The bpg/proxmox provider has to reach london-a's API and node, which only live on the tailnet, during plan and apply. Add a setup-tailnet composite action (Tailscale via the CI OAuth client + the deploy SSH key in an agent) and use it in the terraform plan/apply and validate workflows. Pin the provider's node SSH address to london-a's Tailscale IP so it isn't reached via the API-reported LAN address.
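name: Terraform

on:
  push:
    branches: [main]
    paths:
      - "terraform/**"
      - ".github/workflows/terraform.yml"

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes to the
# repository, and uploading/downloading an artifact within the same run needs
# no extra scope. Add scopes per job if a step ever needs more.
permissions:
  contents: read

# Requires these repository secrets:
#   AGE_SECRET_KEY      — age private key for SOPS decryption
#   TAILSCALE_CLIENT_ID — CI OAuth client used to join the tailnet
#   TAILSCALE_AUDIENCE  — audience passed to the setup-tailnet action
#   SSH_PRIVATE_KEY     — deploy key the bpg/proxmox provider uses for node SSH
# (the tofu-backend-creds action may read further secrets of its own.)

# Serialize Terraform runs so two merges can't apply against the state
# concurrently. Never cancel an in-flight run (an interrupted apply can
# corrupt state) — queue instead.
concurrency:
  group: terraform-state
  cancel-in-progress: false

jobs:
  plan:
    name: Plan
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): third-party actions are pinned by major tag. Pinning to a
      # full commit SHA (tag kept in a trailing comment) is the stronger
      # supply-chain control; the same applies to every actions/* step below.
      - uses: actions/checkout@v6

      - uses: ./.github/actions/setup-tofu

      - name: Decrypt secrets
        uses: ./.github/actions/sops-decrypt
        with:
          age-key: ${{ secrets.AGE_SECRET_KEY }}

      - name: Set backend credentials
        uses: ./.github/actions/tofu-backend-creds

      # Proxmox (bpg) provider reaches london-a over the tailnet, so the
      # tailnet and SSH agent must be up before init/plan touch the provider.
      - name: Set up tailnet + SSH
        uses: ./.github/actions/setup-tailnet
        with:
          tailscale-client-id: ${{ secrets.TAILSCALE_CLIENT_ID }}
          tailscale-audience: ${{ secrets.TAILSCALE_AUDIENCE }}
          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}

      - name: tofu init
        working-directory: terraform/
        run: tofu init

      # Saved plan is what the apply job executes, so what was reviewed in
      # this run is exactly what gets applied.
      - name: tofu plan
        working-directory: terraform/
        run: tofu plan -out=tfplan

      # A saved plan embeds variable and resource values — sensitive ones
      # included — in plaintext. Anyone who can read this run's artifacts can
      # read them, hence the one-day retention; do not widen it casually.
      - name: Upload plan
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        uses: actions/upload-artifact@v7
        with:
          name: tfplan
          path: terraform/tfplan
          retention-days: 1

  apply:
    name: Apply
    needs: plan
    # Redundant with the trigger today, but keeps apply on main-only if more
    # triggers (e.g. pull_request for plan previews) are added later.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # Protection rules (required reviewers, wait timer) on the production
    # environment gate the apply; keep them configured on the repository.
    environment: production
    steps:
      - uses: actions/checkout@v6

      - uses: ./.github/actions/setup-tofu

      - name: Decrypt secrets
        uses: ./.github/actions/sops-decrypt
        with:
          age-key: ${{ secrets.AGE_SECRET_KEY }}

      - name: Set backend credentials
        uses: ./.github/actions/tofu-backend-creds

      # Proxmox (bpg) provider reaches london-a over the tailnet.
      - name: Set up tailnet + SSH
        uses: ./.github/actions/setup-tailnet
        with:
          tailscale-client-id: ${{ secrets.TAILSCALE_CLIENT_ID }}
          tailscale-audience: ${{ secrets.TAILSCALE_AUDIENCE }}
          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}

      - name: tofu init
        working-directory: terraform/
        run: tofu init

      - name: Download plan
        uses: actions/download-artifact@v8
        with:
          name: tfplan
          path: terraform/

      # Applying the saved plan (not re-planning) fails closed if state moved
      # between plan and apply, instead of silently applying a different diff.
      - name: tofu apply
        working-directory: terraform/
        run: tofu apply -auto-approve tfplan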