From e0e5eec38cada06729afd798240819d6b06d64ea Mon Sep 17 00:00:00 2001
From: Andre Licht
Date: Wed, 23 Apr 2025 14:32:52 +0200
Subject: [PATCH 1/2] moved reusable Workflow to this repository

Signed-off-by: Andre Licht
---
 .../prod-stackit-terraform-10-launchpad.yaml | 2 +-
 ...rod-stackit-terraform-40-organization.yaml | 2 +-
 ...rraform-50-opsstack-agent-test-server.yaml | 2 +-
 ...terraform-50-prj-vpn-fw-test-firewall.yaml | 4 +-
 ...-stackit-terraform-50-team-iac-test01.yaml | 4 +-
 .../workflows/terraform-deploy-stackit.yaml | 164 ++++++++++++++++++
 6 files changed, 171 insertions(+), 7 deletions(-)
 create mode 100644 .github/workflows/terraform-deploy-stackit.yaml

diff --git a/.github/workflows/prod-stackit-terraform-10-launchpad.yaml b/.github/workflows/prod-stackit-terraform-10-launchpad.yaml
index 8a5f668..c034106 100644
--- a/.github/workflows/prod-stackit-terraform-10-launchpad.yaml
+++ b/.github/workflows/prod-stackit-terraform-10-launchpad.yaml
@@ -24,7 +24,7 @@ permissions:
 jobs:
 terraform:
 name: Terraform
- uses: cloudeteer/iac-deployment-framework/.github/workflows/terraform-deploy-stackit.yaml@wip/stackit
+ uses: ./.github/workflows/terraform-deploy-stackit.yaml
 with:
 directory: prod-stackit/terraform/10_launchpad
 terraform-force-unlock-id: ${{ github.event_name == 'workflow_dispatch' && inputs.terraform-force-unlock == true && inputs.terraform-force-unlock-id }}
diff --git a/.github/workflows/prod-stackit-terraform-40-organization.yaml b/.github/workflows/prod-stackit-terraform-40-organization.yaml
index 82d6e3b..165f235 100644
--- a/.github/workflows/prod-stackit-terraform-40-organization.yaml
+++ b/.github/workflows/prod-stackit-terraform-40-organization.yaml
@@ -24,7 +24,7 @@ permissions:
 jobs:
 terraform:
 name: Terraform
- uses: cloudeteer/iac-deployment-framework/.github/workflows/terraform-deploy-stackit.yaml@wip/stackit
+ uses: ./.github/workflows/terraform-deploy-stackit.yaml
 with:
 directory: prod-stackit/terraform/40_organization
 terraform-force-unlock-id: ${{ github.event_name == 'workflow_dispatch' && inputs.terraform-force-unlock == true && inputs.terraform-force-unlock-id }}
diff --git a/.github/workflows/prod-stackit-terraform-50-opsstack-agent-test-server.yaml b/.github/workflows/prod-stackit-terraform-50-opsstack-agent-test-server.yaml
index fe245e5..c8ee6fe 100644
--- a/.github/workflows/prod-stackit-terraform-50-opsstack-agent-test-server.yaml
+++ b/.github/workflows/prod-stackit-terraform-50-opsstack-agent-test-server.yaml
@@ -24,7 +24,7 @@ permissions:
 jobs:
 terraform:
 name: Terraform
- uses: cloudeteer/iac-deployment-framework/.github/workflows/terraform-deploy-stackit.yaml@wip/stackit
+ uses: ./.github/workflows/terraform-deploy-stackit.yaml
 with:
 directory: prod-stackit/terraform/50_projects/opsstack-agent-test-server
 terraform-force-unlock-id: ${{ github.event_name == 'workflow_dispatch' && inputs.terraform-force-unlock == true && inputs.terraform-force-unlock-id }}
diff --git a/.github/workflows/prod-stackit-terraform-50-prj-vpn-fw-test-firewall.yaml b/.github/workflows/prod-stackit-terraform-50-prj-vpn-fw-test-firewall.yaml
index 5ae5e86..1f822d7 100644
--- a/.github/workflows/prod-stackit-terraform-50-prj-vpn-fw-test-firewall.yaml
+++ b/.github/workflows/prod-stackit-terraform-50-prj-vpn-fw-test-firewall.yaml
@@ -15,7 +15,7 @@ on:
 pull_request:
 paths:
 - prod-stackit/terraform/50_projects/prj-vpn-fw-test-firewall/**
- - .github/workflows/prod-stackit-terraform-prj-vpn-fw-test-firewall.yaml
+ - .github/workflows/prod-stackit-terraform-50-prj-vpn-fw-test-firewall.yaml
 
 permissions:
 contents: read
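Review bot: The `pull_request.paths` filter in the `@@ -15,7 +15,7 @@` hunk still lists only the Terraform directory and the caller workflow itself, so a change to the now in-repo `.github/workflows/terraform-deploy-stackit.yaml` will not trigger a plan on a pull request even though every caller executes it through the local `uses:`; add `- .github/workflows/terraform-deploy-stackit.yaml` to that list. The same gap is in the corresponding hunk of `prod-stackit-terraform-50-team-iac-test01.yaml`, and presumably in the three other callers whose `on:` sections are not part of this patch. The `on:` block itself begins outside the hunk.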
@@ -24,7 +24,7 @@ permissions:
 jobs:
 terraform:
 name: Terraform
- uses: cloudeteer/iac-deployment-framework/.github/workflows/terraform-deploy-stackit.yaml@wip/stackit
+ uses: ./.github/workflows/terraform-deploy-stackit.yaml
 with:
 directory: prod-stackit/terraform/50_projects/prj-vpn-fw-test-firewall
 terraform-force-unlock-id: ${{ github.event_name == 'workflow_dispatch' && inputs.terraform-force-unlock == true && inputs.terraform-force-unlock-id }}
diff --git a/.github/workflows/prod-stackit-terraform-50-team-iac-test01.yaml b/.github/workflows/prod-stackit-terraform-50-team-iac-test01.yaml
index aef7b49..8f25fa7 100644
--- a/.github/workflows/prod-stackit-terraform-50-team-iac-test01.yaml
+++ b/.github/workflows/prod-stackit-terraform-50-team-iac-test01.yaml
@@ -15,7 +15,7 @@ on:
 pull_request:
 paths:
 - prod-stackit/terraform/50_projects/team-iac-test01/**
- - .github/workflows/prod-stackit-terraform-team-iac-test01.yaml
+ - .github/workflows/prod-stackit-terraform-50-team-iac-test01.yaml
 
 permissions:
 contents: read
@@ -24,7 +24,7 @@ permissions:
 jobs:
 terraform:
 name: Terraform
- uses: cloudeteer/iac-deployment-framework/.github/workflows/terraform-deploy-stackit.yaml@wip/stackit
+ uses: ./.github/workflows/terraform-deploy-stackit.yaml
 with:
 directory: prod-stackit/terraform/50_projects/team-iac-test01
 terraform-force-unlock-id: ${{ github.event_name == 'workflow_dispatch' && inputs.terraform-force-unlock == true && inputs.terraform-force-unlock-id }}
diff --git a/.github/workflows/terraform-deploy-stackit.yaml b/.github/workflows/terraform-deploy-stackit.yaml
new file mode 100644
index 0000000..5bd778a
--- /dev/null
+++ b/.github/workflows/terraform-deploy-stackit.yaml
@@ -0,0 +1,164 @@ +name: deploy + +on: + workflow_call: + inputs: + directory: + type: string + required: true + terraform-force-unlock: + default: false + description: Terraform force unlock + required: false + type: boolean + terraform-force-unlock-id: + description: Terraform LOCK_ID + required: false + type: string + env: + required: false + type: string + environment: + required: false + type: string + default: prod-stackit + secrets: + env: + required: false + stackit_service_account_key: + required: true + backend_s3_secret_key: + required: true + backend_s3_access_key: + required: true + +env: + # StackIT + TF_VAR_stackit_service_account_key: ${{ secrets.stackit_service_account_key }} + AWS_ACCESS_KEY_ID: ${{ secrets.backend_s3_access_key }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.backend_s3_secret_key }} + + # Working directory + CDT_IAC_WORKING_DIRECTORY: ${{ inputs.directory }} + + # Terraform Paramaters + TF_IN_AUTOMATION: true + TF_INPUT: false + TF_VERSION: ~1.10.0 + + # https://developer.hashicorp.com/terraform/cli/commands#upgrade-and-security-bulletin-checks + CHECKPOINT_DISABLE: true + +concurrency: + group: ${{ github.workflow }} + +permissions: + contents: read + id-token: write + +jobs: + plan: + name: Plan + environment: ${{ inputs.environment }} (plan) + runs-on: ubuntu-latest + outputs: + exitcode: ${{ steps.plan.outputs.exitcode }} + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Cache Setup + uses: actions/cache@v4 + with: + key: iac-deployment-framework:~/${{ env.CDT_IAC_WORKING_DIRECTORY }}#${{ hashFiles(format('{0}/{1}', env.CDT_IAC_WORKING_DIRECTORY, '/.terraform.lock.hcl')) }}@${{ runner.os }} + path: | + ${{ env.CDT_IAC_WORKING_DIRECTORY }}/.terraform + - name: Set environment variables from input + uses: cloudeteer/actions/set-env@main + with: + env: ${{ inputs.env }} + - name: Set environment variables from secrets + uses: cloudeteer/actions/set-env@main + with: + env: ${{ secrets.env }} + - name: Terraform Setup + 
uses: hashicorp/setup-terraform@v3 + with: + terraform_version: ${{ env.TF_VERSION }} + terraform_wrapper: false + - name: Terraform Init + working-directory: ${{ env.CDT_IAC_WORKING_DIRECTORY }} + run: terraform init + - name: Terraform State Force-Unlock + if: github.event_name == 'workflow_dispatch' && inputs.terraform-force-unlock == true + working-directory: ${{ env.CDT_IAC_WORKING_DIRECTORY }} + env: + LOCK_ID: ${{ inputs.terraform-force-unlock-id }} + run: | + if [ -z "$LOCK_ID" ]; then + echo "::debug::Workflow input 'terraform-force-unlock-id' is empty. Please provide a valid Terraform LOCK_ID." + exit 1 + fi + terraform force-unlock -force "$LOCK_ID" + echo "::notice::Terraform state file successfully unlocked." + - name: Terraform Plan + id: plan + working-directory: ${{ env.CDT_IAC_WORKING_DIRECTORY }} + run: | + set +e + terraform plan -out terraform.tfplan -detailed-exitcode + exitcode=$? + [ "$exitcode" -ne 2 ] && [ "$exitcode" -ne 0 ] && exit $exitcode + echo "exitcode=$exitcode" >> $GITHUB_OUTPUT + - name: Upload Artifact terraform.tfplan + uses: actions/upload-artifact@v4 + with: + name: terraform.tfplan + path: ${{ env.CDT_IAC_WORKING_DIRECTORY }}/terraform.tfplan + - name: Print status + run: | + if [ "${{ github.event.pull_request.draft }}" = "false" ] ; then + echo "::notice::The GitHub pull request that triggered this action is in draft status. As a result, the next apply step will be skipped." + fi + + if [ "${{ steps.plan.outputs.exitcode }}" == "0" ] ; then + echo "::notice::No changes. Your infrastructure matches the configuration." 
+ fi + apply: + if: ${{ !cancelled() && !failure() && github.event.pull_request.draft == false && needs.plan.outputs.exitcode == 2 }} + name: Apply + needs: plan + environment: ${{ inputs.environment }} + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Cache Setup + uses: actions/cache@v4 + with: + key: iac-deployment-framework:~/${{ env.CDT_IAC_WORKING_DIRECTORY }}#${{ hashFiles(format('{0}/{1}', env.CDT_IAC_WORKING_DIRECTORY, '/.terraform.lock.hcl')) }}@${{ runner.os }} + path: | + ${{ env.CDT_IAC_WORKING_DIRECTORY }}/.terraform + - name: Set environment variables from input + uses: cloudeteer/actions/set-env@main + with: + env: ${{ inputs.env }} + - name: Set environment variables from secrets + uses: cloudeteer/actions/set-env@main + with: + env: ${{ secrets.env }} + - name: Terraform Setup + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: ${{ env.TF_VERSION }} + terraform_wrapper: false + - name: Download Artifact terraform.tfplan + uses: actions/download-artifact@v4 + with: + name: terraform.tfplan + path: ${{ env.CDT_IAC_WORKING_DIRECTORY }} + - name: Terraform Init + working-directory: ${{ env.CDT_IAC_WORKING_DIRECTORY }} + run: terraform init + - name: Terraform Apply + working-directory: ${{ env.CDT_IAC_WORKING_DIRECTORY }} + run: terraform apply terraform.tfplan From f75ec17091b2df3a21f9a3671fe5a5c5d8516cf1 Mon Sep 17 00:00:00 2001 From: Andre Licht Date: Thu, 24 Apr 2025 14:17:57 +0200 Subject: [PATCH 2/2] change image-file reference to null-resource using curl Signed-off-by: Andre Licht --- .gitignore | 1 - .../team-iac-test01/modules/firewall/main.tf | 21 ++++++++++++++++--- .../modules/firewall/pfsense.qcow2 | 0 3 files changed, 18 insertions(+), 4 deletions(-) create mode 100644 prod-stackit/terraform/50_projects/team-iac-test01/modules/firewall/pfsense.qcow2 diff --git a/.gitignore b/.gitignore index 29352e4..097b28b 100644 --- a/.gitignore +++ b/.gitignore 
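Review bot: The `Print status` step's first condition is inverted: it tests `github.event.pull_request.draft` for `"false"` but prints the notice that the pull request *is* a draft and that apply will be skipped, the opposite of the `apply` job's gate `github.event.pull_request.draft == false`; change it to `if [ "${{ github.event.pull_request.draft }}" = "true" ] ; then`. Both jobs call `cloudeteer/actions/set-env@main` with `secrets.env` as input while the job environment already carries the service-account key and the S3 credentials, so an unpinned mutable ref executes with access to every secret; pinning it to a tag or commit SHA like the other actions in the file is the usual mitigation. The `apply` job's `if:` also admits ready-for-review `pull_request` events and, because GitHub's loose comparison appears to coerce `null == false` to true, every non-PR event as well, so production applies from unmerged branches rely entirely on the `prod-stackit` environment's protection rules — confirm that is intended and consider an explicit `github.event_name` check if not. Finally, `terraform.tfplan` is uploaded as an artifact with default retention; a plan file stores the plaintext of all variable values including sensitive ones, so a short `retention-days` and a comment above the `Upload Artifact terraform.tfplan` step noting that anyone with read access to Actions can download it would be worth adding.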
@@ -49,5 +49,4 @@ openrc key.json # Ignore volume images stored locally -*.qcow2 *.raw diff --git a/prod-stackit/terraform/50_projects/team-iac-test01/modules/firewall/main.tf b/prod-stackit/terraform/50_projects/team-iac-test01/modules/firewall/main.tf index d0a2ee8..8c06c72 100644 --- a/prod-stackit/terraform/50_projects/team-iac-test01/modules/firewall/main.tf +++ b/prod-stackit/terraform/50_projects/team-iac-test01/modules/firewall/main.tf @@ -1,15 +1,30 @@ +# Local copy of the Image +resource "null_resource" "pfsense_image_file" { + triggers = { + always_run = timestamp() + } + + provisioner "local-exec" { + command = "curl -o \"${path.module}/pfsense.qcow2\" https://pfsense.object.storage.eu01.onstackit.cloud/pfsense-ce-2.7.2-amd64-10-12-2024.qcow2" + } + lifecycle { + ignore_changes = all + } +} + resource "stackit_image" "this" { project_id = var.project_id labels = var.labels - name = "pfsense-ce-2.7.2-amd64-10-12-2024_stackit_image" disk_format = "qcow2" - local_file_path = "${path.module}/pfsense-ce-2.7.2-amd64-10-12-2024.qcow2" - + name = "pfsense-2.7.2-amd64-image" + local_file_path = "${path.module}/pfsense.qcow2" config = { # UEFI must be disabled for this image to boot correctly uefi = false } + + depends_on = [null_resource.pfsense_image_file] } resource "stackit_server" "this" { diff --git a/prod-stackit/terraform/50_projects/team-iac-test01/modules/firewall/pfsense.qcow2 b/prod-stackit/terraform/50_projects/team-iac-test01/modules/firewall/pfsense.qcow2 new file mode 100644 index 0000000..e69de29
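Review bot: The `curl` in the `local-exec` provisioner runs without `--fail`, so an HTTP error response would be written to `pfsense.qcow2` with exit status 0 and `stackit_image.this` would upload it as the firewall image; use `curl -fsSL -o ...`. Nothing verifies what was downloaded, and since the qcow2 is fetched at apply time from an external bucket, checking a pinned digest before the image resource consumes it (e.g. `echo "<EXPECTED_SHA256>  pfsense.qcow2" | sha256sum -c`, with the digest recorded in the module) would make the boot-image supply chain auditable. The `always_run = timestamp()` trigger is neutralised by `lifecycle { ignore_changes = all }`, so the provisioner runs only when the null_resource is first created; on any later apply where `stackit_image.this` must be re-created, a fresh runner will only have the committed placeholder, which is the empty blob (`e69de29`), unless the provider obtains the file some other way — confirm this is intended. Dropping `*.qcow2` from `.gitignore` to commit that placeholder also makes it easy to accidentally commit the real downloaded image; keeping the ignore rule and force-adding the placeholder, or pointing `local_file_path` at a path outside the repository, would avoid that.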