Manual approval doesn't work between steps of terraform plan and apply #50

Closed
xiaoanne opened this issue Oct 20, 2022 · 8 comments · Fixed by #57
Labels
documentation Improvements or additions to documentation

Comments

xiaoanne commented Oct 20, 2022

Hi,

I am trying to use trstringer/manual-approval@v1 between terraform plan and apply; however, it complains:

```text
Attempting to expand user xiaoanne/xiaoanne as a group (may not succeed)
GET https://api.github.com/orgs/xiaoanne/teams/xiaoanne/members: 404 Not Found []
Creating issue in repo xiaoanne/aws-h1 with the following content:
Title: Manual approval required for workflow run 3286175439
Approvers: [xiaoanne]
Body:
Workflow is pending manual review.
URL: https://github.com/xiaoanne/aws-h1/actions/runs/3286175439

Required approvers: [xiaoanne]

Respond "approved", "approve", "lgtm", "yes" to continue workflow or "denied", "deny", "no" to cancel.
error creating issue: POST https://api.github.com/repos/xiaoanne/aws-h1/issues: 403 Resource not accessible by integration []
```

Here is the workflow:

```yaml
name: 'Terraform'
on:
  push:
    branches: #[ "main" ]
      - 'main'
      - 'test'
  pull_request:

permissions:
  contents: read

jobs:
  setup:
    name: 'Terraform'
    runs-on: ubuntu-latest
    environment: dev

    # Use the Bash shell, set working directory
    defaults:
      run:
        shell: bash
        working-directory: ./website_s3

    steps:
      # Checkout the repository to the GitHub Actions runner
      - name: Checkout
        uses: actions/checkout@v3

      # Set the AWS access key and secret access key
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ap-southeast-2

      # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v1
        with:
          cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}

      # Initialize a new or existing Terraform working directory, run the plan to generate tfplan.out for terraform apply to use
      - name: Terraform Init/Plan
        run: |
          terraform fmt -check
          terraform init
          terraform plan -input=false -out=tfplan.out

      # The assigned approvers need to manually approve to proceed with terraform apply
      - name: Manual approve     # Failed in here
        uses: trstringer/manual-approval@v1
        with:
          secret: ${{ github.TOKEN }}
          approvers: xiaoanne
          minimum-approvals: 1

      # Apply and/or destroy the infrastructure
      - name: Terraform Apply/Destroy
        run: |
          terraform apply tfplan.out
          sleep 10
          terraform destroy -auto-approve
```

trstringer (Owner) commented:

So it looks like you're getting a 403 when trying to create the issue. Can you make sure the job has the correct permissions to create the issue?

@trstringer trstringer added the needs-info Needs more information from the author label Oct 27, 2022
xiaoanne (Author) commented:

Hi trstringer, thanks a lot for your reply. I tried with both `permissions: read-all` and `permissions: write-all`.
The read-all permission still gave me the same 403 error.
With the write-all permission, the manual approval step gets stuck in pending status, without anywhere I can find and click approve:

```text
Workflow status: Pending
Workflow status: Pending
Workflow status: Pending
Workflow status: Pending
Workflow status: Pending
Workflow status: Pending
Workflow status: Pending
Workflow status: Pending
Workflow status: Pending
Workflow status: Pending
```

Could you please help with this? Thank you very much.

trstringer (Owner) commented:

Ah that's great news! I think that was likely the issue. So the way to approve the workflow is to make a comment on the issue that was created. Navigate to the issues section of the repo and hopefully you see a new issue there.

On a related note, I plan on adding a link to the created issue in the job output, as suggested by #51.

xiaoanne (Author) commented:

Aha, that is true. Thank you so much for your help. Can I ask why the write-all permission is required for the manual approval step to run, please?

trstringer (Owner) commented:

write-all is not needed; the least privileges should be:

```yaml
permissions:
  issues: write
```

That's so the job can create (i.e. write) an issue in the repo.
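The 403 above and the fix in this answer both follow from how GitHub Actions resolves `GITHUB_TOKEN` permissions: a job-level `permissions` block replaces the workflow-level one entirely, `read-all`/`write-all` cover every scope, and as soon as a `permissions` map names any scope, every scope it does not name becomes `none`. The resolver below is an added illustration of those rules (it is not code from the manual-approval project or from this thread). The sample workflows are constructed to mirror the one posted in the issue, `RESTRICTED_DEFAULT`/`PERMISSIVE_DEFAULT` are assumptions standing in for the repository-level default-permission setting, and the fork-PR case (where the token is read-only whatever the workflow says) is deliberately not modelled.

```python
"""Resolve effective GITHUB_TOKEN permissions for a GitHub Actions job.

Added example, stdlib only. Encodes the documented rules:
  * job-level `permissions` replaces workflow-level `permissions` entirely;
  * `read-all` / `write-all` are shorthands for every scope;
  * a `permissions` map sets every scope it does not list to `none`
    (so `permissions: {}` means no access at all);
  * with no `permissions` at either level, the repository default applies
    (a repository setting, so it is passed in explicitly here).
"""

# Scopes a workflow-level or job-level `permissions` map may name.
SCOPES = (
    "actions", "checks", "contents", "deployments", "discussions", "issues",
    "packages", "pages", "pull-requests", "repository-projects",
    "security-events", "statuses",
)
LEVEL = {"none": 0, "read": 1, "write": 2}

# Assumed stand-ins for the repository "default workflow permissions" setting.
RESTRICTED_DEFAULT = {"contents": "read", "packages": "read"}
PERMISSIVE_DEFAULT = "write-all"


def expand(perms):
    """Turn a `permissions` value (shorthand or map) into a full scope->level map."""
    if perms is None:
        return None
    if perms == "read-all":
        return {s: "read" for s in SCOPES}
    if perms == "write-all":
        return {s: "write" for s in SCOPES}
    if isinstance(perms, dict):
        for scope, level in perms.items():
            if scope not in SCOPES or level not in LEVEL:
                raise ValueError(f"invalid permission {scope}: {level}")
        # Any scope not listed in the map is `none`.
        return {s: perms.get(s, "none") for s in SCOPES}
    raise ValueError(f"unsupported permissions value: {perms!r}")


def effective_permissions(workflow, job_id, repo_default=RESTRICTED_DEFAULT):
    """Job-level block wins; else workflow-level; else the repository default."""
    job = workflow["jobs"][job_id]
    for level in (job, workflow):
        resolved = expand(level.get("permissions"))
        if resolved is not None:
            return resolved
    return expand(repo_default)


def missing_scopes(workflow, job_id, needed, repo_default=RESTRICTED_DEFAULT):
    """Return {scope: (have, need)} for every required scope the job falls short on."""
    have = effective_permissions(workflow, job_id, repo_default)
    return {
        s: (have[s], lvl) for s, lvl in needed.items() if LEVEL[have[s]] < LEVEL[lvl]
    }


# What the job in the issue actually needs: checkout reads the repo,
# manual-approval creates an issue.
NEEDED = {"contents": "read", "issues": "write"}

# Constructed sample: workflow-level `contents: read`, nothing at job level
# (the shape of the workflow posted in the issue).
ISSUE_WORKFLOW = {
    "permissions": {"contents": "read"},
    "jobs": {"setup": {"runs-on": "ubuntu-latest"}},
}

# Constructed sample: least-privilege fix at job level. `issues: write` alone
# would drop `contents` to `none`, so both scopes are named.
FIXED_WORKFLOW = {
    "permissions": {"contents": "read"},
    "jobs": {"setup": {"permissions": {"contents": "read", "issues": "write"}}},
}

if __name__ == "__main__":
    print("issue workflow lacks:", missing_scopes(ISSUE_WORKFLOW, "setup", NEEDED))
    print("fixed workflow lacks:", missing_scopes(FIXED_WORKFLOW, "setup", NEEDED))
```

Run against the constructed samples, the first workflow reports `issues` at `none` (the 403 in the issue), and the fixed one reports nothing missing; swapping the job block for `read-all` reproduces the second failure the author saw, since `issues: read` still cannot create an issue.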

xiaoanne (Author) commented:

Awesome, thank you so much @trstringer, it works perfectly. It would be great if this could be mentioned somewhere in the README, from my personal point of view.

trstringer (Owner) commented:

Great suggestion! Reopening this issue so that I can track this work (adding the documentation to the README).

@trstringer trstringer reopened this Oct 31, 2022
@trstringer trstringer added documentation Improvements or additions to documentation and removed needs-info Needs more information from the author labels Oct 31, 2022
xiaoanne (Author)

xiaoanne commented Nov 6, 2022 via email
