OPSEXP-2382 Add reusable terraform workflow to manage EKS clusters

.github/workflows/terraform-eks.yml

@@ -0,0 +1,128 @@
+name: "Terraform"
+
+on:
+  workflow_call:
+    inputs:
+      terraform_root_path:
+        description: the path to the root module to apply
+        type: string
+        required: false
+        default: .
+    secrets:
+      AWS_ACCESS_KEY_ID:
+        required: true
+      AWS_SECRET_ACCESS_KEY:
+        required: true
+      BOT_GITHUB_TOKEN:
+        required: false
+      DOCKER_USERNAME:
+        required: false
+      DOCKER_PASSWORD:
+        required: false
+      RANCHER2_ACCESS_KEY:
+        required: false
+      RANCHER2_SECRET_KEY:
+        required: false
+
+jobs:
+  compute_basic_vars:
+    name: compute basic variables
+    runs-on: ubuntu-latest
+    steps:
+      - name: Evaluate branch name
+        id: basic_vars
+        run: |
+          BRANCH_NAME=${{ github.base_ref || github.ref_name }}
+          BRANCH_LOWER=${BRANCH_NAME,,}
+          if [ "$BRANCH_LOWER" == "main" ]; then
+            environment="production"
+          elif [ "$BRANCH_LOWER" == "develop" ]; then
+            environment="develop"
+          else
+            echo "$BRANCH_LOWER doesn't have a matching environment"
+            exit 1
+          fi
+          echo "environment_name=${environment}" >> $GITHUB_OUTPUT
+    outputs:
+      environment_name: ${{ steps.basic_vars.outputs.environment_name }}
+
+  terraform:
+    runs-on: ubuntu-latest
+    needs:
+      - compute_basic_vars
+    environment: ${{ needs.compute_basic_vars.outputs.environment_name }}
+    concurrency:
+      group: ${{ needs.compute_basic_vars.outputs.environment_name }}
+      cancel-in-progress: false
+    env:
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      AWS_DEFAULT_REGION: ${{ vars.AWS_DEFAULT_REGION }}
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      RANCHER2_ACCESS_KEY: ${{ secrets.RANCHER2_ACCESS_KEY }}
+      RANCHER2_SECRET_KEY: ${{ secrets.RANCHER2_SECRET_KEY }}
+      RANCHER2_URL: ${{ vars.RANCHER2_URL }}
+      RESOURCE_NAME: ${{ vars.RESOURCE_NAME }}
+      TERRAFORM_HTTP_CREDENTIALS: |
+        github.com/Alfresco=alfresco-build:${{ secrets.BOT_GITHUB_TOKEN }}
+      TERRAFORM_PRE_RUN: |
+        if [ ! -x ./aws/install ]; then
+          curl -sSf https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip -o awscliv2.zip
+          unzip -q awscliv2.zip
+        fi
+        ./aws/install
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Load environment variables from yml
+        uses: Alfresco/alfresco-build-tools/.github/actions/env-load-from-yaml@v5.0.0
+        with:
+          yml_path: ${{ inputs.terraform_root_path }}/tfenv.yml
+
+      - name: Check vars requirements
+        run: |
+          if [ -z "${{ vars.RESOURCE_NAME }}" ]; then
+            echo "RESOURCE_NAME must be set in the vars context to provide a unique identifier"
+            exit 1
+          fi
+          if [ -z "${{ vars.TERRAFORM_STATE_BUCKET }}" ]; then
+            echo "TERRAFORM_STATE_BUCKET must be set in the vars context"
+            exit 1
+          fi
+
+      - name: Terraform validate
+        uses: dflook/terraform-validate@433dd249ad921c19245cf361c67a57f485e2ae0b # v1.36.2
+        with:
+          path: ${{ inputs.terraform_root_path }}
+          backend_config: |
+            bucket=${{ vars.TERRAFORM_STATE_BUCKET }}
+            key=${{ vars.RESOURCE_NAME }}/${{ inputs.terraform_root_path }}/terraform.tfstate
+
+      - name: Terraform plan
+        uses: dflook/terraform-plan@e047f3fa83b945d582e0b468f4ef3c22c03e070d # v1.36.2
+        if: github.event_name == 'pull_request'
+        with:
+          label: ${{ vars.RESOURCE_NAME }} ${{ inputs.terraform_root_path }}
+          path: ${{ inputs.terraform_root_path }}
+          var_file: |
+            ${{ inputs.terraform_root_path }}/common.tfvars
+            ${{ inputs.terraform_root_path }}/${{ needs.compute_basic_vars.outputs.environment_name }}.tfvars
+          backend_config: |
+            bucket=${{ vars.TERRAFORM_STATE_BUCKET }}
+            key=${{ vars.RESOURCE_NAME }}/${{ inputs.terraform_root_path }}/terraform.tfstate
+
+      - name: Terraform apply
+        uses: dflook/terraform-apply@7a56cfb68f437341062f41afca87c71fc5b4bd5f # v1.36.2
+        if: github.event_name == 'push'
+        with:
+          label: ${{ vars.RESOURCE_NAME }} ${{ inputs.terraform_root_path }}
+          path: ${{ inputs.terraform_root_path }}
+          var_file: |
+            ${{ inputs.terraform_root_path }}/common.tfvars
+            ${{ inputs.terraform_root_path }}/${{ needs.compute_basic_vars.outputs.environment_name }}.tfvars
+          backend_config: |
+            bucket=${{ vars.TERRAFORM_STATE_BUCKET }}
+            key=${{ vars.RESOURCE_NAME }}/${{ inputs.terraform_root_path }}/terraform.tfstate

