This repository has been archived by the owner on May 24, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 2
/
action.yml
201 lines (183 loc) · 10.5 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
name: Bootstrap a new account in access-control repo
description: "Sets up a new AWS account and basic roles inside the access control repo"
inputs:
ORG_REPO_ADMIN_TOKEN:
description: ""
required: true
PIPELINES_READ_TOKEN:
description: ""
required: true
gruntwork_context:
description: "Gruntwork Context From the Gruntwork Bootstrap step"
required: true
access_control_pull_request_url:
description: "URL to the access-control pull request"
required: true
runs:
using: composite
steps:
- name: "[ProvisionDelegatedAccount]: Read gruntwork context"
id: gruntwork_context
uses: gruntwork-io/[email protected]
with:
cache: ${{ inputs.gruntwork_context }}
- name: "[ProvisionDelegatedAccount] Create new delegated repo"
if: ${{ contains(steps.gruntwork_context.outputs.terragrunt_command , 'apply') }}
shell: bash
env:
GH_TOKEN: ${{ inputs.ORG_REPO_ADMIN_TOKEN }}
GH_ORG: ${{github.repository_owner }}
GH_DELEGATED_REPO_NAME: ${{ steps.gruntwork_context.outputs.delegate_repo_name }}
run: |
# Check if the repo exists before trying to create it
GH_REPO_STATUS_CODE="$(curl --silent --write-out '%{http_code}' --output /dev/null \
-X GET \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer $GH_TOKEN" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"https://api.github.com/repos/$GH_ORG/$GH_DELEGATED_REPO_NAME")"
# If the repo does not exist (404 status code), then create it
if [[ "$GH_REPO_STATUS_CODE" == 404 ]]; then
gh api \
--method POST \
-H "Accept: application/vnd.github.v3+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/orgs/$GH_ORG/repos \
-f "name=$GH_DELEGATED_REPO_NAME" \
-f visibility=private \
-f auto_init=true
echo "::notice title=New delegated repo created!::See created repository: https://github.com/$GH_ORG/$GH_DELEGATED_REPO_NAME."
# If the repo exists (200 status code), print a message and continue
elif [[ "$GH_REPO_STATUS_CODE" == 200 ]]; then
echo "Repository https://github.com/$GH_ORG/$GH_DELEGATED_REPO_NAME already exists."
# If GH returns a non 200 or non 404 status code, print and exit with an error
else
echo "Status code $GH_REPO_STATUS_CODE returned from GitHub API. Exiting with error."
exit 1
fi
- name: "[ProvisionDelegatedAccount] Set new repo branch protection"
shell: bash
if: ${{ contains(steps.gruntwork_context.outputs.terragrunt_command , 'apply') }}
env:
GH_TOKEN: ${{ inputs.ORG_REPO_ADMIN_TOKEN }}
GH_ORG: ${{github.repository_owner }}
GH_DELEGATED_REPO_NAME: ${{ steps.gruntwork_context.outputs.delegate_repo_name }}
run: |
echo "Setting branch protection rules for $GH_ORG/$GH_DELEGATED_REPO_NAME. See https://docs.gruntwork.io/pipelines/security/branch-protection for more information on recommended rules."
curl -L \
-X PUT \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer $GH_TOKEN" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"https://api.github.com/repos/$GH_ORG/$GH_DELEGATED_REPO_NAME/branches/main/protection" \
-d '{ "required_status_checks": { "strict": true, "checks": [ ] }, "required_pull_request_reviews": { "require_code_owner_reviews": true, "require_last_push_approval": true, "required_approving_review_count": 1 }, "enforce_admins": false, "restrictions": null }'
- name: "[ProvisionDelegatedAccount] Assign additional collaborators to the new repo"
if: ${{ contains(steps.gruntwork_context.outputs.terragrunt_command , 'apply') }}
shell: bash
env:
GH_TOKEN: ${{ inputs.ORG_REPO_ADMIN_TOKEN }}
GH_ORG: ${{github.repository_owner }}
GH_DELEGATED_REPO_NAME: ${{ steps.gruntwork_context.outputs.delegate_repo_name }}
GITHUB_COLLABORATORS: ${{ steps.gruntwork_context.outputs.github_collaborators }}
run: |
echo "Add additional collaborators to the new repo."
