testground
diff --git a/‎.github/actions/git-config-user/action.yml
+10 b/‎.github/actions/git-config-user/action.yml
+10
diff --git a/‎.github/actions/git-push/action.yml
+39 b/‎.github/actions/git-push/action.yml
+39
diff --git a/‎.github/workflows/apply.yml
+95 b/‎.github/workflows/apply.yml
+95
diff --git a/‎.github/workflows/plan.yml
+171 b/‎.github/workflows/plan.yml
+171
diff --git a/‎.github/workflows/plan_post.yml
+26 b/‎.github/workflows/plan_post.yml
+26
diff --git a/‎.github/workflows/plan_pre.yml
+13 b/‎.github/workflows/plan_pre.yml
+13
@@ -0,0 +1,10 @@
+name: Configure git user
+description: Configure git user
+
+runs:
+  using: composite
+  steps:
+    - run: |
+        git config --global user.email '${{ github.actor }}@users.noreply.github.com>'
+        git config --global user.name '${{ github.actor }}'
+      shell: bash
@@ -0,0 +1,39 @@
+name: Push to a git branch
+description: Push to a git branch
+
+inputs:
+  suffix:
+    description: Branch name suffix
+    required: true
+  working-directory:
+    description: Working directory
+    required: false
+    default: ${{ github.workspace }}
+
+runs:
+  using: composite
+  steps:
+    - run: |
+        protected="$(gh api 'repos/{owner}/{repo}/branches/${{ github.ref_name }}' --jq '.protected')"
+
+        if [[ "$protected" == 'true' ]]; then
+          git_branch='${{ github.ref_name }}-${{ inputs.suffix }}'
+        else
+          git_branch='${{ github.ref_name }}'
+        fi
+
+        git checkout -B "$git_branch"
+
+        if [[ "$protected" == 'true' ]]; then
+          git push origin "$git_branch" --force
+          if [[ ! -z "$(git diff --name-only 'origin/${{ github.ref_name }}')" ]]; then
+            state="$(gh pr view "$git_branch" --json state --jq .state 2> /dev/null || echo '')"
+            if [[ "$state" != 'OPEN' ]]; then
+              gh pr create --body 'The changes in this PR were made by a bot. Please review carefully.' --head "$git_branch" --base '${{ github.ref_name }}' --fill
+            fi
+          fi
+        else
+          git push origin "$git_branch"
+        fi
+      shell: bash
+      working-directory: ${{ inputs.working-directory }}
@@ -0,0 +1,95 @@
+name: Apply
+
+on:
+  push:
+  workflow_dispatch:
+
+jobs:
+  prepare:
+    if: github.ref_name == github.event.repository.default_branch &&
+        github.event.repository.is_template == false
+    permissions:
+      contents: read
+      issues: read
+      pull-requests: read
+    name: Prepare
+    runs-on: ubuntu-latest
+    outputs:
+      workspaces: ${{ steps.workspaces.outputs.this }}
+      sha: ${{ steps.sha.outputs.this }}
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Discover workspaces
+        id: workspaces
+        run: echo "::set-output name=this::$(ls github | jq --raw-input '[.]' | jq -sc add)"
+      - name: Find pull request number
+        id: pull_request
+        if: github.event_name == 'push'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        uses: protocol/github-api-action-library/find-content-by-query@v1
+        with:
+          query: repository:${{ github.repository }} ${{ github.sha }}
+      - name: Find sha for plan
+        id: sha
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if [[ '${{ github.event_name }}' == 'push' ]]; then
+            number="$(jq -r '.[0].number // ""' <<< '${{ steps.pull_request.outputs.issues-or-pull-requests }}')"
+            if [[ ! -z "$number" ]]; then
+              sha="$(gh pr view "$number" --json commits --jq '.commits[-1].oid')"
+            fi
+          else
+            sha='${{ github.sha }}'
+          fi
+          echo "::set-output name=this::$sha"
+  apply:
+    needs: [prepare]
+    if: needs.prepare.outputs.sha != '' && needs.prepare.outputs.workspaces != ''
+    permissions:
+      actions: read
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        workspace: ${{ fromJson(needs.prepare.outputs.workspaces) }}
+    name: Apply
+    runs-on: ubuntu-latest
+    env:
+      TF_IN_AUTOMATION: 1
+      TF_INPUT: 0
+      TF_WORKSPACE: ${{ matrix.workspace }}
+      AWS_ACCESS_KEY_ID: ${{ secrets.RW_AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.RW_AWS_SECRET_ACCESS_KEY }}
+      GITHUB_APP_ID: ${{ secrets.RW_GITHUB_APP_ID }}
