Skip to content

Workflow file for this run

name: Pipelines
run-name: Run Gruntwork Pipelines
on:
workflow_call:
inputs:
# This field can be overriden to customize the runner used for pipelines
# workflows.
#
# IMPORTANT: To use self-hosted runners this workflow must be hosted in
# the same GitHub organization as your infra-live repository.
# See https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-self-hosted-runners
#
# The value must be an escaped JSON string that will be decoded to the
# jobs.runs-on field
# See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on
#
# For example:
# - A simple github runner: "\"ubuntu-22.04\""
# - A list of labels: "[\"self-hosted\", \"linux\"]"
# - A map: "{group: \"ubuntu-runners\", labels: \"ubuntu-20.04-16core\"}"
runner:
type: string
default: "\"ubuntu-latest\""
secrets:
PIPELINES_READ_TOKEN:
required: true
INFRA_ROOT_WRITE_TOKEN:
required: true
ORG_REPO_ADMIN_TOKEN:
required: false
env:
PIPELINES_CLI_VERSION: v0.21.0
PIPELINES_ACTIONS_VERSION: 2024-07-19_get-job-id
BOILERPLATE_VERSION: v0.5.16
GRUNTWORK_INSTALLER_VERSION: v0.0.40
jobs:
pipelines_orchestrate:
name: Detect Infrastructure Changes
runs-on: ${{ fromJSON(inputs.runner) }}
steps:
- name: Checkout Pipelines Actions
uses: actions/checkout@v4
with:
path: pipelines-actions
repository: gruntwork-io/pipelines-actions
ref: ${{ env.PIPELINES_ACTIONS_VERSION }}
token: ${{ secrets.PIPELINES_READ_TOKEN }}
- name: Check out repo code
uses: actions/checkout@v4
with:
path: infra-live-repo
fetch-depth: 0
- name: Preflight Checks
uses: ./pipelines-actions/.github/actions/pipelines-preflight-action
with:
PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
- name: Pipelines Orchestrate
id: orchestrate
uses: ./pipelines-actions/.github/actions/pipelines-orchestrate
with:
token: ${{ secrets.PIPELINES_READ_TOKEN }}
outputs:
pipelines_jobs: ${{ steps.orchestrate.outputs.jobs }}
pipelines_execute:
env:
JOB_NAME: ${{ contains(matrix.jobs.Action.Command, 'plan') && 'Plan' || 'Apply' }} - ${{ matrix.jobs.ChangeType }} - ${{ matrix.jobs.WorkingDirectory }}
name: ${{ contains(matrix.jobs.Action.Command, 'plan') && 'Plan' || 'Apply' }} - ${{ matrix.jobs.ChangeType }} - ${{ matrix.jobs.WorkingDirectory }}
needs: [pipelines_orchestrate]
runs-on: ${{ fromJSON(inputs.runner) }}
# GHA can't check for length, so we just check if there is an item in the 0 index
if: fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0] != null
strategy:
fail-fast: false
matrix:
jobs: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs) }}
steps:
- name: Checkout Pipelines Actions
uses: actions/checkout@v4
with:
path: pipelines-actions
repository: gruntwork-io/pipelines-actions
ref: ${{ env.PIPELINES_ACTIONS_VERSION }}
token: ${{ secrets.PIPELINES_READ_TOKEN }}
- name: Check out repo code
uses: actions/checkout@v4
with:
path: infra-live-repo
fetch-depth: 0
- name: Bootstrap Workflow
id: gruntwork_context
uses: ./pipelines-actions/.github/actions/pipelines-bootstrap
with:
token: ${{ secrets.PIPELINES_READ_TOKEN }}
change_type: ${{ matrix.jobs.ChangeType }}
branch: ${{ matrix.jobs.Ref }}
working_directory: ${{ matrix.jobs.WorkingDirectory }}
account_id: ${{ matrix.jobs.AccountId }}
terragrunt_command: ${{ matrix.jobs.Action.Command }} ${{ matrix.jobs.Action.Args }}
additional_data: ${{ toJson(matrix.jobs.AdditionalData) }}
child_account_id: ${{ matrix.jobs.AdditionalData.ChildAccountId }}
account_names: ${{ matrix.jobs.AdditionalData.AccountNames }}
# TODO: This should be "first_new_account_name".
new_account_name: ${{ matrix.jobs.NewAccounts[0].Name }}
