From e0a933fa9d8859e3ee97b4536ef1a0d3381f2354 Mon Sep 17 00:00:00 2001 From: Igor Rodionov Date: Fri, 29 Nov 2024 18:47:17 +0300 Subject: [PATCH 1/5] Add skip checkout input --- action.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 83ba0b4..0d8317e 100644 --- a/action.yml +++ b/action.yml @@ -9,6 +9,10 @@ inputs: description: The head ref to checkout. If not provided, the head default branch is used. required: false default: ${{ github.sha }} + skip-checkout: + description: "Disable actions/checkout for head-ref. Useful for when the checkout happens in a previous step and file are modified outside of git through other actions" + required: false + default: 'false' default-branch: description: The default branch to use for the base ref. required: false @@ -92,6 +96,7 @@ runs: node-version: 20 - uses: actions/checkout@v4 + if: ${{ inputs.skip-checkout != 'true' }} with: ref: ${{ inputs.head-ref }} @@ -159,7 +164,7 @@ runs: steps.config.outputs.aws-region != 'null' && steps.config.outputs.terraform-plan-role != '' && steps.config.outputs.terraform-plan-role != 'null' }} - uses: aws-actions/configure-aws-credentials@v4.0.2 + uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ${{ steps.config.outputs.aws-region }} role-to-assume: ${{ steps.config.outputs.terraform-plan-role }} From 06e2d6e530c8704fbaf23ad3b987a0a7bfa89c5d Mon Sep 17 00:00:00 2001 From: Igor Rodionov Date: Fri, 29 Nov 2024 19:04:09 +0300 Subject: [PATCH 2/5] Update action.yml --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 0d8317e..f752357 100644 --- a/action.yml +++ b/action.yml @@ -27,7 +27,7 @@ inputs: atmos-version: description: The version of atmos to install required: false - default: ">= 1.96.0" + default: ">= 1.99.0" atmos-config-path: description: The path to the atmos.yaml file required: true From 13e6e9e1eb079dff78d9561e0d30f8761dc53deb Mon Sep 17 00:00:00 2001 From: Igor Rodionov Date: Fri, 29 Nov 2024 19:39:11 +0300 Subject: [PATCH 3/5] Update atmos.yaml --- tests/atmos.yaml | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/tests/atmos.yaml b/tests/atmos.yaml index 2e0f99a..4904507 100644 --- a/tests/atmos.yaml +++ b/tests/atmos.yaml @@ -263,20 +263,4 @@ integrations: sort-by: .stack_slug group-by: .stack_slug | split("-") | [.[0], .[2]] | join("-") -# Validation schemas (for validating atmos stacks and components) -schemas: - # https://json-schema.org - jsonschema: - # Can also be set using 'ATMOS_SCHEMAS_JSONSCHEMA_BASE_PATH' ENV var, or '--schemas-jsonschema-dir' command-line arguments - # Supports both absolute and relative paths - base_path: "stacks/schemas/jsonschema" - # https://www.openpolicyagent.org - opa: - # Can also be set using 'ATMOS_SCHEMAS_OPA_BASE_PATH' ENV var, or '--schemas-opa-dir' command-line arguments - # Supports both absolute and relative paths - base_path: "stacks/schemas/opa" - # https://cuelang.org - cue: - # Can also be set using 'ATMOS_SCHEMAS_CUE_BASE_PATH' ENV var, or '--schemas-cue-dir' command-line arguments - # Supports both absolute and relative paths base_path: "stacks/schemas/cue" From fef612e862efa54594653bf93afd4a82706259c0 Mon Sep 17 00:00:00 2001 From: Igor Rodionov Date: Fri, 29 Nov 2024 19:46:27 +0300 Subject: [PATCH 4/5] Update test.yaml --- tests/stacks/orgs/test/test.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/stacks/orgs/test/test.yaml b/tests/stacks/orgs/test/test.yaml index 9d4c1f4..ddb6404 100644 --- a/tests/stacks/orgs/test/test.yaml +++ b/tests/stacks/orgs/test/test.yaml @@ -7,4 +7,5 @@ vars: components: terraform: test: - seed: 1 + vars: + seed: 1 From 4cd445a22547d62201a955bf7803e83cd12920cd Mon Sep 17 00:00:00 2001 From: Igor Rodionov Date: Fri, 29 Nov 2024 19:33:55 +0100 Subject: [PATCH 5/5] Rebuild readme --- README.md | 112 +++++++++++++++++++++++++++++++++++++----- README.yaml | 109 ++++++++++++++++++++++++++++++++++++---- docs/github-action.md | 10 +++- 3 files changed, 208 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index f2adc5f..486aa1f 100644 --- a/README.md +++ b/README.md @@ -46,7 +46,21 @@ raw list of affected stacks as an output as well as a matrix that can be used fu ### Config +> [!IMPORTANT] +> **Please note!