+      GITHUB_APP_INSTALLATION_ID: ${{ secrets[format('RW_GITHUB_APP_INSTALLATION_ID_{0}', matrix.workspace)] }}
+      GITHUB_APP_PEM_FILE: ${{ secrets.RW_GITHUB_APP_PEM_FILE }}
+      TF_VAR_write_delay_ms: 300
+    defaults:
+      run:
+        shell: bash
+        working-directory: terraform
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Setup terraform
+        uses: hashicorp/setup-terraform@3d8debd658c92063839bc97da5c2427100420dec # v1.3.2
+        with:
+          terraform_version: 1.1.4
+      - name: Initialize terraform
+        run: terraform init
+      - name: Retrieve targets from config
+        id: target
+        run: echo "::set-output name=this::$(jq -r 'split(" ")[:-1] | map("-target=github_\(sub(".json$"; "")).this") | join(" ")' <<< '"'"$(ls | tr '\n' ' ')"'"')"
+        working-directory: github/${{ env.TF_WORKSPACE }}
+      - name: Terraform Plan Download
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: gh run download -n ${{ env.TF_WORKSPACE }}_${{ needs.prepare.outputs.sha }}.tfplan --repo ${{ github.repository }}
+      - name: Terraform Apply
+        run: terraform apply -auto-approve -lock-timeout=0s -no-color ${{ env.TF_WORKSPACE }}.tfplan
@@ -0,0 +1,171 @@
+name: Plan
+
+on:
+  workflow_run:
+    workflows:
+      - "Plan (pre)"
+    types:
+      - completed
+  workflow_dispatch:
+
+jobs:
+  prepare:
+    if: (github.event_name == 'workflow_dispatch' &&
+        github.ref_name == github.event.repository.default_branch) ||
+        (github.event_name == 'workflow_run' &&
+        github.event.workflow_run.conclusion == 'success')
+    permissions:
+      actions: read
+      contents: read
+      statuses: write
+    name: Prepare
+    runs-on: ubuntu-latest
+    outputs:
+      workspaces: ${{ steps.workspaces.outputs.this }}
+      repository: ${{ steps.github.outputs.repository }}
+      sha: ${{ steps.github.outputs.sha }}
+      number: ${{ steps.github.outputs.number }}
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - name: Find repository and sha to checkout
+        id: github
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if [[ '${{ github.event_name }}' == 'workflow_dispatch' ]]; then
+            repository='${{ github.repository }}'
+            sha='${{ github.sha }}'
+          elif [[ '${{ github.event_name }}' == 'workflow_run' ]]; then
+            repository='${{ github.event.workflow_run.head_repository.full_name }}'
+            sha='${{ github.event.workflow_run.head_commit.id }}'
+            number="$(gh api '/repos/${{ github.repository }}/actions/runs/${{ github.event.workflow_run.id }}' --jq '.pull_requests[0].number')"
+          fi
+          echo "::set-output name=repository::$repository"
+          echo "::set-output name=sha::$sha"
+          echo "::set-output name=number::$number"
+      - run: sha=${{ steps.github.outputs.sha }}
+      - env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: gh api 'repos/${{ github.repository }}/statuses/${{ steps.github.outputs.sha }}' -f context='Plan' -f state='pending' -f target_url='${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}'
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          repository: ${{ steps.github.outputs.repository }}
+          ref: ${{ steps.github.outputs.sha }}
+      - name: Discover workspaces
+        id: workspaces
+        run: echo "::set-output name=this::$(ls github | jq --raw-input '[.]' | jq -sc add)"
+  plan:
+    needs: [prepare]
+    if: needs.prepare.outputs.workspaces != ''
+    permissions:
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        workspace: ${{ fromJson(needs.prepare.outputs.workspaces) }}
+    name: Plan
+    runs-on: ubuntu-latest
+    env:
+      TF_IN_AUTOMATION: 1
+      TF_INPUT: 0
+      TF_WORKSPACE: ${{ matrix.workspace }}
+      AWS_ACCESS_KEY_ID: ${{ secrets.RO_AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.RO_AWS_SECRET_ACCESS_KEY }}
+      GITHUB_APP_ID: ${{ secrets.RO_GITHUB_APP_ID }}
+      GITHUB_APP_INSTALLATION_ID: ${{ secrets[format('RO_GITHUB_APP_INSTALLATION_ID_{0}', matrix.workspace)] }}
+      GITHUB_APP_PEM_FILE: ${{ secrets.RO_GITHUB_APP_PEM_FILE }}
+      TF_VAR_write_delay_ms: 300
+    defaults:
+      run:
+        shell: bash
+        working-directory: terraform
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          repository: ${{ needs.prepare.outputs.repository }}
