setup-terraform/action.yaml

---
name: setup-terraform
description: Install and configure Terraform and AWS for the correct environment

inputs:
  role-to-assume:
    description: AWS IAM role to assume when running Terraform operations.
    required: true
  aws-account-id:
    description: AWS account ID to use to create resources.
    required: true
  batch-container-image-name:
    description: The name of the container image to use for the Batch job.
    required: true
  batch-job-definition-vcpu:
    description: >
      Count of vCPUs to provision for the container. Per AWS requirements,
      this parameter must be formatted as a float in increments of 0.25 when
      the backend is "fargate" (e.g. 1.0 for 1 vCPU), but it must be
      formatted as an integer when the backend is "ec2" (e.g. 1 for 1 vCPU).
      The minimum is 1 vCPU.
    required: true
  batch-job-definition-gpu:
    description: >
      Count of GPUs to provision for the container. Per AWS requirements,
      must be formatted as an integer. This parameter is only available when
      the backend is "ec2", otherwise Terraform will raise an error. An
      empty string indicates a null value, and is also the default.
    required: false
    type: string
    default: ""
  batch-job-definition-memory:
    description: Count of megabytes of RAM to provision for the container.
    required: true
  batch-compute-environment-backend:
    description: >
      The type of AWS Batch compute environment to provision. Must
      be one of "fargate" or "ec2". Fargate allows for provisioning
      fractional amounts of vCPU and tends to start up jobs faster, but EC2
      allows GPU instances to be configured using the `gpu` parameter.
    required: false
    type: choice
    options:
      - fargate
      - ec2
    default: fargate
  role-duration-seconds:
    description: How long the role specified by role-to-assume should be valid.
    required: false
    default: 3600
  tfvars-file:
    description: File to store Terraform variables.
    required: false
    default: terraform.tfvars
  working-directory:
    description: Directory where the Terraform configuration is stored.
    required: false
    default: .

runs:
  using: composite
  steps:
    - name: Mask sensitive AWS IDs from Terraform logs
      run: |
        echo "::add-mask::${{ inputs.role-to-assume }}"
        echo "::add-mask::${{ inputs.aws-account-id }}"
      shell: bash

    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v4
      with:
        role-to-assume: ${{ inputs.role-to-assume }}
        aws-region: us-east-1
        role-duration-seconds: ${{ inputs.role-duration-seconds }}

    - name: Set up Terraform
      uses: hashicorp/setup-terraform@v3

    - name: Initialize Terraform
      run: |
        terraform init \
          -backend-config "bucket=ccao-terraform-state-us-east-1" \
          -backend-config "key=terraform.tfstate" \
          -backend-config "region=us-east-1" \
          -backend-config "workspace_key_prefix=$REPO/workspaces"
      shell: bash
      working-directory: ${{ inputs.working-directory }}
      env:
        REPO: ${{ github.event.repository.name }}

    - name: Set Terraform variables
      id: set-vars
      # yamllint disable rule:line-length
      run: |
        # GITHUB_HEAD_REF is only set on pull_request events, so if it's
        # present, we must be in a PR context
        if [ -n "$GITHUB_HEAD_REF" ]; then
          echo "On pull request branch, setting terraform workspace to CI"
          # Replace special characters with hyphens in the workspace name
          # and force it to lowercase, since we use it to name resources and
          # we want to follow a consistent naming scheme
          WORKSPACE="$(echo $GITHUB_HEAD_REF | \
                      sed -e 's/\//-/g' -e 's/_/-/g' -e 's/\./-/g' | \
                      tr '[:upper:]' '[:lower:]')"
          BATCH_JOB_NAME="z_ci_${WORKSPACE}_${GITHUB_REPOSITORY//\//-}"

        elif [[ "$GITHUB_REF_NAME" != "master" && \
                "$GITHUB_REF_NAME" != "main" && \
                "$GITHUB_EVENT_NAME" == 'workflow_dispatch' ]]; then
          # Run for workflows dispatched using a pull request branch
          echo "Manually dispatched from pull request branch, "
          echo "setting terraform workspace to CI"

          WORKSPACE="$(echo $GITHUB_REF_NAME | \
                      sed -e 's/\//-/g' -e 's/_/-/g' -e 's/\./-/g' | \
                      tr '[:upper:]' '[:lower:]')"
          BATCH_JOB_NAME="z_ci_${WORKSPACE}_${GITHUB_REPOSITORY//\//-}"

        elif [[ "$GITHUB_REF_NAME" == "master" || \
                "$GITHUB_REF_NAME" == "main" ]]; then
          # Make sure the branch is protected, since it's common for only one
          # of 'main' or 'master' to be protected in a given repo
          if [[ "$GITHUB_REF_PROTECTED" != "true" ]]; then
            echo "Cannot deploy to prod since branch $GITHUB_REF_NAME "
            echo "is not protected"
            exit 1
          fi
          echo "On main branch, setting terraform workspace to prod"
          WORKSPACE="prod"
          BATCH_JOB_NAME="${GITHUB_REPOSITORY//\//-}"

        else
          echo "CI context did not match any of the expected environments"
          exit 1
        fi

        {
          echo "batch_job_name = \"$BATCH_JOB_NAME\"";
          echo "batch_container_image_name = \"$BATCH_CONTAINER_IMAGE_NAME\"";
          echo "batch_job_definition_vcpu = \"$BATCH_JOB_DEFINITION_VCPU\"";
          echo "batch_job_definition_gpu = \"$BATCH_JOB_DEFINITION_GPU\"";
          echo "batch_job_definition_memory = \"$BATCH_JOB_DEFINITION_MEMORY\"";
          echo "batch_compute_environment_backend = \"$BATCH_COMPUTE_ENVIRONMENT_BACKEND\"";
        } > "$TFVARS_FILE"

        echo "workspace=$WORKSPACE" >> "$GITHUB_OUTPUT"
      # yamllint enable rule:line-length
      shell: bash
      working-directory: ${{ inputs.working-directory }}
      env:
        TFVARS_FILE: ${{ inputs.tfvars-file }}
        BATCH_CONTAINER_IMAGE_NAME: ${{ inputs.batch-container-image-name }}
        BATCH_JOB_DEFINITION_VCPU: ${{ inputs.batch-job-definition-vcpu }}
        BATCH_JOB_DEFINITION_GPU: ${{ inputs.batch-job-definition-gpu }}
        BATCH_JOB_DEFINITION_MEMORY: ${{ inputs.batch-job-definition-memory }}
        # yamllint disable-line rule:line-length
        BATCH_COMPUTE_ENVIRONMENT_BACKEND: ${{ inputs.batch-compute-environment-backend}}

    - name: Select Terraform workspace
      run: terraform workspace select -or-create "$WORKSPACE"
      shell: bash
      working-directory: ${{ inputs.working-directory }}
      env:
        WORKSPACE: ${{ steps.set-vars.outputs.workspace }}