perf: add tf_plan_apply_gh

andhreljaKern · andhreljaKern · commit 69ef4f35dd3a · 2025-09-08T16:09:23.000+02:00
diff --git a/.github/workflows/tf_plan_apply_gh.yml b/.github/workflows/tf_plan_apply_gh.yml
@@ -0,0 +1,133 @@
+name: 'OpenTofu: Plan/Apply'
+
+on:
+  workflow_call:
+    outputs:
+      tf_plan_exit_code:
+        description: 'OpenTofu Plan exit code'
+        value: ${{ jobs.tofu-plan.outputs.tf_plan_exit_code }}
+      tf_destroy:
+        description: 'Destroy flag'
+        value: ${{ jobs.tofu-plan.outputs.tf_destroy }}
+
+# Special permissions required for OIDC authentication
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: write
+
+env:
+  GH_TOKEN: ${{ secrets.GH_TOKEN }}
+
+jobs:
+  tofu-plan:
+    name: 'OpenTofu Plan'
+    runs-on: ubuntu-latest
+    environment: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref || github.ref_name }}
+    env:
+      ENVIRONMENT_NAME: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref || github.ref_name }}
+      #this is needed since we are running tofu with read-only permissions
+      # ARM_SKIP_PROVIDER_REGISTRATION: true
+      ARM_CLIENT_ID: "${{ secrets.AZURE_CLIENT_ID }}"
+      ARM_SUBSCRIPTION_ID: "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
+      ARM_TENANT_ID: "${{ secrets.AZURE_TENANT_ID }}"
+      ARM_USE_OIDC: true
+      TF_DESTROY: "${{ vars.TF_DESTROY }}"
+    outputs:
+      tf_plan_exit_code: ${{ steps.tf-plan.outputs.exitcode }}
+      tf_destroy: ${{ steps.tf-plan.outputs.tf_destroy }}
+
+    steps:
+    # Checkout the repository to the GitHub Actions runner
+    - name: Checkout
+      uses: actions/checkout@v4
+      with:
+        token: ${{ secrets.GH_TOKEN }}
+
+    # Install the latest version of the OpenTofu CLI
+    - name: Setup OpenTofu
+      uses: opentofu/setup-opentofu@v1
+      with:
+        tofu_wrapper: false
+
+    # Initialize a new or existing OpenTofu working directory by creating initial files, loading any remote state, downloading modules, etc.
+    - name: OpenTofu Init
+      run: |
+        tofu init \
+          -backend-config="resource_group_name=${{ env.ENVIRONMENT_NAME }}-tf-azure-admin" \
+          -backend-config="storage_account_name=${{ env.ENVIRONMENT_NAME }}kernaiadmin" \
+          -backend-config="container_name=tfstate" \
+          -backend-config="key=${{ github.event.repository.name }}/${{ env.ENVIRONMENT_NAME }}.tfstate"
+
+    # Generates an execution plan for OpenTofu
+    # An exit code of 0 indicated no changes, 1 a tofu failure, 2 there are pending changes.
+    - name: OpenTofu Plan
+      id: tf-plan
+      run: |
+        export exitcode=0
+        
+        tofu plan ${{ env.TF_DESTROY }} \
+          -detailed-exitcode \
+          -var-file vars-${{ env.ENVIRONMENT_NAME }}.tfvars \
+          -out tfplan || export exitcode=$?
+
+        echo "exitcode=$exitcode" >> $GITHUB_OUTPUT
+        echo "tf_destroy=${{ env.TF_DESTROY }}" >> $GITHUB_OUTPUT
+        
+        if [ $exitcode -eq 1 ]; then
+          echo OpenTofu Plan Failed!
+          exit 1
+        else 
+          exit 0
+        fi
+        
+    # Save plan to artifacts  
+    - name: Publish OpenTofu Plan
+      if: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' || github.event.pull_request.merged }}
+      uses: actions/upload-artifact@v4
+      with:
+        name: tfplan
+        path: tfplan
+                
+  tofu-apply:
+    name: 'OpenTofu Apply'
+    needs: [tofu-plan]
+    if: ${{ (github.event_name == 'push' || github.event_name == 'workflow_dispatch' || github.event.pull_request.merged) && needs.tofu-plan.outputs.tf_plan_exit_code == 2 }}
+    runs-on: ubuntu-latest
+    environment: ${{ github.ref_name }}
+    env:
+      ENVIRONMENT_NAME: ${{ github.ref_name }}
+      #this is needed since we are running tofu with read-only permissions
+      # ARM_SKIP_PROVIDER_REGISTRATION: true
+      ARM_CLIENT_ID: "${{ secrets.AZURE_CLIENT_ID }}"
+      ARM_SUBSCRIPTION_ID: "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
+      ARM_TENANT_ID: "${{ secrets.AZURE_TENANT_ID }}"
+      ARM_USE_OIDC: true
+      TF_DESTROY: "${{ vars.TF_DESTROY }}"
+    steps:
+    # Checkout the repository to the GitHub Actions runner
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    # Install the latest version of OpenTofu CLI and configure the OpenTofu CLI configuration file with a OpenTofu Cloud user API token
+    - name: Setup OpenTofu
+      uses: opentofu/setup-opentofu@v1
+
+    # Initialize a new or existing OpenTofu working directory by creating initial files, loading any remote state, downloading modules, etc.
+    - name: OpenTofu Init
+      run: |
+        tofu init \
+          -backend-config="resource_group_name=${{ env.ENVIRONMENT_NAME }}-tf-azure-admin" \
+          -backend-config="storage_account_name=${{ env.ENVIRONMENT_NAME }}kernaiadmin" \
+          -backend-config="container_name=tfstate" \
+          -backend-config="key=${{ github.event.repository.name }}/${{ github.ref_name }}.tfstate"
+
+    # Download saved plan from artifacts  
+    - name: Download OpenTofu Plan
+      uses: actions/download-artifact@v4
+      with:
+        name: tfplan
+
+    # OpenTofu Apply
+    - name: OpenTofu Apply
+      run: tofu apply ${{ env.TF_DESTROY }} -auto-approve tfplan