docs/README.md

@@ -77,8 +77,10 @@ Here follows the list of GitHub Actions topics available in the current document
     - [update-project-base-tag](#update-project-base-tag)
     - [validate-maven-versions](#validate-maven-versions)
     - [veracode](#veracode)
+    - [github cache cleanup](#github-cache-cleanup)
   - [Reusable workflows provided by us](#reusable-workflows-provided-by-us)
     - [helm-publish-new-package-version.yml](#helm-publish-new-package-versionyml)
+    - [terraform-eks](#terraform-eks)
   - [Cookbook](#cookbook)
     - [Conditional job/step depending on PR labels](#conditional-jobstep-depending-on-pr-labels)
     - [Serialize pull request builds](#serialize-pull-request-builds)
@@ -1323,6 +1325,61 @@ Calculates the new alpha version, creates new git tag and publishes the new pack
     secrets: inherit
 ```
 
+### terraform-eks
+
+Reusable workflow which implement an opinionated workflow to manage EKS clusters
+reusing [dflook/terraform-github-actions](https://github.com/dflook/terraform-github-actions),
+optionally allowing a multi-state approach for managing resources.
+
+Assume having a GitHub environment named `production` when executing on the
+`main` branch, and a `develop` GitHub environment named `develop` when executing
+on the `develop` branch.
+
+GitHub environments must be configured with the following variables:
+
+- AWS_DEFAULT_REGION: where the aws resources will be created
+- RANCHER2_URL (optional): automatically register cluster on this rancher instance
+- RESOURCE_NAME: used to namespace every resource created, e.g. the cluster name
+- TERRAFORM_STATE_BUCKET: the name of the S3 bucket where to store the terraform state
+
+and the following secrets:
+
+- AWS_ACCESS_KEY_ID: AWS credentials
+- AWS_SECRET_ACCESS_KEY: AWS credentials
+- BOT_GITHUB_TOKEN (to access private terraform module of the Alfresco org)
+- DOCKER_USERNAME (optional): Docker Hub credentials
+- DOCKER_PASSWORD (optional): Docker Hub credentials
+- RANCHER2_ACCESS_KEY (optional): automatically register cluster on your rancher instance
+- RANCHER2_SECRET_KEY (optional): automatically register cluster on your rancher instance
+
+```yaml
+name: "terraform"
+
+on:
+  pull_request:
+    branches:
+      - main
+      - develop
+  push:
+    branches:
+      - main
+      - develop
+  workflow_dispatch:
+
+jobs:
+  invoke-terraform-infra:
+    uses: Alfresco/alfresco-build-tools/.github/workflows/terraform-eks.yml@ref
+    with:
+      terraform_root_path: infra
+    secrets: inherit
+  invoke-terraform-k8s:
+    needs: invoke-terraform-infra
+    uses: Alfresco/alfresco-build-tools/.github/workflows/terraform-eks.yml@ref
+    with:
+      terraform_root_path: k8s
+    secrets: inherit
+```
+
 ## Cookbook
 
 This section contains a list of recipes and common patterns organized by desired

version.txt

@@ -1 +1 @@
-v5.0.1
+v5.1.0