EntraID SCIM: This really is better done in Terraform #3
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: terraform plan (entraid-scim) | |
| on: | |
| workflow_dispatch: | |
| pull_request: | |
| paths: | |
| - 'entraid-scim/terraform/**' | |
| - '.github/workflows/entraid-scim-plan.yml' | |
| concurrency: | |
| group: ${{ github.workflow }} | |
| cancel-in-progress: false | |
| jobs: | |
| plan: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: read | |
| defaults: | |
| run: | |
| working-directory: ./entraid-scim/terraform | |
| steps: | |
| - uses: actions/[email protected] | |
| - uses: aws-actions/[email protected] | |
| with: | |
| role-to-assume: arn:aws:iam::${{ secrets.AWS_ROOT_ACCOUNT_ID }}:role/github-actions-plan | |
| role-session-name: GitHubActions | |
| aws-region: eu-west-2 | |
| - uses: hashicorp/[email protected] | |
| with: | |
| terraform_version: 1.7.5 | |
| - name: Run terraform fmt | |
| run: terraform fmt -check | |
| continue-on-error: true | |
| - name: Run terraform init | |
| run: terraform init | |
| - name: Run terraform validate | |
| run: terraform validate -no-color | |
| - name: Run terraform plan and capture output | |
| run: terraform plan -no-color > plan_output.txt | |
| - name: Retrieve Slack Bot Token from AWS Secrets Manager | |
| id: get_slack_bot_token | |
| uses: aws-actions/aws-secretsmanager-get-secrets@v2 | |
| with: | |
| secret-ids: | | |
| SLACK_INCOMING_WEBHOOK,aws-root-account-notifications-incoming-slack-webhook | |
| - name: Send initial message to Slack | |
| id: slack_message | |
| uses: slackapi/[email protected] | |
| with: | |
| webhook: ${{ env.SLACK_INCOMING_WEBHOOK }} | |
| webhook-type: incoming-webhook | |
| payload: | | |
| { | |
| "text": ":information_source: Terraform Plan completed for *<${{ github.server_url }}/${{ github.repository }}|${{ github.repository }}>* at `${{ github.ref_name }}`.\n*Workflow:* `${{ github.workflow }}`\n*Run ID:* `${{ github.run_id }}`\n*Initiated by:* `${{ github.actor }}`" | |
| } | |
| - name: Read plan output | |
| id: read_plan_output | |
| run: | | |
| # Read the plan output | |
| CONTENT=$(cat plan_output.txt) | |
| # Escape backslashes and double quotes for JSON | |
| CONTENT_ESCAPED=$(echo "$CONTENT" | sed 's/\\/\\\\/g; s/"/\\"/g') | |
| # Save the escaped content to the GITHUB_ENV file | |
| echo "content=$CONTENT_ESCAPED" >> $GITHUB_OUTPUT | |
| - name: Send Terraform plan output to Slack | |
| uses: slackapi/[email protected] | |
| with: | |
| webhook: ${{ env.SLACK_INCOMING_WEBHOOK }} | |
| webhook-type: incoming-webhook | |
| payload: | | |
| { | |
| "channel": "${{ secrets.SLACK_CHANNEL_ID }}", | |
| "text": "```\n${{ steps.read_plan_output.outputs.content }}\n```", | |
| "thread_ts: "${{ steps.slack_message.outputs.ts }}" | |
| } |