From 93f5a15aed144a4848113da8e23ede513e83c6a6 Mon Sep 17 00:00:00 2001 
From: NWarila <33955773+NWarila@users.noreply.github.com> Date: Sat, 20 Jun 2026 01:11:34 +0000 Subject: [PATCH] ci: adopt reusable deploy workflow and move inventory to terraform/ Switch the runner from the inline terraform.yml job to the framework's reusable deploy workflow (import-adoption + plan_only dry-runs), and move the repo inventory from repos/ to terraform/ to match the reusable's overlay path. Pull requests now run a no-apply plan; push to main applies. --- .github/workflows/terraform.yml | 130 +++--------------- .gitignore | 10 +- terraform/private/.gitkeep | 0 {repos => terraform}/public/.github.yml | 0 .../public/ansible-framework.yml | 0 .../public/aws-terraform-framework.yml | 0 .../public/batch-powershell-polyglot.yml | 0 .../public/github-terraform-framework.yml | 0 .../public/github-terraform-runner.yml | 0 .../public/proxmox-cluster.yml | 0 .../public/proxmox-packer-framework.yml | 0 .../public/proxmox-terraform-framework.yml | 0 .../public/proxmox-vm-terraform-framework.yml | 0 .../public/rancher-terraform-framework.yml | 0 .../public/secure-packer-bootstrapper.yml | 0 .../public/secure-rockylinux9-template.yml | 0 .../public/start-uninstaller.yml | 0 {repos => terraform}/public/talos-cluster.yml | 0 {repos => terraform}/public/targetstate.yml | 0 ...erraform-proxmox-iso-manager-framework.yml | 0 .../public/ubi9-aws-signing-helper.yml | 0 .../public/ubi9-hashicorp-vault.yml | 0 .../windows-certificate-store-exporter.yml | 0 23 files changed, 24 insertions(+), 116 deletions(-) create mode 100644 terraform/private/.gitkeep rename {repos => terraform}/public/.github.yml (100%) rename {repos => terraform}/public/ansible-framework.yml (100%) rename {repos => terraform}/public/aws-terraform-framework.yml (100%) rename {repos => terraform}/public/batch-powershell-polyglot.yml (100%) rename {repos => terraform}/public/github-terraform-framework.yml (100%) rename {repos => terraform}/public/github-terraform-runner.yml (100%) rename {repos => 
terraform}/public/proxmox-cluster.yml (100%) rename {repos => terraform}/public/proxmox-packer-framework.yml (100%) rename {repos => terraform}/public/proxmox-terraform-framework.yml (100%) rename {repos => terraform}/public/proxmox-vm-terraform-framework.yml (100%) rename {repos => terraform}/public/rancher-terraform-framework.yml (100%) rename {repos => terraform}/public/secure-packer-bootstrapper.yml (100%) rename {repos => terraform}/public/secure-rockylinux9-template.yml (100%) rename {repos => terraform}/public/start-uninstaller.yml (100%) rename {repos => terraform}/public/talos-cluster.yml (100%) rename {repos => terraform}/public/targetstate.yml (100%) rename {repos => terraform}/public/terraform-proxmox-iso-manager-framework.yml (100%) rename {repos => terraform}/public/ubi9-aws-signing-helper.yml (100%) rename {repos => terraform}/public/ubi9-hashicorp-vault.yml (100%) rename {repos => terraform}/public/windows-certificate-store-exporter.yml (100%)
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
index aa6b3fb..63d67e2 100644
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@@ -1,21 +1,13 @@
-name: 'Deploy GitHub Terraform'
+name: Deploy GitHub Terraform
 
 on:
- workflow_dispatch:
- inputs:
- skip_refresh:
- description: >-
- One-time heal only. Runs plan/apply with -refresh=false to clear
- phantom state (repos deleted out-of-band that remain in state and make
- the normal refresh 404). Skips drift detection for this run — use
- solely to recover a plan that fails on 404 refresh errors, then return
- to normal runs.
- type: boolean
- default: false
 push:
 branches: [main]
- paths:
- - "repos/**"
+ paths: ['terraform/**']
+ pull_request:
+ branches: [main]
+ paths: ['terraform/**']
+ workflow_dispatch:
 
 permissions:
 contents: read
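Review bot: The new `paths` filters on both `push` and `pull_request` cover only `terraform/**`, so a change to `.github/workflows/terraform.yml` alone — in particular a bump of the reusable-workflow SHA or `framework_ref` — triggers neither the PR dry-run nor the main apply, and a new pin is first exercised only by whatever inventory change happens to come next. Add the workflow file to both lists: `paths: ['terraform/**', '.github/workflows/terraform.yml']`. Note also that with `pull_request` (as opposed to `pull_request_target`) GitHub withholds repository secrets and the OIDC id-token from fork-originated runs, so if this repo accepts fork PRs those runs will fail at credential setup rather than produce a plan; that is the safe failure mode, and switching to `pull_request_target` to "fix" it would hand the secrets to fork-controlled `terraform/**` content.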
@@ -26,100 +18,16 @@ concurrency: cancel-in-progress: false jobs: - terraform: - runs-on: ubuntu-latest - env: - TF_VAR_github_owner: "nwarila-platform" - TF_VAR_github_token: "${{ secrets.FINE_GRAINED_PERSONAL_ACCESS_TOKEN }}" - - steps: - - name: 'Initialize Temporary AWS Credentials (via OIDC)' - uses: 'aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7' # v6.0.0 - with: - role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} - aws-region: ${{ secrets.AWS_REGION }} - mask-aws-account-id: true - - - name: 'Checkout This Repository' - uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # v5.0.0 - with: - repository: "${{ github.repository }}" - ref: '${{ github.sha }}' - path: '${{ github.event.repository.name }}' - - - name: "Checkout The 'GitHub Terraform Framework' Repository" - uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # v5.0.0 - with: - repository: 'nwarila-platform/github-terraform-framework' - ref: 'main' - path: 'github-terraform-framework' - - - name: 'Download Private Repo Definitions from S3' - run: | - # Sync every *.yml / *.yaml under the private-repos prefix. Keeping - # repo names out of this workflow is intentional — the names are - # private metadata and live only in the private S3 prefix. New repo - # YAMLs are picked up automatically without touching this file. - # Non-YAML objects in the prefix are filtered out. - DEST="${{ github.workspace }}/${{ github.event.repository.name }}/repos/private" - SRC="s3://${{ secrets.AWS_S3_BUCKET }}/nwarila-platform/${{ github.event.repository.name }}/repos" - mkdir -p "$DEST" - aws s3 sync "$SRC/" "$DEST/" \ - --exclude "*" \ - --include "*.yml" \ - --include "*.yaml" \ - --only-show-errors - echo "Downloaded $(ls -1 "$DEST" 2>/dev/null | wc -l) private repo definitions." 
- - - name: 'Assemble Workspace' - run: | - cp -r "${{ github.workspace }}/${{ github.event.repository.name }}/repos/public/"* "${{ github.workspace }}/github-terraform-framework/terraform/repos/public/" 2>/dev/null || true - cp -r "${{ github.workspace }}/${{ github.event.repository.name }}/repos/private/"* "${{ github.workspace }}/github-terraform-framework/terraform/repos/private/" 2>/dev/null || true - - - name: 'Setup Terraform' - uses: 'hashicorp/setup-terraform@v3' - with: - terraform_version: "1.15.4" - - - name: 'Terraform Init' - working-directory: "${{ github.workspace }}/github-terraform-framework/terraform" - run: | - terraform init \ - -backend-config="bucket=${{ secrets.AWS_S3_BUCKET }}" \ - -backend-config="encrypt=true" \ - -backend-config="key=nwarila-platform/${{ github.event.repository.name }}/terraform.tfstate" \ - -backend-config="region=${{ secrets.AWS_REGION }}" - - - name: 'Terraform Validate' - working-directory: "${{ github.workspace }}/github-terraform-framework/terraform" - run: terraform validate - - - name: 'Terraform Plan' - working-directory: "${{ github.workspace }}/github-terraform-framework/terraform" - run: | - REFRESH_FLAG="" - if [ "${{ github.event_name }}" = "workflow_dispatch" ] && [ "${{ inputs.skip_refresh }}" = "true" ]; then - REFRESH_FLAG="-refresh=false" - echo "::warning::Terraform Plan running with -refresh=false (one-time phantom-state heal); drift detection is skipped this run." 
- fi - terraform plan ${REFRESH_FLAG} -out=tfplan - terraform show -no-color tfplan > plan-output.txt - - - name: 'Archive Plan Output' - uses: 'actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02' # v4.6.2 - if: always() - with: - name: terraform-plan-${{ github.sha }} - path: "${{ github.workspace }}/github-terraform-framework/terraform/plan-output.txt" - retention-days: 90 - - - name: 'Terraform Apply' - working-directory: "${{ github.workspace }}/github-terraform-framework/terraform" - run: terraform apply -auto-approve tfplan - - - name: 'Cleanup Workspace' - if: always() - run: | - rm -f "${{ github.workspace }}/github-terraform-framework/terraform/tfplan" - rm -rf "${{ github.workspace }}/${{ github.event.repository.name }}" - rm -rf "${{ github.workspace }}/github-terraform-framework" + deploy: + uses: nwarila-platform/github-terraform-framework/.github/workflows/reusable-terraform-deploy.yaml@37602cb8ff5d22aaebf4011eb02639de2ddbd6e3 + with: + github_owner: ${{ github.repository_owner }} + framework_ref: 37602cb8ff5d22aaebf4011eb02639de2ddbd6e3 + terraform_version: "1.15.4" + private_repos_files: ${{ vars.PRIVATE_REPOS_FILES }} + plan_only: ${{ github.event_name == 'pull_request' }} + secrets: + aws_role_arn: ${{ secrets.AWS_ROLE_TO_ASSUME }} + aws_region: ${{ secrets.AWS_REGION }} + backend_bucket: ${{ secrets.AWS_S3_BUCKET }} + gh_token: ${{ secrets.FINE_GRAINED_PERSONAL_ACCESS_TOKEN }} diff --git a/.gitignore b/.gitignore index b915180..5d6fed3 100644 --- a/.gitignore +++ b/.gitignore @@ -7,8 +7,8 @@ !/.github/** # Keep repo definition YAMLs (public only; private YAMLs live in S3). -!/repos/ -!/repos/public/ -!/repos/public/** -!/repos/private/ -!/repos/private/.gitkeep +!/terraform/ +!/terraform/public/ +!/terraform/public/** +!/terraform/private/ +!/terraform/private/.gitkeep diff --git a/terraform/private/.gitkeep b/terraform/private/.gitkeep new file mode 100644 index 0000000..e69de29 
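Review bot: The `secrets:` block hands the same `AWS_ROLE_TO_ASSUME` and `FINE_GRAINED_PERSONAL_ACCESS_TOKEN` to pull_request plan runs as to main applies, so `plan_only` is the only thing keeping a same-repo PR branch — whose `terraform/**` overlay it controls — away from the apply-capable role and the state bucket, although a plan needs only read (and, presumably, lock) access. Consider a separate read-only role for PR runs, `aws_role_arn: ${{ github.event_name == 'pull_request' && secrets.AWS_PLAN_ROLE_ARN || secrets.AWS_ROLE_TO_ASSUME }}`, and in either case check the role's OIDC trust policy: if its `sub` condition is pinned to `ref:refs/heads/main`, PR runs (sub `…:pull_request`) will fail at credential setup, and if it is a repo-wide wildcard, the apply role is reachable from any branch. `private_repos_files: ${{ vars.PRIVATE_REPOS_FILES }}` is an Actions variable, which is plaintext and not masked in logs — if it holds the private repo names that the removed S3 step's comment treated as private metadata, that is a visibility regression relative to the S3-only prefix; confirm what the variable contains and move it to a secret (or a path glob) if it names repos. Finally, `framework_ref` must be kept equal to the SHA in `uses:` by hand; a comment such as `# must match the SHA pinned in uses: above` on the `framework_ref` line would make that coupling explicit.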
diff --git a/repos/public/.github.yml b/terraform/public/.github.yml similarity index 100% rename from repos/public/.github.yml rename to terraform/public/.github.yml diff --git a/repos/public/ansible-framework.yml b/terraform/public/ansible-framework.yml similarity index 100% rename from repos/public/ansible-framework.yml rename to terraform/public/ansible-framework.yml diff --git a/repos/public/aws-terraform-framework.yml b/terraform/public/aws-terraform-framework.yml similarity index 100% rename from repos/public/aws-terraform-framework.yml rename to terraform/public/aws-terraform-framework.yml diff --git a/repos/public/batch-powershell-polyglot.yml b/terraform/public/batch-powershell-polyglot.yml similarity index 100% rename from repos/public/batch-powershell-polyglot.yml rename to terraform/public/batch-powershell-polyglot.yml diff --git a/repos/public/github-terraform-framework.yml b/terraform/public/github-terraform-framework.yml similarity index 100% rename from repos/public/github-terraform-framework.yml rename to terraform/public/github-terraform-framework.yml diff --git a/repos/public/github-terraform-runner.yml b/terraform/public/github-terraform-runner.yml similarity index 100% rename from repos/public/github-terraform-runner.yml rename to terraform/public/github-terraform-runner.yml diff --git a/repos/public/proxmox-cluster.yml b/terraform/public/proxmox-cluster.yml similarity index 100% rename from repos/public/proxmox-cluster.yml rename to terraform/public/proxmox-cluster.yml diff --git a/repos/public/proxmox-packer-framework.yml b/terraform/public/proxmox-packer-framework.yml similarity index 100% rename from repos/public/proxmox-packer-framework.yml rename to terraform/public/proxmox-packer-framework.yml diff --git a/repos/public/proxmox-terraform-framework.yml b/terraform/public/proxmox-terraform-framework.yml similarity index 100% rename from repos/public/proxmox-terraform-framework.yml rename to terraform/public/proxmox-terraform-framework.yml 
diff --git a/repos/public/proxmox-vm-terraform-framework.yml b/terraform/public/proxmox-vm-terraform-framework.yml similarity index 100% rename from repos/public/proxmox-vm-terraform-framework.yml rename to terraform/public/proxmox-vm-terraform-framework.yml diff --git a/repos/public/rancher-terraform-framework.yml b/terraform/public/rancher-terraform-framework.yml similarity index 100% rename from repos/public/rancher-terraform-framework.yml rename to terraform/public/rancher-terraform-framework.yml diff --git a/repos/public/secure-packer-bootstrapper.yml b/terraform/public/secure-packer-bootstrapper.yml similarity index 100% rename from repos/public/secure-packer-bootstrapper.yml rename to terraform/public/secure-packer-bootstrapper.yml diff --git a/repos/public/secure-rockylinux9-template.yml b/terraform/public/secure-rockylinux9-template.yml similarity index 100% rename from repos/public/secure-rockylinux9-template.yml rename to terraform/public/secure-rockylinux9-template.yml diff --git a/repos/public/start-uninstaller.yml b/terraform/public/start-uninstaller.yml similarity index 100% rename from repos/public/start-uninstaller.yml rename to terraform/public/start-uninstaller.yml diff --git a/repos/public/talos-cluster.yml b/terraform/public/talos-cluster.yml similarity index 100% rename from repos/public/talos-cluster.yml rename to terraform/public/talos-cluster.yml diff --git a/repos/public/targetstate.yml b/terraform/public/targetstate.yml similarity index 100% rename from repos/public/targetstate.yml rename to terraform/public/targetstate.yml diff --git a/repos/public/terraform-proxmox-iso-manager-framework.yml b/terraform/public/terraform-proxmox-iso-manager-framework.yml similarity index 100% rename from repos/public/terraform-proxmox-iso-manager-framework.yml rename to terraform/public/terraform-proxmox-iso-manager-framework.yml 
diff --git a/repos/public/ubi9-aws-signing-helper.yml b/terraform/public/ubi9-aws-signing-helper.yml similarity index 100% rename from repos/public/ubi9-aws-signing-helper.yml rename to terraform/public/ubi9-aws-signing-helper.yml diff --git a/repos/public/ubi9-hashicorp-vault.yml b/terraform/public/ubi9-hashicorp-vault.yml similarity index 100% rename from repos/public/ubi9-hashicorp-vault.yml rename to terraform/public/ubi9-hashicorp-vault.yml diff --git a/repos/public/windows-certificate-store-exporter.yml b/terraform/public/windows-certificate-store-exporter.yml similarity index 100% rename from repos/public/windows-certificate-store-exporter.yml rename to terraform/public/windows-certificate-store-exporter.yml