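---
# Reusable (workflow_call) continuous-delivery workflow for a Terraform root
# module deployed to Azure. The file is itself a template: `${...}` placeholders
# are filled in when it is rendered, and `$${{ ... }}` escapes to a GitHub
# Actions `${{ ... }}` expression in the rendered workflow.
#
# Flow: `plan` writes a saved plan (tfplan) and ships the module tree plus the
# plan file as an artifact; `apply`, gated by its own environment, downloads
# that artifact and applies exactly the plan that was reviewed.
name: Continuous Delivery
on:
  workflow_call:
    inputs:
      terraform_action:
        description: 'Terraform Action to perform'
        default: 'apply'
        type: string
      root_module_folder_relative_path:
        description: 'Root Module Folder Relative Path'
        default: '.'
        type: string
      terraform_cli_version:
        description: 'Terraform CLI Version'
        default: 'latest'
        type: string
jobs:
  plan:
    name: Plan with Terraform
    runs-on:
      ${runner_name}
    # plan and apply share one concurrency group keyed on the backend container,
    # so runs that use the same state cannot overlap.
    concurrency: ${backend_azure_storage_account_container_name}
    environment: ${environment_name_plan}
    # Least privilege: id-token is needed for the OIDC federated login to Azure
    # (ARM_USE_OIDC below); nothing beyond read access to the repo is granted.
    permissions:
      id-token: write
      contents: read
    env:
      ARM_CLIENT_ID: "$${{ vars.AZURE_CLIENT_ID }}"
      ARM_SUBSCRIPTION_ID: "$${{ vars.AZURE_SUBSCRIPTION_ID }}"
      ARM_TENANT_ID: "$${{ vars.AZURE_TENANT_ID }}"
      ARM_USE_AZUREAD: true
      ARM_USE_OIDC: true
    steps:
      # Third-party actions are referenced by major-version tag; pinning to a
      # full commit SHA would make the supply chain immutable (no SHA is given
      # here because none is known from this file).
      - name: Checkout Code
        uses: actions/checkout@v4
      - name: Install Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_wrapper: false
          # Fixed: the input declared above is `terraform_cli_version`; the
          # previous reference to `inputs.terraform_cli_versions` evaluated to
          # an empty string, so the caller's requested version was ignored.
          terraform_version: $${{ inputs.terraform_cli_version }}
      # Backend location comes from repository/environment variables; the
      # state key is fixed to terraform.tfstate within that container.
      - name: Terraform Init
        run: |
          terraform \
            -chdir="$${{inputs.root_module_folder_relative_path}}" \
            init \
            -backend-config="resource_group_name=$${{vars.BACKEND_AZURE_RESOURCE_GROUP_NAME}}" \
            -backend-config="storage_account_name=$${{vars.BACKEND_AZURE_STORAGE_ACCOUNT_NAME}}" \
            -backend-config="container_name=$${{vars.BACKEND_AZURE_STORAGE_ACCOUNT_CONTAINER_NAME}}" \
            -backend-config="key=terraform.tfstate"
      # The plan is saved to a file so that the apply job can apply exactly what
      # was reviewed rather than re-planning. The `-destroy` flag is appended
      # unquoted on purpose (SC2086): an empty expansion must contribute no
      # argument.
      - name: Terraform Plan for $${{ inputs.terraform_action == 'destroy' && 'Destroy' || 'Apply' }}
        run: |
          # shellcheck disable=SC2086
          terraform \
            -chdir="$${{inputs.root_module_folder_relative_path}}" \
            plan \
            -out=tfplan \
            -input=false \
            $${{ inputs.terraform_action == 'destroy' && '-destroy' || '' }}
      # Stages a copy of the working tree (minus .git, .terraform and .github)
      # for hand-off to the apply job, and drops the root module's .terraform
      # directory so providers are re-initialised there.
      # Caveat: the staged tree includes the saved plan file, which is not
      # encrypted and can carry sensitive values in the clear; it is uploaded
      # as a workflow artifact readable by anyone who can view the run.
      - name: Create Module Artifact
        run: |
          $stagingDirectory = "staging"
          $rootModuleFolder = "$${{inputs.root_module_folder_relative_path}}"
          New-Item -Path . -Name $stagingDirectory -ItemType "directory"
          Copy-Item -Path "./*" -Exclude @(".git", ".terraform", ".github", $stagingDirectory) -Recurse -Destination "./$stagingDirectory"
          $rootModuleFolderTerraformFolder = Join-Path -Path "./$stagingDirectory" -ChildPath $rootModuleFolder -AdditionalChildPath ".terraform"
          if(Test-Path -Path $rootModuleFolderTerraformFolder) {
            Remove-Item -Path $rootModuleFolderTerraformFolder -Recurse -Force
          }
        shell: pwsh
      - name: Publish Module Artifact
        uses: actions/upload-artifact@v4
        with:
          name: module
          path: ./staging/
      # Renders the saved plan into the job log for the environment reviewer.
      # Terraform masks attributes marked sensitive, but the log is still
      # visible to everyone who can view the run.
      - name: Show the Plan for Review
        run: |
          terraform \
            -chdir="$${{inputs.root_module_folder_relative_path}}" \
            show \
            tfplan
  apply:
    needs: plan
    name: Apply with Terraform
    runs-on:
      ${runner_name}
    concurrency: ${backend_azure_storage_account_container_name}
    # A separate environment for apply is where required-reviewer approval is
    # enforced before the reviewed plan is executed.
    environment: ${environment_name_apply}
    permissions:
      id-token: write
      contents: read
    env:
      ARM_CLIENT_ID: "$${{ vars.AZURE_CLIENT_ID }}"
      ARM_SUBSCRIPTION_ID: "$${{ vars.AZURE_SUBSCRIPTION_ID }}"
      ARM_TENANT_ID: "$${{ vars.AZURE_TENANT_ID }}"
      ARM_USE_AZUREAD: true
      ARM_USE_OIDC: true
      AZAPI_RETRY_GET_AFTER_PUT_MAX_TIME: "60m" # Accounts for eventually consistent management group permissions propagation
    steps:
      # No checkout here: the apply job works only from the artifact produced
      # by the plan job, so the applied plan matches the reviewed one.
      - name: Download a Build Artifact
        uses: actions/download-artifact@v4
        with:
          name: module
      - name: Install Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_wrapper: false
          # Fixed: same `terraform_cli_version` / `terraform_cli_versions`
          # mismatch as in the plan job; both jobs must install the same
          # version or the saved plan may be rejected by apply.
          terraform_version: $${{ inputs.terraform_cli_version }}
      - name: Terraform Init
        run: |
          terraform \
            -chdir="$${{inputs.root_module_folder_relative_path}}" \
            init \
            -backend-config="resource_group_name=$${{vars.BACKEND_AZURE_RESOURCE_GROUP_NAME}}" \
            -backend-config="storage_account_name=$${{vars.BACKEND_AZURE_STORAGE_ACCOUNT_NAME}}" \
            -backend-config="container_name=$${{vars.BACKEND_AZURE_STORAGE_ACCOUNT_CONTAINER_NAME}}" \
            -backend-config="key=terraform.tfstate"
      # -auto-approve is acceptable only because the input is a saved plan file
      # that was already reviewed and because the environment gate above ran.
      - name: Terraform $${{ inputs.terraform_action == 'destroy' && 'Destroy' || 'Apply' }}
        run: |
          terraform \
            -chdir="$${{inputs.root_module_folder_relative_path}}" \
            apply \
            -input=false \
            -auto-approve \
            tfplan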