1+ name : ' OpenTofu: Plan/Apply'
2+
3+ on :
4+ workflow_call :
5+ outputs :
6+ tf_plan_exit_code :
7+ description : ' OpenTofu Plan exit code'
8+ value : ${{ jobs.tofu-plan.outputs.tf_plan_exit_code }}
9+ tf_destroy :
10+ description : ' Destroy flag'
11+ value : ${{ jobs.tofu-plan.outputs.tf_destroy }}
12+
13+ # Special permissions required for OIDC authentication
14+ permissions :
15+ id-token : write
16+ contents : read
17+ pull-requests : write
18+
19+ jobs :
20+ tofu-plan :
21+ name : ' OpenTofu Plan'
22+ runs-on : ubuntu-latest
23+ environment : ${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref || github.ref_name }}
24+ env :
25+ ENVIRONMENT_NAME : ${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref || github.ref_name }}
26+ # this is needed since we are running tofu with read-only permissions
27+ # ARM_SKIP_PROVIDER_REGISTRATION: true
28+ ARM_CLIENT_ID : " ${{ secrets.AZURE_CLIENT_ID }}"
29+ ARM_SUBSCRIPTION_ID : " ${{ secrets.AZURE_SUBSCRIPTION_ID }}"
30+ ARM_TENANT_ID : " ${{ secrets.AZURE_TENANT_ID }}"
31+ ARM_USE_OIDC : true
32+ TF_DESTROY : " ${{ vars.TF_DESTROY }}"
33+ outputs :
34+ tf_plan_exit_code : ${{ steps.tf-plan.outputs.exitcode }}
35+ tf_destroy : ${{ steps.tf-plan.outputs.tf_destroy }}
36+
37+ steps :
38+ # Checkout the repository to the GitHub Actions runner
39+ - name : Checkout
40+ uses : actions/checkout@v4
41+ with :
42+ token : ${{ secrets.GH_TOKEN }}
43+
44+ # Install the latest version of the OpenTofu CLI
45+ - name : Setup OpenTofu
46+ uses : opentofu/setup-opentofu@v1
47+ with :
48+ tofu_wrapper : false
49+ github_token : ${{ secrets.GH_TOKEN }}
50+
51+ # - name: GitHub Configuration
52+ # run: git config --global url."https://oauth2:${{ secrets.GH_TOKEN }}@github.com".insteadOf https://github.com
53+
54+ # Initialize a new or existing OpenTofu working directory by creating initial files, loading any remote state, downloading modules, etc.
55+ - name : OpenTofu Init
56+ run : |
57+ tofu init \
58+ -backend-config="resource_group_name=${{ env.ENVIRONMENT_NAME }}-tf-azure-admin" \
59+ -backend-config="storage_account_name=${{ env.ENVIRONMENT_NAME }}kernaiadmin" \
60+ -backend-config="container_name=tfstate" \
61+ -backend-config="key=${{ github.event.repository.name }}/${{ env.ENVIRONMENT_NAME }}.tfstate"
62+
63+ # Generates an execution plan for OpenTofu
64+ # An exit code of 0 indicated no changes, 1 a tofu failure, 2 there are pending changes.
65+ - name : OpenTofu Plan
66+ id : tf-plan
67+ run : |
68+ export exitcode=0
69+
70+ tofu plan ${{ env.TF_DESTROY }} \
71+ -detailed-exitcode \
72+ -var-file vars-${{ env.ENVIRONMENT_NAME }}.tfvars \
73+ -out tfplan || export exitcode=$?
74+
75+ echo "exitcode=$exitcode" >> $GITHUB_OUTPUT
76+ echo "tf_destroy=${{ env.TF_DESTROY }}" >> $GITHUB_OUTPUT
77+
78+ if [ $exitcode -eq 1 ]; then
79+ echo OpenTofu Plan Failed!
80+ exit 1
81+ else
82+ exit 0
83+ fi
84+
85+ # Save plan to artifacts
86+ - name : Publish OpenTofu Plan
87+ if : ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' || github.event.pull_request.merged }}
88+ uses : actions/upload-artifact@v4
89+ with :
90+ name : tfplan
91+ path : tfplan
92+
93+ tofu-apply :
94+ name : ' OpenTofu Apply'
95+ needs : [tofu-plan]
96+ if : ${{ (github.event_name == 'push' || github.event_name == 'workflow_dispatch' || github.event.pull_request.merged) && needs.tofu-plan.outputs.tf_plan_exit_code == 2 }}
97+ runs-on : ubuntu-latest
98+ environment : ${{ github.ref_name }}
99+ env :
100+ ENVIRONMENT_NAME : ${{ github.ref_name }}
101+ # this is needed since we are running tofu with read-only permissions
102+ # ARM_SKIP_PROVIDER_REGISTRATION: true
103+ ARM_CLIENT_ID : " ${{ secrets.AZURE_CLIENT_ID }}"
104+ ARM_SUBSCRIPTION_ID : " ${{ secrets.AZURE_SUBSCRIPTION_ID }}"
105+ ARM_TENANT_ID : " ${{ secrets.AZURE_TENANT_ID }}"
106+ ARM_USE_OIDC : true
107+ TF_DESTROY : " ${{ vars.TF_DESTROY }}"
108+ steps :
109+ # Checkout the repository to the GitHub Actions runner
110+ - name : Checkout
111+ uses : actions/checkout@v4
112+
113+ # Install the latest version of OpenTofu CLI and configure the OpenTofu CLI configuration file with a OpenTofu Cloud user API token
114+ - name : Setup OpenTofu
115+ uses : opentofu/setup-opentofu@v1
116+ with :
117+ github_token : ${{ secrets.GH_TOKEN }}
118+
119+ # - name: GitHub Configuration
120+ # run: git config --global url."https://oauth2:${{ secrets.GH_TOKEN }}@github.com".insteadOf https://github.com
121+
122+ # Initialize a new or existing OpenTofu working directory by creating initial files, loading any remote state, downloading modules, etc.
123+ - name : OpenTofu Init
124+ run : |
125+ tofu init \
126+ -backend-config="resource_group_name=${{ env.ENVIRONMENT_NAME }}-tf-azure-admin" \
127+ -backend-config="storage_account_name=${{ env.ENVIRONMENT_NAME }}kernaiadmin" \
128+ -backend-config="container_name=tfstate" \
129+ -backend-config="key=${{ github.event.repository.name }}/${{ github.ref_name }}.tfstate"
130+
131+ # Download saved plan from artifacts
132+ - name : Download OpenTofu Plan
133+ uses : actions/download-artifact@v4
134+ with :
135+ name : tfplan
136+
137+ # OpenTofu Apply
138+ - name : OpenTofu Apply
139+ run : tofu apply ${{ env.TF_DESTROY }} -auto-approve tfplan
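Review bot: The apply job derives its environment and backend state key from `github.ref_name` (lines 98, 100 and 129) while its `if` on line 96 also admits `github.event.pull_request.merged`; on a `pull_request` event `github.ref_name` is the synthetic `<n>/merge` ref, so a merged-PR run would init a different state key than the plan job, which used the base ref on lines 23 and 25 — I'd expect tofu to refuse the saved plan because the recorded backend configuration no longer matches, but the apply then fails instead of running. Reusing the plan job's expression keeps the two jobs aligned: `environment: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref || github.ref_name }}`, and the same expression for `ENVIRONMENT_NAME` and in the `-backend-config="key=…"` line. Separately, lines 70 and 139 splice `${{ env.TF_DESTROY }}` into the script text, so whatever is stored in `vars.TF_DESTROY` is interpreted by the shell rather than passed as an argument; `tofu plan $TF_DESTROY \` (the variable is already in the step's environment) keeps it as data, and the same applies to the apply line. The uploaded `tfplan` artifact carries the input variable values the plan was created with, which can include sensitive ones, and artifacts are downloadable by anyone with read access to the repository, so a short `retention-days` on the upload step on line 88 is worth adding; the actions on lines 40, 46, 88, 111, 115 and 133 are referenced by floating major tag, and pinning them to a full commit SHA narrows the supply-chain exposure of jobs that hold `id-token: write` to cloud credentials.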