github-action-apply-on-merge
Cost-Optimization, Backup & Security Alerting for the AWS Cloud with Terraform templates living in your repository
GitHub Action: Validate & Apply GorillaStack Config
GorillaStack provides cost-optimization, backup and security superpowers for users to employ in their AWS environments. Customers drive configuration through the web application, API and more recently through a Terraform provider.
This action allows customers to keep the source of truth for their GorillaStack config in their repository, automatically validate templates on every push and apply them on a merge to master.
Prerequisite - Create CloudFormation Stack to Persist tfstate
To maintain state in the .tfstate files generated by Terraform, we have provided a CloudFormation template to help users create an S3 bucket and a user with minimal privileges required to read/write to that bucket created.
Note: Please do not modify the region or the stack name. When the action runs, it looks for a stack of that name in that region in order to read the generated bucket name from the CloudFormation outputs.
Deploy via AWSCLI
```bash
aws cloudformation deploy \
  --template-file https://gorillastack-cloudformation-templates.s3.amazonaws.com/github-action-bucket-template.yml \
  --stack-name github-actions-gorillastack-tfstate \
  --capabilities CAPABILITY_NAMED_IAM \
  --region us-east-1
```
Deploy via AWS Console
Click this button to launch this stack in the AWS CloudFormation Console.
You will need to check the box to confirm the creation of IAM resources in the template.
Configuration - GitHub Secrets
There are 4 secrets that you will need to set in your GitHub repository to configure this action:
| Secret Name | Purpose |
|---|---|
| AWS_ACCESS_KEY_ID | AWS Creds required to access the created S3 bucket to store and retrieve tfstate |
| AWS_SECRET_ACCESS_KEY | AWS Creds required to access the created S3 bucket to store and retrieve tfstate |
| GORILLASTACK_API_KEY | GorillaStack API Key, scoped as read-write or read-only, tied to your user identity |
| GORILLASTACK_TEAM_ID | GorillaStack Team Id, sets context of which team/tenant you are targeting |
Within your GitHub repository, navigate to Settings > Secrets to set the secrets for this action.
1. Create AWS Access Key
A user was created as part of the CloudFormation stack deployed above. You will need to create access keys for this user, which you will then set as secrets in your GitHub repository.
Do this either via AWS CLI:
```bash
aws iam create-access-key --user-name github-actions-gorillastack-tfstate-user
```
or via AWS Console:
- Navigate to the IAM User configuration for the github-actions-gorillastack-tfstate-user
- Click on the "Create Access Key" button
- Copy the "Access Key Id" and "Secret Access Key" from the modal
2. Create GorillaStack API Key and find your Team Id
If you have not used the GorillaStack API yet, please follow this documentation to generate a key and retrieve the Team Id.
Usage
Create workflow .yml files under .github/workflows, or integrate these steps into your own workflows.
Inputs
Use these inputs to customise the action.
| Input Name | Default | Required? | Description |
|---|---|---|---|
| action | validate | Y | Can be validate or apply to either validate or apply the templates in the repo |
| stack_name | github-actions-gorillastack-tfstate | N | If you customised the name of the stack when deploying it, please specify that name for the stack in this input |
| aws_default_region | us-east-1 | N | If you deployed the stack in a region other than us-east-1, please specify it in this input |
| aws_access_key_id | N/A | Only for action=apply | Set this to be ${{ secrets.AWS_ACCESS_KEY_ID }}. See purpose in section above |
| aws_secret_access_key | N/A | Only for action=apply | Set this to be ${{ secrets.AWS_SECRET_ACCESS_KEY }}. See purpose in section above |
| gorillastack_api_key | N/A | Only for action=apply | Set this to be ${{ secrets.GORILLASTACK_API_KEY }}. See purpose in section above |
| gorillastack_team_id | N/A | Only for action=apply | Set this to be ${{ secrets.GORILLASTACK_TEAM_ID }}. See purpose in section above |
Outputs
None.
Example workflow: Validate templates on every push
```yaml
on: [push]
jobs:
  run:
    name: Validate GorillaStack config templates
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@master
      - name: Validate templates
        uses: 'GorillaStack/github-action-apply-on-merge'
```
Example workflow: Apply templates on every push to master
```yaml
on:
  push:
    branches:
      - master
jobs:
  run:
    name: Apply GorillaStack config templates
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@master
      - name: Apply templates
        uses: 'GorillaStack/github-action-apply-on-merge'
        with:
          action: apply
          aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          gorillastack_api_key: ${{ secrets.GORILLASTACK_API_KEY }}
          gorillastack_team_id: ${{ secrets.GORILLASTACK_TEAM_ID }}
```
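A hardened variant that combines the two workflows above, added here as an example and not taken from the GorillaStack repository: pull requests only validate (no secrets needed, as the inputs table states), applies run only on a push to master and are serialised so two runs never write the same tfstate at once, the token is limited to read access, and every action is pinned to a commit SHA. The `<commit-sha>` values and the `production` environment name are placeholders you must fill in yourself.

```yaml
name: GorillaStack config
on:
  pull_request:              # untrusted changes: validate only, secrets are never exposed
  push:
    branches: [master]       # merged changes: apply with the write-capable secrets
permissions:
  contents: read             # the workflow only needs to read the repository
concurrency:
  group: gorillastack-tfstate   # one run at a time, so concurrent applies cannot corrupt tfstate
  cancel-in-progress: false     # never abort an apply that is already writing state
jobs:
  validate:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<commit-sha>   # placeholder: full SHA of a reviewed release
      - name: Validate templates
        uses: GorillaStack/github-action-apply-on-merge@<commit-sha>   # placeholder SHA
        with:
          action: validate
  apply:
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    environment: production    # assumed environment name; lets you require reviewers before secrets are released
    steps:
      - uses: actions/checkout@<commit-sha>   # placeholder SHA
      - name: Apply templates
        uses: GorillaStack/github-action-apply-on-merge@<commit-sha>   # placeholder SHA
        with:
          action: apply
          aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          gorillastack_api_key: ${{ secrets.GORILLASTACK_API_KEY }}
          gorillastack_team_id: ${{ secrets.GORILLASTACK_TEAM_ID }}
```

Because the four secrets are referenced only in the apply job, a pull request from a fork can still trigger validation without ever receiving AWS or GorillaStack credentials.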