Split production and staging validation

cal-itp · Feb 19, 2025 · bb90772 · bb90772
1 parent 7c8cd54
commit bb90772
Show file tree

Hide file tree

Showing 8 changed files with 393 additions and 146 deletions.
diff --git a/.github/workflows/terraform-validation.yml b/.github/workflows/terraform-validation.yml
@@ -9,16 +9,64 @@ jobs:
   targets:
     runs-on: ubuntu-latest
     outputs:
-      paths: ${{ steps.ls.outputs.paths }}
+      staging: ${{ steps.staging.outputs.paths }}
+      production: ${{ steps.production.outputs.paths }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Discover Terraform targets
-        id: ls
-        run: echo "paths=$(ls -d iac/*/*/* | jq --raw-input --slurp --compact-output 'split("\n")[:-1]')" >> ${GITHUB_OUTPUT}
+      - name: Staging Terraform targets
+        id: staging
+        run: echo "paths=$(find iac -name 'provider.tf' | grep cal-itp-data-infra-staging/ | xargs dirname | jq --raw-input --slurp --compact-output 'split("\n")[:-1]')" >> ${GITHUB_OUTPUT}
 
-  validate:
+      - name: Production Terraform targets
+        id: production
+        run: echo "paths=$(find iac -name 'provider.tf' | grep cal-itp-data-infra/ | xargs dirname | jq --raw-input --slurp --compact-output 'split("\n")[:-1]')" >> ${GITHUB_OUTPUT}
+
+  staging:
+    needs: targets
+
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+
+    strategy:
+      fail-fast: false
+      matrix:
+        path: ${{ fromJson(needs.targets.outputs.staging) }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - uses: 'google-github-actions/auth@v2'
+        with:
+          project_id: cal-itp-data-infra-staging
+          workload_identity_provider: 'projects/473674835135/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
+
+      - uses: google-github-actions/setup-gcloud@v2
+
+      - name: Terraform Formatting
+        uses: dflook/terraform-fmt-check@v1
+        with:
+          path: ${{ matrix.path }}
+
+      - name: Terraform Validation
+        uses: dflook/terraform-validate@v1
+        with:
+          path: ${{ matrix.path }}
+
+      - name: Terraform Plan
+        uses: dflook/terraform-plan@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          add_github_comment: changes-only
+          path: ${{ matrix.path }}
+
+  production:
     needs: targets
 
     runs-on: ubuntu-latest
@@ -30,15 +78,15 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        path: ${{ fromJson(needs.targets.outputs.paths) }}
+        path: ${{ fromJson(needs.targets.outputs.production) }}
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
       - uses: 'google-github-actions/auth@v2'
         with:
-          project_id: 'cal-itp-data-infra'
+          project_id: cal-itp-data-infra
           workload_identity_provider: 'projects/1005246706141/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
 
       - uses: google-github-actions/setup-gcloud@v2

diff --git a/iac/.gitignore b/iac/.gitignore
@@ -1,4 +1,5 @@
 .terraform/
 .terraform.tfstate.*.backup
+terraform.tfstate.backup
 /.terraform.lock.hcl
 /provider.tf
diff --git a/iac/cal-itp-data-infra-staging/iam/us/iam_worklkoad_identity.tf b/iac/cal-itp-data-infra-staging/iam/us/iam_worklkoad_identity.tf
@@ -0,0 +1,26 @@
+resource "google_iam_workload_identity_pool" "github-actions--pool" {
+  workload_identity_pool_id = "github-actions-pool"
+}
+
+resource "google_iam_workload_identity_pool_provider" "github-actions--provider" {
+  workload_identity_pool_id          = google_iam_workload_identity_pool.github-actions--pool.workload_identity_pool_id
+  workload_identity_pool_provider_id = "github-actions-provider"
+  attribute_mapping = {
+    "google.subject"       = "assertion.sub"
+    "attribute.actor"      = "assertion.actor"
+    "attribute.aud"        = "assertion.aud"
+    "attribute.repository" = "assertion.repository"
+  }
+  attribute_condition = <<EOT
+    attribute.repository == "cal-itp/data-infra"
+  EOT
+  oidc {
+    issuer_uri = "https://token.actions.githubusercontent.com"
+  }
+}
+
+resource "google_service_account_iam_member" "github-actions--service-account" {
+  service_account_id = google_service_account.tfer--terraform.id
+  role               = "roles/iam.workloadIdentityUser"
+  member             = "principalSet://iam.googleapis.com/projects/473674835135/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.github-actions--pool.workload_identity_pool_id}/attribute.repository/cal-itp/data-infra"
+}
diff --git a/iac/cal-itp-data-infra-staging/iam/us/service_account.tf b/iac/cal-itp-data-infra-staging/iam/us/service_account.tf
@@ -25,3 +25,11 @@ resource "google_service_account" "tfer--111881979116192190399" {
   display_name = "metabase"
   project      = "cal-itp-data-infra-staging"
 }
+
+resource "google_service_account" "tfer--terraform" {
+  account_id   = "github-actions-terraform"
+  description  = "Service account for Github Actions to run Terraform"
+  disabled     = "false"
+  display_name = "Terraform"
+  project      = "cal-itp-data-infra-staging"
+}