From da085b6c69e78f5e443619ea435ac9a50c7c496d Mon Sep 17 00:00:00 2001 From: 0ssigeno Date: Thu, 21 Aug 2025 11:28:53 +0200 Subject: [PATCH 1/3] Ecr fixes --- .github/actions/push_on_ecr/action.yml | 7 ++- .github/workflows/_release_and_tag.yml | 59 ++++++++++++++++++-------- .github/workflows/release.yml | 12 +++++- actions/push_on_ecr/action.yml | 7 ++- workflows/_release_and_tag.yml | 59 ++++++++++++++++++-------- workflows/release.yml | 12 +++++- 6 files changed, 116 insertions(+), 40 deletions(-) diff --git a/.github/actions/push_on_ecr/action.yml b/.github/actions/push_on_ecr/action.yml index f130e59..f7e182a 100644 --- a/.github/actions/push_on_ecr/action.yml +++ b/.github/actions/push_on_ecr/action.yml @@ -23,6 +23,10 @@ inputs: image_tag: description: Directory that must be run against the linters required: true + image_target: + description: Image target stage + required: true + default: BASE aws_region: description: Aws region @@ -46,7 +50,7 @@ runs: uses: docker/setup-buildx-action@v3 - name: Build and push - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: ${{ inputs.working_directory }} push: true @@ -54,3 +58,4 @@ runs: cache-to: type=gha,mode=max tags: ${{inputs.aws_account_id}}.dkr.ecr.${{inputs.aws_region}}.amazonaws.com/${{ inputs.repository }}:${{ inputs.image_tag }} file: ${{ inputs.working_directory }}/${{ inputs.dockerfile }} + target: ${{ inputs.image_target }} diff --git a/.github/workflows/_release_and_tag.yml b/.github/workflows/_release_and_tag.yml index 92bf029..31e3c35 100644 --- a/.github/workflows/_release_and_tag.yml +++ b/.github/workflows/_release_and_tag.yml 
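Review bot: The new `image_target` input declares both `required: true` and `default: BASE`, which contradict each other, and `required` is not enforced at runtime for action inputs anyway; keep one of the two and say what the value is for, e.g. `description: Dockerfile stage passed to docker build --target (callers that omit it get BASE)`. While here, the neighbouring `image_tag` description "Directory that must be run against the linters" is a copy-paste leftover and could be corrected to describe the image tag.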
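Review bot: `target: ${{ inputs.image_target }}` is now passed unconditionally, so together with the input's `default: BASE` every caller that does not set `image_target` switches from building the Dockerfile's final stage to building stage `BASE`; in this series the "Push on ecr new release" step in `_release_and_tag.yml` is such a caller. Either give that step an explicit `image_target`, or leave the default empty so `target: ''` keeps the previous behaviour — I believe build-push-action ignores an empty `target`, but that is worth confirming before relying on it.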
@@ -36,16 +36,12 @@ on: type: boolean required: false default: false - repository: - description: Repository name - type: string - required: false - default: ${{ github.event.repository.name }} - dockerfiles: - description: Path for dockerfiles from working directory + docker_mapping: + description: List[Dict[dockerfile sep "dockerfile_path", repository sep "repository_name"]] type: string required: false + working_directory: description: Docker build context type: string 
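Review bot: `docker_mapping` is declared `required: false` with no default, but both ECR jobs feed it straight into `fromJson(inputs.docker_mapping)` for their `strategy.matrix`, so a caller that enables `publish_on_ecr` without setting it fails at matrix evaluation on an empty string rather than with a clear message, as far as I can tell; add `default: '[]'` so the matrix is simply empty. The description `List[Dict[dockerfile sep "dockerfile_path", repository sep "repository_name"]]` is hard to read; an example is clearer, e.g. `description: JSON list of {"dockerfile": "<path relative to working_directory>", "repository": "<ECR repository name>"} objects`. Removing the `repository` input also breaks any caller still passing it — `release.yml` in this same series still does.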
@@ -148,39 +144,68 @@ jobs: access_token_secret: ${{ secrets.TWITTER_ACCESS_TOKEN_SECRET }} - push_on_ecr: + push_on_ecr_branch: runs-on: ubuntu-latest - needs: release_and_tag - if: github.event.pull_request.merged == true && inputs.publish_on_ecr == true + environment: ${{ ( github.base_ref == 'main' || github.base_ref == 'master' ) && 'prod' || ( github.base_ref == 'develop' || github.base_ref == 'dev' ) && 'stag' || 'test' }} + if: inputs.publish_on_ecr == true strategy: matrix: - dockerfile: ${{ fromJson(inputs.dockerfiles) }} + docker_mapping: ${{ fromJson(inputs.docker_mapping) }} steps: - uses: actions/checkout@v4 with: fetch-depth: 0 # otherwise, you do not retrieve the tags - - name: Push on ecr branch + + - name: Push on ecr branch from merge uses: ./.github/actions/push_on_ecr - if: github.base_ref == 'master' || github.base_ref == 'main' || github.base_ref == 'develop' || github.base_ref == 'dev' + if: github.event.pull_request.merged == true && (github.base_ref == 'master' || github.base_ref == 'develop') with: - repository: ${{ inputs.repository }} + repository: ${{ matrix.docker_mapping.repository }} aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }} aws_access_key: ${{ secrets.AWS_ACCESS_KEY}} aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - dockerfile: ${{ matrix.dockerfile }} + dockerfile: ${{ matrix.docker_mapping.dockerfile }} image_tag: ${{ ( github.base_ref == 'main' || github.base_ref == 'master' ) && 'prod' || 'stag' }} aws_region: ${{ inputs.aws_region }} working_directory: ${{ inputs.working_directory }} + image_target: ${{ ( github.base_ref == 'main' || github.base_ref == 'master' ) && 'prod' || 'stag' }} + + - name: Push on ecr branch from push + uses: ./.github/actions/push_on_ecr + if: github.ref_name == 'test' || github.ref_name == 'opentofu' + with: + repository: ${{ matrix.docker_mapping.repository }} + aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }} + aws_access_key: ${{ secrets.AWS_ACCESS_KEY}} + aws_secret_access_key: ${{ 
secrets.AWS_SECRET_ACCESS_KEY }} + dockerfile: ${{ matrix.docker_mapping.dockerfile }} + image_tag: 'test' + aws_region: ${{ inputs.aws_region }} + working_directory: ${{ inputs.working_directory }} + image_target: 'test' + + push_on_ecr_tag: + runs-on: ubuntu-latest + needs: release_and_tag + environment: "prod" + if: github.event.pull_request.merged == true && inputs.publish_on_ecr == true + strategy: + matrix: + docker_mapping: ${{ fromJson(inputs.docker_mapping) }} + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 # otherwise, you do not retrieve the tags - name: Push on ecr new release if: needs.release_and_tag.outputs.match == 'true' && (github.base_ref == 'master' || github.base_ref == 'main' ) uses: ./.github/actions/push_on_ecr with: - repository: ${{ inputs.repository }} + repository: ${{ matrix.docker_mapping.repository }} aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }} aws_access_key: ${{ secrets.AWS_ACCESS_KEY}} aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - dockerfile: ${{ inputs.dockerfile }} + dockerfile: ${{ matrix.docker_mapping.dockerfile }} image_tag: ${{ github.event.pull_request.title }} aws_region: ${{ inputs.aws_region }} working_directory: ${{ inputs.working_directory }} \ No newline at end of file diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7288a8c..6f1e69d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -4,6 +4,15 @@ on: pull_request: types: - closed + branches: + - 'master' + - 'main' + - 'develop' + - 'test' + push: + branches: + - 'test' + - 'opentofu' # discard previous execution if you commit to a branch that is already running concurrency: @@ -23,6 +32,5 @@ jobs: publish_on_ecr: false repository: certego-test working_directory: .github/test/python_test - dockerfiles: >- - ["Dockerfile"] + docker_mapping: '[{ dockerfile: "docker/Dockerfile", repository: "test"}]' aws_region: eu-central-1 
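Review bot: `push_on_ecr_branch` now binds to the `prod`/`stag` environment through the job-level `environment:` expression, but its only job-level gate is `inputs.publish_on_ecr == true`, so a PR to `main` or `master` that is closed without merging still starts a job in the `prod` environment — triggering any required-reviewer rule and creating a deployment record — before both steps are skipped. Lift the event checks to the job: `if: inputs.publish_on_ecr == true && (github.event.pull_request.merged == true || github.event_name == 'push')`. `push_on_ecr_tag` has the same shape, pinned to `environment: "prod"` yet running for merges into `develop` where its single step is skipped; `github.base_ref == 'master' || github.base_ref == 'main'` belongs on the job `if` as well. Both jobs and the new "from push" step also keep passing static `AWS_ACCESS_KEY`/`AWS_SECRET_ACCESS_KEY`; now that the jobs are environment-scoped, an OIDC-assumed role per environment would remove the long-lived keys from the repository secrets.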
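Review bot: `repository: certego-test` is still passed to `_release_and_tag.yml` although this same patch deletes the `repository` input from that workflow; as far as I know GitHub rejects a reusable-workflow call that supplies an undeclared input, so this workflow would fail to start until the line is removed. The new `docker_mapping` value `'[{ dockerfile: "docker/Dockerfile", repository: "test"}]'` is not strict JSON (unquoted keys); GitHub's `fromJson` may tolerate it, but `'[{"dockerfile": "docker/Dockerfile", "repository": "test"}]'` does not depend on parser leniency. With `publish_on_ecr: false` the ECR jobs are skipped, so the JSON issue would not surface here until that flag is flipped.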
diff --git a/actions/push_on_ecr/action.yml b/actions/push_on_ecr/action.yml index f130e59..f7e182a 100644 --- a/actions/push_on_ecr/action.yml +++ b/actions/push_on_ecr/action.yml @@ -23,6 +23,10 @@ inputs: image_tag: description: Directory that must be run against the linters required: true + image_target: + description: Image target stage + required: true + default: BASE aws_region: description: Aws region @@ -46,7 +50,7 @@ runs: uses: docker/setup-buildx-action@v3 - name: Build and push - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: ${{ inputs.working_directory }} push: true @@ -54,3 +58,4 @@ runs: cache-to: type=gha,mode=max tags: ${{inputs.aws_account_id}}.dkr.ecr.${{inputs.aws_region}}.amazonaws.com/${{ inputs.repository }}:${{ inputs.image_tag }} file: ${{ inputs.working_directory }}/${{ inputs.dockerfile }} + target: ${{ inputs.image_target }} diff --git a/workflows/_release_and_tag.yml b/workflows/_release_and_tag.yml index 92bf029..31e3c35 100644 --- a/workflows/_release_and_tag.yml +++ b/workflows/_release_and_tag.yml @@ -36,16 +36,12 @@ on: type: boolean required: false default: false - repository: - description: Repository name - type: string - required: false - default: ${{ github.event.repository.name }} - dockerfiles: - description: Path for dockerfiles from working directory + docker_mapping: + description: List[Dict[dockerfile sep "dockerfile_path", repository sep "repository_name"]] type: string required: false + working_directory: description: Docker build context type: string 
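Review bot: `required: true` together with `default: BASE` on `image_target` is contradictory, and because the last hunk of this file now always passes `target: ${{ inputs.image_target }}`, the default silently changes what callers that never set the input build — the final stage before, stage `BASE` now. Pick one: drop the default and make every caller choose a stage, or drop `required: true` and document the fallback on the input, `# Dockerfile stage for --target; callers that omit it build BASE`. This file appears to be a copy of `.github/actions/push_on_ecr/action.yml` and should stay in sync with it.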
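Review bot: `docker_mapping` is optional with no default, yet `strategy.matrix` in both ECR jobs calls `fromJson(inputs.docker_mapping)` unconditionally, so enabling `publish_on_ecr` without it would fail at matrix expansion on an empty string rather than with a useful message; `default: '[]'` yields an empty matrix instead. The description `List[Dict[dockerfile sep "dockerfile_path", repository sep "repository_name"]]` is cryptic; a JSON example with a note that `dockerfile` is relative to `working_directory` and `repository` is the ECR repository name would help callers.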
@@ -148,39 +144,68 @@ jobs: access_token_secret: ${{ secrets.TWITTER_ACCESS_TOKEN_SECRET }} - push_on_ecr: + push_on_ecr_branch: runs-on: ubuntu-latest - needs: release_and_tag - if: github.event.pull_request.merged == true && inputs.publish_on_ecr == true + environment: ${{ ( github.base_ref == 'main' || github.base_ref == 'master' ) && 'prod' || ( github.base_ref == 'develop' || github.base_ref == 'dev' ) && 'stag' || 'test' }} + if: inputs.publish_on_ecr == true strategy: matrix: - dockerfile: ${{ fromJson(inputs.dockerfiles) }} + docker_mapping: ${{ fromJson(inputs.docker_mapping) }} steps: - uses: actions/checkout@v4 with: fetch-depth: 0 # otherwise, you do not retrieve the tags - - name: Push on ecr branch + + - name: Push on ecr branch from merge uses: ./.github/actions/push_on_ecr - if: github.base_ref == 'master' || github.base_ref == 'main' || github.base_ref == 'develop' || github.base_ref == 'dev' + if: github.event.pull_request.merged == true && (github.base_ref == 'master' || github.base_ref == 'develop') with: - repository: ${{ inputs.repository }} + repository: ${{ matrix.docker_mapping.repository }} aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }} aws_access_key: ${{ secrets.AWS_ACCESS_KEY}} aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - dockerfile: ${{ matrix.dockerfile }} + dockerfile: ${{ matrix.docker_mapping.dockerfile }} image_tag: ${{ ( github.base_ref == 'main' || github.base_ref == 'master' ) && 'prod' || 'stag' }} aws_region: ${{ inputs.aws_region }} working_directory: ${{ inputs.working_directory }} + image_target: ${{ ( github.base_ref == 'main' || github.base_ref == 'master' ) && 'prod' || 'stag' }} + + - name: Push on ecr branch from push + uses: ./.github/actions/push_on_ecr + if: github.ref_name == 'test' || github.ref_name == 'opentofu' + with: + repository: ${{ matrix.docker_mapping.repository }} + aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }} + aws_access_key: ${{ secrets.AWS_ACCESS_KEY}} + aws_secret_access_key: ${{ 
secrets.AWS_SECRET_ACCESS_KEY }} + dockerfile: ${{ matrix.docker_mapping.dockerfile }} + image_tag: 'test' + aws_region: ${{ inputs.aws_region }} + working_directory: ${{ inputs.working_directory }} + image_target: 'test' + + push_on_ecr_tag: + runs-on: ubuntu-latest + needs: release_and_tag + environment: "prod" + if: github.event.pull_request.merged == true && inputs.publish_on_ecr == true + strategy: + matrix: + docker_mapping: ${{ fromJson(inputs.docker_mapping) }} + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 # otherwise, you do not retrieve the tags - name: Push on ecr new release if: needs.release_and_tag.outputs.match == 'true' && (github.base_ref == 'master' || github.base_ref == 'main' ) uses: ./.github/actions/push_on_ecr with: - repository: ${{ inputs.repository }} + repository: ${{ matrix.docker_mapping.repository }} aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }} aws_access_key: ${{ secrets.AWS_ACCESS_KEY}} aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - dockerfile: ${{ inputs.dockerfile }} + dockerfile: ${{ matrix.docker_mapping.dockerfile }} image_tag: ${{ github.event.pull_request.title }} aws_region: ${{ inputs.aws_region }} working_directory: ${{ inputs.working_directory }} \ No newline at end of file diff --git a/workflows/release.yml b/workflows/release.yml index 7288a8c..6f1e69d 100644 --- a/workflows/release.yml +++ b/workflows/release.yml @@ -4,6 +4,15 @@ on: pull_request: types: - closed + branches: + - 'master' + - 'main' + - 'develop' + - 'test' + push: + branches: + - 'test' + - 'opentofu' # discard previous execution if you commit to a branch that is already running concurrency: @@ -23,6 +32,5 @@ jobs: publish_on_ecr: false repository: certego-test working_directory: .github/test/python_test - dockerfiles: >- - ["Dockerfile"] + docker_mapping: '[{ dockerfile: "docker/Dockerfile", repository: "test"}]' aws_region: eu-central-1 From 499d1517ec40d5f0c4c9a29184e38d0789de1878 Mon Sep 17 00:00:00 2001 
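Review bot: The merge step's condition `github.base_ref == 'master' || github.base_ref == 'develop'` drops the `main` and `dev` branches that the job's `environment:` expression and the `image_tag`/`image_target` expressions still recognise, so a merge into `main` starts a job in the `prod` environment and then skips its only applicable step; align the lists, e.g. `if: github.event.pull_request.merged == true && (github.base_ref == 'master' || github.base_ref == 'main' || github.base_ref == 'develop' || github.base_ref == 'dev')`. The "Push on ecr new release" step in `push_on_ecr_tag` is the only call to `push_on_ecr` that does not pass `image_target`, so with the action's new `default: BASE` the tagged release image is built from a different stage than the `prod` branch image — presumably unintended; pass `image_target: 'prod'` there. `image_tag: ${{ github.event.pull_request.title }}` (unchanged here) puts a free-form PR title into the image reference; the `needs.release_and_tag.outputs.match` gate suggests the title is already validated against a version pattern upstream, and if so that is fine, otherwise a title with spaces or other characters outside the OCI tag grammar would fail the push.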
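Review bot: `repository: certego-test` is still passed here although the `repository` input is deleted from `workflows/_release_and_tag.yml` in this same patch; a reusable-workflow call with an undeclared input is rejected by GitHub as far as I know, so remove the line. Prefer strict JSON for `docker_mapping` — `'[{"dockerfile": "docker/Dockerfile", "repository": "test"}]'` — rather than relying on `fromJson` accepting unquoted keys.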
From: 0ssigeno Date: Wed, 27 Aug 2025 10:53:48 +0200 Subject: [PATCH 2/3] Opentofu stuff --- .github/workflows/_detect_changes.yml | 40 +++++++++++++-- .github/workflows/_opentofu.yml | 51 +++++++++++++++++++ .github/workflows/pull_request_automation.yml | 8 +++ workflows/_detect_changes.yml | 40 +++++++++++++-- workflows/_opentofu.yml | 51 +++++++++++++++++++ workflows/pull_request_automation.yml | 8 +++ 6 files changed, 190 insertions(+), 8 deletions(-) create mode 100644 .github/workflows/_opentofu.yml create mode 100644 workflows/_opentofu.yml diff --git a/.github/workflows/_detect_changes.yml b/.github/workflows/_detect_changes.yml index 9e9b8a6..1a20cf9 100644 --- a/.github/workflows/_detect_changes.yml +++ b/.github/workflows/_detect_changes.yml @@ -16,12 +16,22 @@ on: description: Space separated list of frontend directories required: false type: string - + frontend_exclusions: description: Space separated list of frontend directories or files to be excluded required: false type: string + infrastructure_directories: + description: Space separated list of infrastructure directories + required: false + type: string + + infrastructure_exclusions: + description: Space separated list of infrastructure directories or files to be excluded + required: false + type: string + ubuntu_version: description: Ubuntu version to use type: string @@ -37,6 +47,10 @@ on: description: Number of files changed in frontend value: ${{ jobs.detect-changes.outputs.frontend }} + infrastructure: + description: Number of files changed in infrastructure + value: ${{ jobs.detect-changes.outputs.infrastructure }} + jobs: detect-changes: name: Detect changes @@ -44,6 +58,8 @@ jobs: outputs: backend: ${{steps.diff_check_backend.outputs.backend}} frontend: ${{steps.diff_check_frontend.outputs.frontend}} + infrastructure: ${{steps.diff_check_infrastructure.outputs.infrastructure}} + steps: - name: Check out PR target branch uses: actions/checkout@v4 
@@ -56,7 +72,7 @@ jobs: clean: false - name: Generate summary - if: ${{inputs.backend_directories != ''}} | ${{inputs.frontend_directories != ''}} + if: ${{inputs.backend_directories != ''}} | ${{inputs.frontend_directories != ''}} | ${{inputs.infrastructure_directories != ''}} run: | echo "### Detect Changes summary" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY 
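Review bot: The `if:` on "Generate summary" joins three `${{ }}` expressions with a single `|`, which is not a boolean operator in the GitHub expression language; the interpolated value is a plain string like `false | false | true`, and a non-empty string is truthy, so as far as I can tell the step always runs regardless of inputs. Write it as one expression: `if: inputs.backend_directories != '' || inputs.frontend_directories != '' || inputs.infrastructure_directories != ''`. The step body continues past this hunk.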
@@ -92,7 +108,23 @@ jobs: FRONTEND_CHANGES=$(git diff --compact-summary origin/${{ github.base_ref }} -- ${{ inputs.frontend_directories }} $FRONTEND_EXCLUSIONS | head -n -1 | wc -l) echo "frontend=$FRONTEND_CHANGES" >> $GITHUB_OUTPUT echo "Frontend Changes: $FRONTEND_CHANGES" >> $GITHUB_STEP_SUMMARY - echo "::debug::diff command:git diff --compact-summary origin/${{ github.base_ref }} -- ${{ inputs.backend_directories }} $FRONTEND_EXCLUSIONS" - echo "::debug::diff command results: $(git diff --compact-summary origin/${{ github.base_ref }} -- ${{ inputs.backend_directories }} $FRONTEND_EXCLUSIONS | head -n -1 )" + echo "::debug::diff command:git diff --compact-summary origin/${{ github.base_ref }} -- ${{ inputs.frontend_directories }} $FRONTEND_EXCLUSIONS" + echo "::debug::diff command results: $(git diff --compact-summary origin/${{ github.base_ref }} -- ${{ inputs.frontend_directories }} $FRONTEND_EXCLUSIONS | head -n -1 )" echo "frontend $FRONTEND_CHANGES" + - name: Generate diffs for infrastructure + if: ${{inputs.infrastructure_directories != ''}} + id: diff_check_infrastructure + run: | + INFRASTRUCTURE_EXCLUSIONS="" + if ${{ inputs.infrastructure_exclusions != ''}}; then + for exclusion in ${{ inputs.infrastructure_exclusions }}; do + INFRASTRUCTURE_EXCLUSIONS+=":(glob,exclude)$exclusion " + done + fi + INFRASTRUCTURE_CHANGES=$(git diff --compact-summary origin/${{ github.base_ref }} -- ${{ inputs.infrastructure_directories }} $INFRASTRUCTURE_EXCLUSIONS | head -n -1 | wc -l) + echo "infrastructure=$INFRASTRUCTURE_CHANGES" >> $GITHUB_OUTPUT + echo "Infrastructure Changes: $INFRASTRUCTURE_CHANGES" >> $GITHUB_STEP_SUMMARY + echo "::debug::diff command:git diff --compact-summary origin/${{ github.base_ref }} -- ${{ inputs.infrastructure_directories }} $INFRASTRUCTURE_EXCLUSIONS" + echo "::debug::diff command results: $(git diff --compact-summary origin/${{ github.base_ref }} -- ${{ inputs.infrastructure_directories }} $INFRASTRUCTURE_EXCLUSIONS | head -n -1 )" + 
echo "infrastructure $INFRASTRUCTURE_CHANGES" diff --git a/.github/workflows/_opentofu.yml b/.github/workflows/_opentofu.yml new file mode 100644 index 0000000..97a122f --- /dev/null +++ b/.github/workflows/_opentofu.yml 
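Review bot: The new step interpolates `${{ inputs.infrastructure_directories }}`, `${{ inputs.infrastructure_exclusions }}` and `${{ github.base_ref }}` directly into the `run:` script, and the `if ${{ ... }}; then` line only works because the expression renders to the shell builtin `true` or `false`; this is the expression-injection pattern actionlint and CodeQL flag for Actions. The values here come from the calling workflow's YAML and the PR target branch, so the practical exposure is low, but passing them through `env:` and testing with `[ -n ... ]` removes the class of problem and reads as ordinary bash. The backend and frontend steps outside this hunk presumably follow the same pattern and could be converted the same way.
```yaml
      - name: Generate diffs for infrastructure
        if: ${{ inputs.infrastructure_directories != '' }}
        id: diff_check_infrastructure
        env:
          INFRA_DIRS: ${{ inputs.infrastructure_directories }}
          INFRA_EXCLUSIONS_IN: ${{ inputs.infrastructure_exclusions }}
          BASE_REF: ${{ github.base_ref }}
        run: |
          INFRASTRUCTURE_EXCLUSIONS=""
          if [ -n "$INFRA_EXCLUSIONS_IN" ]; then
            for exclusion in $INFRA_EXCLUSIONS_IN; do
              INFRASTRUCTURE_EXCLUSIONS+=":(glob,exclude)$exclusion "
            done
          fi
          # $INFRA_DIRS and $INFRASTRUCTURE_EXCLUSIONS stay unquoted on purpose: space-separated lists
          INFRASTRUCTURE_CHANGES=$(git diff --compact-summary "origin/$BASE_REF" -- $INFRA_DIRS $INFRASTRUCTURE_EXCLUSIONS | head -n -1 | wc -l)
          # … unchanged: GITHUB_OUTPUT / GITHUB_STEP_SUMMARY / ::debug echo lines, using the same variables …
```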
@@ -0,0 +1,51 @@ +name: Reusable opentofu workflow +on: + workflow_call: + inputs: + working_directory: + description: Directory that must be run against the linters + type: string + required: true + + +jobs: + python: + name: Run opentofu test suite + runs-on: ubuntu-latest + env: + STAGE: ${{ ( github.base_ref == 'main' || github.base_ref == 'master' ) && 'prod' || ( github.base_ref == 'develop' || github.base_ref == 'dev' ) && 'stag' || 'test' }} + strategy: + matrix: + directory: ["infrastructure", "application" ] + fail-fast: false + environment: ${{ ( github.base_ref == 'main' || github.base_ref == 'master' ) && 'prod' || ( github.base_ref == 'develop' || github.base_ref == 'dev' ) && 'stag' || 'test' }} + permissions: write-all + steps: + - name: Check out latest commit + uses: actions/checkout@v4 + + - name: tofu fmt ${{ matrix.directory }} + uses: dflook/tofu-fmt-check@v2 + with: + path: ${{inputs.working_directory}}/opentofu/${{ env.STAGE }}/${{ matrix.directory }} + + - name: tofu validate ${{ matrix.directory }} + uses: dflook/tofu-validate@v2 + with: + path: ${{inputs.working_directory}}/opentofu/${{ env.STAGE }}/${{ matrix.directory }} + + - name: tofu plan ${{ matrix.directory }} + uses: dflook/tofu-plan@v2 + env: + GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }} + TF_VAR_github_token : ${{ secrets.GITHUB_TOKEN }} + TF_VAR_github_organization_name : certego + TF_VAR_aws_account_id : ${{ secrets.AWS_ACCOUNT_ID }} + TF_VAR_aws_access_key : ${{ secrets.AWS_ACCESS_KEY }} + TF_VAR_aws_secret_key : ${{ secrets.AWS_SECRET_ACCESS_KEY }} + with: + path: ${{inputs.working_directory}}/opentofu/${{ env.STAGE }}/${{ matrix.directory }} + label: ${{ matrix.path }} + # TODO per qualche ragione di permessi (credo del token github) non riesce a recuperarsi le chiavi + exclude: | + module.github_ecr_access_keys diff --git a/.github/workflows/pull_request_automation.yml b/.github/workflows/pull_request_automation.yml index fc6a62e..3e21a9a 100644 
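Review bot: `permissions: write-all` on the `python` job grants the `GITHUB_TOKEN` every scope, while the three dflook steps only need to read the checkout and, for the plan comment, write to the pull request; narrow it to `contents: read` and `pull-requests: write`. `label: ${{ matrix.path }}` refers to a matrix key that does not exist — the matrix defines `directory` — so every plan comment gets an empty label and the two matrix legs may overwrite each other's comment; use `label: ${{ matrix.directory }}`. The job id `python` and the input description "Directory that must be run against the linters" look copy-pasted from the Python workflow. The Italian TODO (roughly: "for some permission reason, I think the GitHub token, it cannot retrieve the keys") is consistent with `secrets.GITHUB_TOKEN` being scoped to this repository, so a github-provider module touching organisation resources needs a GitHub App or fine-grained PAT secret instead; that is worth recording in English in the TODO.
```yaml
    permissions:
      contents: read
      pull-requests: write  # dflook/tofu-plan posts the plan as a PR comment
    # … unchanged: checkout, tofu fmt, tofu validate, and the tofu plan uses/env …
        with:
          path: ${{inputs.working_directory}}/opentofu/${{ env.STAGE }}/${{ matrix.directory }}
          label: ${{ matrix.directory }}
          # TODO(review): secrets.GITHUB_TOKEN is repository-scoped, so module.github_ecr_access_keys
          # cannot read organisation-level resources; use a GitHub App / fine-grained PAT secret instead
          exclude: |
            module.github_ecr_access_keys
```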
--- a/.github/workflows/pull_request_automation.yml +++ b/.github/workflows/pull_request_automation.yml @@ -106,3 +106,11 @@ jobs: ["3.12"] max_timeout: 15 ubuntu_version: latest + + opentofu_test: + needs: detect-changes + if: ${{ needs.detect-changes.outputs.infrastructure > 0 }} + uses: ./.github/workflows/_opentofu.yml + secrets: inherit + with: + working_directory: . diff --git a/workflows/_detect_changes.yml b/workflows/_detect_changes.yml index 9e9b8a6..1a20cf9 100644 --- a/workflows/_detect_changes.yml +++ b/workflows/_detect_changes.yml @@ -16,12 +16,22 @@ on: description: Space separated list of frontend directories required: false type: string - + frontend_exclusions: description: Space separated list of frontend directories or files to be excluded required: false type: string + infrastructure_directories: + description: Space separated list of infrastructure directories + required: false + type: string + + infrastructure_exclusions: + description: Space separated list of infrastructure directories or files to be excluded + required: false + type: string + ubuntu_version: description: Ubuntu version to use type: string @@ -37,6 +47,10 @@ on: description: Number of files changed in frontend value: ${{ jobs.detect-changes.outputs.frontend }} + infrastructure: + description: Number of files changed in infrastructure + value: ${{ jobs.detect-changes.outputs.infrastructure }} + jobs: detect-changes: name: Detect changes @@ -44,6 +58,8 @@ jobs: outputs: backend: ${{steps.diff_check_backend.outputs.backend}} frontend: ${{steps.diff_check_frontend.outputs.frontend}} + infrastructure: ${{steps.diff_check_infrastructure.outputs.infrastructure}} + steps: - name: Check out PR target branch uses: actions/checkout@v4 
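Review bot: `secrets: inherit` forwards every repository and organisation secret to `_opentofu.yml`, which only reads `AWS_ACCOUNT_ID`, `AWS_ACCESS_KEY`, `AWS_SECRET_ACCESS_KEY` and the automatic `GITHUB_TOKEN`; listing those three explicitly under `secrets:` keeps the Twitter and any other secrets out of the plan job's reach. The called workflow asks for `permissions: write-all`, which a reusable workflow can only receive if the caller's token already allows it — setting `permissions: { contents: read, pull-requests: write }` on this job bounds it regardless of the repository's default token setting. `needs.detect-changes.outputs.infrastructure > 0` relies on GitHub coercing the string output to a number, which it documents, and an empty output (step skipped) correctly compares as not greater than zero.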
@@ -56,7 +72,7 @@ jobs: clean: false - name: Generate summary - if: ${{inputs.backend_directories != ''}} | ${{inputs.frontend_directories != ''}} + if: ${{inputs.backend_directories != ''}} | ${{inputs.frontend_directories != ''}} | ${{inputs.infrastructure_directories != ''}} run: | echo "### Detect Changes summary" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY 
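Review bot: A single `|` between `${{ }}` expressions is not OR; the `if:` value is interpolated into a plain string such as `false | true | false`, which is non-empty and therefore truthy, so this summary step appears to always run. Use `if: inputs.backend_directories != '' || inputs.frontend_directories != '' || inputs.infrastructure_directories != ''`. The step continues past this hunk.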
@@ -92,7 +108,23 @@ jobs: FRONTEND_CHANGES=$(git diff --compact-summary origin/${{ github.base_ref }} -- ${{ inputs.frontend_directories }} $FRONTEND_EXCLUSIONS | head -n -1 | wc -l) echo "frontend=$FRONTEND_CHANGES" >> $GITHUB_OUTPUT echo "Frontend Changes: $FRONTEND_CHANGES" >> $GITHUB_STEP_SUMMARY - echo "::debug::diff command:git diff --compact-summary origin/${{ github.base_ref }} -- ${{ inputs.backend_directories }} $FRONTEND_EXCLUSIONS" - echo "::debug::diff command results: $(git diff --compact-summary origin/${{ github.base_ref }} -- ${{ inputs.backend_directories }} $FRONTEND_EXCLUSIONS | head -n -1 )" + echo "::debug::diff command:git diff --compact-summary origin/${{ github.base_ref }} -- ${{ inputs.frontend_directories }} $FRONTEND_EXCLUSIONS" + echo "::debug::diff command results: $(git diff --compact-summary origin/${{ github.base_ref }} -- ${{ inputs.frontend_directories }} $FRONTEND_EXCLUSIONS | head -n -1 )" echo "frontend $FRONTEND_CHANGES" + - name: Generate diffs for infrastructure + if: ${{inputs.infrastructure_directories != ''}} + id: diff_check_infrastructure + run: | + INFRASTRUCTURE_EXCLUSIONS="" + if ${{ inputs.infrastructure_exclusions != ''}}; then + for exclusion in ${{ inputs.infrastructure_exclusions }}; do + INFRASTRUCTURE_EXCLUSIONS+=":(glob,exclude)$exclusion " + done + fi + INFRASTRUCTURE_CHANGES=$(git diff --compact-summary origin/${{ github.base_ref }} -- ${{ inputs.infrastructure_directories }} $INFRASTRUCTURE_EXCLUSIONS | head -n -1 | wc -l) + echo "infrastructure=$INFRASTRUCTURE_CHANGES" >> $GITHUB_OUTPUT + echo "Infrastructure Changes: $INFRASTRUCTURE_CHANGES" >> $GITHUB_STEP_SUMMARY + echo "::debug::diff command:git diff --compact-summary origin/${{ github.base_ref }} -- ${{ inputs.infrastructure_directories }} $INFRASTRUCTURE_EXCLUSIONS" + echo "::debug::diff command results: $(git diff --compact-summary origin/${{ github.base_ref }} -- ${{ inputs.infrastructure_directories }} $INFRASTRUCTURE_EXCLUSIONS | head -n -1 )" + 
echo "infrastructure $INFRASTRUCTURE_CHANGES" diff --git a/workflows/_opentofu.yml b/workflows/_opentofu.yml new file mode 100644 index 0000000..97a122f --- /dev/null +++ b/workflows/_opentofu.yml 
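Review bot: `if ${{ inputs.infrastructure_exclusions != ''}}; then` works only because the expression renders to the literal command `true` or `false`; it reads like a shell test but is not one, and together with the other `${{ inputs.* }}` and `${{ github.base_ref }}` interpolations in `run:` it is the pattern actionlint reports as expression injection. Move the inputs into an `env:` block on the step and test them in bash, e.g. `if [ -n "$INFRA_EXCLUSIONS_IN" ]; then`; the inputs come from the caller's workflow file so the exposure is limited, but the env form is also easier to read and lint. The `head -n -1 | wc -l` counting and the debug echoes can stay as they are.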
@@ -0,0 +1,51 @@ +name: Reusable opentofu workflow +on: + workflow_call: + inputs: + working_directory: + description: Directory that must be run against the linters + type: string + required: true + + +jobs: + python: + name: Run opentofu test suite + runs-on: ubuntu-latest + env: + STAGE: ${{ ( github.base_ref == 'main' || github.base_ref == 'master' ) && 'prod' || ( github.base_ref == 'develop' || github.base_ref == 'dev' ) && 'stag' || 'test' }} + strategy: + matrix: + directory: ["infrastructure", "application" ] + fail-fast: false + environment: ${{ ( github.base_ref == 'main' || github.base_ref == 'master' ) && 'prod' || ( github.base_ref == 'develop' || github.base_ref == 'dev' ) && 'stag' || 'test' }} + permissions: write-all + steps: + - name: Check out latest commit + uses: actions/checkout@v4 + + - name: tofu fmt ${{ matrix.directory }} + uses: dflook/tofu-fmt-check@v2 + with: + path: ${{inputs.working_directory}}/opentofu/${{ env.STAGE }}/${{ matrix.directory }} + + - name: tofu validate ${{ matrix.directory }} + uses: dflook/tofu-validate@v2 + with: + path: ${{inputs.working_directory}}/opentofu/${{ env.STAGE }}/${{ matrix.directory }} + + - name: tofu plan ${{ matrix.directory }} + uses: dflook/tofu-plan@v2 + env: + GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }} + TF_VAR_github_token : ${{ secrets.GITHUB_TOKEN }} + TF_VAR_github_organization_name : certego + TF_VAR_aws_account_id : ${{ secrets.AWS_ACCOUNT_ID }} + TF_VAR_aws_access_key : ${{ secrets.AWS_ACCESS_KEY }} + TF_VAR_aws_secret_key : ${{ secrets.AWS_SECRET_ACCESS_KEY }} + with: + path: ${{inputs.working_directory}}/opentofu/${{ env.STAGE }}/${{ matrix.directory }} + label: ${{ matrix.path }} + # TODO per qualche ragione di permessi (credo del token github) non riesce a recuperarsi le chiavi + exclude: | + module.github_ecr_access_keys diff --git a/workflows/pull_request_automation.yml b/workflows/pull_request_automation.yml index fc6a62e..3e21a9a 100644 --- a/workflows/pull_request_automation.yml 
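Review bot: The plan step hands long-lived AWS keys (`TF_VAR_aws_access_key`/`TF_VAR_aws_secret_key`) and the repository `GITHUB_TOKEN` to configuration checked out from the pull-request head, and the job runs in the `prod` environment whenever the PR targets `main`/`master`; a PR that adds an `external` data source or a provisioner would execute with those credentials during `tofu plan`. If the `prod` environment has no required-reviewer rule, add one, and prefer an OIDC-assumed role over static keys so nothing long-lived reaches the runner. `permissions: write-all` is far more than fmt/validate/plan need; `contents: read` plus `pull-requests: write` covers the plan comment. This file mirrors `.github/workflows/_opentofu.yml`, including the `label: ${{ matrix.path }}` reference to a matrix key that is not defined (the matrix key is `directory`).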
+++ b/workflows/pull_request_automation.yml @@ -106,3 +106,11 @@ jobs: ["3.12"] max_timeout: 15 ubuntu_version: latest + + opentofu_test: + needs: detect-changes + if: ${{ needs.detect-changes.outputs.infrastructure > 0 }} + uses: ./.github/workflows/_opentofu.yml + secrets: inherit + with: + working_directory: . From 5023a80eaf5881bacebdebd6d5a26925c01c4658 Mon Sep 17 00:00:00 2001 From: 0ssigeno Date: Wed, 27 Aug 2025 11:43:50 +0200 Subject: [PATCH 3/3] Added pre commit --- .pre-commit-config.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9697a09..f76324e 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -52,3 +52,9 @@ repos: - id: ruff name: ruff-lint args: ["--config", "./.github/configurations/python_linters/.ruff.toml"] + +- repo: https://github.com/tofuutils/pre-commit-opentofu + rev: v2.2.1 + hooks: + - id: tofu_fmt + - id: tofu_validate \ No newline at end of file
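Review bot: `secrets: inherit` hands the full secret set to the opentofu workflow when it only needs `AWS_ACCOUNT_ID`, `AWS_ACCESS_KEY` and `AWS_SECRET_ACCESS_KEY`; list them explicitly under `secrets:`. No `permissions:` is set on this job, so the callee's `write-all` request is bounded only by the repository's default token permissions; `permissions: { contents: read, pull-requests: write }` here makes the bound explicit.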
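Review bot: `rev: v2.2.1` pins the new `tofuutils/pre-commit-opentofu` hooks to a mutable tag; pre-commit clones the repository at that ref on every fresh install, so a moved tag silently changes what runs on developers' machines — pin the commit SHA instead (`pre-commit autoupdate --freeze` writes the hash with the tag in a trailing comment). The file also loses its trailing newline in this hunk (`\ No newline at end of file`).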