Provide github oidc role to apply tf

tbsklg · Aug 15, 2024 · d4ebaf6 · d4ebaf6
1 parent 87b517f
commit d4ebaf6
Showing 1 changed file with 29 additions and 4 deletions.
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
@@ -4,15 +4,40 @@ defaults:
     working-directory: infrastructure
 name: Deploy
 on: [push, pull_request]
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: write
 jobs:
   deploy-infrastructure:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - uses: hashicorp/setup-terraform@v3
 
-      - name: Prepare
-        run: |
-          terraform init
-          terraform plan
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_OIDC_ASSUME_ROLE_ARN }}
+          aws-region: eu-central-1
+          role-session-name: GitHub-OIDC-TF
+
+      - name: Terraform Init
+        id: init
+        env:
+          AWS_BUCKET_NAME: ${{ secrets.AWS_STATE_BUCKET_NAME }}
+        run: terraform init --backend-config="bucket=${AWS_BUCKET_NAME}"
+
+      - name: Terraform Validation
+        id: validate
+        run: terraform validate
+
+      - name: Terraform Plan
+        id: plan
+        #if: github.event.name == 'pull_request'
+        run: terraform plan
 
+      - name: Terraform Apply
+        id: apply
+        #if: github.ref == 'refs/head/main' && github.event_name == 'push'
+        run: terraform apply -auto-approve