Skip to content

chore: synced file(s) with cds-snc/site-reliability-engineering #1631

chore: synced file(s) with cds-snc/site-reliability-engineering

chore: synced file(s) with cds-snc/site-reliability-engineering #1631

Workflow file for this run

name: Terraform plan
on:
workflow_dispatch:
pull_request:
paths:
- "terragrunt/**"
- ".github/workflows/**"
env:
AWS_REGION: "ca-central-1"
TERRAFORM_VERSION: 1.7.2
TERRAGRUNT_VERSION: 0.55.1
CONFTEST_VERSION: 0.49.0
permissions:
id-token: write
contents: read
pull-requests: write
actions: write
checks: write
statuses: write
jobs:
terraform-plan-account:
strategy:
fail-fast: false
matrix:
include:
#
# If more modules are added, they should also
# be added to tf-drift-check.yml
#
- account_folder: org_account
module: main
account: 659087519042
role: cds-aws-lz-plan
assume_role_name: "assume_plan"
la_customer_id: LA_CUSTOMER_ID
la_shared_key: LA_SHARED_KEY
la_customer_ids: LA_CUSTOMER_IDS
- account_folder: org_account
module: spend_notifier
account: 659087519042
role: cds-aws-lz-plan
spend_notifier_hook: SPEND_NOTIFIER_HOOK
weekly_spend_notifier_hook: WEEKLY_SPEND_NOTIFIER_HOOK
- account_folder: org_account
module: roles
account: 659087519042
role: cds-aws-lz-plan
admin_sso_role_arn: ADMIN_SSO_ROLE_ARN
- account_folder: org_account
module: sentinel_oidc
account: 659087519042
role: cds-aws-lz-plan
- account_folder: org_account
module: cost_usage_report
account: 659087519042
role: cds-aws-lz-plan
- account_folder: org_account
module: iam_identity_center
account: 659087519042
role: cds-aws-lz-plan
- account_folder: log_archive
module: main
account: 274536870005
role: cds-aws-lz-plan
- account_folder: log_archive
module: legacy_archives
account: 274536870005
role: cds-aws-lz-plan
- account_folder: log_archive
module: sre_bot
account: 274536870005
role: cds-aws-lz-plan
admin_sso_role_arn: ADMIN_SSO_ROLE_ARN
- account_folder: audit
module: main
account: 886481071419
role: cds-aws-lz-plan
- account_folder: audit
module: sre_bot
account: 886481071419
role: cds-aws-lz-plan
admin_sso_role_arn: ADMIN_SSO_ROLE_ARN
- account_folder: aft
module: main
account: 137554749751
role: cds-aws-lz-plan
lz_webhook_key: LZ_CHANNEL_WEBHOOK
- account_folder: aft
module: notifications
account: 137554749751
role: cds-aws-lz-plan
aft_notifications_hook: AFT_NOTIFICATIONS_HOOK
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- name: setup terraform tools
uses: cds-snc/terraform-tools-setup@v1
- name: Configure aws credentials using OIDC
uses: aws-actions/configure-aws-credentials@master
with:
role-to-assume: arn:aws:iam::${{ matrix.account }}:role/${{ matrix.role }}
role-session-name: ${{matrix.module}}-plan
aws-region: ${{ env.AWS_REGION }}
- name: Terraform Plan for ${{matrix.module }}/${{ matrix.module }}
env:
TF_VAR_aft_slack_webhook: ${{ secrets[matrix.lz_webhook_key] }}
TF_VAR_assume_role_name: ${{ matrix.assume_role_name }}
TF_VAR_lw_customer_id: ${{ secrets[matrix.la_customer_id] }}
TF_VAR_lw_shared_key: ${{ secrets[matrix.la_shared_key] }}
TF_VAR_lw_customer_ids: ${{ secrets[matrix.la_customer_ids] }}
TF_VAR_daily_spend_notifier_hook: ${{ secrets[matrix.spend_notifier_hook] }}
TF_VAR_weekly_spend_notifier_hook: ${{ secrets[matrix.weekly_spend_notifier_hook]}}
TF_VAR_aft_notifications_hook: ${{ secrets[matrix.aft_notifications_hook]}}
TF_VAR_admin_sso_role_arn: ${{ secrets[matrix.admin_sso_role_arn] }}
uses: cds-snc/terraform-plan@v3
with:
comment-delete: true
comment-title: Plan for ${{matrix.account_folder}}/${{ matrix.module }}
directory: ./terragrunt/${{ matrix.account_folder }}/${{ matrix.module }}
github-token: ${{ secrets.GITHUB_TOKEN }}
terragrunt: true