+          ref: ${{ needs.prepare.outputs.sha }}
+      - name: Setup terraform
+        uses: hashicorp/setup-terraform@3d8debd658c92063839bc97da5c2427100420dec # v1.3.2
+        with:
+          terraform_version: 1.1.4
+      - name: Initialize terraform
+        run: terraform init
+      - name: Check terraform lock
+        if: github.event_name == 'workflow_run'
+        run: git diff --exit-code .terraform.lock.hcl
+      - name: Format terraform
+        run: terraform fmt -check
+      - name: Validate terraform
+        run: terraform validate -no-color
+      - name: Retrieve targets from config
+        id: target
+        run: echo "::set-output name=this::$(jq -r 'split(" ")[:-1] | map("-target=github_\(sub(".json$"; "")).this") | join(" ")' <<< '"'"$(ls | tr '\n' ' ')"'"')"
+        working-directory: github/${{ env.TF_WORKSPACE }}
+      - name: Plan terraform
+        id: plan
+        run: terraform plan ${{ steps.target.outputs.this }} -refresh=false -lock=false -out=${{ env.TF_WORKSPACE }}.tfplan -no-color
+      - name: Upload terraform plan
+        uses: actions/upload-artifact@v2
+        with:
+          name: ${{ env.TF_WORKSPACE }}_${{ needs.prepare.outputs.sha }}.tfplan
+          path: terraform/${{ env.TF_WORKSPACE }}.tfplan
+          if-no-files-found: error
+          retention-days: 90
+  comment:
+    needs: [prepare, plan]
+    if: github.event_name == 'workflow_run'
+    permissions:
+      contents: read
+      pull-requests: write
+    name: Comment
+    runs-on: ubuntu-latest
+    env:
+      AWS_ACCESS_KEY_ID: ${{ secrets.RO_AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.RO_AWS_SECRET_ACCESS_KEY }}
+    defaults:
+      run:
+        shell: bash
+        working-directory: terraform
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          repository: ${{ needs.prepare.outputs.repository }}
+          ref: ${{ needs.prepare.outputs.sha }}
+      - name: Setup terraform
+        uses: hashicorp/setup-terraform@3d8debd658c92063839bc97da5c2427100420dec # v1.3.2
+        with:
+          terraform_version: 1.1.4
+          terraform_wrapper: false
+      - name: Initialize terraform
+        run: terraform init
+      - name: Download terraform plans
+        uses: actions/download-artifact@v2
+        with:
+          path: terraform
+      - name: Show terraform plans
+        run: |
+          echo 'COMMENT<<EOF' >> $GITHUB_ENV
+          for plan in $(find . -type f -name '*.tfplan'); do
+            echo "<details><summary>$(basename "$plan" '.tfplan')</summary>" >> $GITHUB_ENV
+            echo '' >> $GITHUB_ENV
+            echo '```' >> $GITHUB_ENV
+            echo "$(terraform show -no-color "$plan" 2>&1)" >> $GITHUB_ENV
+            echo '```' >> $GITHUB_ENV
+            echo '' >> $GITHUB_ENV
+            echo '</details>' >> $GITHUB_ENV
+          done
+          echo 'EOF' >> $GITHUB_ENV
+      - name: Comment on pull request
+        uses: marocchino/sticky-pull-request-comment@39c5b5dc7717447d0cba270cd115037d32d28443 # v2.2.0
+        with:
+          number: ${{ needs.prepare.outputs.number }}
+          message: |
+            Before merge, verify that all the following plans are correct. They will be applied as-is after the merge.
+
+            #### Terraform plans
+            ${{ env.COMMENT }}
@@ -0,0 +1,26 @@
+name: "Plan (post)"
+
+on:
+  workflow_run:
+    workflows:
+      - Plan
+    types:
+      - completed
+
+jobs:
+  notify:
+    permissions:
+      actions: read
+      statuses: write
+    name: "Notify"
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          sha="$(gh api '/repos/${{ github.repository }}/actions/runs/${{ github.event.workflow_run.id }}/jobs' --jq '.jobs[] | .steps[] | .name | select(startswith("Run sha="))')"
+          sha="${sha#Run sha=}"
+          gh api "repos/${{ github.repository }}/statuses/$sha" -f context='Plan' -f state='${{ github.event.workflow_run.conclusion }}' -f target_url='${{ github.event.workflow_run.html_url }}'
@@ -0,0 +1,13 @@
+name: "Plan (pre)"
+
+on:
+  pull_request:
+
+jobs:
+  trigger:
+    if: github.event.pull_request.base.ref == github.event.repository.default_branch &&
+        github.event.repository.is_template == false
+    name: "Trigger"
+    runs-on: ubuntu-latest
+    steps:
+      - run: "true"