From ba79a215bd8a43119de9ae9a0f03e5af26a648fa Mon Sep 17 00:00:00 2001
From: mikereiddigital
Date: Fri, 24 Jan 2025 10:07:10 +0000
Subject: [PATCH] Testing Approval
---
 .../reusable_terraform_plan_apply.yml | 40 +++++++++++++++++++
 scripts/get-terraform-destroy-count.sh | 6 ++-
 2 files changed, 45 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/reusable_terraform_plan_apply.yml b/.github/workflows/reusable_terraform_plan_apply.yml
index 7c46531ab..44f5bb7ff 100644
--- a/.github/workflows/reusable_terraform_plan_apply.yml
+++ b/.github/workflows/reusable_terraform_plan_apply.yml
@@ -133,6 +133,7 @@ jobs:
 - name: Get Destroy Count
 if: github.event_name == 'pull_request'
+ id: get_destroy_count
 env:
 destroy_threshold: ${{ env.TF_DESTROY_THRESHOLD }}
 plan_summary: ${{ steps.show.outputs.summary }}
@@ -164,6 +165,45 @@ jobs:
 });
 }
+ - name: Check for Approval
+ id: check_approval
+ if: github.event_name == 'pull_request' && steps.get_destroy_count.outputs.destroy_notify == 'true'
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ github-token: ${{ secrets.pipeline_github_token }}
+ script: |
+ const orgName = 'ministryofjustice';
+ const teamSlug = 'modernisation-platform';
+
+ const {data: reviews} = await github.rest.pulls.listReviews({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ pull_number: context.payload.pull_request.number
+ });
+
+ const {data: team_members} = await github.rest.teams.listMembersInOrg({
+ org: orgName,
+ team_slug: teamSlug
+ });
+
+ const teamMemberLogins = team_members.map(member => member.login);
+ const approved = reviews.some(review => review.state === 'APPROVED' && teamMemberLogins.includes(review.user.login));
+
+ if (approved) {
+ core.notice('Pull request approved by a member of @ministryofjustice/modernisation-platform');
+ }
+ else {
+ core.setFailed('Terraform plan evaluation detected that resources will be destroyed & so requires approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance');
+
+ await github.rest.pulls.createReview({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ pull_number: context.payload.pull_request.number,
+ event: 'REQUEST_CHANGES',
+ body: 'Terraform plan evaluation detected that resources will be destroyed & so requires approval from @ministryofjustice/modernsation-platform - please contact #ask-modernisation-platform for assistance'
+ });
+ }
+
 - name: Post Comment
 if: github.event.ref != 'refs/heads/main'
 uses: actions/github-script@v7
diff --git a/scripts/get-terraform-destroy-count.sh b/scripts/get-terraform-destroy-count.sh
index 971864323..508195d35 100644
--- a/scripts/get-terraform-destroy-count.sh
+++ b/scripts/get-terraform-destroy-count.sh
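Review bot: The `approved` test in the Check for Approval script accepts any `APPROVED` review by a team member regardless of the commit it was given on, so once a team member has approved, later pushes that change the set of destroyed resources still pass the gate; compare `review.commit_id` with `context.payload.pull_request.head.sha`, and keep only each reviewer's most recent non-comment review so a later REQUEST_CHANGES or DISMISSED supersedes an earlier approval. `listReviews` and `listMembersInOrg` are also read as a single page, so a team or review list longer than the default page size can hide a valid approval (this fails closed, but for the wrong reason); `github.paginate` handles both. The `body` passed to `createReview` misspells the team as `@ministryofjustice/modernsation-platform`, unlike the `core.setFailed` message just above it. Each failing run adds another REQUEST_CHANGES review under the token's identity, and since the step only runs on `pull_request` events a subsequent approval will presumably not re-trigger it unless the workflow's trigger list (outside this hunk) includes `pull_request_review`; worth confirming how that interacts with branch protection. The rewritten selection logic is below; the notice / setFailed / createReview branch is unchanged.
```javascript
const headSha = context.payload.pull_request.head.sha;

const reviews = await github.paginate(github.rest.pulls.listReviews, {
  owner: context.repo.owner,
  repo: context.repo.repo,
  pull_number: context.payload.pull_request.number
});

const teamMembers = await github.paginate(github.rest.teams.listMembersInOrg, {
  org: orgName,
  team_slug: teamSlug
});
const teamMemberLogins = new Set(teamMembers.map(member => member.login));

// Reviews are returned in submission order, so the last non-COMMENTED review
// seen per user is that user's current verdict on the pull request.
const latestReviewByUser = new Map();
for (const review of reviews) {
  const login = review.user?.login;
  if (login !== undefined && review.state !== 'COMMENTED') {
    latestReviewByUser.set(login, review);
  }
}

const approved = [...latestReviewByUser.values()].some(review =>
  review.state === 'APPROVED' &&
  review.commit_id === headSha &&
  teamMemberLogins.has(review.user.login)
);
// … unchanged: core.notice / core.setFailed / createReview branch …
```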
@@ -14,6 +14,8 @@ fi
 destroy_count=$(echo "$plan_summary" | grep -oE 'Plan: [0-9]+ to add, [0-9]+ to change, [0-9]+ to destroy.' | awk '{print $8}')
+destroy_notify=false
+
 echo "destroy_threshold=$destroy_threshold"
 echo "destroy_count=$destroy_count"
@@ -36,10 +38,12 @@ fi
 # These checks will print a warning if the destroy count is above the threshold. Useful for trouble-shooting.
 if [ "$destroy_count" -gt "$destroy_threshold" ]; then
 echo "Warning: There are $destroy_count resources to be destroyed in this plan."
+ destroy_notify=true
 elif [ "$destroy_count" -gt 0 ]; then
 echo "There are $destroy_count resources to be destroyed, which is below the set threshold of $DESTROY_THRESHOLD."
 else
 echo "No resources to be destroyed"
 fi
-echo "destroy_count=$destroy_count" >> $GITHUB_ENV
\ No newline at end of file
+echo "destroy_count=$destroy_count" >> $GITHUB_ENV
+echo "destroy_notify=$destroy_notify" >> $GITHUB_OUTPUT
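Review bot: The new `destroy_notify` flag fails open: it starts as `false` in the first hunk and is only set to `true` inside the over-threshold branch of the second, so if the `grep`/`awk` pipeline above leaves `destroy_count` empty or non-numeric (a plan summary in a shape the regex does not match, for instance), both `-gt` tests fail with an "integer expression expected" error, the else branch prints "No resources to be destroyed", and the approval gate that consumes this output is silently skipped. Validate the value before the comparisons, e.g. `if ! [[ "$destroy_count" =~ ^[0-9]+$ ]]; then echo "::error::could not parse destroy count from plan summary"; exit 1; fi`, or at minimum default to `destroy_notify=true` so an unparsed plan requires review rather than waiving it. The added redirection should also quote the variable, `>> "$GITHUB_OUTPUT"`, and with `destroy_notify` going to `$GITHUB_OUTPUT` while `destroy_count` still goes to `$GITHUB_ENV`, it may be cleaner to emit both as step outputs. Whether the script runs under `set -e` is outside these hunks, so the exact behaviour on an empty count is inferred.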