name: ${{ contains(matrix.jobs.Action.Command, 'plan') && 'Plan' || 'Apply' }} - ${{ matrix.jobs.ChangeType }} - ${{ matrix.jobs.WorkingDirectory }} | ||
| needs: [detect_changes] | ||
| runs-on: [${{ inputs.runner }}] | ||
| # GHA can't check for length, so we just check if there is an item in the 0 index | ||
| if: fromJson(needs.detect_changes.outputs.pipelines_jobs)[0] != null | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| jobs: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs) }} | ||
| steps: | ||
| - name: Checkout Pipelines Actions | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| path: pipelines-actions | ||
| repository: gruntwork-io/pipelines-actions | ||
| ref: ${{ env.PIPELINES_ACTIONS_VERSION }} | ||
| token: ${{ secrets.PIPELINES_READ_TOKEN }} | ||
| - name: Check out repo code | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| path: infra-live-repo | ||
| fetch-depth: 0 | ||
| - name: Bootstrap Workflow | ||
| id: bootstrap | ||
| uses: ./pipelines-actions/.github/actions/pipelines-bootstrap | ||
| with: | ||
| token: ${{ secrets.PIPELINES_READ_TOKEN }} | ||
| change_type: ${{ matrix.jobs.ChangeType }} | ||
| branch: ${{ matrix.jobs.Ref }} | ||
| working_directory: ${{ matrix.jobs.WorkingDirectory }} | ||
| account_id: ${{ matrix.jobs.AccountId }} | ||
| terragrunt_command: ${{ matrix.jobs.Action.Command }} ${{ matrix.jobs.Action.Args }} | ||
| additional_data: ${{ toJson(matrix.jobs.AdditionalData) }} | ||
| child_account_id: ${{ matrix.jobs.AdditionalData.ChildAccountId }} | ||
| account_names: ${{ matrix.jobs.AdditionalData.AccountNames }} | ||
| # TODO: This should be "first_new_account_name". | ||
| new_account_name: ${{ matrix.jobs.NewAccounts[0].Name }} | ||
| - name: "[ProvisionAccount]: Provision New Account" | ||
| id: provision_access_control | ||
| if: ${{ steps.bootstrap.outputs.action == 'PROVISION_ACCOUNT' }} | ||
| uses: ./pipelines-actions/.github/actions/pipelines-provision-account-action | ||
| with: | ||
| PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} | ||
| INFRA_ROOT_WRITE_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }} | ||
| gruntwork_context: ${{ toJson(steps.bootstrap.outputs) }} | ||
| # Run the core accounts baselines(shared, logs, security, etc. to ensure the account is setup correctly) | ||
| - name: "Run core accounts baselines" | ||
| id: core_accounts_baselines | ||
| if: steps.bootstrap.outputs.action == 'BASELINE_ACCOUNT' | ||
| # TODO: Rename this as pipelines-apply-core-baselines or something similar | ||
| # Also, the final Auth to the management account in this action should be done by the pipelines-baseline-child-account-action | ||
| # instead to prevent the indirection and confusion | ||
| uses: ./pipelines-actions/.github/actions/pipelines-baseline-account-action | ||
| with: | ||
| PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} | ||
| gruntwork_context: ${{ toJson(steps.bootstrap.outputs) }} | ||
| - name: "[TerragruntExecute]: Authenticate with AWS and then Invoke Terragrunt" | ||
| id: terragrunt | ||
| if: ${{ steps.bootstrap.outputs.action == 'TERRAGRUNT_EXECUTE' }} | ||
| uses: ./pipelines-actions/.github/actions/pipelines-aws-execute | ||
| with: | ||
| PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} | ||
| account_id: ${{ steps.bootstrap.outputs.account_id }} | ||
| working_directory: ${{ steps.bootstrap.outputs.working_directory }} | ||
| account_role_name: ${{ steps.bootstrap.outputs.role_name }} | ||
| role_session_name: ${{ steps.bootstrap.outputs.role_session_name }} | ||
| gruntwork_context: ${{ toJson(steps.bootstrap.outputs) }} | ||
| - name: Update comment | ||
| uses: ./pipelines-actions/.github/actions/pipelines-status-update | ||
| if: always() | ||
| with: | ||
| step_name: ${{ matrix.jobs.ChangeType }} | ||
| step_working_directory: ${{ matrix.jobs.WorkingDirectory }} | ||
| step_status: ${{ (steps.provision_access_control.conclusion == 'success' || steps.terragrunt.conclusion == 'success' || steps.core_accounts_baselines.conclusion == 'success') && 'success' || 'failed' }} | ||
| step_details: ${{ steps.terragrunt.outputs.formatted_plan_output || 'Check the logs for more details.' }} | ||
| step_details_extended_log: ${{ steps.terragrunt.outputs.execute_stdout_log }} | ||
| pull_request_number: ${{ steps.bootstrap.outputs.pr_number }} | ||
| outputs: | ||
| account_id: ${{ matrix.jobs.AccountId }} | ||
| branch: ${{ steps.bootstrap.outputs.branch }} | ||
| action: ${{ steps.bootstrap.outputs.action }} | ||
| working_directory: ${{ steps.bootstrap.outputs.working_directory }} | ||
| terragrunt_command: ${{ steps.bootstrap.outputs.terragrunt_command }} | ||
| additional_data: ${{ steps.bootstrap.outputs.additional_data }} | ||
| child_account_id: ${{ steps.bootstrap.outputs.child_account_id }} | ||
| pr_number: ${{ steps.bootstrap.outputs.pr_number }} | ||
| delegate_management: ${{ steps.bootstrap.outputs.delegate_management }} | ||
| pipelines_apply_baselines: | ||
| name: Baseline Child Account ${{ contains(matrix.jobs.Action.Command, 'plan') && 'Plan' || 'Apply' }} - ${{ matrix.jobs.Name }} (${{ matrix.jobs.ID }}) | ||
| needs: [detect_changes, pipelines_determine] | ||
| runs-on: [${{ inputs.runner }}] | ||
