diff --git a/.github/workflows/_test-terraform-destroy.yml b/.github/workflows/_test-terraform-destroy.yml
index 4119db0..426e5b6 100644
--- a/.github/workflows/_test-terraform-destroy.yml
+++ b/.github/workflows/_test-terraform-destroy.yml
@@ -28,4 +28,5 @@ jobs:
 REPO_SSH_DEPLOY_KEY: ${{ secrets.SSH_DEPLOY_KEY }}
 AWS_ACCOUNT_ID: ${{ secrets.TEST_AWS_ACCOUNT_ID }}
 AWS_ROLE_NAME: ${{ secrets.TEST_AWS_ROLE_NAME }}
- TF_MODULES_SSH_DEPLOY_KEY: ${{ secrets.TF_MODULES_SSH_DEPLOY_KEY }}
\ No newline at end of file
+ TF_MODULES_SSH_DEPLOY_KEY: ${{ secrets.TF_MODULES_SSH_DEPLOY_KEY }}
+ TF_PLAN_ENCRYPTION_PASSPHRASE: ${{ secrets.TF_PLAN_ENCRYPTION_PASSPHRASE }}
\ No newline at end of file
diff --git a/.github/workflows/_test-terraform-plan-apply.yml b/.github/workflows/_test-terraform-plan-apply.yml
index 197a66d..f0e52d3 100644
--- a/.github/workflows/_test-terraform-plan-apply.yml
+++ b/.github/workflows/_test-terraform-plan-apply.yml
@@ -31,4 +31,5 @@ jobs:
 REPO_SSH_DEPLOY_KEY: ${{ secrets.SSH_DEPLOY_KEY }}
 AWS_ACCOUNT_ID: ${{ secrets.TEST_AWS_ACCOUNT_ID }}
 AWS_ROLE_NAME: ${{ secrets.TEST_AWS_ROLE_NAME }}
- TF_MODULES_SSH_DEPLOY_KEY: ${{ secrets.TF_MODULES_SSH_DEPLOY_KEY }}
\ No newline at end of file
+ TF_MODULES_SSH_DEPLOY_KEY: ${{ secrets.TF_MODULES_SSH_DEPLOY_KEY }}
+ TF_PLAN_ENCRYPTION_PASSPHRASE: ${{ secrets.TF_PLAN_ENCRYPTION_PASSPHRASE }}
\ No newline at end of file
diff --git a/.github/workflows/terraform-core.yml b/.github/workflows/terraform-core.yml
index 4a505f2..190e438 100644
--- a/.github/workflows/terraform-core.yml
+++ b/.github/workflows/terraform-core.yml
@@ -87,6 +87,9 @@ on:
 SSH_DEPLOY_KEY:
 required: false
 description: "Deprecated: Use either TF_MODULES_SSH_DEPLOY_KEY or REPO_SSH_DEPLOY_KEY instead."
+ TF_PLAN_ENCRYPTION_PASSPHRASE:
+ required: true
+ description: "The passphrase used to encrypt Terraform Plans before uploading them as Github Artifacts"
 jobs:
 initialise:
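Review bot: The rewritten last line of `_test-terraform-destroy.yml` still ends without a trailing newline — the `\ No newline at end of file` marker is present on the added side too — so the next secret appended here will again show up as a full rewrite of the previous line instead of a one-line addition. Ending the file with a newline after `TF_PLAN_ENCRYPTION_PASSPHRASE: ${{ secrets.TF_PLAN_ENCRYPTION_PASSPHRASE }}` fixes that and satisfies yamllint's new-line-at-end-of-file check. The `_test-terraform-plan-apply.yml` hunk has the same issue.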
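Review bot: The description of the new `TF_PLAN_ENCRYPTION_PASSPHRASE` secret in `terraform-core.yml` only covers the encrypt side, yet the same secret is read again by the job that downloads and decrypts the plan, so a caller that runs plan and apply as separate invocations presumably has to supply an identical value on both sides; suggest `description: "Passphrase used to symmetrically encrypt Terraform plans before they are uploaded as GitHub Artifacts, and to decrypt them again before apply; plan and apply callers must pass the same value."`. Declaring it `required: true` is also a breaking change for every existing caller of these reusable workflows and is worth stating in the release notes. The identical declarations added in `terraform-destroy.yml` and `terraform-plan-apply.yml` would benefit from the same wording.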
@@ -311,6 +314,16 @@ jobs:
 name: "${{ env.state_name }}-artefacts"
 path: ${{ matrix.stack.directory }}
+ - name: Decrypt Terraform plan
+ if: steps.download_plan.conclusion == 'success'
+ working-directory: "${{ matrix.stack.directory }}"
+ env:
+ ENCRYPTION_PASSPHRASE: ${{ secrets.TF_PLAN_ENCRYPTION_PASSPHRASE }}
+ run: |
+ pass_file=$(mktemp)
+ printf "%s" "$ENCRYPTION_PASSPHRASE" > "$pass_file"
+ gpg --decrypt --batch --passphrase-file "$pass_file" --out tfplan tfplan.gpg
+
 - name: Terraform Plan
 id: tf_plan
 working-directory: "${{ matrix.stack.directory }}"
@@ -399,13 +412,22 @@ jobs:
 cat updated_matrix.json
+ - name: Encrypt Terraform plan
+ env:
+ ENCRYPTION_PASSPHRASE: ${{ secrets.TF_PLAN_ENCRYPTION_PASSPHRASE }}
+ working-directory: "${{ matrix.stack.directory }}"
+ run: |
+ pass_file=$(mktemp)
+ printf "%s" "$ENCRYPTION_PASSPHRASE" > "$pass_file"
+ gpg --batch --symmetric --passphrase-file "$pass_file" tfplan
+
 - name: Upload Terraform Plan and matrix
 uses: actions/upload-artifact@v4
 if: ${{ inputs.upload_plan }}
 with:
 name: "${{ env.state_name }}-artefacts"
 path: |
- ${{ matrix.stack.directory }}/tfplan*
+ ${{ matrix.stack.directory }}/tfplan.gpg
 ${{ matrix.stack.directory }}/updated_matrix.json
 if-no-files-found: warn
 compression-level: 1
diff --git a/.github/workflows/terraform-destroy.yml b/.github/workflows/terraform-destroy.yml
index 91e351b..33b7733 100644
--- a/.github/workflows/terraform-destroy.yml
+++ b/.github/workflows/terraform-destroy.yml
@@ -51,7 +51,10 @@ on:
 SSH_DEPLOY_KEY:
 required: false
 description: "Deprecated: Use either TF_MODULES_SSH_DEPLOY_KEY or REPO_SSH_DEPLOY_KEY instead."
-
+ TF_PLAN_ENCRYPTION_PASSPHRASE:
+ required: true
+ description: "The passphrase used to encrypt Terraform Plans before uploading them as Github Artifacts"
+
 jobs:
 define_matrix:
 name: Define directory matrix for destroy
diff --git a/.github/workflows/terraform-plan-apply.yml b/.github/workflows/terraform-plan-apply.yml
index 1f8638e..8d005aa 100644
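Review bot: The temporary passphrase file created by `mktemp` in the `Decrypt Terraform plan` step is never removed, so the plaintext passphrase stays in the runner's temp directory for the rest of the job, which matters on self-hosted runners where the filesystem outlives the job. The file can be avoided entirely by passing the passphrase on stdin, `printf '%s' "$ENCRYPTION_PASSPHRASE" | gpg --batch --pinentry-mode loopback --passphrase-fd 0 --decrypt --output tfplan tfplan.gpg`; if the file approach is kept, add `trap 'rm -f "$pass_file"' EXIT` directly after the `mktemp` line. The GnuPG manual also states that `--passphrase-file` on 2.1+ needs `--pinentry-mode loopback`, which this invocation omits; whether the runner image's agent defaults tolerate that is not visible here, so passing it explicitly is the portable choice. The `Encrypt Terraform plan` step in the next hunk shares both points.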
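Review bot: The `Encrypt Terraform plan` step carries no `if:` condition while the upload it exists for is gated on `if: ${{ inputs.upload_plan }}`, so a run with uploads disabled still encrypts, and fails outright if `tfplan` was not written for that run (whether the plan step always produces `tfplan` is not visible in this hunk); adding `if: ${{ inputs.upload_plan }}` to the encrypt step keeps the two coupled. The `--symmetric` call also relies on gpg's default cipher, which differs between GnuPG releases (AES-128 on 2.2-era builds, AES-256 on newer ones), so pinning it with `gpg --batch --symmetric --cipher-algo AES256 --passphrase-file "$pass_file" tfplan` makes the protection level independent of the runner image. Narrowing the upload path from `tfplan*` to `tfplan.gpg` is the right call, as it keeps the plaintext `tfplan` that remains on disk out of the artifact.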
--- a/.github/workflows/terraform-plan-apply.yml
+++ b/.github/workflows/terraform-plan-apply.yml
@@ -59,6 +59,10 @@ on:
 SSH_DEPLOY_KEY:
 required: false
 description: "Deprecated: Use either TF_MODULES_SSH_DEPLOY_KEY or REPO_SSH_DEPLOY_KEY instead."
+ TF_PLAN_ENCRYPTION_PASSPHRASE:
+ required: true
+ description: "The passphrase used to encrypt Terraform Plans before uploading them as Github Artifacts"
+
 jobs:
 define_matrix: