Move TF + Ansible Here #54
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Deploy | |
on: | |
pull_request: | |
push: | |
branches: | |
- james/move | |
workflow_dispatch: | |
branches: | |
- main | |
permissions: read-all | |
env: | |
# Secrets | |
TF_VAR_meshdb_prod_proxmox_host: ${{ secrets.TF_VAR_MESHDB_PROD_PROXMOX_HOST }} | |
TF_VAR_meshdb_prod_proxmox_token_id: ${{ secrets.TF_VAR_MESHDB_PROD_PROXMOX_TOKEN_ID }} | |
TF_VAR_meshdb_prod_proxmox_token_secret: ${{ secrets.TF_VAR_MESHDB_PROD_PROXMOX_TOKEN_SECRET }} | |
TF_VAR_meshdb_proxmox_host: ${{ secrets.TF_VAR_MESHDB_PROXMOX_HOST }} | |
TF_VAR_meshdb_proxmox_token_id: ${{ secrets.TF_VAR_MESHDB_PROXMOX_TOKEN_ID }} | |
TF_VAR_meshdb_proxmox_token_secret: ${{ secrets.TF_VAR_MESHDB_PROXMOX_TOKEN_SECRET }} | |
TF_VAR_meshdb_local_password: ${{ secrets.TF_VAR_MESHDB_LOCAL_PASSWORD }} | |
TF_VAR_k3s_token: ${{ secrets.TF_VAR_K3S_TOKEN }} | |
# Credentials for deployment to AWS | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
# S3 bucket for the Terraform state | |
BUCKET_TF_STATE: ${{ secrets.BUCKET_TF_STATE}} | |
jobs: | |
deploy: | |
runs-on: ubuntu-latest | |
environment: prod | |
steps: | |
- name: Checkout | |
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # @v4 | |
- uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d #@v5 | |
with: | |
python-version: '3.11' | |
- name: Setup ansible | |
run: pip install ansible && export PATH="$HOME/.local/bin:$PATH" && ansible-galaxy collection install cloud.terraform && ansible-galaxy collection install git+https://github.com/k3s-io/k3s-ansible.git | |
- name: Setup Terraform with specified version on the runner | |
uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # @v3 | |
with: | |
terraform_version: 1.8.3 | |
- name: Terraform init | |
id: init | |
run: terraform init -backend-config="bucket=$BUCKET_TF_STATE" | |
working-directory: ./terraform/ | |
- name: Terraform format | |
id: fmt | |
run: terraform fmt -check | |
working-directory: ./terraform/ | |
- name: Terraform validate | |
id: validate | |
run: terraform validate | |
working-directory: ./terraform/ | |
- name: Setup WireGuard | |
run: | | |
sudo apt-get update && sudo apt-get install -y wireguard | |
echo "${{ secrets.WIREGUARD_PRIVATE_KEY }}" > privatekey | |
sudo ip link add dev wg0 type wireguard | |
sudo ip address add dev wg0 ${{ secrets.WIREGUARD_OVERLAY_NETWORK_IP }} peer ${{ secrets.WIREGUARD_PEER }} | |
sudo wg set wg0 listen-port 48123 private-key privatekey peer ${{ secrets.WIREGUARD_PEER_PUBLIC_KEY }} allowed-ips 0.0.0.0/0 endpoint ${{ secrets.WIREGUARD_ENDPOINT }} | |
sudo ip link set up dev wg0 | |
rm privatekey | |
- name: Terraform plan | |
id: plan | |
if: github.event_name == 'pull_request' | |
run: terraform plan -no-color -input=false | |
continue-on-error: true | |
working-directory: ./terraform/ | |
- name: Terraform Plan Status | |
if: steps.plan.outcome == 'failure' | |
run: exit 1 | |
- name: Terraform Apply | |
if: github.ref == 'refs/heads/james/move' && github.event_name == 'push' | |
run: | | |
echo "${{ secrets.SSH_PRIVATE_KEY }}" > meshdb_cluster/meshdbprod1 | |
echo "${{ secrets.SSH_PUBLIC_KEY }}" > meshdb_cluster/meshdbprod1.pub | |
chmod 600 meshdb_cluster/meshdbprod1 | |
chmod 600 meshdb_cluster/meshdbprod1.pub | |
cp meshdb_cluster/meshdbprod1 meshdb_cluster/meshdbdev3 | |
cp meshdb_cluster/meshdbprod1.pub meshdb_cluster/meshdbdev3.pub | |
terraform apply -auto-approve -input=false | |
working-directory: ./terraform/ | |
- name: Run playbook | |
if: github.ref == 'refs/heads/james/move' && github.event_name == 'push' | |
run: sleep 10 && export PATH="$HOME/.local/bin:$PATH" && ansible-playbook -i inventory.yaml k8s_infra.yaml | |
working-directory: ./ansible/ |