Repository Sync #334
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Repository Sync | |
| on: | |
| repository_dispatch: | |
| workflow_dispatch: | |
| inputs: | |
| repositories: | |
| description: 'Override the target repositories, use a comma separated list. Leave as All to run on all repositories.' | |
| default: 'All' | |
| type: string | |
| plan_only: | |
| description: 'Whether to only plan the changes' | |
| default: true | |
| type: boolean | |
| force_user_removal: | |
| description: 'Force removal of users with direct access, even if they are JIT elevated.' | |
| default: false | |
| type: boolean | |
| schedule: | |
| - cron: '30 15 * * 1-5' | |
| permissions: | |
| id-token: write | |
| contents: read | |
| defaults: | |
| run: | |
| working-directory: ./tf-repo-mgmt | |
| jobs: | |
| generate-matrix: | |
| name: Generate Matrix | |
| runs-on: ubuntu-latest | |
| environment: avm | |
| outputs: | |
| matrix: ${{ steps.matrix.outputs.matrix }} | |
| matrixParallel: ${{ steps.matrix.outputs.matrixParallel }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Generate Matrix | |
| uses: ./.github/actions/avm-repos | |
| id: matrix | |
| with: | |
| repositories: ${{ inputs.repositories }} | |
| first_run: ${{ inputs.first_run }} | |
| clientId: ${{ secrets.AVM_APP_CLIENT_ID }} | |
| privateKey: ${{ secrets.AVM_APP_PRIVATE_KEY }} | |
| run-sync: | |
| name: ${{ matrix.repoId }} (${{ matrix.repoUrl }}) | |
| runs-on: ubuntu-latest | |
| environment: avm | |
| needs: generate-matrix | |
| strategy: | |
| fail-fast: false | |
| max-parallel: ${{ fromJson(needs.generate-matrix.outputs.matrixParallel) }} | |
| matrix: | |
| include: ${{ fromJson(needs.generate-matrix.outputs.matrix) }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 | |
| - name: Setup Terraform | |
| uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 | |
| with: | |
| terraform_version: latest | |
| terraform_wrapper: false | |
| - name: Create GitHub App Token | |
| id: app-token | |
| uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 | |
| with: | |
| app-id: ${{ secrets.AVM_APP_CLIENT_ID }} | |
| private-key: ${{ secrets.AVM_APP_PRIVATE_KEY }} | |
| owner: ${{ github.repository_owner }} | |
| - name: Download Labels CSV File | |
| run: | | |
| ./scripts/Get-AvmLabels.ps1 | |
| shell: pwsh | |
| - name: Run Sync for ${{ matrix.repoId }} | |
| run: | | |
| $triggerType = "${{ github.event_name }}" | |
| $planOnly = $false | |
| $forceUserRemoval = $false | |
| if($triggerType -eq "workflow_dispatch") { | |
| $planOnly = "${{ inputs.plan_only }}".ToLower() -eq "true" | |
| $forceUserRemoval = "${{ inputs.force_user_removal }}".ToLower() -eq "true" | |
| } | |
| Write-Output "Token: $env:GH_TOKEN" | |
| Write-Output "Repositories: $repositories" | |
| Write-Output "Plan Only: $planOnly" | |
| Write-Output "Force User Removal: $forceUserRemoval" | |
| $testSubscriptionIds = $env:TEST_SUBSCRIPTION_IDS | ConvertFrom-Json | |
| Write-Host "Authenticating gh cli" | |
| gh auth login -h "GitHub.com" | |
| Write-Host "Running repo sync" | |
| ./scripts/Invoke-RepositorySync.ps1 ` | |
| -planOnly $planOnly ` | |
| -managementGroupId "${{ secrets.MANAGEMENT_GROUP_ID }}" ` | |
| -testSubscriptionIds $testSubscriptionIds ` | |
| -stateStorageAccountName "${{ secrets.STORAGE_ACCOUNT_NAME }}" ` | |
| -stateResourceGroupName "${{ secrets.STORAGE_ACCOUNT_RESOURCE_GROUP_NAME }}" ` | |
| -stateContainerName "${{ secrets.STORAGE_ACCOUNT_CONTAINER_NAME }}" ` | |
| -identityResourceGroupName "${{ secrets.IDENTITY_RESOURCE_GROUP_NAME }}" ` | |
| -repoId "${{ matrix.repoId }}" ` | |
| -repoUrl "${{ matrix.repoUrl }}" ` | |
| -outputDirectory "${{ github.workspace }}" ` | |
| -forceUserRemoval:$forceUserRemoval | |
| shell: pwsh | |
| env: | |
| GH_TOKEN: ${{ steps.app-token.outputs.token }} | |
| ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} | |
| ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} | |
| ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} | |
| ARM_USE_AZUREAD: true | |
| ARM_USE_OIDC: true | |
| TEST_SUBSCRIPTION_IDS: ${{ secrets.TEST_SUBSCRIPTION_IDS }} | |
| - name: Upload Issue Logs Json | |
| if: always() && hashFiles('issue.log.json') != '' | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: ${{ matrix.repoId }}.issue.log.json | |
| path: issue.log.json | |
| - name: Issue Error | |
| if: always() && hashFiles('issue.log.json') != '' | |
| run: | | |
| $issueLogJson = Get-Content -Path "${{ github.workspace }}/issue.log.json" -Raw | |
| $issueLog = ConvertFrom-Json $issueLogJson | |
| $issueLog | ForEach-Object { | |
| echo "::error title=${{ matrix.repoId }} has issues::$($_.message) Check the log file artifact for ${{ matrix.repoId }} to see the full details." | |
| } | |
| exit 1 | |
| shell: pwsh |