| # GHA can't check for length, so we just check if there is an item in the 0 index | ||
| if: fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].NewAccounts[0] != null | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| jobs: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].NewAccounts }} | ||
| steps: | ||
| - name: Checkout Pipelines Actions | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| path: pipelines-actions | ||
| repository: gruntwork-io/pipelines-actions | ||
| ref: ${{ env.PIPELINES_ACTIONS_VERSION }} | ||
| token: ${{ secrets.PIPELINES_READ_TOKEN }} | ||
| - name: Check out repo code | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| path: infra-live-repo | ||
| fetch-depth: 0 | ||
| - name: Update comment | ||
| uses: ./pipelines-actions/.github/actions/pipelines-status-update | ||
| with: | ||
| step_name: Baseline Child Account ${{ matrix.jobs.Name }} | ||
| step_status: "in_progress" | ||
| pull_request_number: ${{ needs.pipelines_determine.outputs.pr_number }} | ||
| - name: "[Baseline]: Baseline the Child Account" | ||
| id: baseline_child_account | ||
| uses: ./pipelines-actions/.github/actions/pipelines-baseline-child-account-action | ||
| with: | ||
| PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} | ||
| account_id: ${{ matrix.jobs.ID }} | ||
| account_name: ${{ matrix.jobs.Name }} | ||
| job: ${{ toJson(fromJson(needs.detect_changes.outputs.pipelines_jobs)[0]) }} | ||
| - name: Update comment | ||
| uses: ./pipelines-actions/.github/actions/pipelines-status-update | ||
| if: always() | ||
| with: | ||
| step_name: Baseline Child Account ${{ matrix.jobs.Name }} | ||
| step_status: ${{ steps.baseline_child_account.conclusion == 'success' && 'success' || 'failed' }} | ||
| step_details: ${{ steps.baseline_child_account.outputs.formatted_plan_output || 'Check the logs for more details.' }} | ||
| step_details_extended_log: ${{ steps.baseline_child_account.outputs.execute_stdout_log }} | ||
| pull_request_number: ${{ needs.pipelines_determine.outputs.pr_number }} | ||
| pipelines_setup_delegated_repo: | ||
| name: "Setup Delegated Repo" | ||
| needs: [detect_changes, pipelines_apply_baselines, pipelines_determine] | ||
| runs-on: [${{ inputs.runner }}] | ||
| # GHA can't check for length, so we just check if there is an item in the 0 index | ||
| if: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].NewAccounts[0] != null && needs.pipelines_determine.outputs.delegate_management == 'true' && needs.pipelines_determine.outputs.terragrunt_command == 'run-all apply' }} | ||
| steps: | ||
| - name: Checkout Pipelines Actions | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| path: pipelines-actions | ||
| repository: gruntwork-io/pipelines-actions | ||
| ref: ${{ env.PIPELINES_ACTIONS_VERSION }} | ||
| token: ${{ secrets.PIPELINES_READ_TOKEN }} | ||
| - name: Check out repo code | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| path: infra-live-repo | ||
| fetch-depth: 0 | ||
| - name: Bootstrap Workflow | ||
| id: bootstrap | ||
| uses: ./pipelines-actions/.github/actions/pipelines-bootstrap | ||
| with: | ||
| token: ${{ secrets.PIPELINES_READ_TOKEN }} | ||
| change_type: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].ChangeType }} | ||
| branch: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].Ref }} | ||
| working_directory: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].WorkingDirectory }} | ||
| account_id: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].AccountId }} | ||
| terragrunt_command: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].Action.Command }} ${{ needs.detect_changes.outputs.pipelines_jobs[0].Action.Args }} | ||
| additional_data: ${{ toJson(fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].AdditionalData) }} | ||
| child_account_id: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].AdditionalData.ChildAccountId }} | ||
| account_names: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].AdditionalData.AccountNames }} | ||
| # This is just to help bootstrap find one of the (possibly several) new account request files | ||
| # Inside those files is some shared config that we need to setup access control such as | ||
| # the delegated_repo_name (which is the same in all the new request files) | ||
| new_account_name: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs)[0].NewAccounts[0].Name }} | ||
| - name: "Create Access Control PR" | ||
| id: access_control_pr | ||
| uses: ./pipelines-actions/.github/actions/pipelines-provision-access-control-action | ||
| with: | ||
| gruntwork_context: ${{ toJson(steps.bootstrap.outputs) }} | ||
| PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} | ||
| ORG_REPO_ADMIN_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }} | ||
| - name: "Create and bootstrap delegated Repo" | ||
| id: provision_delegated_repo | ||
| uses: ./pipelines-actions/.github/actions/pipelines-provision-repo-action | ||
| with: | ||
| gruntwork_context: ${{ toJson(steps.bootstrap.outputs) }} | ||
| access_control_pull_request_url: ${{ steps.access_control_pr.outputs.pull_request_url }} | ||
| PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} | ||
| ORG_REPO_ADMIN_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }} | ||