for collaborator in $(jq -c '.[]' <<< "$GITHUB_COLLABORATORS"); do
team_name=$(echo $collaborator | jq -r '.team')
collaborator_permission=$(echo $collaborator | jq -r '.permission // "pull"')
gh api \
--method PUT \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"/orgs/$GH_ORG/teams/$team_name/repos/$GH_ORG/$GH_DELEGATED_REPO_NAME" \
-f permission="$collaborator_permission"
done
- name: "[ProvisionDelegatedAccount] Checkout new delegated repo"
if: ${{ contains(steps.gruntwork_context.outputs.terragrunt_command , 'apply') }}
uses: actions/checkout@v4
with:
token: ${{ inputs.ORG_REPO_ADMIN_TOKEN }}
repository: ${{github.repository_owner }}/${{ steps.gruntwork_context.outputs.delegate_repo_name }}
path: ${{ steps.gruntwork_context.outputs.delegate_repo_name }}
ref: main
fetch-depth: 0
- name: "[ProvisionDelegatedAccount] Install boilerplate"
if: ${{ contains(steps.gruntwork_context.outputs.terragrunt_command , 'apply') }}
shell: bash
run: |
curl -Ls https://raw.githubusercontent.com/gruntwork-io/gruntwork-installer/main/bootstrap-gruntwork-installer.sh | bash /dev/stdin --version "${{ steps.gruntwork_context.outputs.gruntwork_installer_version }}"
gruntwork-install --binary-name boilerplate --repo https://github.com/gruntwork-io/boilerplate --tag "${{ steps.gruntwork_context.outputs.boilerplate_version }}"
- name: "[ProvisionDelegatedAccount] Checkout architecture catalog"
if: ${{ contains(steps.gruntwork_context.outputs.terragrunt_command , 'apply') }}
uses: actions/checkout@v4
with:
token: ${{ inputs.PIPELINES_READ_TOKEN }}
repository: gruntwork-io/terraform-aws-architecture-catalog
path: terraform-aws-architecture-catalog
ref: ${{ steps.gruntwork_context.outputs.arch_catalog_version }}
- name: "[ProvisionDelegatedAccount] Run boilerplate to scaffold new delegated repo"
if: ${{ contains(steps.gruntwork_context.outputs.terragrunt_command , 'apply') }}
shell: bash
working-directory: ${{ steps.gruntwork_context.outputs.delegate_repo_name }}
env:
TAGS: ${{ steps.gruntwork_context.outputs.tags }}
WORKING_DIRECTORY: ${{ steps.gruntwork_context.outputs.working_directory }}
ORG_NAME_PREFIX: ${{ steps.gruntwork_context.outputs.org_name_prefix }}
AWS_REGION: ${{ steps.gruntwork_context.outputs.aws_region }}
INFRA_LIVE_REPO_NAME: ${{ steps.gruntwork_context.outputs.delegate_repo_name }}
INFRA_MODULES_REPO_NAME: ${{ steps.gruntwork_context.outputs.infra_modules_repo_name }}
INFRA_MODULES_RELEASE_VERSION: ${{ steps.gruntwork_context.outputs.infra_modules_release_version }}
TOFU_VERSION: ${{ steps.gruntwork_context.outputs.tofu_version }}
TERRAGRUNT_VERSION: ${{ steps.gruntwork_context.outputs.terragrunt_version }}
CREATE_VPC: ${{ steps.gruntwork_context.outputs.create_vpc }}
CATALOG_REPOSITORIES: ${{ steps.gruntwork_context.outputs.catalog_repositories }}
run: |
# Convert list of accounts to Bash array. We use working_directory here because GW Pipelines will configure
# its name as a comma-separated list of account names.
IFS=',' read -ra account_names <<<"$WORKING_DIRECTORY"
# Convert Bash array to JSON array: https://stackoverflow.com/a/67489301/483528
account_names_as_json_list="$(jq --compact-output --raw-output --monochrome-output --null-input '$ARGS.positional' --args -- "${account_names[@]}")"
# Use yq to filter accounts.yml to just the accounts we created, producing JSON output
AWS_ACCOUNTS="$(yq --no-colors -o=json -I=0 pick\("$account_names_as_json_list"\) "../accounts.yml")"
# Run boilerplate to scaffold out the delegated infra-live repo contents
boilerplate \
--template-url ../terraform-aws-architecture-catalog//templates/devops-foundations-infrastructure-live-delegated-v3 \
--output-folder . \
--var AWSAccounts="$AWS_ACCOUNTS" \
--var OrgNamePrefix="$ORG_NAME_PREFIX" \
--var DefaultRegion="$AWS_REGION" \
--var RepoBaseUrl=github.com/gruntwork-io \
--var GithubOrg=gruntwork-io \
--var InfraLiveRepoName="$INFRA_LIVE_REPO_NAME" \
--var InfraModulesRepoName="$INFRA_MODULES_REPO_NAME" \
--var InfraModulesReleaseVersion="$INFRA_MODULES_RELEASE_VERSION" \
--var TerraformVersion="$TOFU_VERSION" \
--var TerragruntVersion="$TERRAGRUNT_VERSION" \
--var DefaultTags="$TAGS" \
--var VPCCreated="$CREATE_VPC" \
--var CatalogRepositories="$CATALOG_REPOSITORIES" \
--non-interactive
- name: "[ProvisionDelegatedAccount] Create Pull Request in new delegated repo with scaffolding"
if: ${{ contains(steps.gruntwork_context.outputs.terragrunt_command , 'apply') }}
id: create_scaffolding_pr
uses: peter-evans/create-pull-request@v6
with:
base: main
path: ${{ steps.gruntwork_context.outputs.delegate_repo_name }}
token: ${{ inputs.ORG_REPO_ADMIN_TOKEN }}
branch: "bootstrap-repository"
commit-message: "Bootstrap infrastructure-live repository"
title: "Bootstrap infrastructure-live repository"
body: |
This pull request adds all code required to set up your `infrastructure-live` repository.
> [!TIP]
> The first CI run fails due to the parallel generation of the Pipelines, OIDC, roles in this [access-control pull request](${{ inputs.access_control_pull_request_url }}).
> Once the access-control pull request has been merged, rerun the CI Job and the AWS Authentication required for CI will succeed.
- name: "[ProvisionDelegatedAccount] Show Pull Request URL in Summary"
shell: bash
if: ${{ contains(steps.gruntwork_context.outputs.terragrunt_command , 'apply') }}
env:
PR_URL: ${{steps.create_scaffolding_pr.outputs.pull-request-url }}
DELEGATED_REPO_NAME: ${{ steps.gruntwork_context.outputs.delegate_repo_name }}
run: |
echo "### Successfully bootstrapped $DELEGATED_REPO_NAME! 🚀" >> "$GITHUB_STEP_SUMMARY"
echo "[Link to Pull Request]($PR_URL)" >> "$GITHUB_STEP_SUMMARY"