# To learn more about customizing Pipelines see our documentation at https://docs.gruntwork.io/pipelines/maintain/extending/
- name: "[Baseline]: Pre Provision New Account Custom Action"
uses: ./pipelines-actions/.github/custom-actions/pre-provision-new-account
if: ${{ steps.gruntwork_context.outputs.action == 'PROVISION_ACCOUNT' }}
with:
PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
INFRA_ROOT_WRITE_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }}
gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }}
- name: "[ProvisionAccount]: Provision New Account"
id: provision_new_account
if: ${{ steps.gruntwork_context.outputs.action == 'PROVISION_ACCOUNT' }}
uses: ./pipelines-actions/.github/actions/pipelines-provision-account-action
with:
PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
INFRA_ROOT_WRITE_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }}
gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }}
- name: "[Baseline]: Post Provision New Account Custom Action"
uses: ./pipelines-actions/.github/custom-actions/post-provision-new-account
if: ${{ steps.gruntwork_context.outputs.action == 'PROVISION_ACCOUNT' }}
with:
PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
INFRA_ROOT_WRITE_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }}
gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }}
baseline_pull_request_url: ${{ steps.provision_new_account.outputs.pull_request_url }}
- name: "[Baseline]: Pre Baseline Core Account Action"
uses: ./pipelines-actions/.github/custom-actions/pre-baseline-core-accounts
if: steps.gruntwork_context.outputs.action == 'BASELINE_ACCOUNT'
with:
PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }}
# Run the core accounts baselines(shared, logs, security, etc. to ensure the account is setup correctly)
- name: "Run core accounts baselines"
id: core_accounts_baselines
if: steps.gruntwork_context.outputs.action == 'BASELINE_ACCOUNT'
# TODO: Rename this as pipelines-apply-core-baselines or something similar
uses: ./pipelines-actions/.github/actions/pipelines-baseline-account-action
with:
PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }}
- name: "[Baseline]: Post Baseline Core Account Action"
uses: ./pipelines-actions/.github/custom-actions/post-baseline-core-accounts
if: steps.gruntwork_context.outputs.action == 'BASELINE_ACCOUNT'
with:
PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }}
- name: "[TerragruntExecute]: Authenticate with AWS and then Invoke Terragrunt"
id: terragrunt
if: ${{ steps.gruntwork_context.outputs.action == 'TERRAGRUNT_EXECUTE' }}
uses: ./pipelines-actions/.github/actions/pipelines-execute
env:
TERRAGRUNT_AUTH_PROVIDER_CMD: 'pipelines auth terragrunt-credentials --ci github-actions --cloud aws --wd .'
with:
token: ${{ secrets.PIPELINES_READ_TOKEN }}
tf_binary: ${{ steps.gruntwork_context.outputs.tf_binary }}
working_directory: ${{ steps.gruntwork_context.outputs.working_directory }}
terragrunt_command: ${{ steps.gruntwork_context.outputs.terragrunt_command }}
infra_live_repo_branch: ${{ steps.gruntwork_context.outputs.branch }}
gruntwork_config_file: ${{ steps.gruntwork_context.outputs.gruntwork_config_file }}
infra_live_repo: "."
infra_live_directory: "."
deploy_branch_name: ${{ steps.gruntwork_context.outputs.deploy_branch_name }}
- name: Get Logs URL
id: get_logs_url
uses: ./pipelines-actions/.github/actions/pipelines-get-job-logs-url
if: always()
with:
job_name: ${{ env.JOB_NAME }}
step_name_prefix: ${{ steps.gruntwork_context.outputs.action == 'TERRAGRUNT_EXECUTE' && '[TerragruntExecute]: Authenticate with AWS and then Invoke Terragrunt' || (steps.gruntwork_context.outputs.action == 'BASELINE_ACCOUNT' && 'Run core accounts baselines' || '[ProvisionAccount]: Provision New Account') }}