** This GitHub Action only works with `atmos >= 1.99.0`. +> If you are using `atmos >= 1.80.0, < 1.99.0` please use `v5` version of this action. +> If you are using `atmos >= 1.63.0, < 1.80.0` please use `v3` or `v4` version of this action. +> If you are using `atmos < 1.63.0` please use `v2` version of this action. + + The action expects the atmos configuration file `atmos.yaml` to be present in the repository. + +The action supports AWS and Azure to store Terraform plan files. +You can read more about plan storage in the [cloudposse/github-action-terraform-plan-storage](https://github.com/cloudposse/github-action-terraform-plan-storage?tab=readme-ov-file#aws-default) documentation. +Depends of cloud provider the following fields should be set in the `atmos.yaml`: + +#### AWS + The config should have the following structure: ```yaml @@ -63,16 +77,63 @@ integrations: role: arn:aws:iam::xxxxxxxxxxxx:role/cptest-core-ue2-auto-gitops-gha role: plan: arn:aws:iam::yyyyyyyyyyyy:role/cptest-core-gbl-identity-gitops + # Set `apply` empty if you don't want to assume IAM role before terraform apply apply: arn:aws:iam::yyyyyyyyyyyy:role/cptest-core-gbl-identity-gitops matrix: sort-by: .stack_slug group-by: .stack_slug | split("-") | [.[0], .[2]] | join("-") ``` - + +#### Azure + +The config should have the following structure: + +```yaml +integrations: + github: + gitops: + opentofu-version: 1.7.3 + terraform-version: 1.5.2 + infracost-enabled: false + artifact-storage: + plan-repository-type: azureblob + blob-account-name: tfplans + blob-container-name: plans + metadata-repository-type: cosmos + cosmos-container-name: terraform-plan-storage + cosmos-database-name: terraform-plan-storage + cosmos-endpoint: "https://my-cosmo-account.documents.azure.com:443/" + # We remove the `role` section as it is AWS specific + matrix: + sort-by: .stack_slug + group-by: .stack_slug | split("-") | [.[0], .[2]] | join("-") +``` + +### Stack level configuration + > [!IMPORTANT] -> **Please note!** This GitHub Action only works with `atmos >= 1.80.0`. -> If you are using `atmos >= 1.63.0, < 1.80.0` please use `v3` version of this action. -> If you are using `atmos < 1.63.0` please use `v2` version of this action. +> Wherever it is possible to specify `integration.github.gitops` on stack level +> it is required to define default values in `atmos.yaml` + +It is possible to override integration settings on a stack level by defining `settings.integrations`. + +```yaml +components: + terraform: + foobar: + settings: + integrations: + github: + gitops: + artifact-storage: + bucket: cptest-plat-ue2-auto-gitops + table: cptest-plat-ue2-auto-gitops-plan-storage + role: arn:aws:iam::xxxxxxxxxxxx:role/cptest-plat-ue2-auto-gitops-gha + role: + # Set `plan` empty if you don't want to assume IAM role before terraform plan + plan: arn:aws:iam::yyyyyyyyyyyy:role/cptest-plat-gbl-identity-gitops + apply: arn:aws:iam::yyyyyyyyyyyy:role/cptest-plat-gbl-identity-gitops +``` ### Support OpenTofu @@ -101,8 +162,8 @@ integrations: gitops: opentofu-version: 1.7.3 ... -``` - +``` + ### Workflow example ```yaml @@ -117,10 +178,10 @@ jobs: runs-on: ubuntu-latest steps: - id: affected - uses: cloudposse/github-action-atmos-affected-stacks@v3 + uses: cloudposse/github-action-atmos-affected-stacks@v6 with: atmos-config-path: ./rootfs/usr/local/etc/atmos/ - atmos-version: 1.63.0 + atmos-version: 1.99.0 nested-matrices-count: 1 outputs: @@ -143,13 +204,41 @@ jobs: cancel-in-progress: false steps: - name: Plan Atmos Component - uses: cloudposse/github-action-atmos-terraform-plan@v2 + uses: cloudposse/github-action-atmos-terraform-plan@v4 with: component: ${{ matrix.component }} stack: ${{ matrix.stack }} atmos-config-path: ./rootfs/usr/local/etc/atmos/ - atmos-version: 1.63.0 + atmos-version: 1.99.0 ``` + +### Migrating from `v5` to `v6` + +The notable changes in `v6` are: + +- `v6` works only with `atmos >= 1.99.0` +- `v6` allow to skip internal checkout with `skip-checkout` input + + +The only required migration step is updating atmos version to `>= 1.80.0` + + +### Migrating from `v4` to `v5` + +The notable changes in `v5` are: + +- `v5` works only with `atmos >= 1.80.0` +- `v5` supports atmos templating + +The only required migration step is updating atmos version to `>= 