diff --git a/examples/snippets/.github/workflows/atmos-components-updater.yml b/examples/snippets/.github/workflows/atmos-components-updater.yml index 8ab4ce285..2799e0f9b 100644 --- a/examples/snippets/.github/workflows/atmos-components-updater.yml +++ b/examples/snippets/.github/workflows/atmos-components-updater.yml @@ -19,7 +19,7 @@ jobs: - name: Generate a token id: github-app - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@v2 with: app-id: ${{ secrets.ATMOS_APP_ID }} private-key: ${{ secrets.ATMOS_PRIVATE_KEY }} diff --git a/examples/snippets/.github/workflows/atmos-pro-list-instances.yaml b/examples/snippets/.github/workflows/atmos-pro-list-instances.yaml index fa765b2cd..1c4e3d3ca 100644 --- a/examples/snippets/.github/workflows/atmos-pro-list-instances.yaml +++ b/examples/snippets/.github/workflows/atmos-pro-list-instances.yaml @@ -1,4 +1,4 @@ -name: 👽 Atmos Pro List instances +name: "👽 Atmos Pro List instances" run-name: list instances on: @@ -6,15 +6,14 @@ on: - cron: '0 0 * * *' workflow_dispatch: -# Avoid running the same stack in parallel mode (from different workflows) -# This applied to across workflows to both plan and apply +# Avoid running the same workflow in parallel. concurrency: group: ${{ github.workflow }} cancel-in-progress: false permissions: - id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout + id-token: write # Required for requesting the JWT (OIDC) token + contents: read # Required for actions/checkout jobs: atmos-list-instances: 
@@ -27,27 +26,20 @@ jobs: - "private=false" steps: - - uses: runs-on/action@v1 - - uses: unfor19/install-aws-cli-action@v1 - - - name: Checkout - uses: actions/checkout@v6 - with: - fetch-depth: 0 - - - name: Set atmos cli config path vars - shell: bash - run: |- - echo "ATMOS_CLI_CONFIG_PATH=$(realpath ${{ vars.ATMOS_CONFIG_PATH }})" >> $GITHUB_ENV + - uses: runs-on/action@v2 - name: Install Atmos uses: cloudposse/github-action-setup-atmos@v3 with: - atmos-version: ${{ vars.ATMOS_VERSION }} - token: ${{ github.token }} install-wrapper: false + atmos-version: ${{ vars.ATMOS_VERSION }} - # We need to assume AWS credentials to read the Terraform state + - name: Checkout + uses: actions/checkout@v6 + with: + fetch-depth: 0 + + # We need to assume AWS credentials to read the Terraform state. - name: Assume Planner Role uses: aws-actions/configure-aws-credentials@v6 with: @@ -57,9 +49,11 @@ jobs: mask-aws-account-id: "no" - name: List instances and upload to Atmos Pro + shell: bash env: ATMOS_PRO_WORKSPACE_ID: ${{ vars.ATMOS_PRO_WORKSPACE_ID }} ATMOS_PROFILE: "github-plan" + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | atmos list instances \ --upload diff --git a/examples/snippets/.github/workflows/atmos-pro-terraform-apply.yaml b/examples/snippets/.github/workflows/atmos-pro-terraform-apply.yaml index 9fa3e1d6f..23d81784e 100644 --- a/examples/snippets/.github/workflows/atmos-pro-terraform-apply.yaml +++ b/examples/snippets/.github/workflows/atmos-pro-terraform-apply.yaml @@ -1,5 +1,5 @@ -name: 👽 Atmos Pro Terraform Apply -run-name: apply ${{ inputs.component }}/${{ inputs.stack }}/${{ inputs.atmos_pro_run_id}} +name: Atmos Pro Terraform Apply +run-name: apply ${{ inputs.component }}/${{ inputs.stack }}/${{ inputs.atmos_pro_run_id }} on: workflow_dispatch: 
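Review bot: The `Set atmos cli config path vars` step that exported `ATMOS_CLI_CONFIG_PATH` from `vars.ATMOS_CONFIG_PATH` is removed without a replacement, so the later `atmos list instances` call (whose run block ends outside this hunk) no longer receives an explicit config path and will depend on atmos discovering `atmos.yaml` from the checkout on its own. Either restore it as a step env, `ATMOS_CLI_CONFIG_PATH: ${{ vars.ATMOS_CONFIG_PATH }}`, or add a comment above the step stating that configuration is now discovered from the repository root. The same `atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }}` input disappears in the apply, plan and affected-stacks workflows further down, where the composite actions are replaced by inline `run:` steps.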
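Review bot: `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` is added to the `List instances and upload to Atmos Pro` step env with no comment on what atmos uses it for, and the job's `permissions` block grants only `id-token: write` and `contents: read`, so a maintainer who later widens those scopes has no way to tell whether this step depends on them. Add a short why-comment above the line, e.g. `# GITHUB_TOKEN: used by atmos for GitHub API calls — confirm which endpoints`, so the grant stays tied to a documented need. The same undocumented token hand-off is added to the apply, plan and affected-stacks steps below; one comment at each is enough.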
@@ -23,22 +23,23 @@ on: required: true type: string -# Avoid running the same stack in parallel mode (from different workflows) -# This applied to across workflows to both plan and apply +# Avoid running the same stack in parallel mode (from different workflows). +# This applies across workflows to both plan and apply. concurrency: group: "${{ inputs.stack }}-${{ inputs.component }}" cancel-in-progress: false permissions: - id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout + id-token: write # Required for requesting the JWT (OIDC) token + contents: read # Required for actions/checkout + statuses: write # Required for CI commit status checks jobs: atmos-apply: name: ${{ inputs.component }}-${{ inputs.stack }} # The GitHub environment is defined in Atmos Pro settings. - # Typically this is - + # Typically this is -. environment: ${{ inputs.github_environment }} runs-on: 
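Review bot: The comment `# Typically this is -.` above `environment:` is truncated — the placeholders on either side of the dash were lost, so it no longer tells the reader what the environment name looks like. The concurrency group two lines earlier is `${{ inputs.stack }}-${{ inputs.component }}`, so presumably the environment follows the same pattern; if that is the intent, restore it as `# Typically this is <stack>-<component>.`, otherwise state the actual naming used in the Atmos Pro settings. The new `statuses: write` scope is consistent with the `--upload-status` flag the apply step passes later in this file.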
@@ -48,18 +49,26 @@ jobs: - "private=true" steps: - - uses: runs-on/action@v1 - - uses: unfor19/install-aws-cli-action@v1 + - uses: runs-on/action@v2 - - name: Apply Atmos Component - uses: cloudposse/github-action-atmos-terraform-apply@v7 - env: - ATMOS_PROFILE: "github-apply" + - name: Checkout + uses: actions/checkout@v6 + with: + ref: ${{ inputs.sha }} + + - name: Install Atmos + uses: cloudposse/github-action-setup-atmos@v3 with: - # Atmos Pro args - component: ${{ inputs.component }} - stack: ${{ inputs.stack }} - sha: ${{ inputs.sha }} - # Atmos required configuration + install-wrapper: false atmos-version: ${{ vars.ATMOS_VERSION }} - atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} + + - name: Apply Atmos Component + shell: bash + env: + ATMOS_PROFILE: github-apply + ATMOS_PRO_WORKSPACE_ID: ${{ vars.ATMOS_PRO_WORKSPACE_ID }} + ATMOS_PRO_RUN_ID: ${{ inputs.atmos_pro_run_id }} + GITHUB_SHA: ${{ inputs.sha }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + atmos terraform deploy ${{ inputs.component }} -s ${{ inputs.stack }} --upload-status diff --git a/examples/snippets/.github/workflows/atmos-pro-terraform-plan.yaml b/examples/snippets/.github/workflows/atmos-pro-terraform-plan.yaml index db2f62107..0ec68cdbb 100644 --- a/examples/snippets/.github/workflows/atmos-pro-terraform-plan.yaml +++ b/examples/snippets/.github/workflows/atmos-pro-terraform-plan.yaml @@ -1,5 +1,5 @@ -name: 👽 Atmos Pro Terraform Plan -run-name: plan ${{ inputs.component }}/${{ inputs.stack }}/${{ inputs.atmos_pro_run_id}} +name: Atmos Pro Terraform Plan +run-name: plan ${{ inputs.component }}/${{ inputs.stack }}/${{ inputs.atmos_pro_run_id }} on: workflow_dispatch: 
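Review bot: `${{ inputs.component }}` and `${{ inputs.stack }}` are interpolated directly into the `run:` script of `Apply Atmos Component`, so a `workflow_dispatch` payload containing shell metacharacters is executed as code on the runner with whatever cloud credentials the job holds at that point. Pass them through the step env and reference them as quoted shell variables instead: `COMPONENT: ${{ inputs.component }}`, `STACK: ${{ inputs.stack }}`, `atmos terraform deploy "$COMPONENT" -s "$STACK" --upload-status`. The `Plan Atmos Component` step in the plan workflow below has the same pattern and should get the same treatment. Whether the dispatching identity is restricted to Atmos Pro is not visible here; the env indirection is the standard mitigation either way and costs nothing.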
@@ -18,21 +18,22 @@ on: description: "Stack" required: true type: string - upload_status: - description: "Upload status to Atmos Pro" + upload: + description: "Upload plan status to Atmos Pro" + type: string required: false - type: boolean - default: false + default: "false" -# Avoid running the same stack in parallel mode (from different workflows) -# This applied to across workflows to both plan and apply +# Avoid running the same stack in parallel mode (from different workflows). +# This applies across workflows to both plan and apply. concurrency: group: "${{ inputs.stack }}-${{ inputs.component }}" cancel-in-progress: false permissions: - id-token: write # This is required for requesting the JWT (OIDC) token - contents: read # This is required for actions/checkout + id-token: write # Required for requesting the JWT (OIDC) token + contents: read # Required for actions/checkout + statuses: write # Required for CI commit status checks jobs: atmos-plan: 
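Review bot: The renamed `upload` input (now a string defaulting to `"false"`) is not read anywhere visible: the plan step in the next hunk passes `--upload-status` unconditionally, whereas the old side gated it on `inputs.upload_status`. Either wire it back, e.g. `atmos terraform plan ... ${{ inputs.upload == 'true' && '--upload-status' || '' }}`, or remove the input so the declared interface matches what the job does. Renaming `upload_status` to `upload` and changing `type: boolean` to `type: string` also breaks any dispatcher still sending the old field; if that is intentional, say so in the input's `description`.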
@@ -45,21 +46,26 @@ jobs: - "private=true" steps: - - uses: runs-on/action@v1 - - uses: unfor19/install-aws-cli-action@v1 + - uses: runs-on/action@v2 + + - name: Checkout + uses: actions/checkout@v6 + with: + ref: ${{ inputs.sha }} + + - name: Install Atmos + uses: cloudposse/github-action-setup-atmos@v3 + with: + install-wrapper: false + atmos-version: ${{ vars.ATMOS_VERSION }} - name: Plan Atmos Component - uses: cloudposse/github-action-atmos-terraform-plan@v5 + shell: bash env: - ATMOS_PROFILE: "github-plan" + ATMOS_PROFILE: github-plan ATMOS_PRO_WORKSPACE_ID: ${{ vars.ATMOS_PRO_WORKSPACE_ID }} - with: - # Atmos Pro args - component: ${{ inputs.component }} - stack: ${{ inputs.stack }} - sha: ${{ inputs.sha }} - # Upload the status to Atmos Pro - atmos-pro-upload-status: ${{ inputs.upload_status }} - # Atmos required configuration - atmos-version: ${{ vars.ATMOS_VERSION }} - atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} + ATMOS_PRO_RUN_ID: ${{ inputs.atmos_pro_run_id }} + GITHUB_SHA: ${{ inputs.sha }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + atmos terraform plan ${{ inputs.component }} -s ${{ inputs.stack }} --upload-status diff --git a/examples/snippets/.github/workflows/atmos-pro.yaml b/examples/snippets/.github/workflows/atmos-pro.yaml index 35f92cbeb..1aee803ca 100644 --- a/examples/snippets/.github/workflows/atmos-pro.yaml +++ b/examples/snippets/.github/workflows/atmos-pro.yaml @@ -1,11 +1,11 @@ -name: 👽 Atmos Pro Determine Affected Stacks -run-name: 👽 Atmos Pro Determine Affected Stacks +name: Atmos Pro +run-name: Atmos Pro # Atmos Pro reacts to events defined in the Atmos stack settings # and will trigger the appropriate workflows for the given event. # # For example, pull requests opened, synchronize, and reopened will trigger plan workflows. -# Whereas pull requests merged will trigger apply workflows +# Whereas pull requests merged will trigger apply workflows. on: pull_request: types: 
@@ -17,14 +17,14 @@ on: - main # Avoid conflicting workflow triggers. -# For example, wait to trigger apply until plan has been triggered +# For example, wait to trigger apply until plan has been triggered. concurrency: group: "${{ github.ref }}" cancel-in-progress: false permissions: - id-token: write # This is required for requesting the JWT (OIDC) token - contents: read # This is required for actions/checkout + id-token: write # Required for requesting the JWT (OIDC) token + contents: read # Required for actions/checkout jobs: affected: 
@@ -36,39 +36,41 @@ jobs: - "tag=affected-stacks" - "private=false" - # Trigger Atmos Pro for Pull Request plan events and specifically closed PRs that have been merged (not just closed) - # Skip if the PR has the "no-apply" label + # Trigger for PR plan events and specifically closed PRs that have been merged (not just closed). + # Skip if the PR has the "no-apply" label. if: | !contains(github.event.pull_request.labels.*.name, 'no-apply') && (github.event.action != 'closed' || (github.event.action == 'closed' && github.event.pull_request.merged == true)) steps: - - uses: runs-on/action@v1 + - uses: runs-on/action@v2 + + # Checkout the PR head SHA so the uploaded HeadSHA matches the webhook trigger event. - name: Checkout - # For merged PRs, we will need to checkout the base branch to get the correct base branch SHA. - # This isn't necessary for other events. - if: github.event.action == 'closed' uses: actions/checkout@v6 with: - fetch-depth: 0 # Fetch all history for all branches and tags + ref: ${{ github.event.pull_request.head.sha }} + fetch-depth: 0 + + - name: Install Atmos + uses: cloudposse/github-action-setup-atmos@v3 + with: + install-wrapper: false + atmos-version: ${{ vars.ATMOS_VERSION }} - # For merged PRs, we want to use 1 previous commit from the base branch SHA - # This is because by the time this workflow runs, the PR branch has already been merged. - # It's critical to use the base branch SHA to get the correct changes, not the previous commit from the PR branch. - - name: Determine previous commit on base branch - id: get_parent - if: github.event.action == 'closed' + # For merged PRs, use HEAD~1 to get the commit before the merge. + # For open PRs, use the PR base SHA directly. + - name: Determine base ref + id: refs shell: bash run: | - # For squash merges, github.event.pull_request.base.sha represents the state of the base branch - # when the PR was created (or last updated). 
This may be stale compared to the actual commit - # on the main branch at the time of the merge. Using 'HEAD~1' after the merge ensures we get - # the commit that was the tip of main immediately before the squash merge commit was added. - echo "Merge commit: $(git rev-parse HEAD)" - PARENT=$(git rev-parse HEAD~1) - echo "Parent (base) commit: $PARENT" - echo "merge_commit=$MERGE_COMMIT" >> "$GITHUB_OUTPUT" - echo "parent_commit=$PARENT" >> "$GITHUB_OUTPUT" + if [[ "${{ github.event.action }}" == "closed" ]]; then + PARENT=$(git rev-parse HEAD~1) + echo "base_ref=$PARENT" >> "$GITHUB_OUTPUT" + else + echo "base_ref=${{ github.event.pull_request.base.sha }}" >> "$GITHUB_OUTPUT" + fi + echo "head_ref=${{ github.event.pull_request.head.sha }}" >> "$GITHUB_OUTPUT" - name: Assume Planner Role uses: aws-actions/configure-aws-credentials@v6 @@ -79,16 +81,13 @@ jobs: mask-aws-account-id: "no" - name: Determine Affected Stacks - id: affected - uses: cloudposse/github-action-atmos-affected-stacks@v6 + shell: bash env: ATMOS_PRO_WORKSPACE_ID: ${{ vars.ATMOS_PRO_WORKSPACE_ID }} ATMOS_PROFILE: "github-plan" - with: - atmos-version: ${{ vars.ATMOS_VERSION }} - atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} - atmos-pro-upload: true - # Compare the head of the PR to the base of the PR if the PR is not merged. - # If the PR is merged, compare the head of the PR to 1 previous commit on the base branch. - head-ref: ${{ github.event.pull_request.head.sha }} - base-ref: ${{ github.event.action == 'closed' && steps.get_parent.outputs.parent_commit || github.event.pull_request.base.sha }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + atmos describe affected \ + --ref ${{ steps.refs.outputs.head_ref }} \ + --sha ${{ steps.refs.outputs.base_ref }} \ + --upload diff --git a/examples/snippets/stacks/catalog/iam-role/example-app.yaml b/examples/snippets/stacks/catalog/iam-role/example-app.yaml deleted file mode 100644 index 534e2e56a..000000000 
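Review bot: With checkout now pinned to `ref: ${{ github.event.pull_request.head.sha }}`, HEAD inside `Determine base ref` is the PR head commit, so `git rev-parse HEAD~1` on the closed branch yields the previous commit of the PR branch rather than "the commit before the merge" the new comment promises — the removed comment explicitly warned that the previous commit on the PR branch gives the wrong diff. If the merge commit is reachable after the `fetch-depth: 0` clone, derive the parent from it instead, `PARENT=$(git rev-parse "${{ github.event.pull_request.merge_commit_sha }}~1")`, and confirm it resolves correctly for squash and rebase merges as well as merge commits. Dropping the step-level `if: github.event.action == 'closed'` is fine now that the branch lives inside the script, but the comment should be corrected to describe what HEAD actually is.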
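Review bot: `Determine Affected Stacks` passes the PR head SHA to `--ref` and the base SHA to `--sha`, but as far as I can tell both flags of `atmos describe affected` name the single target the current checkout is compared against (a branch/tag ref versus a commit SHA), not a head/base pair like the removed action's `head-ref`/`base-ref` inputs; since the checkout already is the head SHA, the head SHA belongs in neither flag. If that reading is right, `--sha ${{ steps.refs.outputs.base_ref }}` alone is the intended invocation — confirm against the atmos CLI reference before relying on the upload. Separately, `id: affected` is removed; any later step in this job that reads `steps.affected.outputs.*` (outside this hunk) now silently gets an empty value.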
--- a/examples/snippets/stacks/catalog/iam-role/example-app.yaml +++ /dev/null @@ -1,62 +0,0 @@ - import: - - catalog/iam-role/defaults - - components: - terraform: - example-app/iam-role: - metadata: - component: iam-role - inherits: - - iam-role/defaults - vars: - name: example-app - attributes: - - "terraform" - role_description: | - Role for GitHub Actions to access the GitOps resources, such as the S3 Bucket and DynamoDB Table. - github_oidc_provider_enabled: true - github_oidc_provider_arn: !terraform.state github-oidc-provider oidc_provider_arn - trusted_github_org: acme - trusted_github_repos: - - example-app - policy_statements: - AllowECRAccess: - effect: "Allow" - actions: - - "ecr:GetAuthorizationToken" - - "ecr:BatchCheckLayerAvailability" - - "ecr:GetDownloadUrlForLayer" - - "ecr:BatchGetImage" - - "ecr:InitiateLayerUpload" - - "ecr:UploadLayerPart" - - "ecr:CompleteLayerUpload" - - "ecr:PutImage" - - "ecr:CreatePullThroughCacheRule" - - "ecr:BatchImportUpstreamImage" - - "ecr:CreateRepository" - resources: - - "*" - AllowAssumeRole: - effect: "Allow" - actions: - - "sts:AssumeRole" - - "sts:TagSession" - - "sts:SetSourceIdentity" - resources: - - "*" - AllowServicesAccess: - effect: "Allow" - actions: - - "s3:*" - - "iam:*" - - "ecs:*" - - "ecr:*" - - "logs:*" - - "ssm:*" - - "ec2:*" - - "elasticloadbalancing:*" - - "application-autoscaling:*" - - "cloudwatch:*" - - "kms:Decrypt" - resources: - - "*" diff --git a/examples/snippets/stacks/workflows/quickstart/foundation/atmos-pro.yaml b/examples/snippets/stacks/workflows/quickstart/foundation/atmos-pro.yaml deleted file mode 100644 index f7b8cce1b..000000000 --- a/examples/snippets/stacks/workflows/quickstart/foundation/atmos-pro.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -# Atmos Pro Layer Workflows -# -# These workflows are used for the quickstart setup of Atmos Pro integration. -# They automate the deployment of S3 bucket for plan storage, DynamoDB for -# plan tracking, and IAM roles for GitOps automation. -# -# Documentation: https://docs.cloudposse.com/layers/atmos-pro/ -# -# Usage: -# atmos workflow all -f quickstart/foundation/atmos-pro -# atmos workflow deploy -f quickstart/foundation/atmos-pro -# -# Prerequisites: -# - GitHub OIDC Provider must be deployed (see identity layer) -# -# Available workflows: -# - all: Deploy complete Atmos Pro integration -# - vendor: Pull required components -# - deploy: Deploy all GitOps infrastructure -# -workflows: - all: - description: Run all Atmos Pro workflows - steps: - - command: workflow vendor -f quickstart/foundation/atmos-pro - - command: workflow deploy -f quickstart/foundation/atmos-pro - - vendor: - description: Vendor Atmos Pro required components. - steps: - - command: vendor pull --component iam-role - - command: vendor pull --component dynamodb - - command: vendor pull --component s3-bucket - - deploy: - description: Deploy Atmos Pro infrastructure (S3, DynamoDB, IAM role) - steps: - - command: terraform deploy gitops/s3-bucket --stack core-use1-auto - - command: terraform deploy gitops/dynamodb --stack core-use1-auto - - command: terraform deploy iam-role/gitops --stack core-gbl-auto