-
Notifications
You must be signed in to change notification settings - Fork 3
148 lines (133 loc) · 5.35 KB
/
deploy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
name: "Deploy"
on:
push:
branches:
- main
pull_request:
workflow_dispatch:
jobs:
# Generate a tailscale vpn auth key with oauth2 client
generate-tailscale-authkey:
runs-on: ubuntu-latest
env:
CLIENT_ID: ${{ secrets.TAILSCALE_OAUTH_CLIENT_ID }}
CLIENT_SECRET: ${{ secrets.TAILSCALE_OAUTH_CLIENT_SECRET }}
steps:
- name: Generate Tailscale Auth Key
id: generate-key
run: |
# Generate access token with Oauth2 client
ACCESS_TOKEN=$(curl -s -d "client_id=${CLIENT_ID}" -d "client_secret=${CLIENT_SECRET}" "https://api.tailscale.com/api/v2/oauth/token" | jq -r '.access_token')
# Then create a one-off auth key via API with the access token we previously created
AUTH_KEY=$(curl -s --location 'https://api.tailscale.com/api/v2/tailnet/-/keys' \
--header "Authorization: Bearer ${ACCESS_TOKEN}" \
--header "Content-Type: application/json" \
--data '{
"capabilities": {
"devices": {
"create": {
"ephemeral": true,
"tags": ["tag:cicd"]
}
}
},
"expirySeconds": 120}' \
| jq -r ".key")
# Save the auth key as step output
echo "AUTH_KEY=$AUTH_KEY" >> $GITHUB_OUTPUT
outputs:
# Export step output as job output
AUTH_KEY: ${{ steps.generate-key.outputs.AUTH_KEY }}
# Deploy infrastructure
deploy:
name: "Deploy with Terraform"
needs: generate-tailscale-authkey
runs-on: ubuntu-latest
permissions:
pull-requests: write
env:
# Get auth key from previous job
TAILSCALE_AUTH_KEY: ${{ needs.generate-tailscale-authkey.outputs.AUTH_KEY }}
TAILSCALE_UPGRADE: "1"
# Configuration for S3 backend (automatically read by Terraform)
AWS_ACCESS_KEY_ID: ${{ secrets.S3_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.S3_SECRET_ACCESS_KEY }}
AWS_REGION: "eu-south-2"
steps:
# Connect to private network with tailscale
- name: Install tailscale
run: curl -fsSL https://tailscale.com/install.sh | sh
- name: Start Tailscale
run: sudo tailscale up --auth-key $TAILSCALE_AUTH_KEY --accept-routes
- name: Tailscale status
run: tailscale status
# Checkout repository code
- name: Checkout
uses: actions/checkout@v3
# Install terraform
- name: Setup Terraform
uses: hashicorp/setup-terraform@v1
with:
terraform_wrapper: false
- name: Terraform Format
id: fmt
run: terraform -chdir=terraform fmt -check
- name: Terraform Init
id: init
run: terraform -chdir=terraform init
- name: Terraform Validate
id: validate
run: terraform -chdir=terraform validate -no-color
- name: Terraform Plan
id: plan
if: github.event_name == 'pull_request'
run: terraform -chdir=terraform plan -no-color -input=false
continue-on-error: true
- name: Update Pull Request
uses: actions/github-script@v6
if: github.event_name == 'pull_request'
env:
PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
#### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
#### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
<details><summary>Show Plan</summary>
\`\`\`\n
${process.env.PLAN}
\`\`\`
</details>
*Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})
# If terraform previously failed abort pipeline
- name: Terraform Plan Status
if: steps.plan.outcome == 'failure'
run: exit 1
# Deploy with terraform on pushes to main branch
- name: Terraform Apply
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
id: terraform-apply # needed to get output value in next step
run: make apply
env:
TF_VAR_proxmox_api_url: ${{ secrets.PROXMOX_API_URL }}
TF_VAR_proxmox_api_token_id: ${{ secrets.PROXMOX_API_TOKEN_ID }}
TF_VAR_proxmox_api_token_secret: ${{ secrets.PROXMOX_API_TOKEN_SECRET }}
TF_VAR_ciuser: ${{ secrets.CI_USER }}
TF_VAR_ssh_keys: ${{ secrets.SSH_KEY }}
TF_VAR_ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY }}
# Cloudflare variables
TF_VAR_cloudflare_zone_id: ${{ secrets.CLOUDFLARE_ZONE_ID }}
TF_VAR_cloudflare_account_id: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
TF_VAR_cloudflare_email: ${{ secrets.CLOUDFLARE_EMAIL }}
TF_VAR_cloudflare_token: ${{ secrets.CLOUDFLARE_TOKEN }}
TF_VAR_cloudflare_dns_zone: "dsilva.dev"
TF_VAR_cloudflare_tunnel_name: "k3s"
TF_VAR_coinmarketcap_api_key: ${{ secrets.COINMARKETCAP_API_KEY }}