1.80.0` + +### Migrating from `v3` to `v4` + +The notable changes in `v4` are: + +- `v4` perform aws authentication assuming `integrations.github.gitops.role.plan` IAM role + +No special migration steps required ### Migrating from `v2` to `v3` @@ -312,7 +401,7 @@ Which would produce the same behavior as in `v1`, doing this: | atmos-pro-token | The API token to allow Atmos Pro to upload affected stacks | | false | | atmos-pro-upload | Whether to upload affected stacks directly to Atmos Pro | false | false | | atmos-stack | The stack to operate on | | false | -| atmos-version | The version of atmos to install | >= 1.96.0 | false | +| atmos-version | The version of atmos to install | >= 1.99.0 | false | | base-ref | The base ref to checkout. If not provided, the head default branch is used. | N/A | false | | default-branch | The default branch to use for the base ref. | ${{ github.event.repository.default\_branch }} | false | | head-ref | The head ref to checkout. If not provided, the head default branch is used. | ${{ github.sha }} | false | @@ -321,6 +410,7 @@ Which would produce the same behavior as in `v1`, doing this: | jq-force | Whether to force the installation of jq | true | false | | jq-version | The version of jq to install if install-jq is true | 1.7 | false | | nested-matrices-count | Number of nested matrices that should be returned as the output (from 1 to 3) | 2 | false | +| skip-checkout | Disable actions/checkout for head-ref. Useful for when the checkout happens in a previous step and file are modified outside of git through other actions | false | false | ## Outputs diff --git a/README.yaml b/README.yaml index 7f72aff..8b73258 100644 --- a/README.yaml +++ b/README.yaml @@ -46,7 +46,21 @@ usage: |- ### Config + > [!IMPORTANT] + > **Please note!** This GitHub Action only works with `atmos >= 1.99.0`. + > If you are using `atmos >= 1.80.0, < 1.99.0` please use `v5` version of this action. + > If you are using `atmos >= 1.63.0, < 1.80.0` please use `v3` or `v4` version of this action. + > If you are using `atmos < 1.63.0` please use `v2` version of this action. + + The action expects the atmos configuration file `atmos.yaml` to be present in the repository. + + The action supports AWS and Azure to store Terraform plan files. + You can read more about plan storage in the [cloudposse/github-action-terraform-plan-storage](https://github.com/cloudposse/github-action-terraform-plan-storage?tab=readme-ov-file#aws-default) documentation. + Depends of cloud provider the following fields should be set in the `atmos.yaml`: + + #### AWS + The config should have the following structure: ```yaml @@ -63,16 +77,63 @@ usage: |- role: arn:aws:iam::xxxxxxxxxxxx:role/cptest-core-ue2-auto-gitops-gha role: plan: arn:aws:iam::yyyyyyyyyyyy:role/cptest-core-gbl-identity-gitops + # Set `apply` empty if you don't want to assume IAM role before terraform apply apply: arn:aws:iam::yyyyyyyyyyyy:role/cptest-core-gbl-identity-gitops matrix: sort-by: .stack_slug group-by: .stack_slug | split("-") | [.[0], .[2]] | join("-") ``` - + + #### Azure + + The config should have the following structure: + + ```yaml + integrations: + github: + gitops: + opentofu-version: 1.7.3 + terraform-version: 1.5.2 + infracost-enabled: false + artifact-storage: + plan-repository-type: azureblob + blob-account-name: tfplans + blob-container-name: plans + metadata-repository-type: cosmos + cosmos-container-name: terraform-plan-storage + cosmos-database-name: terraform-plan-storage + cosmos-endpoint: "https://my-cosmo-account.documents.azure.com:443/" + # We remove the `role` section as it is AWS specific + matrix: + sort-by: .stack_slug + group-by: .stack_slug | split("-") | [.[0], .[2]] | join("-") + ``` + + ### Stack level configuration + > [!IMPORTANT] - > **Please note!