fix: reorganize plan + add apply and indepotency tests (#10)

PaloAltoNetworks · Oct 11, 2022 · ca4cc59 · ca4cc59
1 parent d938f5d
commit ca4cc59
Show file tree

Hide file tree

Showing 3 changed files with 153 additions and 70 deletions.
diff --git a/.github/workflows/_tf_plan_apply.yml b/.github/workflows/_tf_plan_apply.yml
@@ -18,10 +18,18 @@ on:
         description: Path to module that will be tested, a space delimited list of relative paths
         type: string
         required: true
-      action:
-        description: The action to run on module, either `plan` or `apply`
-        type: string
-        required: true
+      do_apply:
+        description: When set to true runs also apply
+        type: boolean
+        default: false
+      indepotency:
+        description: When set to true runs plan to on already applied configuration
+        type: boolean
+        default: true
+      max_parallel:
+        description: Maximum parallel jobs in matrix strategy
+        type: number
+        default: 10
     secrets:
       client_id:
         required: true
@@ -44,14 +52,15 @@ jobs:
           echo "::set-output name=paths::$(echo -n "${{ inputs.paths }}" | jq -R -s -c 'split(",")')"
           echo "::set-output name=tf_versions::$(echo "${{ inputs.tf_version }} " | jq -R -s -c 'split(" ")[:-1]')"
         
-  action:
+  terraform:
     needs: [prerequisites]
     name: '${{ matrix.path }}@${{ matrix.tf_version }}'
     permissions:
       contents: read
       id-token: write
     runs-on: ubuntu-latest
     strategy:
+      max-parallel: ${{ inputs.max_parallel }}
       matrix:
         tf_version: ${{ fromJson(needs.prerequisites.outputs.tf_versions) }}
         path: ${{ fromJson(needs.prerequisites.outputs.paths) }}
@@ -64,13 +73,61 @@ jobs:
         with:
           terraform_version: ${{ matrix.tf_version }}
 
-      - name: run ${{ inputs.action }} for ${{ matrix.path }}
+      - name: set UUID value
+        id: uuid
+        run: echo "::set-output name=uuid::$(uuidgen | tr '[:upper:]' '[:lower:]')"
+
+      - name: login to Azure
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.client_id }}
+          tenant-id: ${{ secrets.tenant }}
+          subscription-id: ${{ secrets.subscirption }}
+
+      - name: run plan for ${{ matrix.path }}
+        id: plan
+        env:
+          ARM_CLIENT_ID: ${{ secrets.client_id }}
+          ARM_SUBSCRIPTION_ID: ${{ secrets.subscirption }}
+          ARM_TENANT_ID: ${{ secrets.tenant }}
+          ARM_USE_OIDC: true
+          UUID: ${{ steps.uuid.outputs.uuid }}
+        run: |
+          cd "$GITHUB_WORKSPACE"/${{ matrix.path }}
+          make plan_file
+
+      - name: run apply for ${{ matrix.path }}
+        if: inputs.do_apply
+        env:
+          ARM_CLIENT_ID: ${{ secrets.client_id }}
+          ARM_SUBSCRIPTION_ID: ${{ secrets.subscirption }}
+          ARM_TENANT_ID: ${{ secrets.tenant }}
+          ARM_USE_OIDC: true
+          UUID: ${{ steps.uuid.outputs.uuid }}
+        run: |
+          cd "$GITHUB_WORKSPACE"/${{ matrix.path }}
+          make apply_file
+
+      - name: test indepotency for ${{ matrix.path }}
+        if: inputs.do_apply && inputs.indepotency
+        env:
+          ARM_CLIENT_ID: ${{ secrets.client_id }}
+          ARM_SUBSCRIPTION_ID: ${{ secrets.subscirption }}
+          ARM_TENANT_ID: ${{ secrets.tenant }}
+          ARM_USE_OIDC: true
+          UUID: ${{ steps.uuid.outputs.uuid }}
+        run: |
+          cd "$GITHUB_WORKSPACE"/${{ matrix.path }}
+          make indepotency
+
+      - name: run destroy on ${{ matrix.path }}
+        if: inputs.do_apply && always()
         env:
           ARM_CLIENT_ID: ${{ secrets.client_id }}
           ARM_SUBSCRIPTION_ID: ${{ secrets.subscirption }}
           ARM_TENANT_ID: ${{ secrets.tenant }}
           ARM_USE_OIDC: true
-          ACTION: ${{ inputs.action }}
+          UUID: ${{ steps.uuid.outputs.uuid }}
         run: |
           cd "$GITHUB_WORKSPACE"/${{ matrix.path }}
-          make "$ACTION"
+          make destroy
diff --git a/.github/workflows/pr_ci.yml b/.github/workflows/pr_ci.yml
@@ -5,6 +5,23 @@ permissions:
 