Check failure on line 188 in .github/workflows/pipelines-root.yml

View workflow run for this annotation

GitHub Actions / .github/workflows/pipelines-root.yml

Invalid workflow file

You have an error in your yaml syntax on line 188
- name: Update comment
uses: ./pipelines-actions/.github/actions/pipelines-status-update
if: always()
with:
step_name: ${{ matrix.jobs.ChangeType }}
step_working_directory: ${{ matrix.jobs.WorkingDirectory }}
step_status: ${{ (steps.provision_new_account.conclusion == 'success' || steps.terragrunt.conclusion == 'success' || steps.core_accounts_baselines.conclusion == 'success') && 'success' || 'failed' }}
step_details: ${{ steps.terragrunt.outputs.formatted_plan_output }}
step_details_extended_log: ${{ steps.terragrunt.outputs.execute_stdout_log }}
pull_request_number: ${{ steps.gruntwork_context.outputs.pr_number }}
step_logs_url: ${{ steps.get_logs_url.outputs.step_logs_url }}
outputs:
account_id: ${{ matrix.jobs.AccountId }}
branch: ${{ steps.gruntwork_context.outputs.branch }}
action: ${{ steps.gruntwork_context.outputs.action }}
working_directory: ${{ steps.gruntwork_context.outputs.working_directory }}
terragrunt_command: ${{ steps.gruntwork_context.outputs.terragrunt_command }}
additional_data: ${{ steps.gruntwork_context.outputs.additional_data }}
child_account_id: ${{ steps.gruntwork_context.outputs.child_account_id }}
pr_number: ${{ steps.gruntwork_context.outputs.pr_number }}
delegate_management: ${{ steps.gruntwork_context.outputs.delegate_management }}
pipelines_apply_baselines:
name: Baseline Child Account ${{ contains(matrix.jobs.Action.Command, 'plan') && 'Plan' || 'Apply' }} - ${{ matrix.jobs.Name }} (${{ matrix.jobs.ID }})
needs: [pipelines_orchestrate, pipelines_execute]
runs-on: ${{ fromJSON(inputs.runner) }}
# GHA can't check for length, so we just check if there is an item in the 0 index
if: fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].NewAccounts[0] != null
strategy:
fail-fast: false
matrix:
jobs: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].NewAccounts }}
steps:
- name: Checkout Pipelines Actions
uses: actions/checkout@v4
with:
path: pipelines-actions
repository: gruntwork-io/pipelines-actions
ref: ${{ env.PIPELINES_ACTIONS_VERSION }}
token: ${{ secrets.PIPELINES_READ_TOKEN }}
- name: Check out repo code
uses: actions/checkout@v4
with:
path: infra-live-repo
fetch-depth: 0
- name: Update comment
uses: ./pipelines-actions/.github/actions/pipelines-status-update
with:
step_name: Baseline Child Account ${{ matrix.jobs.Name }}
step_status: "in_progress"
pull_request_number: ${{ needs.pipelines_execute.outputs.pr_number }}
- name: Bootstrap Workflow
id: gruntwork_context
uses: ./pipelines-actions/.github/actions/pipelines-bootstrap
with:
token: ${{ secrets.PIPELINES_READ_TOKEN }}
change_type: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].ChangeType }}
branch: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].Ref }}
working_directory: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].WorkingDirectory }}
account_id: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].AccountId }}
terragrunt_command: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].Action.Command }} ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].Action.Args }}
additional_data: ${{ toJson(fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].AdditionalData) }}
account_names: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].AdditionalData.AccountNames }}
child_account_id: ${{ matrix.jobs.ID }}
new_account_name: ${{ matrix.jobs.Name }}
# To learn more about customizing Pipelines see our documentation at https://docs.gruntwork.io/pipelines/maintain/extending/
- name: "[Baseline]: Pre Baseline Child Account Action"
uses: ./pipelines-actions/.github/custom-actions/pre-baseline-child-account
with:
PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
account_id: ${{ matrix.jobs.ID }}
account_name: ${{ matrix.jobs.Name }}
job: ${{ toJson(fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0]) }}
gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }}
- name: "[Baseline]: Baseline the Child Account"
id: baseline_child_account
uses: ./pipelines-actions/.github/actions/pipelines-baseline-child-account-action
with:
PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
account_id: ${{ matrix.jobs.ID }}
account_name: ${{ matrix.jobs.Name }}
job: ${{ toJson(fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0]) }}
gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }}
- name: "[Baseline]: Post Baseline Child Account Action"
uses: ./pipelines-actions/.github/custom-actions/post-baseline-child-account
with:
PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
account_id: ${{ matrix.jobs.ID }}
account_name: ${{ matrix.jobs.Name }}
job: ${{ toJson(fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0]) }}
gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }}
- name: Update comment
uses: ./pipelines-actions/.github/actions/pipelines-status-update
if: always()
with:
step_name: Baseline Child Account ${{ matrix.jobs.Name }}
step_status: ${{ steps.baseline_child_account.conclusion == 'success' && 'success' || 'failed' }}
step_details: ${{ steps.baseline_child_account.outputs.formatted_plan_output || 'Check the logs for more details.' }}
step_details_extended_log: ${{ steps.baseline_child_account.outputs.execute_stdout_log }}
pull_request_number: ${{ needs.pipelines_execute.outputs.pr_number }}
pipelines_setup_delegated_repo:
name: "Setup Delegated Repo"
needs: [pipelines_orchestrate, pipelines_apply_baselines, pipelines_execute]
runs-on: ${{ fromJSON(inputs.runner) }}
# GHA can't check for length, so we just check if there is an item in the 0 index
if: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].NewAccounts[0] != null && needs.pipelines_execute.outputs.delegate_management == 'true' && needs.pipelines_execute.outputs.terragrunt_command == 'run-all apply' }}
steps:
- name: Checkout Pipelines Actions
uses: actions/checkout@v4
with:
path: pipelines-actions
repository: gruntwork-io/pipelines-actions
ref: ${{ env.PIPELINES_ACTIONS_VERSION }}
token: ${{ secrets.PIPELINES_READ_TOKEN }}
- name: Check out repo code
uses: actions/checkout@v4
with:
path: infra-live-repo
fetch-depth: 0
- name: Bootstrap Workflow
id: gruntwork_context
uses: ./pipelines-actions/.github/actions/pipelines-bootstrap
with:
token: ${{ secrets.PIPELINES_READ_TOKEN }}
change_type: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].ChangeType }}
branch: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].Ref }}
working_directory: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].WorkingDirectory }}
account_id: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].AccountId }}
terragrunt_command: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].Action.Command }} ${{ needs.pipelines_orchestrate.outputs.pipelines_jobs[0].Action.Args }}
additional_data: ${{ toJson(fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].AdditionalData) }}
child_account_id: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].AdditionalData.ChildAccountId }}
account_names: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].AdditionalData.AccountNames }}
# This is just to help bootstrap find one of the (possibly several) new account request files
# Inside those files is some shared config that we need to setup access control such as
# the delegated_repo_name (which is the same in all the new request files)
new_account_name: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].NewAccounts[0].Name }}
- name: "Create Access Control PR"
id: access_control_pr
uses: ./pipelines-actions/.github/actions/pipelines-provision-access-control-action
with:
gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }}
PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
ORG_REPO_ADMIN_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }}
- name: "Create and bootstrap delegated Repo"
id: provision_delegated_repo
uses: ./pipelines-actions/.github/actions/pipelines-provision-repo-action
with:
gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }}
access_control_pull_request_url: ${{ steps.access_control_pr.outputs.pull_request_url }}
PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
ORG_REPO_ADMIN_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }}
# To learn more about customizing Pipelines see our documentation at https://docs.gruntwork.io/pipelines/maintain/extending/
- name: "Post create delegated repo custom actions"
uses: ./pipelines-actions/.github/custom-actions/post-create-delegated-repo
with:
gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }}
access_control_pull_request_url: ${{ steps.access_control_pr.outputs.pull_request_url }}
PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
ORG_REPO_ADMIN_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }}
delegated_repo_pull_request_url: ${{ steps.provision_delegated_repo.outputs.pull_request_url }}