** This GitHub Action only works with `atmos >= 1.80.0`. - > If you are using `atmos >= 1.63.0, < 1.80.0` please use `v3` version of this action. - > If you are using `atmos < 1.63.0` please use `v2` version of this action. + > Wherever it is possible to specify `integration.github.gitops` on stack level + > it is required to define default values in `atmos.yaml` + + It is possible to override integration settings on a stack level by defining `settings.integrations`. + + ```yaml + components: + terraform: + foobar: + settings: + integrations: + github: + gitops: + artifact-storage: + bucket: cptest-plat-ue2-auto-gitops + table: cptest-plat-ue2-auto-gitops-plan-storage + role: arn:aws:iam::xxxxxxxxxxxx:role/cptest-plat-ue2-auto-gitops-gha + role: + # Set `plan` empty if you don't want to assume IAM role before terraform plan + plan: arn:aws:iam::yyyyyyyyyyyy:role/cptest-plat-gbl-identity-gitops + apply: arn:aws:iam::yyyyyyyyyyyy:role/cptest-plat-gbl-identity-gitops + ``` ### Support OpenTofu @@ -101,8 +162,8 @@ usage: |- gitops: opentofu-version: 1.7.3 ... - ``` - + ``` + ### Workflow example ```yaml @@ -117,10 +178,10 @@ usage: |- runs-on: ubuntu-latest steps: - id: affected - uses: cloudposse/github-action-atmos-affected-stacks@v3 + uses: cloudposse/github-action-atmos-affected-stacks@v6 with: atmos-config-path: ./rootfs/usr/local/etc/atmos/ - atmos-version: 1.63.0 + atmos-version: 1.99.0 nested-matrices-count: 1 outputs: @@ -143,13 +204,41 @@ usage: |- cancel-in-progress: false steps: - name: Plan Atmos Component - uses: cloudposse/github-action-atmos-terraform-plan@v2 + uses: cloudposse/github-action-atmos-terraform-plan@v4 with: component: ${{ matrix.component }} stack: ${{ matrix.stack }} atmos-config-path: ./rootfs/usr/local/etc/atmos/ - atmos-version: 1.63.0 + atmos-version: 1.99.0 ``` + + ### Migrating from `v5` to `v6` + + The notable changes in `v6` are: + + - `v6` works only with `atmos >= 1.99.0` + - `v6` allow to skip internal checkout with `skip-checkout` input + + + The only required migration step is updating atmos version to `>= 1.80.0` + + + ### Migrating from `v4` to `v5` + + The notable changes in `v5` are: + + - `v5` works only with `atmos >= 1.80.0` + - `v5` supports atmos templating + + The only required migration step is updating atmos version to `>= 1.80.0` + + ### Migrating from `v3` to `v4` + + The notable changes in `v4` are: + + - `v4` perform aws authentication assuming `integrations.github.gitops.role.plan` IAM role + + No special migration steps required ### Migrating from `v2` to `v3` diff --git a/docs/github-action.md b/docs/github-action.md index 0ffa9cb..b61f2b3 100644 --- a/docs/github-action.md +++ b/docs/github-action.md @@ -6,16 +6,22 @@ |------|-------------|---------|----------| | atmos-config-path | The path to the atmos.yaml file | N/A | true | | atmos-include-dependents | Whether to include dependents of affected stacks in the output | false | false | +| atmos-include-settings | Include the `settings` section for each affected component | false | false | | atmos-include-spacelift-admin-stacks | Whether to include the Spacelift admin stacks of affected stacks in the output | false | false | -| atmos-version | The version of atmos to install | >= 1.63.0 | false | +| atmos-pro-base-url | The base URL of Atmos Pro | https://app.cloudposse.com | false | +| atmos-pro-token | The API token to allow Atmos Pro to upload affected stacks | | false | +| atmos-pro-upload | Whether to upload affected stacks directly to Atmos Pro | false | false | +| atmos-stack | The stack to operate on | | false | +| atmos-version | The version of atmos to install | >= 1.99.0 | false | | base-ref | The base ref to checkout. If not provided, the head default branch is used. | N/A | false | | default-branch | The default branch to use for the base ref. | ${{ github.event.repository.default\_branch }} | false | | head-ref | The head ref to checkout. If not provided, the head default branch is used. | ${{ github.sha }} | false | | install-atmos | Whether to install atmos | true | false | | install-jq | Whether to install jq | false | false | | jq-force | Whether to force the installation of jq | true | false | -| jq-version | The version of jq to install if install-jq is true | 1.6 | false | +| jq-version | The version of jq to install if install-jq is true | 1.7 | false | | nested-matrices-count | Number of nested matrices that should be returned as the output (from 1 to 3) | 2 | false | +| skip-checkout | Disable actions/checkout for head-ref. Useful for when the checkout happens in a previous step and file are modified outside of git through other actions | false | false | ## Outputs