 on:
   workflow_call:
+    inputs:
+      do_apply:
+        description: When set to true runs also apply
+        type: boolean
+        default: false
+      indepotency:
+        description: When set to true runs plan to on already applied configuration
+        type: boolean
+        default: true
+      max_parallel:
+        description: Maximum parallel jobs in matrix strategy
+        type: number
+        default: 10
+      tf_version:
+        description: A space delimited list of TF versions used to run the code with
+        type: string
+        default: latest
     secrets:
       client_id:
         required: true
@@ -14,7 +31,7 @@ on:
         required: true
 
 jobs:
-  pre-commit:
+  pre_commit:
     name: Pre-Commit
     uses: ./.github/workflows/_pre_commit.yml
 
@@ -38,7 +55,7 @@ jobs:
 
       - name: get diff with base branch
         id: diff
-        uses: tj-actions/changed-files@v31
+        uses: tj-actions/changed-files@v32
         with:
           separator: "\n"
           files: |
@@ -76,22 +93,26 @@ jobs:
     if: ${{ needs.tf_prereqs.outputs.validate_paths != '' }}
     uses: ./.github/workflows/_tf_validate.yml
     with:
-      tf_version: 0.15 1.0 1.1 1.2 1.3
+      tf_version: ${{ inputs.tf_version }}
       paths: ${{ needs.tf_prereqs.outputs.validate_paths }}
 
 
-  plan:
+  plan_apply:
     name: run plan changed examples and dependencies
-    needs: [tf_prereqs]
+    needs: 
+      - tf_prereqs
+      - validate
     if: ${{ needs.tf_prereqs.outputs.plan_paths != '' }}
     uses: ./.github/workflows/_tf_plan_apply.yml
     permissions:
       contents: read
       id-token: write
     with:
-      tf_version: 0.15 1.0 1.1 1.2 1.3
+      tf_version: ${{ inputs.tf_version }}
       paths: ${{ needs.tf_prereqs.outputs.plan_paths }}
-      action: "plan"
+      do_apply: ${{ inputs.do_apply }}
+      indepotency: ${{ inputs.indepotency }}
+      max_parallel: ${{ inputs.max_parallel }}
     secrets:
       client_id: ${{ secrets.client_id }}
       subscirption: ${{ secrets.subscirption }}
@@ -102,9 +123,9 @@ jobs:
     name: junction point for branch protection
     needs:
       - validate
-      - pre-commit
+      - pre_commit
       - checkov
-      - plan
+      - plan_apply
     if: always()
     permissions:
       actions: read

diff --git a/.github/workflows/release_ci.yml b/.github/workflows/release_ci.yml
@@ -5,6 +5,30 @@ permissions:
 
 on:
   workflow_call:
+    inputs:
+      do_apply:
+        description: When set to true runs also apply
+        type: boolean
+        default: false
+      indepotency:
+        description: When set to true runs plan to on already applied configuration
+        type: boolean
+        default: true
+      max_parallel:
+        description: Maximum parallel jobs in matrix strategy
+        type: number
+        default: 10
+      tf_version:
+        description: A space delimited list of TF versions used to run the code with
+        type: string
+        default: latest
+    secrets:
+      client_id:
+        required: true
+      subscirption:
+        required: true
+      tenant:
+        required: true
 
 jobs:
   release-prereqs:
@@ -38,7 +62,7 @@ jobs:
           echo last_release_version - ${{ steps.rc.outputs.last_release_version }}
 
