diff --git a/.github/actions/rosa-cleanup-clusters/README.md b/.github/actions/rosa-cleanup-clusters/README.md new file mode 100644 index 0000000..59c37cc --- /dev/null +++ b/.github/actions/rosa-cleanup-clusters/README.md @@ -0,0 +1,43 @@ +# Delete ROSA Clusters + +## Description + +This GitHub Action automates the deletion of ROSA (Red Hat OpenShift Service on AWS) clusters using a shell script. + + +## Inputs + +| name | description | required | default | +| --- | --- | --- | --- | +| `tf-bucket` |

Bucket containing the clusters states

| `true` | `""` | +| `tf-bucket-region` |

Region of the bucket containing the resources states, if not set, will fallback on AWS_REGION

| `false` | `""` | +| `max-age-hours-cluster` |

Maximum age of clusters in hours

| `false` | `20` | + + +## Runs + +This action is a `composite` action. + +## Usage + +```yaml +- uses: camunda/camunda-tf-rosa/.github/actions/rosa-cleanup-clusters@main + with: + tf-bucket: + # Bucket containing the clusters states + # + # Required: true + # Default: "" + + tf-bucket-region: + # Region of the bucket containing the resources states, if not set, will fallback on AWS_REGION + # + # Required: false + # Default: "" + + max-age-hours-cluster: + # Maximum age of clusters in hours + # + # Required: false + # Default: 20 +``` diff --git a/.github/actions/rosa-cleanup-clusters/action.yml b/.github/actions/rosa-cleanup-clusters/action.yml index 3e65342..a197477 100644 --- a/.github/actions/rosa-cleanup-clusters/action.yml +++ b/.github/actions/rosa-cleanup-clusters/action.yml 
@@ -1,28 +1,30 @@ +--- name: Delete ROSA Clusters description: | - This GitHub Action automates the deletion of ROSA (Red Hat OpenShift Service on AWS) clusters using a shell script. + This GitHub Action automates the deletion of ROSA (Red Hat OpenShift Service on AWS) clusters using a shell script. inputs: - tf-bucket: - description: 'Bucket containing the clusters states' - required: true - tf-bucket-region: - description: 'Region of the bucket containing the resources states, if not set, will fallback on AWS_REGION' - max-age-hours-cluster: - description: 'Maximum age of clusters in hours' - required: false - default: "20" + tf-bucket: + description: Bucket containing the clusters states + required: true + tf-bucket-region: + description: Region of the bucket containing the resources states, if not set, will fallback on AWS_REGION + max-age-hours-cluster: + description: Maximum age of clusters in hours + required: false + default: '20' runs: - using: 'composite' - steps: - - name: Delete clusters - id: delete_clusters - shell: bash - run: | - if [ -n "${{ inputs.tf-bucket-region }}" ]; then - export AWS_S3_REGION="${{ inputs.tf-bucket-region }}" - fi + using: composite + steps: + - name: Delete clusters + id: delete_clusters + shell: bash + run: | + if [ -n "${{ inputs.tf-bucket-region }}" ]; then + export AWS_S3_REGION="${{ inputs.tf-bucket-region }}" + fi - ${{ github.action_path }}/scripts/destroy-clusters.sh "${{ inputs.tf-bucket }}" ${{ github.action_path }}/../../../modules/rosa-hcp/ /tmp/rosa/ ${{ inputs.max-age-hours-cluster }} + ${{ github.action_path }}/scripts/destroy-clusters.sh "${{ inputs.tf-bucket }}" \ + ${{ github.action_path }}/../../../modules/rosa-hcp/ /tmp/rosa/ ${{ inputs.max-age-hours-cluster }} diff --git a/.github/actions/rosa-create-cluster/README.md b/.github/actions/rosa-create-cluster/README.md index 07da879..1b83d59 100644 --- a/.github/actions/rosa-create-cluster/README.md +++ b/.github/actions/rosa-create-cluster/README.md 
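Review bot: The rewritten `run:` still splices `${{ inputs.tf-bucket-region }}`, `${{ inputs.tf-bucket }}` and `${{ inputs.max-age-hours-cluster }}` into the bash script text, so any caller that forwards an untrusted value (a workflow_dispatch input, a PR title, an issue field) into one of them can inject shell commands into a step that runs with the job's AWS credentials and deletes clusters; `max-age-hours-cluster` is also unquoted, so a value containing whitespace becomes extra positional arguments to `destroy-clusters.sh`. Hand the inputs to the step through `env:` and reference them as quoted shell variables so the script text is constant regardless of the values, as sketched below. The `'20'` default is presumably treated as an integer by `destroy-clusters.sh`, which is not in this diff, so a guard such as `case "$MAX_AGE_HOURS" in ''|*[!0-9]*) echo "max-age-hours-cluster must be an integer" >&2; exit 1;; esac` before the call would stop a non-numeric value from reaching whatever arithmetic the script does with it.
```yaml
    - name: Delete clusters
      id: delete_clusters
      shell: bash
      env:
        TF_BUCKET: ${{ inputs.tf-bucket }}
        TF_BUCKET_REGION: ${{ inputs.tf-bucket-region }}
        MAX_AGE_HOURS: ${{ inputs.max-age-hours-cluster }}
      run: |
        if [ -n "$TF_BUCKET_REGION" ]; then
          export AWS_S3_REGION="$TF_BUCKET_REGION"
        fi
        "${{ github.action_path }}/scripts/destroy-clusters.sh" "$TF_BUCKET" \
          "${{ github.action_path }}/../../../modules/rosa-hcp/" /tmp/rosa/ "$MAX_AGE_HOURS"
```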
@@ -1,68 +1,164 @@ -# Deploy ROSA HCP Cluster GitHub Action +# Deploy ROSA HCP Cluster + +## Description + +This GitHub Action automates the deployment of a ROSA (Red Hat OpenShift Service on AWS) cluster using Terraform. +This action will also install oc, awscli, rosa cli. +The kube context will be set on the created cluster. -This GitHub Action automates the deployment of a ROSA (Red Hat OpenShift Service on AWS) cluster using Terraform. It also installs `oc`, `awscli`, and `rosa` CLI tools. ## Inputs -| Input | Description | Required | Default | -|---------------------|--------------------------------------------------------------|----------|------------------| -| `rh-token` | Red Hat Hybrid Cloud Console Token | true | | -| `cluster-name` | Name of the ROSA cluster to deploy | true | | -| `admin-password` | Admin password for the ROSA cluster | true | | -| `admin-username` | Admin username for the ROSA cluster | false | `kube-admin` | -| `aws-region` | AWS region where the ROSA cluster will be deployed | true | | -| `rosa-cli-version` | Version of the ROSA CLI to use | false | `latest` | -| `awscli-version` | Version of the AWS CLI to use | false | __see `action.yml`__ | -| `openshift-version` | Version of the OpenShift to install | false | __see `action.yml`__ | -| `replicas` | Number of replicas for the ROSA cluster | false | `2` | -| `s3-backend-bucket` | Name of the S3 bucket to store Terraform state | true | | -| `s3-bucket-region` | Region of the bucket containing the resources states, if not set, will fallback on `aws-region` | false | | -| `tf-modules-revision`| Git revision of the Terraform modules to use | false | `main` | -| `tf-modules-path` | Path where the Terraform ROSA modules will be cloned | false | `./.action-tf-modules/rosa/` | -| `login` | Authenticate the current kube context on the created cluster | false | `true` | -| `tf-cli-config-credentials-hostname` | The hostname of a HCP Terraform/Terraform Enterprise instance to place within the 
credentials block of the Terraform CLI configuration file. Defaults to `app.terraform.io`. | false | `app.terraform.io` | -| `tf-cli-config-credentials-token` | The API token for a HCP Terraform/Terraform Enterprise instance to place within the credentials block of the Terraform CLI configuration file. | false | | -| `tf-terraform-version` | The version of Terraform CLI to install. Defaults to `latest`. | false | `latest` | -| `tf-terraform-wrapper` | Whether or not to install a wrapper to wrap subsequent calls of the `terraform` binary and expose its STDOUT, STDERR, and exit code as outputs named `stdout`, `stderr`, and `exitcode` respectively. Defaults to `true`. | false | `true` | +| name | description | required | default | +| --- | --- | --- | --- | +| `rh-token` |

Red Hat Hybrid Cloud Console Token

| `true` | `""` | +| `cluster-name` |

Name of the ROSA cluster to deploy

| `true` | `""` | +| `admin-password` |

Admin password for the ROSA cluster

| `true` | `""` | +| `admin-username` |

Admin username for the ROSA cluster

| `true` | `kube-admin` | +| `aws-region` |

AWS region where the ROSA cluster will be deployed

| `true` | `""` | +| `rosa-cli-version` |

Version of the ROSA CLI to use

| `true` | `latest` | +| `awscli-version` |

Version of the aws cli to use

| `true` | `2.15.52` | +| `openshift-version` |

Version of the OpenShift to install

| `true` | `4.16.10` | +| `replicas` |

Number of replicas for the ROSA cluster

| `true` | `2` | +| `s3-backend-bucket` |

Name of the S3 bucket to store Terraform state

| `true` | `""` | +| `s3-bucket-region` |

Region of the bucket containing the resources states, if not set, will fallback on aws-region

| `false` | `""` | +| `tf-modules-revision` |

Git revision of the tf modules to use

| `true` | `main` | +| `tf-modules-path` |

Path where the tf rosa modules will be cloned

| `true` | `./.action-tf-modules/rosa/` | +| `login` |

Authenticate the current kube context on the created cluster

| `true` | `true` | +| `tf-cli-config-credentials-hostname` |

The hostname of a HCP Terraform/Terraform Enterprise instance to place within the credentials block of the Terraform CLI configuration file. Defaults to app.terraform.io.

| `false` | `app.terraform.io` | +| `tf-cli-config-credentials-token` |

The API token for a HCP Terraform/Terraform Enterprise instance to place within the credentials block of the Terraform CLI configuration file.

| `false` | `""` | +| `tf-terraform-version` |

The version of Terraform CLI to install. Instead of full version string you can also specify constraint string starting with "<" (for example <1.13.0) to install the latest version satisfying the constraint. A value of latest will install the latest version of Terraform CLI. Defaults to latest.

| `false` | `latest` | +| `tf-terraform-wrapper` |

Whether or not to install a wrapper to wrap subsequent calls of the terraform binary and expose its STDOUT, STDERR, and exit code as outputs named stdout, stderr, and exitcode respectively. Defaults to true.

| `false` | `true` | + ## Outputs -| Output | Description | -|--------------------------|------------------------------------------------------------| -| `openshift-server-api` | The server API URL of the deployed ROSA cluster | -| `openshift-cluster-id` | The ID of the deployed ROSA cluster | -| `terraform-state-url` | URL of the Terraform state file in the S3 bucket | +| name | description | +| --- | --- | +| `openshift-server-api` |

The server API URL of the deployed ROSA cluster

| +| `openshift-cluster-id` |

The ID of the deployed ROSA cluster

| +| `terraform-state-url` |

URL of the Terraform state file in the S3 bucket

| -## Usage -This action is idempotent and can be re-run without affecting the existing cluster, following the principles of Terraform. +## Runs + +This action is a `composite` action. -Create a file in your repository's `.github/workflows` directory, for example `deploy-rosa-hcp.yml`, with the following content: +## Usage ```yaml -name: Deploy ROSA HCP Cluster - -on: - pull_request: - -jobs: - deploy: - runs-on: ubuntu-latest - steps: - - name: Add profile credentials to ~/.aws/credentials - run: | - aws configure set aws_access_key_id ${{ secrets.AWS_ACCESS_KEY }} --profile ${{ env.AWS_PROFILE }} - aws configure set aws_secret_access_key ${{ secrets.AWS_SECRET_KEY }} --profile ${{ env.AWS_PROFILE }} - aws configure set region ${{ env.AWS_REGION }} --profile ${{ env.AWS_PROFILE }} - - - name: Deploy ROSA HCP Cluster - uses: camunda/camunda-tf-rosa/.github/actions/rosa-create-cluster@main - id: create_cluster - with: - rh-token: ${{ secrets.RH_OPENSHIFT_TOKEN }} - cluster-name: "my-ocp-cluster" - admin-username: "kube-admin" - admin-password: ${{ secrets.CI_OPENSHIFT_MAIN_PASSWORD }} - aws-region: "us-west-2" - s3-backend-bucket: ${{ secrets.TF_S3_BUCKET }} +- uses: camunda/camunda-tf-rosa/.github/actions/rosa-create-cluster@main + with: + rh-token: + # Red Hat Hybrid Cloud Console Token + # + # Required: true + # Default: "" + + cluster-name: + # Name of the ROSA cluster to deploy + # + # Required: true + # Default: "" + + admin-password: + # Admin password for the ROSA cluster + # + # Required: true + # Default: "" + + admin-username: + # Admin username for the ROSA cluster + # + # Required: true + # Default: kube-admin + + aws-region: + # AWS region where the ROSA cluster will be deployed + # + # Required: true + # Default: "" + + rosa-cli-version: + # Version of the ROSA CLI to use + # + # Required: true + # Default: latest + + awscli-version: + # Version of the aws cli to use + # + # Required: true + # Default: 2.15.52 + + openshift-version: + # Version of the 
OpenShift to install + # + # Required: true + # Default: 4.16.10 + + replicas: + # Number of replicas for the ROSA cluster + # + # Required: true + # Default: 2 + + s3-backend-bucket: + # Name of the S3 bucket to store Terraform state + # + # Required: true + # Default: "" + + s3-bucket-region: + # Region of the bucket containing the resources states, if not set, will fallback on aws-region + # + # Required: false + # Default: "" + + tf-modules-revision: + # Git revision of the tf modules to use + # + # Required: true + # Default: main + + tf-modules-path: + # Path where the tf rosa modules will be cloned + # + # Required: true + # Default: ./.action-tf-modules/rosa/ + + login: + # Authenticate the current kube context on the created cluster + # + # Required: true + # Default: true + + tf-cli-config-credentials-hostname: + # The hostname of a HCP Terraform/Terraform Enterprise instance to place within the credentials block of the Terraform CLI configuration + # file. Defaults to `app.terraform.io`. + # + # Required: false + # Default: app.terraform.io + + tf-cli-config-credentials-token: + # The API token for a HCP Terraform/Terraform Enterprise instance to place within the credentials block of the Terraform CLI configuration + # file. + # + # Required: false + # Default: "" + + tf-terraform-version: + # The version of Terraform CLI to install. Instead of full version string you can also specify constraint string starting with "<" (for + # example `<1.13.0`) to install the latest version satisfying the constraint. A value of `latest` will install the latest version of Terraform + # CLI. Defaults to `latest`. + # + # Required: false + # Default: latest + + tf-terraform-wrapper: + # Whether or not to install a wrapper to wrap subsequent calls of the `terraform` binary and expose its STDOUT, STDERR, and exit code + # as outputs named `stdout`, `stderr`, and `exitcode` respectively. Defaults to `true`. + # + # Required: false + # Default: true ``` 
diff --git a/.github/actions/rosa-create-cluster/action.yml b/.github/actions/rosa-create-cluster/action.yml index 511c8d7..460b4f9 100644 --- a/.github/actions/rosa-create-cluster/action.yml +++ b/.github/actions/rosa-create-cluster/action.yml 
@@ -1,243 +1,268 @@ +--- name: Deploy ROSA HCP Cluster description: | - This GitHub Action automates the deployment of a ROSA (Red Hat OpenShift Service on AWS) cluster using Terraform. - This action will also install oc, awscli, rosa cli. - The kube context will be set on the created cluster. + This GitHub Action automates the deployment of a ROSA (Red Hat OpenShift Service on AWS) cluster using Terraform. + This action will also install oc, awscli, rosa cli. + The kube context will be set on the created cluster. inputs: - rh-token: - description: 'Red Hat Hybrid Cloud Console Token' - required: true - cluster-name: - description: 'Name of the ROSA cluster to deploy' - required: true - admin-password: - description: 'Admin password for the ROSA cluster' - required: true - admin-username: - description: 'Admin username for the ROSA cluster' - default: "kube-admin" - required: true - aws-region: - description: 'AWS region where the ROSA cluster will be deployed' - required: true - rosa-cli-version: - description: 'Version of the ROSA CLI to use' - required: true - default: "latest" - awscli-version: - description: 'Version of the aws cli to use' - required: true - # renovate: datasource=github-releases depName=aws/aws-cli - default: "2.15.52" - openshift-version: - description: 'Version of the OpenShift to install' - required: true - # renovate: datasource=custom.rosa-camunda depName=red-hat-openshift versioning=semver - default: "4.16.10" - replicas: - description: 'Number of replicas for the ROSA cluster' - required: true - default: "2" - s3-backend-bucket: - description: 'Name of the S3 bucket to store Terraform state' - required: true - s3-bucket-region: - description: 'Region of the bucket containing the resources states, if not set, will fallback on aws-region' - tf-modules-revision: - description: 'Git revision of the tf modules to use' - default: 'main' - required: true - tf-modules-path: - description: 'Path where the tf rosa modules will be cloned' - 
default: './.action-tf-modules/rosa/' - required: true - login: - description: 'Authenticate the current kube context on the created cluster' - default: "true" - required: true - - # inherited from https://github.com/hashicorp/setup-terraform/blob/main/action.yml - tf-cli-config-credentials-hostname: - description: 'The hostname of a HCP Terraform/Terraform Enterprise instance to place within the credentials block of the Terraform CLI configuration file. Defaults to `app.terraform.io`.' - default: 'app.terraform.io' - required: false - tf-cli-config-credentials-token: - description: 'The API token for a HCP Terraform/Terraform Enterprise instance to place within the credentials block of the Terraform CLI configuration file.' - required: false - tf-terraform-version: - description: 'The version of Terraform CLI to install. Instead of full version string you can also specify constraint string starting with "<" (for example `<1.13.0`) to install the latest version satisfying the constraint. A value of `latest` will install the latest version of Terraform CLI. Defaults to `latest`.' - default: 'latest' - required: false - tf-terraform-wrapper: - description: 'Whether or not to install a wrapper to wrap subsequent calls of the `terraform` binary and expose its STDOUT, STDERR, and exit code as outputs named `stdout`, `stderr`, and `exitcode` respectively. Defaults to `true`.' 
- default: 'true' - required: false + rh-token: + description: Red Hat Hybrid Cloud Console Token + required: true + cluster-name: + description: Name of the ROSA cluster to deploy + required: true + admin-password: + description: Admin password for the ROSA cluster + required: true + admin-username: + description: Admin username for the ROSA cluster + default: kube-admin + required: true + aws-region: + description: AWS region where the ROSA cluster will be deployed + required: true + rosa-cli-version: + description: Version of the ROSA CLI to use + required: true + default: latest + awscli-version: + description: Version of the aws cli to use + required: true + # renovate: datasource=github-releases depName=aws/aws-cli + default: 2.15.52 + openshift-version: + description: Version of the OpenShift to install + required: true + # renovate: datasource=custom.rosa-camunda depName=red-hat-openshift versioning=semver + default: 4.16.10 + replicas: + description: Number of replicas for the ROSA cluster + required: true + default: '2' + s3-backend-bucket: + description: Name of the S3 bucket to store Terraform state + required: true + s3-bucket-region: + description: Region of the bucket containing the resources states, if not set, will fallback on aws-region + tf-modules-revision: + description: Git revision of the tf modules to use + default: main + required: true + tf-modules-path: + description: Path where the tf rosa modules will be cloned + default: ./.action-tf-modules/rosa/ + required: true + login: + description: Authenticate the current kube context on the created cluster + default: 'true' + required: true + + # inherited from https://github.com/hashicorp/setup-terraform/blob/main/action.yml + tf-cli-config-credentials-hostname: + description: | + The hostname of a HCP Terraform/Terraform Enterprise instance to place within the credentials block of the Terraform CLI configuration + file. Defaults to `app.terraform.io`. 
+ default: app.terraform.io + required: false + tf-cli-config-credentials-token: + description: | + The API token for a HCP Terraform/Terraform Enterprise instance to place within the credentials block of the Terraform CLI configuration + file. + required: false + tf-terraform-version: + description: | + The version of Terraform CLI to install. Instead of full version string you can also specify constraint string starting with "<" (for + example `<1.13.0`) to install the latest version satisfying the constraint. A value of `latest` will install the latest version of Terraform + CLI. Defaults to `latest`. + default: latest + required: false + tf-terraform-wrapper: + description: | + Whether or not to install a wrapper to wrap subsequent calls of the `terraform` binary and expose its STDOUT, STDERR, and exit code + as outputs named `stdout`, `stderr`, and `exitcode` respectively. Defaults to `true`. + default: 'true' + required: false outputs: - openshift-server-api: - description: 'The server API URL of the deployed ROSA cluster' - value: ${{ steps.cluster_info.outputs.cluster_api }} + openshift-server-api: + description: The server API URL of the deployed ROSA cluster + value: ${{ steps.cluster_info.outputs.cluster_api }} - openshift-cluster-id: - description: 'The ID of the deployed ROSA cluster' - value: ${{ steps.apply.outputs.cluster_id }} + openshift-cluster-id: + description: The ID of the deployed ROSA cluster + value: ${{ steps.apply.outputs.cluster_id }} - terraform-state-url: - description: 'URL of the Terraform state file in the S3 bucket' - value: ${{ steps.set-terraform-variables.outputs.terraform-state-url }} + terraform-state-url: + description: URL of the Terraform state file in the S3 bucket + value: ${{ steps.set-terraform-variables.outputs.terraform-state-url }} runs: - using: 'composite' - steps: - - name: Install ROSA CLI - shell: bash - run: | - curl -LO "https://mirror.openshift.com/pub/openshift-v4/clients/rosa/${{ inputs.rosa-cli-version 
}}/rosa-linux.tar.gz" - tar -xvf rosa-linux.tar.gz - sudo mv rosa /usr/local/bin/rosa - chmod +x /usr/local/bin/rosa - rm -f rosa-linux.tar.gz - rosa version - - - name: Install Terraform - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3 - with: - cli_config_credentials_hostname: ${{ inputs.tf-cli-config-credentials-hostname }} - cli_config_credentials_token: ${{ inputs.tf-cli-config-credentials-token }} - terraform_version: ${{ inputs.tf-terraform-version }} - terraform_wrapper: ${{ inputs.tf-terraform-wrapper }} - - - name: Install CLI tools from OpenShift Mirror - uses: redhat-actions/openshift-tools-installer@144527c7d98999f2652264c048c7a9bd103f8a82 # v1 - with: - oc: "${{ inputs.openshift-version }}" - - - name: Login to Red Hat Hybrid Cloud Console - shell: bash - run: | - rosa login --token=${{ inputs.rh-token }} --region="${{ inputs.aws-region }}" - rosa whoami --region="${{ inputs.aws-region }}" - - - name: Verify and enable HCP ROSA on AWS Marketplace - shell: bash - run: | - rosa verify quota --region="${{ inputs.aws-region }}" - rosa verify permissions --region="${{ inputs.aws-region }}" - rosa create account-roles --mode auto --region="${{ inputs.aws-region }}" - - - name: Install aws-cli v2 - shell: bash - run: | - sudo rm -rf /usr/local/aws-cli - mkdir -p /tmp/awscli && cd /tmp/awscli - curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-${{ inputs.awscli-version }}.zip" -o "awscliv2.zip" - unzip -qq awscliv2.zip - sudo ./aws/install - cd - && rm -Rf /tmp/awscli - - - name: Set Terraform variables - shell: bash - id: set-terraform-variables - run: | - export TFSTATE_BUCKET="${{ inputs.s3-backend-bucket }}" - export TFSTATE_KEY="tfstate-${{ inputs.cluster-name }}/${{ inputs.cluster-name }}.tfstate" - - if [ -z "${{ inputs.s3-bucket-region }}" ]; then - export TFSTATE_REGION="${{ inputs.aws-region }}" - else - export TFSTATE_REGION="${{ inputs.s3-bucket-region }}" - fi - - echo "TFSTATE_BUCKET=${TFSTATE_BUCKET}" >> 
"$GITHUB_OUTPUT" - echo "TFSTATE_REGION=${TFSTATE_REGION}" >> "$GITHUB_OUTPUT" - echo "TFSTATE_KEY=${TFSTATE_KEY}" >> "$GITHUB_OUTPUT" - - terraform_state_url="s3://${TFSTATE_BUCKET}/${TFSTATE_KEY}" - echo "terraform-state-url=${terraform_state_url}" >> "$GITHUB_OUTPUT" - - - name: Check if S3 bucket exists - id: create-s3-bucket - shell: bash - run: | - if aws s3api head-bucket --bucket ${{ inputs.s3-backend-bucket }} --region ${{ steps.set-terraform-variables.outputs.TFSTATE_REGION }} 2>/dev/null; then - echo "Bucket already exists" - else - echo "Bucket does not exist, creating..." - aws s3api create-bucket --bucket ${{ inputs.s3-backend-bucket }} --region ${{ steps.set-terraform-variables.outputs.TFSTATE_REGION }} --create-bucket-configuration LocationConstraint=${{ steps.set-terraform-variables.outputs.TFSTATE_REGION }} - fi - - aws s3api put-public-access-block --bucket ${{ inputs.s3-backend-bucket }} --region ${{ steps.set-terraform-variables.outputs.TFSTATE_REGION }} --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true" - - - name: Checkout Repository rosa modules - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - with: - repository: "camunda/camunda-tf-rosa" - ref: ${{ inputs.tf-modules-revision }} - path: ${{ inputs.tf-modules-path }} - fetch-depth: 0 - - - name: Terraform Init - shell: bash - id: init - working-directory: "${{ inputs.tf-modules-path }}/modules/rosa-hcp/" - run: | - terraform version - terraform init -backend-config="bucket=${{ steps.set-terraform-variables.outputs.TFSTATE_BUCKET }}" -backend-config="key=${{ steps.set-terraform-variables.outputs.TFSTATE_KEY }}" -backend-config="region=${{ steps.set-terraform-variables.outputs.TFSTATE_REGION }}" - terraform validate -no-color - - - name: Terraform Plan - shell: bash - id: plan - working-directory: "${{ inputs.tf-modules-path }}/modules/rosa-hcp/" - run: | - terraform plan -no-color -out 
rosa.plan -var "cluster_name=${{ inputs.cluster-name }}" -var "replicas=${{ inputs.replicas }}" -var "htpasswd_password=${{ inputs.admin-password }}" -var "htpasswd_username=${{ inputs.admin-username }}" -var "offline_access_token=${{ inputs.rh-token }}" -var "openshift_version=${{ inputs.openshift-version }}" - - - name: Terraform Apply - shell: bash - id: apply - working-directory: "${{ inputs.tf-modules-path }}/modules/rosa-hcp/" - run: | - terraform apply -no-color rosa.plan - - export cluster_id="$(terraform output -raw cluster_id)" - echo "cluster_id=$cluster_id" >> "$GITHUB_OUTPUT" - - - name: Retrieve cluster information - shell: bash - id: cluster_info - run: | - rosa describe cluster --output=json -c "${{ steps.apply.outputs.cluster_id }}" --region="${{ inputs.aws-region }}" - export cluster_api=$(rosa describe cluster --output=json -c "${{ steps.apply.outputs.cluster_id }}" | jq -r '.api.url') - echo "cluster_api=$cluster_api" - echo "cluster_api=$cluster_api" >> "$GITHUB_OUTPUT" - - - name: Login and generate kubeconfig - # we need to retry due as the cluster has just been created and the OIDC provider may not be available yet - uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3 - id: kube_config - if: inputs.login == 'true' - with: - timeout_minutes: 10 - max_attempts: 40 - shell: bash - retry_wait_seconds: 15 - command: | - : # see https://github.com/nick-fields/retry/issues/133 - set -o errexit - set -o pipefail - - oc login --username "${{ inputs.admin-username }}" --password "${{ inputs.admin-password }}" "${{ steps.cluster_info.outputs.cluster_api }}" - rosa grant user cluster-admin --cluster="${{ inputs.cluster-name }}" --user="${{ inputs.admin-username }}" --region="${{ inputs.aws-region }}" - - oc whoami - - kubectl config rename-context $(oc config current-context) "${{ inputs.cluster-name }}" - kubectl config use "${{ inputs.cluster-name }}" - - - name: Clean up cloned modules - if: always() - shell: bash - run: | - rm -rf 
"${{ inputs.tf-modules-path }}" + using: composite + steps: + - name: Install ROSA CLI + shell: bash + run: | + curl -LO "https://mirror.openshift.com/pub/openshift-v4/clients/rosa/${{ inputs.rosa-cli-version }}/rosa-linux.tar.gz" + tar -xvf rosa-linux.tar.gz + sudo mv rosa /usr/local/bin/rosa + chmod +x /usr/local/bin/rosa + rm -f rosa-linux.tar.gz + rosa version + + - name: Install Terraform + uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3 + with: + cli_config_credentials_hostname: ${{ inputs.tf-cli-config-credentials-hostname }} + cli_config_credentials_token: ${{ inputs.tf-cli-config-credentials-token }} + terraform_version: ${{ inputs.tf-terraform-version }} + terraform_wrapper: ${{ inputs.tf-terraform-wrapper }} + + - name: Install CLI tools from OpenShift Mirror + uses: redhat-actions/openshift-tools-installer@144527c7d98999f2652264c048c7a9bd103f8a82 # v1 + with: + oc: ${{ inputs.openshift-version }} + + - name: Login to Red Hat Hybrid Cloud Console + shell: bash + run: | + rosa login --token=${{ inputs.rh-token }} --region="${{ inputs.aws-region }}" + rosa whoami --region="${{ inputs.aws-region }}" + + - name: Verify and enable HCP ROSA on AWS Marketplace + shell: bash + run: | + rosa verify quota --region="${{ inputs.aws-region }}" + rosa verify permissions --region="${{ inputs.aws-region }}" + rosa create account-roles --mode auto --region="${{ inputs.aws-region }}" + + - name: Install aws-cli v2 + shell: bash + run: | + sudo rm -rf /usr/local/aws-cli + mkdir -p /tmp/awscli && cd /tmp/awscli + curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-${{ inputs.awscli-version }}.zip" -o "awscliv2.zip" + unzip -qq awscliv2.zip + sudo ./aws/install + cd - && rm -Rf /tmp/awscli + + - name: Set Terraform variables + shell: bash + id: set-terraform-variables + run: | + export TFSTATE_BUCKET="${{ inputs.s3-backend-bucket }}" + export TFSTATE_KEY="tfstate-${{ inputs.cluster-name }}/${{ inputs.cluster-name }}.tfstate" + + if [ -z 
"${{ inputs.s3-bucket-region }}" ]; then + export TFSTATE_REGION="${{ inputs.aws-region }}" + else + export TFSTATE_REGION="${{ inputs.s3-bucket-region }}" + fi + + echo "TFSTATE_BUCKET=${TFSTATE_BUCKET}" >> "$GITHUB_OUTPUT" + echo "TFSTATE_REGION=${TFSTATE_REGION}" >> "$GITHUB_OUTPUT" + echo "TFSTATE_KEY=${TFSTATE_KEY}" >> "$GITHUB_OUTPUT" + + terraform_state_url="s3://${TFSTATE_BUCKET}/${TFSTATE_KEY}" + echo "terraform-state-url=${terraform_state_url}" >> "$GITHUB_OUTPUT" + + - name: Check if S3 bucket exists + id: create-s3-bucket + shell: bash + run: | + if aws s3api head-bucket --bucket ${{ inputs.s3-backend-bucket }} --region ${{ steps.set-terraform-variables.outputs.TFSTATE_REGION }} 2>/dev/null; then + echo "Bucket already exists" + else + echo "Bucket does not exist, creating..." + aws s3api create-bucket --bucket ${{ inputs.s3-backend-bucket }} \ + --region ${{ steps.set-terraform-variables.outputs.TFSTATE_REGION }} \ + --create-bucket-configuration LocationConstraint=${{ steps.set-terraform-variables.outputs.TFSTATE_REGION }} + fi + + aws s3api put-public-access-block --bucket ${{ inputs.s3-backend-bucket }} \ + --region ${{ steps.set-terraform-variables.outputs.TFSTATE_REGION }} \ + --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true" + + - name: Checkout Repository rosa modules + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + repository: camunda/camunda-tf-rosa + ref: ${{ inputs.tf-modules-revision }} + path: ${{ inputs.tf-modules-path }} + fetch-depth: 0 + + - name: Terraform Init + shell: bash + id: init + working-directory: ${{ inputs.tf-modules-path }}/modules/rosa-hcp/ + run: | + terraform version + + terraform init \ + -backend-config="bucket=${{ steps.set-terraform-variables.outputs.TFSTATE_BUCKET }}" \ + -backend-config="key=${{ steps.set-terraform-variables.outputs.TFSTATE_KEY }}" \ + -backend-config="region=${{ 
steps.set-terraform-variables.outputs.TFSTATE_REGION }}" + + terraform validate -no-color + + - name: Terraform Plan + shell: bash + id: plan + working-directory: ${{ inputs.tf-modules-path }}/modules/rosa-hcp/ + run: | + terraform plan -no-color -out rosa.plan \ + -var "cluster_name=${{ inputs.cluster-name }}" \ + -var "replicas=${{ inputs.replicas }}" \ + -var "htpasswd_password=${{ inputs.admin-password }}" \ + -var "htpasswd_username=${{ inputs.admin-username }}" \ + -var "offline_access_token=${{ inputs.rh-token }}" \ + -var "openshift_version=${{ inputs.openshift-version }}" + + - name: Terraform Apply + shell: bash + id: apply + working-directory: ${{ inputs.tf-modules-path }}/modules/rosa-hcp/ + run: | + terraform apply -no-color rosa.plan + + export cluster_id="$(terraform output -raw cluster_id)" + echo "cluster_id=$cluster_id" >> "$GITHUB_OUTPUT" + + - name: Retrieve cluster information + shell: bash + id: cluster_info + run: | + rosa describe cluster --output=json -c "${{ steps.apply.outputs.cluster_id }}" --region="${{ inputs.aws-region }}" + export cluster_api=$(rosa describe cluster --output=json -c "${{ steps.apply.outputs.cluster_id }}" | jq -r '.api.url') + echo "cluster_api=$cluster_api" + echo "cluster_api=$cluster_api" >> "$GITHUB_OUTPUT" + + - name: Login and generate kubeconfig + # we need to retry due as the cluster has just been created and the OIDC provider may not be available yet + uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3 + id: kube_config + if: inputs.login == 'true' + with: + timeout_minutes: 10 + max_attempts: 40 + shell: bash + retry_wait_seconds: 15 + command: | + : # see https://github.com/nick-fields/retry/issues/133 + set -o errexit + set -o pipefail + + oc login --username "${{ inputs.admin-username }}" --password "${{ inputs.admin-password }}" "${{ steps.cluster_info.outputs.cluster_api }}" + rosa grant user cluster-admin --cluster="${{ inputs.cluster-name }}" --user="${{ inputs.admin-username }}" 
--region="${{ inputs.aws-region }}" + + oc whoami + + kubectl config rename-context $(oc config current-context) "${{ inputs.cluster-name }}" + kubectl config use "${{ inputs.cluster-name }}" + + - name: Clean up cloned modules + if: always() + shell: bash + run: | + rm -rf "${{ inputs.tf-modules-path }}" diff --git a/.github/actions/rosa-delete-cluster/README.md b/.github/actions/rosa-delete-cluster/README.md index abec54c..acd559a 100644 --- a/.github/actions/rosa-delete-cluster/README.md +++ b/.github/actions/rosa-delete-cluster/README.md 
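Review bot: `rosa login --token=${{ inputs.rh-token }}` (unquoted), `terraform plan ... -var "htpasswd_password=${{ inputs.admin-password }}" -var "offline_access_token=${{ inputs.rh-token }}"` and `oc login --password "${{ inputs.admin-password }}"` all put secrets on process command lines composed from the script text, and nothing registers them with `::add-mask::`, so they are redacted from the job log only if the caller happened to pass them from `secrets.*`; the same interpolation of `inputs.cluster-name` into `run:` lines (the tfstate key, `rosa grant user --cluster=...`, `kubectl config rename-context`) is a shell-injection path for any caller that derives the name from event data. Move these values into step `env:` (the Terraform ones as `TF_VAR_*`), mask them first, and reference them as quoted shell variables, as sketched below. Separately, the ROSA tarball and the aws-cli zip are fetched with plain `curl` (no `-f`, no checksum or signature check, `rosa-cli-version` defaulting to `latest`) and then installed with `sudo`, which is a supply-chain gap next to the SHA-pinned `uses:` steps in the same file; both publishers ship a checksum or signature file alongside the artifact that could be verified before `sudo mv` / `sudo ./aws/install`. The state bucket gets a public-access block but no default encryption or versioning, and since the admin password and offline token are passed as plan variables they may well be persisted in that state file — an `aws s3api put-bucket-encryption` (and versioning) call in the same step would be prudent, to be confirmed against what the `rosa-hcp` module actually writes to state.
```yaml
    - name: Login to Red Hat Hybrid Cloud Console
      shell: bash
      env:
        RH_TOKEN: ${{ inputs.rh-token }}
        ROSA_REGION: ${{ inputs.aws-region }}
      run: |
        echo "::add-mask::$RH_TOKEN"
        rosa login --token="$RH_TOKEN" --region="$ROSA_REGION"
        rosa whoami --region="$ROSA_REGION"
    # … unchanged: verify/account-roles, aws-cli install, state variables, bucket, checkout, init …
    - name: Terraform Plan
      shell: bash
      id: plan
      working-directory: ${{ inputs.tf-modules-path }}/modules/rosa-hcp/
      env:
        TF_VAR_cluster_name: ${{ inputs.cluster-name }}
        TF_VAR_replicas: ${{ inputs.replicas }}
        TF_VAR_htpasswd_password: ${{ inputs.admin-password }}
        TF_VAR_htpasswd_username: ${{ inputs.admin-username }}
        TF_VAR_offline_access_token: ${{ inputs.rh-token }}
        TF_VAR_openshift_version: ${{ inputs.openshift-version }}
      run: |
        echo "::add-mask::$TF_VAR_htpasswd_password"
        terraform plan -no-color -out rosa.plan
    # … unchanged: apply, cluster_info, kubeconfig login (same env/quoting treatment), cleanup …
```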
@@ -1,45 +1,107 @@ -# Delete ROSA HCP Cluster GitHub Action +# Delete ROSA HCP Cluster + +## Description + +This GitHub Action automates the deletion of a ROSA (Red Hat OpenShift Service on AWS) cluster using Terraform. +This action will also install awscli. -This GitHub Action automates the deletion of a ROSA (Red Hat OpenShift Service on AWS) cluster using Terraform. It also installs `awscli`. ## Inputs -| Input | Description | Required | Default | -|----------------------|----------------------------------------------------------|----------|--------------------------------| -| `rh-token` | Red Hat Hybrid Cloud Console Token | true | | -| `cluster-name` | Name of the ROSA cluster to delete | true | | -| `aws-region` | AWS region where the ROSA cluster is deployed | true | | -| `s3-backend-bucket` | Name of the S3 bucket where the Terraform state is stored| true | | -| `s3-bucket-region` | Region of the bucket containing the resources states, if not set, will fallback on `aws-region` | false | | -| `awscli-version` | Version of the aws cli to use | false | __see `action.yml`__ | -| `tf-modules-revision`| Git revision of the tf modules to use | false | `main` | -| `tf-modules-path` | Path where the tf rosa modules will be cloned | false | `./.action-tf-modules/rosa/` | -| `tf-cli-config-credentials-hostname` | The hostname of a HCP Terraform/Terraform Enterprise instance to place within the credentials block of the Terraform CLI configuration file. Defaults to `app.terraform.io`. | false | `app.terraform.io` | -| `tf-cli-config-credentials-token` | The API token for a HCP Terraform/Terraform Enterprise instance to place within the credentials block of the Terraform CLI configuration file. | false | | -| `tf-terraform-version` | The version of Terraform CLI to install. Defaults to `latest`. 
| false | `latest` | -| `tf-terraform-wrapper` | Whether or not to install a wrapper to wrap subsequent calls of the `terraform` binary and expose its STDOUT, STDERR, and exit code as outputs named `stdout`, `stderr`, and `exitcode` respectively. Defaults to `true`. | false | `true` | +| name | description | required | default | +| --- | --- | --- | --- | +| `rh-token` |

Red Hat Hybrid Cloud Console Token

| `true` | `""` | +| `cluster-name` |

Name of the ROSA cluster to delete

| `true` | `""` | +| `aws-region` |

AWS region where the ROSA cluster is deployed

| `true` | `""` | +| `s3-backend-bucket` |

Name of the S3 bucket where the Terraform state is stored

| `true` | `""` | +| `s3-bucket-region` |

Region of the bucket containing the resources states, if not set, will fallback on aws-region

| `false` | `""` | +| `awscli-version` |

Version of the aws cli to use

| `true` | `2.15.52` | +| `tf-modules-revision` |

Git revision of the tf modules to use

| `true` | `main` | +| `tf-modules-path` |

Path where the tf rosa modules will be cloned

| `true` | `./.action-tf-modules/rosa/` | +| `tf-cli-config-credentials-hostname` |

The hostname of a HCP Terraform/Terraform Enterprise instance to place within the credentials block of the Terraform CLI configuration file. Defaults to app.terraform.io.

| `false` | `app.terraform.io` | +| `tf-cli-config-credentials-token` |

The API token for a HCP Terraform/Terraform Enterprise instance to place within the credentials block of the Terraform CLI configuration file.

| `false` | `""` | +| `tf-terraform-version` |

The version of Terraform CLI to install. Instead of full version string you can also specify constraint string starting with "<" (for example <1.13.0) to install the latest version satisfying the constraint. A value of latest will install the latest version of Terraform CLI. Defaults to latest.

| `false` | `latest` | +| `tf-terraform-wrapper` |

Whether or not to install a wrapper to wrap subsequent calls of the terraform binary and expose its STDOUT, STDERR, and exit code as outputs named stdout, stderr, and exitcode respectively. Defaults to true.

| `false` | `true` | -## Usage -For this destruction action, it is not necessary to have called the creation action just before, as the state will be retrieved via the bucket. +## Runs + +This action is a `composite` action. -Create a file in your repository's `.github/workflows` directory, for example `delete-rosa-hcp.yml`, with the following content: +## Usage ```yaml -name: Delete ROSA HCP Cluster - -on: - pull_request: - -jobs: - delete: - runs-on: ubuntu-latest - steps: - - name: Delete ROSA HCP Cluster - uses: camunda/camunda-tf-rosa/.github/actions/rosa-delete-cluster@main - with: - rh-token: ${{ secrets.RH_OPENSHIFT_TOKEN }} - cluster-name: "my-ocp-cluster" - aws-region: "us-west-2" - s3-backend-bucket: ${{ secrets.TF_S3_BUCKET }} +- uses: camunda/camunda-tf-rosa/.github/actions/rosa-delete-cluster@main + with: + rh-token: + # Red Hat Hybrid Cloud Console Token + # + # Required: true + # Default: "" + + cluster-name: + # Name of the ROSA cluster to delete + # + # Required: true + # Default: "" + + aws-region: + # AWS region where the ROSA cluster is deployed + # + # Required: true + # Default: "" + + s3-backend-bucket: + # Name of the S3 bucket where the Terraform state is stored + # + # Required: true + # Default: "" + + s3-bucket-region: + # Region of the bucket containing the resources states, if not set, will fallback on aws-region + # + # Required: false + # Default: "" + + awscli-version: + # Version of the aws cli to use + # + # Required: true + # Default: 2.15.52 + + tf-modules-revision: + # Git revision of the tf modules to use + # + # Required: true + # Default: main + + tf-modules-path: + # Path where the tf rosa modules will be cloned + # + # Required: true + # Default: ./.action-tf-modules/rosa/ + + tf-cli-config-credentials-hostname: + # The hostname of a HCP Terraform/Terraform Enterprise instance to place within the credentials block of the Terraform CLI configuration file. Defaults to `app.terraform.io`. 
+ # + # Required: false + # Default: app.terraform.io + + tf-cli-config-credentials-token: + # The API token for a HCP Terraform/Terraform Enterprise instance to place within the credentials block of the Terraform CLI configuration file. + # + # Required: false + # Default: "" + + tf-terraform-version: + # The version of Terraform CLI to install. Instead of full version string you can also specify constraint string starting with "<" (for example `<1.13.0`) to install the latest version satisfying the constraint. A value of `latest` will install the latest version of Terraform CLI. Defaults to `latest`. + # + # Required: false + # Default: latest + + tf-terraform-wrapper: + # Whether or not to install a wrapper to wrap subsequent calls of the `terraform` binary and expose its STDOUT, STDERR, and exit code as outputs named `stdout`, `stderr`, and `exitcode` respectively. Defaults to `true`. + # + # Required: false + # Default: true ``` diff --git a/.github/actions/rosa-delete-cluster/action.yml b/.github/actions/rosa-delete-cluster/action.yml index 23a9ab9..b72dcc3 100644 --- a/.github/actions/rosa-delete-cluster/action.yml +++ b/.github/actions/rosa-delete-cluster/action.yml 
@@ -1,131 +1,145 @@
+---
 name: Delete ROSA HCP Cluster
 description: |
- This GitHub Action automates the deletion of a ROSA (Red Hat OpenShift Service on AWS) cluster using Terraform.
- This action will also install awscli.
+ This GitHub Action automates the deletion of a ROSA (Red Hat OpenShift Service on AWS) cluster using Terraform.
+ This action will also install awscli.
 inputs:
- rh-token:
- description: 'Red Hat Hybrid Cloud Console Token'
- required: true
- cluster-name:
- description: 'Name of the ROSA cluster to delete'
- required: true
- aws-region:
- description: 'AWS region where the ROSA cluster is deployed'
- required: true
- s3-backend-bucket:
- description: 'Name of the S3 bucket where the Terraform state is stored'
- required: true
- s3-bucket-region:
- description: 'Region of the bucket containing the resources states, if not set, will fallback on aws-region'
- awscli-version:
- description: 'Version of the aws cli to use'
- required: true
- # renovate: datasource=github-releases depName=aws/aws-cli
- default: "2.15.52"
- tf-modules-revision:
- description: 'Git revision of the tf modules to use'
- default: 'main'
- required: true
- tf-modules-path:
- description: 'Path where the tf rosa modules will be cloned'
- default: './.action-tf-modules/rosa/'
- required: true
-
- # inherited from https://github.com/hashicorp/setup-terraform/blob/main/action.yml
- tf-cli-config-credentials-hostname:
- description: 'The hostname of a HCP Terraform/Terraform Enterprise instance to place within the credentials block of the Terraform CLI configuration file. Defaults to `app.terraform.io`.'
- default: 'app.terraform.io'
- required: false
- tf-cli-config-credentials-token:
- description: 'The API token for a HCP Terraform/Terraform Enterprise instance to place within the credentials block of the Terraform CLI configuration file.'
- required: false
- tf-terraform-version:
- description: 'The version of Terraform CLI to install. Instead of full version string you can also specify constraint string starting with "<" (for example `<1.13.0`) to install the latest version satisfying the constraint. A value of `latest` will install the latest version of Terraform CLI. Defaults to `latest`.'
- default: 'latest'
- required: false
- tf-terraform-wrapper:
- description: 'Whether or not to install a wrapper to wrap subsequent calls of the `terraform` binary and expose its STDOUT, STDERR, and exit code as outputs named `stdout`, `stderr`, and `exitcode` respectively. Defaults to `true`.'
- default: 'true'
- required: false
+ rh-token:
+ description: Red Hat Hybrid Cloud Console Token
+ required: true
+ cluster-name:
+ description: Name of the ROSA cluster to delete
+ required: true
+ aws-region:
+ description: AWS region where the ROSA cluster is deployed
+ required: true
+ s3-backend-bucket:
+ description: Name of the S3 bucket where the Terraform state is stored
+ required: true
+ s3-bucket-region:
+ description: Region of the bucket containing the resources states, if not set, will fallback on aws-region
+ awscli-version:
+ description: Version of the aws cli to use
+ required: true
+ # renovate: datasource=github-releases depName=aws/aws-cli
+ default: 2.15.52
+ tf-modules-revision:
+ description: Git revision of the tf modules to use
+ default: main
+ required: true
+ tf-modules-path:
+ description: Path where the tf rosa modules will be cloned
+ default: ./.action-tf-modules/rosa/
+ required: true
+
+ # inherited from https://github.com/hashicorp/setup-terraform/blob/main/action.yml
+ tf-cli-config-credentials-hostname:
+ description: The hostname of a HCP Terraform/Terraform Enterprise instance to place within the credentials block of the Terraform CLI configuration
+ file. Defaults to `app.terraform.io`.
+ default: app.terraform.io
+ required: false
+ tf-cli-config-credentials-token:
+ description: The API token for a HCP Terraform/Terraform Enterprise instance to place within the credentials block of the Terraform CLI configuration
+ file.
+ required: false
+ tf-terraform-version:
+ description: The version of Terraform CLI to install. Instead of full version string you can also specify constraint string starting with "<" (for
+ example `<1.13.0`) to install the latest version satisfying the constraint. A value of `latest` will install the latest version of Terraform
+ CLI. Defaults to `latest`.
+ default: latest
+ required: false
+ tf-terraform-wrapper:
+ description: Whether or not to install a wrapper to wrap subsequent calls of the `terraform` binary and expose its STDOUT, STDERR, and exit code
+ as outputs named `stdout`, `stderr`, and `exitcode` respectively. Defaults to `true`.
+ default: 'true'
+ required: false
 runs:
- using: 'composite'
- steps:
- - name: Install Terraform
- uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3
- with:
- cli_config_credentials_hostname: ${{ inputs.tf-cli-config-credentials-hostname }}
- cli_config_credentials_token: ${{ inputs.tf-cli-config-credentials-token }}
- terraform_version: ${{ inputs.tf-terraform-version }}
- terraform_wrapper: ${{ inputs.tf-terraform-wrapper }}
-
- - name: Install aws-cli v2
- shell: bash
- run: |
- sudo rm -rf /usr/local/aws-cli
- mkdir -p /tmp/awscli && cd /tmp/awscli
- curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-${{ inputs.awscli-version }}.zip" -o "awscliv2.zip"
- unzip -qq awscliv2.zip
- sudo ./aws/install
- cd - && rm -Rf /tmp/awscli
-
- - name: Set Terraform variables
- shell: bash
- id: set-terraform-variables
- run: |
- export TFSTATE_BUCKET="${{ inputs.s3-backend-bucket }}"
- export TFSTATE_KEY="tfstate-${{ inputs.cluster-name }}/${{ inputs.cluster-name }}.tfstate"
-
- if [ -z "${{ inputs.s3-bucket-region }}" ]; then
- export TFSTATE_REGION="${{ inputs.aws-region }}"
- else
- export TFSTATE_REGION="${{ inputs.s3-bucket-region }}"
- fi
-
- echo "TFSTATE_BUCKET=${TFSTATE_BUCKET}" >> "$GITHUB_OUTPUT"
- echo "TFSTATE_REGION=${TFSTATE_REGION}" >> "$GITHUB_OUTPUT"
- echo "TFSTATE_KEY=${TFSTATE_KEY}" >> "$GITHUB_OUTPUT"
-
- - name: Checkout Repository rosa modules
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- with:
- repository: "camunda/camunda-tf-rosa"
- ref: ${{ inputs.tf-modules-revision }}
- path: ${{ inputs.tf-modules-path }}
- fetch-depth: 0
-
- - name: Terraform Init
- shell: bash
- id: init
- working-directory: "${{ inputs.tf-modules-path }}/modules/rosa-hcp/"
- run: |
- terraform version
- terraform init -backend-config="bucket=${{ steps.set-terraform-variables.outputs.TFSTATE_BUCKET }}" -backend-config="key=${{ steps.set-terraform-variables.outputs.TFSTATE_KEY }}" -backend-config="region=${{ steps.set-terraform-variables.outputs.TFSTATE_REGION }}"
- terraform validate -no-color
-
- - name: Terraform Plan Destroy
- shell: bash
- id: plan-destroy
- working-directory: "${{ inputs.tf-modules-path }}/modules/rosa-hcp/"
- run: |
- terraform plan -destroy -no-color -out rosa-destroy.plan -var "cluster_name=${{ inputs.cluster-name }}" -var "offline_access_token=${{ inputs.rh-token }}" -var "htpasswd_password=dUmmyPassword$123!"
-
- - name: Terraform Apply Destroy
- shell: bash
- id: apply-destroy
- working-directory: "${{ inputs.tf-modules-path }}/modules/rosa-hcp/"
- run: |
- terraform apply -destroy -no-color rosa-destroy.plan
-
- - name: Clean up cloned modules
- shell: bash
- if: always()
- run: |
- rm -rf "${{ inputs.tf-modules-path }}"
-
- - name: Delete Terraform State
- shell: bash
- run: |
- aws s3 rm s3://${{ steps.set-terraform-variables.outputs.TFSTATE_BUCKET }}/${{ steps.set-terraform-variables.outputs.TFSTATE_KEY }}
+ using: composite
+ steps:
+ - name: Install Terraform
+ uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3
+ with:
+ cli_config_credentials_hostname: ${{ inputs.tf-cli-config-credentials-hostname }}
+ cli_config_credentials_token: ${{ inputs.tf-cli-config-credentials-token }}
+ terraform_version: ${{ inputs.tf-terraform-version }}
+ terraform_wrapper: ${{ inputs.tf-terraform-wrapper }}
+
+ - name: Install aws-cli v2
+ shell: bash
+ run: |
+ sudo rm -rf /usr/local/aws-cli
+ mkdir -p /tmp/awscli && cd /tmp/awscli
+ curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-${{ inputs.awscli-version }}.zip" -o "awscliv2.zip"
+ unzip -qq awscliv2.zip
+ sudo ./aws/install
+ cd - && rm -Rf /tmp/awscli
+
+ - name: Set Terraform variables
+ shell: bash
+ id: set-terraform-variables
+ run: |
+ export TFSTATE_BUCKET="${{ inputs.s3-backend-bucket }}"
+ export TFSTATE_KEY="tfstate-${{ inputs.cluster-name }}/${{ inputs.cluster-name }}.tfstate"
+
+ if [ -z "${{ inputs.s3-bucket-region }}" ]; then
+ export TFSTATE_REGION="${{ inputs.aws-region }}"
+ else
+ export TFSTATE_REGION="${{ inputs.s3-bucket-region }}"
+ fi
+
+ echo "TFSTATE_BUCKET=${TFSTATE_BUCKET}" >> "$GITHUB_OUTPUT"
+ echo "TFSTATE_REGION=${TFSTATE_REGION}" >> "$GITHUB_OUTPUT"
+ echo "TFSTATE_KEY=${TFSTATE_KEY}" >> "$GITHUB_OUTPUT"
+
+ - name: Checkout Repository rosa modules
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ with:
+ repository: camunda/camunda-tf-rosa
+ ref: ${{ inputs.tf-modules-revision }}
+ path: ${{ inputs.tf-modules-path }}
+ fetch-depth: 0
+
+ - name: Terraform Init
+ shell: bash
+ id: init
+ working-directory: ${{ inputs.tf-modules-path }}/modules/rosa-hcp/
+ run: |
+ terraform version
+
+ terraform init \
+ -backend-config="bucket=${{ steps.set-terraform-variables.outputs.TFSTATE_BUCKET }}" \
+ -backend-config="key=${{ steps.set-terraform-variables.outputs.TFSTATE_KEY }}" \
+ -backend-config="region=${{ steps.set-terraform-variables.outputs.TFSTATE_REGION }}"
+
+ terraform validate -no-color
+
+ - name: Terraform Plan Destroy
+ shell: bash
+ id: plan-destroy
+ working-directory: ${{ inputs.tf-modules-path }}/modules/rosa-hcp/
+ run: |
+ terraform plan -destroy -no-color -out rosa-destroy.plan \
+ -var "cluster_name=${{ inputs.cluster-name }}" \
+ -var "offline_access_token=${{ inputs.rh-token }}" \
+ -var "htpasswd_password=dUmmyPassword$123!"
+
+ - name: Terraform Apply Destroy
+ shell: bash
+ id: apply-destroy
+ working-directory: ${{ inputs.tf-modules-path }}/modules/rosa-hcp/
+ run: |
+ terraform apply -destroy -no-color rosa-destroy.plan
+
+ - name: Clean up cloned modules
+ shell: bash
+ if: always()
+ run: |
+ rm -rf "${{ inputs.tf-modules-path }}"
+
+ - name: Delete Terraform State
+ shell: bash
+ run: |
+ aws s3 rm s3://${{ steps.set-terraform-variables.outputs.TFSTATE_BUCKET }}/${{ steps.set-terraform-variables.outputs.TFSTATE_KEY }}
diff --git a/.github/labeler.yml b/.github/labeler.yml
index c0978e3..92c8994 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
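Review bot: The `run:` scripts on the new side still splice action inputs straight into bash through `${{ }}` — `-var "cluster_name=${{ inputs.cluster-name }}"` in `plan-destroy`, the `TFSTATE_KEY` export in `set-terraform-variables`, the `awscli-version` fragment in the curl URL, and the unquoted `aws s3 rm s3://${{ … }}` path — so a value containing shell metacharacters is interpreted by the shell rather than passed as data. The usual hardening is a step-level `env:` entry per input and a reference like `"$CLUSTER_NAME"` inside the script, which also keeps `inputs.rh-token` out of the rendered command line; the same pattern is in `.github/workflows/daily-cleanup.yml` where `aws configure set … ${{ steps.secrets.outputs.AWS_ACCESS_KEY }}` puts the key on the command line. Separately, `default: 2.15.52` lost its quotes; it still parses as a string today, but keeping it as `default: '2.15.52'`, like `default: 'true'` below it, protects the renovate-managed value if a future release ever looks like a number.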
@@ -1,17 +1,18 @@
+---
 # Add 'feature' label to any PR where the head branch name starts with `feature` or has a `feature` section in the name
 feature:
- - head-branch: ['^feature', 'feature']
+ - head-branch: [^feature, feature]
 # Add 'test' label to any changes within 'test' folder or any subfolders
 test:
- - changed-files:
- - any-glob-to-any-file:
- - test/**.go
- - test/**/go.mod
- - modules/fixtures/**
+ - changed-files:
+ - any-glob-to-any-file:
+ - test/**.go
+ - test/**/go.mod
+ - modules/fixtures/**
 terraform:
- - changed-files:
- - any-glob-to-any-file:
- - modules/**.tf
- - .tool-versions
+ - changed-files:
+ - any-glob-to-any-file:
+ - modules/**.tf
+ - .tool-versions
diff --git a/.github/workflows/artifact-rosa-versions.yml b/.github/workflows/artifact-rosa-versions.yml
index 7954d3d..a1070e9 100644
--- a/.github/workflows/artifact-rosa-versions.yml
+++ b/.github/workflows/artifact-rosa-versions.yml
@@ -1,66 +1,67 @@
+---
 # This workflow updates an artifact containing the ROSA versions, it's used by renovate and published at https://camunda.github.io/camunda-tf-rosa/rosa_versions.txt
 name: Save ROSA Versions as an artifact
 on:
- schedule:
- - cron: '0 0 * * *'
- workflow_dispatch:
- pull_request:
- paths:
- - .github/workflows/artifact-rosa-versions.yml
+ schedule:
+ - cron: 0 0 * * *
+ workflow_dispatch:
+ pull_request:
+ paths:
+ - .github/workflows/artifact-rosa-versions.yml
 jobs:
- save-rosa-versions:
- runs-on: ubuntu-latest
+ save-rosa-versions:
+ runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- with:
- ref: "gh-pages"
+ steps:
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ with:
+ ref: gh-pages
- - name: Import Secrets
- id: secrets
- uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3
- with:
- url: ${{ secrets.VAULT_ADDR }}
- method: approle
- roleId: ${{ secrets.VAULT_ROLE_ID }}
- secretId: ${{ secrets.VAULT_SECRET_ID }}
- exportEnv: false
- secrets: |
- secret/data/products/infrastructure-experience/ci/common RH_OPENSHIFT_TOKEN;
+ - name: Import Secrets
+ id: secrets
+ uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3
+ with:
+ url: ${{ secrets.VAULT_ADDR }}
+ method: approle
+ roleId: ${{ secrets.VAULT_ROLE_ID }}
+ secretId: ${{ secrets.VAULT_SECRET_ID }}
+ exportEnv: false
+ secrets: |
+ secret/data/products/infrastructure-experience/ci/common RH_OPENSHIFT_TOKEN;
- - name: Install ROSA CLI and output rosa versions
- shell: bash
- run: |
- curl -LO "https://mirror.openshift.com/pub/openshift-v4/clients/rosa/latest/rosa-linux.tar.gz"
- tar -xvf rosa-linux.tar.gz
- sudo mv rosa /usr/local/bin/rosa
- chmod +x /usr/local/bin/rosa
- rm -f rosa-linux.tar.gz
- rosa version
- rosa login --token=${{ steps.secrets.outputs.RH_OPENSHIFT_TOKEN }}
- mkdir -p docs
- rosa list versions --output json | jq '.[].raw_id' --raw-output > docs/rosa_versions.txt
+ - name: Install ROSA CLI and output rosa versions
+ shell: bash
+ run: |
+ curl -LO "https://mirror.openshift.com/pub/openshift-v4/clients/rosa/latest/rosa-linux.tar.gz"
+ tar -xvf rosa-linux.tar.gz
+ sudo mv rosa /usr/local/bin/rosa
+ chmod +x /usr/local/bin/rosa
+ rm -f rosa-linux.tar.gz
+ rosa version
+ rosa login --token=${{ steps.secrets.outputs.RH_OPENSHIFT_TOKEN }}
+ mkdir -p docs
+ rosa list versions --output json | jq '.[].raw_id' --raw-output > docs/rosa_versions.txt
- - name: Commit and push ROSA versions file to gh-pages
- shell: bash
- run: |
- git diff --exit-code docs/rosa_versions.txt || {
- git config --local user.name "github-actions[bot]"
- git config --local user.email "github-actions[bot]@users.noreply.github.com"
- git add docs/rosa_versions.txt
- git commit -m "Update ROSA versions"
- git push origin gh-pages
- }
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Commit and push ROSA versions file to gh-pages
+ shell: bash
+ run: |
+ git diff --exit-code docs/rosa_versions.txt || {
+ git config --local user.name "github-actions[bot]"
+ git config --local user.email "github-actions[bot]@users.noreply.github.com"
+ git add docs/rosa_versions.txt
+ git commit -m "Update ROSA versions"
+ git push origin gh-pages
+ }
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- - name: Notify in Slack in case of failure
- id: slack-notification
- if: failure() && github.event_name == 'schedule'
- uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@fe25bf36edcc03717275a4e05969cdb5483388df # main
- with:
- vault_addr: ${{ secrets.VAULT_ADDR }}
- vault_role_id: ${{ secrets.VAULT_ROLE_ID }}
- vault_secret_id: ${{ secrets.VAULT_SECRET_ID }}
+ - name: Notify in Slack in case of failure
+ id: slack-notification
+ if: failure() && github.event_name == 'schedule'
+ uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@fe25bf36edcc03717275a4e05969cdb5483388df # main
+ with:
+ vault_addr: ${{ secrets.VAULT_ADDR }}
+ vault_role_id: ${{ secrets.VAULT_ROLE_ID }}
+ vault_secret_id: ${{ secrets.VAULT_SECRET_ID }}
diff --git a/.github/workflows/daily-cleanup.yml b/.github/workflows/daily-cleanup.yml
index 35f6646..79190bf 100644
--- a/.github/workflows/daily-cleanup.yml
+++ b/.github/workflows/daily-cleanup.yml
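Review bot: `- cron: 0 0 * * *` is now a plain scalar; it still loads as the string today, but a cron expression that begins with `*` (for example an every-minute `* * * * *`) is read by YAML as an alias and fails to parse, so the quoting the old side had is the safer convention — `- cron: '0 0 * * *'`. The same unquoting appears in this commit in `daily-cleanup.yml`, `labeler.yml` and `links.yml`. Visible on the new side but not changed here: the rosa CLI is downloaded from the mirror's `latest` path and moved into `/usr/local/bin` without a pinned version or checksum, so what this job publishes to `rosa_versions.txt` depends on whatever binary the mirror serves that day; pinning the release and verifying its published checksum before `sudo mv` would make the output reproducible and harder to tamper with in transit.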
@@ -2,85 +2,85 @@ name: Daily cleanup cluster
 on:
- workflow_dispatch:
- inputs:
- max_age_hours_cluster:
- description: "Maximum age of clusters in hours"
- required: true
- default: "20"
- pull_request:
- # the paths should be synced with ../labeler.yml
- paths:
- - .github/workflows/daily-cleanup.yml
- - .github/actions/rosa-cleanup-clusters/**
+ workflow_dispatch:
+ inputs:
+ max_age_hours_cluster:
+ description: Maximum age of clusters in hours
+ required: true
+ default: '20'
+ pull_request:
+ # the paths should be synced with ../labeler.yml
+ paths:
+ - .github/workflows/daily-cleanup.yml
+ - .github/actions/rosa-cleanup-clusters/**
- schedule:
- - cron: '0 1 * * *' # At 01:00 everyday.
+ schedule:
+ - cron: 0 1 * * * # At 01:00 everyday.
 env:
- MAX_AGE_HOURS_CLUSTER: "${{ github.event.inputs.max_age_hours_cluster || '20' }}"
- AWS_PROFILE: "infex"
+ MAX_AGE_HOURS_CLUSTER: ${{ github.event.inputs.max_age_hours_cluster || '20' }}
+ AWS_PROFILE: infex
- # please keep those variables synced with tests.yml
- TESTS_AWS_REGION: "eu-west-2"
- TF_S3_BUCKET: "tests-rosa-tf-state-eu-central-1"
- TF_S3_REGION: "eu-central-1"
+ # please keep those variables synced with tests.yml
+ TESTS_AWS_REGION: eu-west-2
+ TF_S3_BUCKET: tests-rosa-tf-state-eu-central-1
+ TF_S3_REGION: eu-central-1
 jobs:
- cleanup-clusters:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout repository
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- with:
- ref: ${{ github.head_ref }}
- fetch-depth: 0
+ cleanup-clusters:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ with:
+ ref: ${{ github.head_ref }}
+ fetch-depth: 0
- - name: Install tooling using asdf
- uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3
+ - name: Install tooling using asdf
+ uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3
- - name: Use repo .tool-version as global version
- run: cp .tool-versions ~/.tool-versions
+ - name: Use repo .tool-version as global version
+ run: cp .tool-versions ~/.tool-versions
- - name: Import Secrets
- id: secrets
- uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3
- with:
- url: ${{ secrets.VAULT_ADDR }}
- method: approle
- roleId: ${{ secrets.VAULT_ROLE_ID }}
- secretId: ${{ secrets.VAULT_SECRET_ID }}
- exportEnv: false
- secrets: |
- secret/data/products/infrastructure-experience/ci/common AWS_ACCESS_KEY;
- secret/data/products/infrastructure-experience/ci/common AWS_SECRET_KEY;
- secret/data/products/infrastructure-experience/ci/common RH_OPENSHIFT_TOKEN;
+ - name: Import Secrets
+ id: secrets
+ uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3
+ with:
+ url: ${{ secrets.VAULT_ADDR }}
+ method: approle
+ roleId: ${{ secrets.VAULT_ROLE_ID }}
+ secretId: ${{ secrets.VAULT_SECRET_ID }}
+ exportEnv: false
+ secrets: |
+ secret/data/products/infrastructure-experience/ci/common AWS_ACCESS_KEY;
+ secret/data/products/infrastructure-experience/ci/common AWS_SECRET_KEY;
+ secret/data/products/infrastructure-experience/ci/common RH_OPENSHIFT_TOKEN;
 # Official action does not support profiles
- - name: Add profile credentials to ~/.aws/credentials
- run: |
- aws configure set aws_access_key_id ${{ steps.secrets.outputs.AWS_ACCESS_KEY }} --profile ${{ env.AWS_PROFILE }}
- aws configure set aws_secret_access_key ${{ steps.secrets.outputs.AWS_SECRET_KEY }} --profile ${{ env.AWS_PROFILE }}
- aws configure set region ${{ env.TESTS_AWS_REGION }} --profile ${{ env.AWS_PROFILE }}
+ - name: Add profile credentials to ~/.aws/credentials
+ run: |
+ aws configure set aws_access_key_id ${{ steps.secrets.outputs.AWS_ACCESS_KEY }} --profile ${{ env.AWS_PROFILE }}
+ aws configure set aws_secret_access_key ${{ steps.secrets.outputs.AWS_SECRET_KEY }} --profile ${{ env.AWS_PROFILE }}
+ aws configure set region ${{ env.TESTS_AWS_REGION }} --profile ${{ env.AWS_PROFILE }}
- - name: Delete clusters
- id: delete_clusters
- timeout-minutes: 125
- uses: ./.github/actions/rosa-cleanup-clusters
- env:
- RH_TOKEN: "${{ steps.secrets.outputs.RH_OPENSHIFT_TOKEN }}"
- AWS_REGION: "${{ env.TESTS_AWS_REGION }}"
- with:
- tf-bucket: "${{ env.TF_S3_BUCKET }}"
- tf-bucket-region: "${{ env.TF_S3_REGION }}"
- max-age-hours-cluster: "${{ env.MAX_AGE_HOURS_CLUSTER }}"
+ - name: Delete clusters
+ id: delete_clusters
+ timeout-minutes: 125
+ uses: ./.github/actions/rosa-cleanup-clusters
+ env:
+ RH_TOKEN: ${{ steps.secrets.outputs.RH_OPENSHIFT_TOKEN }}
+ AWS_REGION: ${{ env.TESTS_AWS_REGION }}
+ with:
+ tf-bucket: ${{ env.TF_S3_BUCKET }}
+ tf-bucket-region: ${{ env.TF_S3_REGION }}
+ max-age-hours-cluster: ${{ env.MAX_AGE_HOURS_CLUSTER }}
- - name: Notify in Slack in case of failure
- id: slack-notification
- if: failure() && github.event_name == 'schedule'
- uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@fe25bf36edcc03717275a4e05969cdb5483388df # main
- with:
- vault_addr: ${{ secrets.VAULT_ADDR }}
- vault_role_id: ${{ secrets.VAULT_ROLE_ID }}
- vault_secret_id: ${{ secrets.VAULT_SECRET_ID }}
+ - name: Notify in Slack in case of failure
+ id: slack-notification
+ if: failure() && github.event_name == 'schedule'
+ uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@fe25bf36edcc03717275a4e05969cdb5483388df # main
+ with:
+ vault_addr: ${{ secrets.VAULT_ADDR }}
+ vault_role_id: ${{ secrets.VAULT_ROLE_ID }}
+ vault_secret_id: ${{ secrets.VAULT_SECRET_ID }}
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 0af3464..86b93f3 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -1,26 +1,27 @@
-name: "Pull Request Labeler"
+---
+name: Pull Request Labeler
 on:
- pull_request_target:
- schedule:
- - cron: "0 1 * * 1"
- pull_request:
- paths:
- - .github/workflows/labeler.yml
+ pull_request_target:
+ schedule:
+ - cron: 0 1 * * 1
+ pull_request:
+ paths:
+ - .github/workflows/labeler.yml
 jobs:
- labeler:
- permissions:
- contents: read
- pull-requests: write
- runs-on: ubuntu-latest
- steps:
- - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5
+ labeler:
+ permissions:
+ contents: read
+ pull-requests: write
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5
- - name: Notify in Slack in case of failure
- id: slack-notification
- if: failure() && github.event_name == 'schedule'
- uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@fe25bf36edcc03717275a4e05969cdb5483388df # main
- with:
- vault_addr: ${{ secrets.VAULT_ADDR }}
- vault_role_id: ${{ secrets.VAULT_ROLE_ID }}
- vault_secret_id: ${{ secrets.VAULT_SECRET_ID }}
+ - name: Notify in Slack in case of failure
+ id: slack-notification
+ if: failure() && github.event_name == 'schedule'
+ uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@fe25bf36edcc03717275a4e05969cdb5483388df # main
+ with:
+ vault_addr: ${{ secrets.VAULT_ADDR }}
+ vault_role_id: ${{ secrets.VAULT_ROLE_ID }}
+ vault_secret_id: ${{ secrets.VAULT_SECRET_ID }}
diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml
index f961770..67316bb 100644
--- a/.github/workflows/links.yml
+++ b/.github/workflows/links.yml
@@ -1,52 +1,53 @@ +--- name: Check external links on: - push: - workflow_dispatch: - schedule: - - cron: "0 3 1 * *" - pull_request: - paths: - - .github/workflows/links.yml + push: + workflow_dispatch: + schedule: + - cron: 0 3 1 * * + pull_request: + paths: + - .github/workflows/links.yml jobs: - lint: - name: links-check - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + lint: + name: links-check + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - - name: Get Current Timestamp - id: timestamp - run: echo "TIMESTAMP=$(date +%s)" >> "$GITHUB_ENV" + - name: Get Current Timestamp + id: timestamp + run: echo "TIMESTAMP=$(date +%s)" >> "$GITHUB_ENV" - - name: Restore lychee cache - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4 - with: - path: .lycheecache - key: "cache-lychee-${{ env.TIMESTAMP }}" - restore-keys: cache-lychee- + - name: Restore lychee cache + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4 + with: + path: .lycheecache + key: cache-lychee-${{ env.TIMESTAMP }} + restore-keys: cache-lychee- - - name: Link Checker - uses: lycheeverse/lychee-action@2b973e86fc7b1f6b36a93795fe2c9c6ae1118621 # v1.10.0 - with: - fail: true - args: -c ./lychee-links.toml --base . --cache --max-cache-age 1d . --verbose --no-progress '*.md' './**/*.md' - token: "${{ secrets.GITHUB_TOKEN }}" + - name: Link Checker + uses: lycheeverse/lychee-action@2b973e86fc7b1f6b36a93795fe2c9c6ae1118621 # v1.10.0 + with: + fail: true + args: -c ./lychee-links.toml --base . --cache --max-cache-age 1d . 
--verbose --no-progress '*.md' './**/*.md' + token: ${{ secrets.GITHUB_TOKEN }} - - name: Create Issue From File - if: failure() && github.event_name == 'schedule' - uses: peter-evans/create-issue-from-file@24452a72d85239eacf1468b0f1982a9f3fec4c94 # v5 - with: - title: Link Checker Report - content-filepath: ./lychee/out.md - labels: report, automated issue + - name: Create Issue From File + if: failure() && github.event_name == 'schedule' + uses: peter-evans/create-issue-from-file@24452a72d85239eacf1468b0f1982a9f3fec4c94 # v5 + with: + title: Link Checker Report + content-filepath: ./lychee/out.md + labels: report, automated issue - - name: Notify in Slack in case of failure - id: slack-notification - if: failure() && github.event_name == 'schedule' - uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@fe25bf36edcc03717275a4e05969cdb5483388df # main - with: - vault_addr: ${{ secrets.VAULT_ADDR }} - vault_role_id: ${{ secrets.VAULT_ROLE_ID }} - vault_secret_id: ${{ secrets.VAULT_SECRET_ID }} + - name: Notify in Slack in case of failure + id: slack-notification + if: failure() && github.event_name == 'schedule' + uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@fe25bf36edcc03717275a4e05969cdb5483388df # main + with: + vault_addr: ${{ secrets.VAULT_ADDR }} + vault_role_id: ${{ secrets.VAULT_ROLE_ID }} + vault_secret_id: ${{ secrets.VAULT_SECRET_ID }} diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 00d2a99..678fde3 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml 
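Review bot: The `lint` job has no `permissions:` block, so the `GITHUB_TOKEN` it hands to lychee-action (`token: ${{ secrets.GITHUB_TOKEN }}`) and to create-issue-from-file carries the repository's default token scope, which can still be write-all; the labeler workflow touched by this same commit scopes its token explicitly, so this workflow is the outlier. Declaring the minimum the steps need keeps a token exposed through lychee's outbound requests or a compromised third-party action from writing to the repository: add under `lint:` the lines `permissions:`, `  contents: read`, `  issues: write` (`issues: write` is what the scheduled Create Issue From File step requires). If the repository already defaults the token to read-only this is a no-op, but pinning it in the file is the safer convention and documents why the issue step works on schedule.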
@@ -2,132 +2,132 @@ name: Cluster creation and destruction test on: - schedule: - - cron: '0 1 * * 1' # At 01:00 on Monday. - - workflow_dispatch: - inputs: - cluster_name: - description: "Cluster name." - required: false - type: string - delete_cluster: - description: "Whether to delete the cluster." - required: false - type: boolean - default: true - - pull_request: - # the paths should be synced with ../labeler.yml - paths: - - modules/fixtures/**/*.tf - - modules/**.tf - - .tool-versions - - .github/workflows/tests.yml - - .github/actions/**/*.yml - - justfile + schedule: + - cron: 0 1 * * 1 # At 01:00 on Monday. + + workflow_dispatch: + inputs: + cluster_name: + description: Cluster name. + required: false + type: string + delete_cluster: + description: Whether to delete the cluster. + required: false + type: boolean + default: true + + pull_request: + # the paths should be synced with ../labeler.yml + paths: + - modules/fixtures/**/*.tf + - modules/**.tf + - .tool-versions + - .github/workflows/tests.yml + - .github/actions/**/*.yml + - justfile # limit to a single execution per actor of this workflow concurrency: - group: "${{ github.workflow }}-${{ github.ref }}" - cancel-in-progress: true + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true env: - AWS_PROFILE: "infex" + AWS_PROFILE: infex - # please keep those variables synced with daily-cleanup.yml - TESTS_AWS_REGION: "eu-west-2" - TF_S3_BUCKET: "tests-rosa-tf-state-eu-central-1" - TF_S3_REGION: "eu-central-1" + # please keep those variables synced with daily-cleanup.yml + TESTS_AWS_REGION: eu-west-2 + TF_S3_BUCKET: tests-rosa-tf-state-eu-central-1 + TF_S3_REGION: eu-central-1 - OCP_ADMIN_USERNAME: "kube-admin" - OCP_NAMESPACE: "myns" + OCP_ADMIN_USERNAME: kube-admin + OCP_NAMESPACE: myns jobs: - action-test: - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - with: - ref: ${{ github.head_ref }} - 
fetch-depth: 0 - - - name: Install tooling using asdf - uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3 - - - name: Get OCP Cluster Name - id: commit_info - run: | - if [[ -n "${{ inputs.cluster_name }}" ]]; then - cluster_name="${{ inputs.cluster_name }}" - else - cluster_name="cl-$(git rev-parse --short HEAD)" - fi - - echo "cluster_name=$cluster_name" >> "$GITHUB_OUTPUT" - - - name: Import Secrets - id: secrets - uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3 - with: - url: ${{ secrets.VAULT_ADDR }} - method: approle - roleId: ${{ secrets.VAULT_ROLE_ID }} - secretId: ${{ secrets.VAULT_SECRET_ID }} - exportEnv: false - secrets: | - secret/data/products/infrastructure-experience/ci/common AWS_ACCESS_KEY; - secret/data/products/infrastructure-experience/ci/common AWS_SECRET_KEY; - secret/data/products/infrastructure-experience/ci/common RH_OPENSHIFT_TOKEN; - secret/data/products/infrastructure-experience/ci/common CI_OPENSHIFT_MAIN_PASSWORD; + action-test: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ github.head_ref }} + fetch-depth: 0 + + - name: Install tooling using asdf + uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3 + + - name: Get OCP Cluster Name + id: commit_info + run: | + if [[ -n "${{ inputs.cluster_name }}" ]]; then + cluster_name="${{ inputs.cluster_name }}" + else + cluster_name="cl-$(git rev-parse --short HEAD)" + fi + + echo "cluster_name=$cluster_name" >> "$GITHUB_OUTPUT" + + - name: Import Secrets + id: secrets + uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3 + with: + url: ${{ secrets.VAULT_ADDR }} + method: approle + roleId: ${{ secrets.VAULT_ROLE_ID }} + secretId: ${{ secrets.VAULT_SECRET_ID }} + exportEnv: false + secrets: | + secret/data/products/infrastructure-experience/ci/common AWS_ACCESS_KEY; + 
secret/data/products/infrastructure-experience/ci/common AWS_SECRET_KEY; + secret/data/products/infrastructure-experience/ci/common RH_OPENSHIFT_TOKEN; + secret/data/products/infrastructure-experience/ci/common CI_OPENSHIFT_MAIN_PASSWORD; # Official action does not support profiles - - name: Add profile credentials to ~/.aws/credentials - run: | - aws configure set aws_access_key_id ${{ steps.secrets.outputs.AWS_ACCESS_KEY }} --profile ${{ env.AWS_PROFILE }} - aws configure set aws_secret_access_key ${{ steps.secrets.outputs.AWS_SECRET_KEY }} --profile ${{ env.AWS_PROFILE }} - aws configure set region ${{ env.TESTS_AWS_REGION }} --profile ${{ env.AWS_PROFILE }} - - - name: Create Cluster - timeout-minutes: 125 - uses: ./.github/actions/rosa-create-cluster - id: create_cluster - with: - rh-token: ${{ steps.secrets.outputs.RH_OPENSHIFT_TOKEN }} - cluster-name: ${{ steps.commit_info.outputs.cluster_name }} - admin-username: ${{ env.OCP_ADMIN_USERNAME }} - admin-password: ${{ steps.secrets.outputs.CI_OPENSHIFT_MAIN_PASSWORD }} - aws-region: ${{ env.TESTS_AWS_REGION }} - s3-backend-bucket: ${{ env.TF_S3_BUCKET }} - s3-bucket-region: ${{ env.TF_S3_REGION }} - - - name: Create namespace if not exists - shell: bash - run: | - if ! 
oc get namespace "${{ env.OCP_NAMESPACE }}"; then - oc new-project "${{ env.OCP_NAMESPACE }}" - else - echo "Namespace '${{ env.OCP_NAMESPACE }}' already exists" - fi - - - name: Delete Cluster - timeout-minutes: 125 - if: always() && !(github.event_name == 'workflow_dispatch' && github.event.inputs.delete_cluster == 'false') - uses: ./.github/actions/rosa-delete-cluster - with: - rh-token: ${{ steps.secrets.outputs.RH_OPENSHIFT_TOKEN }} - cluster-name: "${{ steps.commit_info.outputs.cluster_name }}" - aws-region: ${{ env.TESTS_AWS_REGION }} - s3-backend-bucket: ${{ env.TF_S3_BUCKET }} - s3-bucket-region: ${{ env.TF_S3_REGION }} - - - name: Notify in Slack in case of failure - id: slack-notification - if: failure() && github.event_name == 'schedule' - uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@fe25bf36edcc03717275a4e05969cdb5483388df # main - with: - vault_addr: ${{ secrets.VAULT_ADDR }} - vault_role_id: ${{ secrets.VAULT_ROLE_ID }} - vault_secret_id: ${{ secrets.VAULT_SECRET_ID }} + - name: Add profile credentials to ~/.aws/credentials + run: | + aws configure set aws_access_key_id ${{ steps.secrets.outputs.AWS_ACCESS_KEY }} --profile ${{ env.AWS_PROFILE }} + aws configure set aws_secret_access_key ${{ steps.secrets.outputs.AWS_SECRET_KEY }} --profile ${{ env.AWS_PROFILE }} + aws configure set region ${{ env.TESTS_AWS_REGION }} --profile ${{ env.AWS_PROFILE }} + + - name: Create Cluster + timeout-minutes: 125 + uses: ./.github/actions/rosa-create-cluster + id: create_cluster + with: + rh-token: ${{ steps.secrets.outputs.RH_OPENSHIFT_TOKEN }} + cluster-name: ${{ steps.commit_info.outputs.cluster_name }} + admin-username: ${{ env.OCP_ADMIN_USERNAME }} + admin-password: ${{ steps.secrets.outputs.CI_OPENSHIFT_MAIN_PASSWORD }} + aws-region: ${{ env.TESTS_AWS_REGION }} + s3-backend-bucket: ${{ env.TF_S3_BUCKET }} + s3-bucket-region: ${{ env.TF_S3_REGION }} + + - name: Create namespace if not exists + shell: bash + run: | + if ! 
oc get namespace "${{ env.OCP_NAMESPACE }}"; then + oc new-project "${{ env.OCP_NAMESPACE }}" + else + echo "Namespace '${{ env.OCP_NAMESPACE }}' already exists" + fi + + - name: Delete Cluster + timeout-minutes: 125 + if: always() && !(github.event_name == 'workflow_dispatch' && github.event.inputs.delete_cluster == 'false') + uses: ./.github/actions/rosa-delete-cluster + with: + rh-token: ${{ steps.secrets.outputs.RH_OPENSHIFT_TOKEN }} + cluster-name: ${{ steps.commit_info.outputs.cluster_name }} + aws-region: ${{ env.TESTS_AWS_REGION }} + s3-backend-bucket: ${{ env.TF_S3_BUCKET }} + s3-bucket-region: ${{ env.TF_S3_REGION }} + + - name: Notify in Slack in case of failure + id: slack-notification + if: failure() && github.event_name == 'schedule' + uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@fe25bf36edcc03717275a4e05969cdb5483388df # main + with: + vault_addr: ${{ secrets.VAULT_ADDR }} + vault_role_id: ${{ secrets.VAULT_ROLE_ID }} + vault_secret_id: ${{ secrets.VAULT_SECRET_ID }} diff --git a/.lint/terraform_docs/.terraform-docs.yml b/.lint/terraform_docs/.terraform-docs.yml index edd51d8..7cfe2d3 100644 --- a/.lint/terraform_docs/.terraform-docs.yml +++ b/.lint/terraform_docs/.terraform-docs.yml 
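Review bot: The `Get OCP Cluster Name` step still interpolates the `workflow_dispatch` input straight into the shell (`if [[ -n "${{ inputs.cluster_name }}" ]]` and `cluster_name="${{ inputs.cluster_name }}"`), and `Add profile credentials to ~/.aws/credentials` does the same with the Vault-sourced AWS keys; `${{ }}` is expanded before bash parses the script, so a quote or `$(...)` in the value is an expression injection rather than data. Triggering a dispatch needs write access, which limits the blast radius, but the name also flows into `cluster-name` for the create and delete actions, so it should be passed through `env:` and read as `"$VAR"`, and ideally rejected unless it matches the ROSA-permitted name charset. Routing the two secrets through `env:` likewise keeps them out of the `aws configure` command line. Separately, `action-test` declares no `permissions:` block although it only reads the repository; `permissions: contents: read` at job level is the cheap fix.
```yaml
      - name: Get OCP Cluster Name
        id: commit_info
        env:
          CLUSTER_NAME_INPUT: ${{ inputs.cluster_name }}
        run: |
          if [[ -n "$CLUSTER_NAME_INPUT" ]]; then
            cluster_name="$CLUSTER_NAME_INPUT"
          else
            cluster_name="cl-$(git rev-parse --short HEAD)"
          fi
          # ... unchanged: write cluster_name to $GITHUB_OUTPUT ...

      # ... unchanged: Import Secrets step ...

      - name: Add profile credentials to ~/.aws/credentials
        env:
          AWS_ACCESS_KEY: ${{ steps.secrets.outputs.AWS_ACCESS_KEY }}
          AWS_SECRET_KEY: ${{ steps.secrets.outputs.AWS_SECRET_KEY }}
        run: |
          aws configure set aws_access_key_id "$AWS_ACCESS_KEY" --profile "$AWS_PROFILE"
          aws configure set aws_secret_access_key "$AWS_SECRET_KEY" --profile "$AWS_PROFILE"
          aws configure set region "$TESTS_AWS_REGION" --profile "$AWS_PROFILE"
```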
@@ -1,42 +1,42 @@ --- # Configuration documentation https://terraform-docs.io/user-guide/configuration/ -formatter: "markdown table" # Required -version: "" # version is managed by asdf +formatter: markdown table # Required +version: '' # version is managed by asdf header-from: main.tf -footer-from: "" +footer-from: '' recursive: - enabled: false + enabled: false content: |- - {{ .Modules }} - {{ .Resources }} - {{ .Inputs }} - {{ .Outputs }} + {{ .Modules }} + {{ .Resources }} + {{ .Inputs }} + {{ .Outputs }} sections: - hide: [] - show: [] + hide: [] + show: [] output-values: - enabled: false - from: "" + enabled: false + from: '' sort: - enabled: true - by: name + enabled: true + by: name settings: - anchor: true - color: true - default: true - description: true - escape: true - hide-empty: false - html: true - indent: 2 - lockfile: false - read-comments: true - required: true - sensitive: true - type: true + anchor: true + color: true + default: true + description: true + escape: true + hide-empty: false + html: true + indent: 2 + lockfile: false + read-comments: true + required: true + sensitive: true + type: true