
.github/workflows/aws-vm-packer-build.yml #9

.github/workflows/aws-vm-packer-build.yml


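---
# Builds an AMI with Packer, then rebuilds the Gitstafette AWS VM with Terraform
# from that AMI, gated by a manual-approval issue. AWS access uses GitHub OIDC
# federation (no long-lived keys stored as secrets).
#
# Fixes relative to the previous revision:
#   - the job output read `steps.packer.outputs.ami_id`, but the build step's id
#     is `build`, so the output was always empty downstream;
#   - a hard-coded `ami_id="ami-09652ef7f1166e7d3"` overwrote the value parsed
#     from manifest.json, so the freshly built AMI was never deployed;
#   - the approval step needs `issues: write`, which the workflow-level
#     `permissions:` block did not grant;
#   - approval and apply now run only when the plan reports pending changes.
#
# NOTE(security): third-party actions are referenced by moving tags/branches
# (`@main`, `@v1`); consider pinning to commit SHAs.
on: workflow_dispatch  # manual trigger only (`on` is a YAML 1.1 boolean to generic parsers; GitHub's loader is fine)

env:
  AWS_REGION: "eu-central-1"

# Workflow-level permissions: the minimum every job needs. Jobs that need more
# (the approval step needs `issues: write`) widen it at job level.
permissions:
  id-token: write  # required for requesting the OIDC JWT
  contents: read   # required for actions/checkout

jobs:
  packer-build:
    runs-on: ubuntu-latest
    name: Run Packer
    outputs:
      # Must reference the step id that writes ami_id to $GITHUB_OUTPUT (`build`).
      ami_id: ${{ steps.build.outputs.ami_id }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup `packer`
        id: setup
        # TODO(security): `@main` is a mutable ref; pin to a release tag or commit SHA.
        uses: hashicorp/setup-packer@main
        with:
          version: "latest"

      - name: Run `packer init`
        id: init
        working-directory: ./aws/test-ec2-secrets/packer
        run: packer init ./aws-ubuntu.pkr.hcl

      - name: Run `packer validate`
        id: validate
        working-directory: ./aws/test-ec2-secrets/packer
        run: packer validate ./aws-ubuntu.pkr.hcl

      - name: configure aws credentials
        # PLACEHOLDER: the version tag was garbled in the source ("[email protected]");
        # restore the pinned release tag or commit SHA before use.
        uses: aws-actions/configure-aws-credentials@<PINNED_VERSION>
        with:
          role-to-assume: arn:aws:iam::853805194132:role/GitHubAction-Gitstafette  # change to reflect your IAM role's ARN
          role-session-name: GitHub_to_AWS_via_FederatedOIDC
          aws-region: ${{ env.AWS_REGION }}

      # Credential smoke test, left disabled: its output is huge (1M+ lines per
      # the original note).
      # - name: test aws credentials
      #   run: aws ec2 describe-images --region eu-central-1

      - name: Run `packer build`
        id: build
        working-directory: ./aws/test-ec2-secrets/packer
        run: |
          set -euo pipefail
          packer build ./aws-ubuntu.pkr.hcl
          # The manifest post-processor records the last build's artifact_id as
          # "<region>:<ami-id>"; keep only the AMI id part. Fail loudly if it is
          # missing rather than handing an empty id to Terraform.
          ami_id=$(jq -r '.builds[-1].artifact_id' manifest.json | cut -d':' -f2)
          if [ -z "${ami_id}" ] || [ "${ami_id}" = "null" ]; then
            echo "::error::no AMI id found in manifest.json"
            exit 1
          fi
          echo "ami_id=${ami_id}" | tee -a "${GITHUB_OUTPUT}"

  terraform-build:
    runs-on: ubuntu-latest
    name: Gitstafette AWS VM Rebuild
    needs: packer-build
    permissions:
      id-token: write  # OIDC JWT for AWS
      contents: read   # actions/checkout
      issues: write    # manual-approval opens and reads the approval issue
    steps:
      - id: tf-checkout
        name: Checkout code for TF
        uses: actions/checkout@v4

      - id: tf-aws-creds
        name: Configure AWS credentials for Terraform
        # PLACEHOLDER: the version tag was garbled in the source ("[email protected]");
        # restore the pinned release tag or commit SHA before use.
        uses: aws-actions/configure-aws-credentials@<PINNED_VERSION>
        with:
          role-to-assume: arn:aws:iam::853805194132:role/GitHubAction-Gitstafette  # change to reflect your IAM role's ARN
          role-session-name: GitHub_to_AWS_via_FederatedOIDC
          aws-region: ${{ env.AWS_REGION }}

      - id: tf-setup
        name: Setup Terraform
        uses: hashicorp/setup-terraform@v3

      - id: tf-init
        name: Terraform Init
        working-directory: ./aws/test-ec2-secrets/terraform
        run: terraform init

      - id: tf-validate
        name: Terraform Validate
        working-directory: ./aws/test-ec2-secrets/terraform
        run: terraform validate -no-color

      - id: tf-plan
        name: Terraform Plan
        env:
          AMI_ID: ${{ needs.packer-build.outputs.ami_id }}
        working-directory: ./aws/test-ec2-secrets/terraform
        # The step may fail (exit 1) without aborting the job; the exit code is
        # recorded as an output so the later steps can gate on it.
        continue-on-error: true
        run: |
          # -detailed-exitcode: 0 = no changes, 1 = error, 2 = changes pending.
          if [ -z "${AMI_ID}" ]; then
            echo "::error::ami_id output from packer-build is empty"
            echo "exitcode=1" >> "${GITHUB_OUTPUT}"
            exit 1
          fi
          exitcode=0
          terraform plan \
            -var "ami_id=${AMI_ID}" -detailed-exitcode -no-color -out tfplan -input=false || exitcode=$?
          echo "exitcode=${exitcode}" >> "${GITHUB_OUTPUT}"
          if [ "${exitcode}" -eq 1 ]; then
            echo "Terraform Plan Failed!"
            exit 1
          fi
          exit 0

      - id: tf-apply-approval
        name: Manual Approval
        # Ask for approval only when the plan has pending changes (exit code 2);
        # a failed plan (1) or an empty plan (0) has nothing to approve.
        if: steps.tf-plan.outputs.exitcode == 2
        uses: trstringer/manual-approval@v1
        with:
          secret: ${{ github.TOKEN }}
          approvers: joostvdg
          minimum-approvals: 1
          issue-title: "Applying Terraform Plan - AMI ID: ${{ needs.packer-build.outputs.ami_id }}"
          issue-body: "Review the terraform plan, then approve or deny the deployment of ${{ needs.packer-build.outputs.ami_id }} AMI."
          # NOTE: with a single approver this must stay false, but it means the
          # person who triggered the run can also approve it (no separation of duties).
          exclude-workflow-initiator-as-approver: false

      # Apply the saved plan that was reviewed above. Options go before the
      # positional plan file. Pattern after:
      # https://github.com/camillehe1992/demo-for-aws-deployment-via-oidc/blob/main/.github/workflows/deploy.yaml
      - id: tf-apply
        name: Terraform apply
        if: steps.tf-plan.outputs.exitcode == 2
        working-directory: ./aws/test-ec2-secrets/terraform
        run: terraform apply -input=false -no-color -auto-approve tfplan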