 
-  pre-commit:
+  pre_commit:
     name: Pre-Commit
     uses: ./.github/workflows/_pre_commit.yml
     needs: [release-prereqs]
@@ -52,83 +76,64 @@ jobs:
     if: needs.release-prereqs.outputs.rc  == 'true'
 
 
-  validate_prereqs:
+  tf_prereqs:
     name: validate prerequisites
     needs: [release-prereqs]
     if: needs.release-prereqs.outputs.rc  == 'true'
     runs-on: ubuntu-latest
     outputs:
-      paths: ${{ steps.paths.outputs.paths }}
+      modules: ${{ steps.paths.outputs.modules }}
+      examples: ${{ steps.paths.outputs.examples }}
     steps:
       - name: checkout code
         uses: actions/checkout@v3
       - name: set outputs
         id: paths
         shell: bash
         run: |
-          echo "::set-output name=paths::$(echo $(ls -d1 examples/* modules/*) | tr ' ' ',')"
+          echo "::set-output name=modules::$(echo $(ls -d1 examples/* modules/*) | tr ' ' ',')"
+          echo "::set-output name=examples::$(echo $(ls -d1 examples/*) | tr ' ' ',')"
 
 
   validate:
     name: validate terraform code
-    needs: [validate_prereqs]
-    if: ${{ needs.validate_prereqs.outputs.paths != '' }}
+    needs: [tf_prereqs]
+    if: ${{ needs.tf_prereqs.outputs.modules != '' }}
     uses: ./.github/workflows/_tf_validate.yml
     with:
-      tf_version: 0.15 1.0 1.1 1.2 1.3
-      paths: ${{ needs.validate_prereqs.outputs.paths }}
-
-
-  # plan_prereqs:
-  #   name: plan prerequisites
-  #   needs: [validate]
-  #   runs-on: ubuntu-latest
-  #   outputs:
-  #     paths: ${{ steps.paths.outputs.paths }}
-  #   steps:
-  #     - name: checkout code
-  #       uses: actions/checkout@v3
-  #     - name: set outputs
-  #       id: paths
-  #       shell: bash
-  #       run: |
-  #         echo "::set-output name=paths::$(echo -n $(ls -d1 examples/*) | jq -R -s -c 'split(" ")')"
-
-
-  # plan:
-  #   name: 'plan: ${{ matrix.path }}'
-  #   needs: [plan_prereqs]
-  #   if: ${{ needs.plan_prereqs.outputs.paths != '' }}
-  #   strategy:
-  #     matrix:
-  #       path: ${{ fromJson(needs.plan_prereqs.outputs.paths) }}
-  #   runs-on: ubuntu-latest
-  #   permissions:
-  #     contents: read
-  #     id-token: write
-  #   steps:
-  #     - name: checkout code
-  #       uses: actions/checkout@v3
-
-  #     - name: run plan
-  #       uses: ./.github/actions/tf_plan
-  #       env:
-  #         ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
-  #         ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-  #         ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
-  #         ARM_USE_OIDC: true
-  #       with:
-  #         path: ${{ matrix.path }}
-  #         tf_version: '1.2'
+      tf_version: ${{ inputs.tf_version }}
+      paths: ${{ needs.tf_prereqs.outputs.modules }}
+
+
+  plan_apply:
+    name: run plan and/or apply on examples
+    needs: 
+      - tf_prereqs
+      - validate
+    if: ${{ needs.tf_prereqs.outputs.examples != '' }}
+    uses: ./.github/workflows/_tf_plan_apply.yml
+    permissions:
+      contents: read
+      id-token: write
+    with:
+      tf_version: ${{ inputs.tf_version }}
+      paths: ${{ needs.tf_prereqs.outputs.examples }}
+      do_apply: ${{ inputs.do_apply }}
+      indepotency: ${{ inputs.indepotency }}
+      max_parallel: ${{ inputs.max_parallel }}
+    secrets:
+      client_id: ${{ secrets.client_id }}
+      subscirption: ${{ secrets.subscirption }}
+      tenant: ${{ secrets.tenant }}
 
 
   release:
     name: release sem version
     needs: 
       - validate
       - checkov
-      - pre-commit
-      # - plan
+      - pre_commit
+      - plan_apply
     runs-on: ubuntu-latest
     permissions:
       contents: write