name: Terraform Apply on: push: branches: - master concurrency: group: terraform-global cancel-in-progress: false jobs: terraform: name: "Terraform Apply" runs-on: ubuntu-latest steps: - name: Checkout repository uses: https://gitea.com/actions/checkout@v4 - name: Create secrets.tfvars working-directory: terraform run: | cat > secrets.auto.tfvars << EOF pm_api_token_secret = "${{ secrets.PM_API_TOKEN_SECRET }}" SSH_KEY_PUBLIC = "$(printf '%s' "${{ secrets.SSH_KEY_PUBLIC }}" | tr -d '\r\n')" EOF cat > backend.hcl << EOF bucket = "${{ secrets.B2_TF_BUCKET }}" key = "terraform.tfstate" region = "us-east-005" endpoints = { s3 = "${{ secrets.B2_TF_ENDPOINT }}" } access_key = "$(printf '%s' "${{ secrets.B2_KEY_ID }}" | tr -d '\r\n')" secret_key = "$(printf '%s' "${{ secrets.B2_APPLICATION_KEY }}" | tr -d '\r\n')" skip_credentials_validation = true skip_metadata_api_check = true skip_region_validation = true skip_requesting_account_id = true use_path_style = true EOF - name: Set up Terraform uses: hashicorp/setup-terraform@v2 with: terraform_version: 1.6.6 terraform_wrapper: false - name: Terraform Init working-directory: terraform run: terraform init -reconfigure -backend-config=backend.hcl - name: Terraform Plan working-directory: terraform run: terraform plan -out=tfplan - name: Block accidental destroy env: ALLOW_TF_DESTROY: ${{ secrets.ALLOW_TF_DESTROY }} working-directory: terraform run: | terraform show -json -no-color tfplan > tfplan.json DESTROY_COUNT=$(python3 -c 'import json; raw=open("tfplan.json","rb").read().decode("utf-8","ignore"); start=raw.find("{"); data=json.JSONDecoder().raw_decode(raw[start:])[0]; print(sum(1 for rc in data.get("resource_changes", []) if "delete" in rc.get("change", {}).get("actions", [])))') echo "Planned deletes: $DESTROY_COUNT" if [ "$DESTROY_COUNT" -gt 0 ] && [ "${ALLOW_TF_DESTROY}" != "true" ]; then echo "Destroy actions detected. Set ALLOW_TF_DESTROY=true to allow." exit 1 fi - name: Terraform Apply working-directory: terraform run: terraform apply -auto-approve tfplan