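---
# Terraform CI/CD for the configuration under terraform/.
#
# Jobs:
#   validate — fmt check, init, validate (every push/PR touching terraform/)
#   plan     — terraform plan; on pull_request the plan text is posted as a
#              PR comment
#   apply    — terraform apply, only for pushes to main, gated by the
#              `production` environment
#
# Secrets consumed: HCLOUD_TOKEN, S3_ACCESS_KEY, S3_SECRET_KEY, S3_ENDPOINT,
# S3_BUCKET, SSH_PUBLIC_KEY, SSH_PRIVATE_KEY.
name: Terraform

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
    paths:
      - 'terraform/**'
      - '.gitea/workflows/terraform.yml'
  pull_request:
    branches:
      - main
    paths:
      - 'terraform/**'
      - '.gitea/workflows/terraform.yml'

env:
  TF_VERSION: "1.7.0"
  # Suppresses interactive "next steps" hints in CLI output only.
  TF_IN_AUTOMATION: "true"
  # Root-module input variables. Secrets are delivered as TF_VAR_* environment
  # variables rather than -var="..." arguments so that they never appear on a
  # process command line (`ps`, runner debug output) and are not subject to
  # shell interpretation of the secret's own contents (quotes, `$`, newlines
  # in a PEM key).
  TF_VAR_hcloud_token: ${{ secrets.HCLOUD_TOKEN }}
  TF_VAR_s3_access_key: ${{ secrets.S3_ACCESS_KEY }}
  TF_VAR_s3_secret_key: ${{ secrets.S3_SECRET_KEY }}
  TF_VAR_ssh_public_key: ${{ secrets.SSH_PUBLIC_KEY }}
  TF_VAR_ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY }}
  # State-backend credentials. The s3 backend reads the standard AWS SDK
  # variables, which replaces the former
  # -backend-config="access_key=…" / "secret_key=…" command-line arguments.
  AWS_ACCESS_KEY_ID: ${{ secrets.S3_ACCESS_KEY }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets.S3_SECRET_KEY }}

jobs:
  validate:
    name: Validate
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ env.TF_VERSION }}

      - name: Terraform Format Check
        working-directory: terraform
        run: terraform fmt -check -recursive

      # Only the non-secret backend settings are passed on the command line.
      # `endpoint` is deprecated in Terraform >= 1.6 in favour of the
      # `endpoints { s3 = … }` form; it still works on 1.7.0 with a warning.
      - name: Terraform Init
        working-directory: terraform
        run: |
          terraform init -input=false \
            -backend-config="endpoint=${{ secrets.S3_ENDPOINT }}" \
            -backend-config="bucket=${{ secrets.S3_BUCKET }}" \
            -backend-config="region=auto"

      - name: Terraform Validate
        working-directory: terraform
        run: terraform validate

  # NOTE(review): this job runs with the real provider and backend credentials
  # on pull_request. Any change under terraform/ can execute provider and
  # data-source code with those credentials, so PR authorship should be limited
  # to trusted collaborators (or this job moved behind an environment with
  # required reviewers).
  plan:
    name: Plan
    runs-on: ubuntu-latest
    needs: validate
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ env.TF_VERSION }}

      - name: Terraform Init
        working-directory: terraform
        run: |
          terraform init -input=false \
            -backend-config="endpoint=${{ secrets.S3_ENDPOINT }}" \
            -backend-config="bucket=${{ secrets.S3_BUCKET }}" \
            -backend-config="region=auto"

      - name: Terraform Plan
        id: plan
        working-directory: terraform
        # -no-color keeps the captured stdout clean for the PR comment.
        # -out=tfplan is written but not consumed by the apply job (see there).
        run: terraform plan -input=false -out=tfplan -no-color
        # Let the comment step run even when the plan fails; the job is then
        # failed explicitly by the last step.
        continue-on-error: true

      # The plan text is handed to the script through an environment variable
      # instead of being expanded inside the JS source: expanding ${{ … }}
      # directly into a template literal lets plan output that contains
      # backticks or `${` break or alter the script.
      - name: Post Plan to PR
        if: github.event_name == 'pull_request'
        uses: actions/github-script@v7
        env:
          PLAN: ${{ steps.plan.outputs.stdout }}
        with:
          script: |
            const output = [
              '#### Terraform Plan',
              '```',
              process.env.PLAN,
              '```',
            ].join('\n');
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: output,
            });

      - name: Fail if plan failed
        if: steps.plan.outcome == 'failure'
        run: exit 1

  apply:
    name: Apply
    runs-on: ubuntu-latest
    needs: plan
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    # The production environment is the only approval gate before apply.
    environment: production
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ env.TF_VERSION }}

      - name: Terraform Init
        working-directory: terraform
        run: |
          terraform init -input=false \
            -backend-config="endpoint=${{ secrets.S3_ENDPOINT }}" \
            -backend-config="bucket=${{ secrets.S3_BUCKET }}" \
            -backend-config="region=auto"

      # NOTE: this re-plans from the checked-out commit rather than applying
      # the tfplan file produced by the plan job, so the plan that was reviewed
      # is not guaranteed to be the one applied (drift between the two runs is
      # applied without review).
      - name: Terraform Apply
        working-directory: terraform
        run: terraform apply -input=false -auto-approve

      - name: Save Terraform Outputs
        working-directory: terraform
        # ../outputs may not exist in a fresh checkout; without it the
        # redirection fails and the job errors after a successful apply.
        # `terraform output -json` emits sensitive outputs unredacted, so the
        # artifact below holds them in plaintext if the root module declares
        # any sensitive outputs.
        run: |
          mkdir -p ../outputs
          terraform output -json > ../outputs/terraform_outputs.json

      - name: Upload Outputs
        uses: actions/upload-artifact@v4
        with:
          name: terraform-outputs
          path: outputs/terraform_outputs.json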