This repository has been archived by the owner on Oct 9, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 4
109 lines (95 loc) · 3.84 KB
/
google-container-registry.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
name: "google-administer-artifact-registry"
on:
workflow_call:
inputs:
region:
description: "The Google Cloud region where the Artifact Registry will be available"
type: string
required: true
action:
required: true
type: string
description: "Create (new) or destroy (existing)"
secrets:
GOOGLE_PROJECT_ID:
required: true
GOOGLE_SERVICE_ACCOUNT_KEY:
required: true
TF_BACKEND_GCS_BUCKET_NAME:
required: true
GOOGLE_KMS_KEYRING:
required: true
outputs:
admin_username:
description: "The username associated with the Artifact Registry admin account"
value: ${{ jobs.terraform.outputs.admin_username }}
admin_password:
description: "The password associated with the Artifact Registry admin account"
value: ${{ jobs.terraform.outputs.admin_password }}
endpoint:
description: "The URL that can be used to log into the container image registry (typically {region}-docker.pkg.dev)"
value: ${{ jobs.terraform.outputs.endpoint }}
jobs:
terraform:
env:
GOOGLE_SERVICE_ACCOUNT_KEY: ${{ secrets.GOOGLE_SERVICE_ACCOUNT_KEY }}
GOOGLE_APPLICATION_CREDENTIALS: "/tmp/gcloud/sa.json"
TF_VAR_project: ${{ secrets.GOOGLE_PROJECT_ID }}
TF_VAR_location: "${{ inputs.region }}"
TF_VAR_keyring: ${{ secrets.GOOGLE_KMS_KEYRING}}
runs-on: ubuntu-22.04
outputs:
endpoint: ${{ steps.set_outputs.outputs.endpoint }}
admin_username: ${{ steps.set_outputs.outputs.admin_username }}
admin_password: ${{ steps.set_outputs.outputs.admin_password }}
# Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-22.04, macos-latest, or windows-latest
defaults:
run:
shell: bash
working-directory: terraform/google/registry
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout
uses: actions/checkout@v4
# Install the latest version of Terraform CLI
- name: Setup Terraform
uses: hashicorp/setup-terraform@v2
with:
terraform_wrapper: false
terraform_version: 1.5.7
- name: Generate backend configuration
run: |
cp ../backend/backend.tf .
echo "bucket = \"${{ secrets.TF_BACKEND_GCS_BUCKET_NAME }}\"" > config.gcs.tfbackend
echo "prefix = \"registry\"" >> config.gcs.tfbackend
- name: Decrypt service account keyfile contents and write to /tmp/gcloud/sa.json
run: |
mkdir -p /tmp/gcloud
echo "$GOOGLE_SERVICE_ACCOUNT_KEY" | base64 -d > /tmp/gcloud/sa.json
chmod 600 /tmp/gcloud/sa.json
# Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
- name: Terraform Init
run: terraform init -upgrade -backend-config=./config.gcs.tfbackend
# Checks that all Terraform configuration files adhere to a canonical format
- name: Terraform Format
run: terraform fmt -check
# Generates an execution plan for Terraform
- name: Terraform Plan
if: inputs.action == 'create'
run: terraform plan
- name: Terraform Apply
if: inputs.action == 'create'
run: terraform apply -auto-approve
- name: Terraform Destroy
if: inputs.action == 'destroy'
run: terraform destroy -auto-approve
- name: Set Outputs
id: set_outputs
if: inputs.action == 'create'
run: |
endpoint=$(terraform output --raw endpoint | sed 's/https\?:\/\///')
echo "endpoint=${endpoint}" >> $GITHUB_OUTPUT
admin_username=$(terraform output --raw admin_username)
echo "admin_username=${admin_username}" >> $GITHUB_OUTPUT
admin_password=$(terraform output --raw admin_password)
echo "admin_password=${admin_password}" >> $GITHUB_OUTPUT