Add Terraform apply job with manual approval

- New terraform-apply job runs after terraform-init - Requires manual approval via production environment gate - Only runs on push to master branch - Downloads plan file from MinIO - Applies the exact plan that was reviewed - Includes all necessary environment variables for Vault and vSphere
2025-11-02 01:45:38 +01:00 · 2025-11-02 01:45:38 +01:00 · 514136f018
commit 514136f018
parent 66e05bb105
1 changed files with 71 additions and 0 deletions
--- a/.gitea/workflows/sonarqube.yaml
+++ b/.gitea/workflows/sonarqube.yaml
@ -149,3 +149,74 @@ jobs:
          --endpoint-url="${MINIO_ENDPOINT}"

        echo "Plan uploaded to: s3://${MINIO_BUCKET}/${PLAN_PATH}/"
+
+  terraform-apply:
+    name: Terraform Apply
+    runs-on: ubuntu-latest
+    needs: terraform-init
+    if: github.ref == 'refs/heads/master' && github.event_name == 'push'
+    environment:
+      name: production
+    steps:
+    - name: Checking out
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v3
+      with:
+        terraform_version: latest
+
+    - name: Install AWS CLI
+      run: |
+        curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+        unzip -q awscliv2.zip
+        sudo ./aws/install
+
+    - name: Terraform Init
+      env:
+        AWS_ACCESS_KEY_ID: ${{ secrets.MINIO_ACCESS_KEY }}
+        AWS_SECRET_ACCESS_KEY: ${{ secrets.MINIO_SECRET_KEY }}
+        TF_BACKEND_ENDPOINT: ${{ secrets.MINIO_ENDPOINT }}
+        TF_BACKEND_BUCKET: ${{ secrets.MINIO_BUCKET }}
+        TF_BACKEND_KEY: ${{ secrets.MINIO_STATE_KEY }}
+        TF_BACKEND_REGION: "main"
+        TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }}
+        TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }}
+        VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
+      run: |
+        terraform init \
+          -backend-config="endpoints={s3=\"${TF_BACKEND_ENDPOINT}\"}" \
+          -backend-config="bucket=${TF_BACKEND_BUCKET}" \
+          -backend-config="key=${TF_BACKEND_KEY}" \
+          -backend-config="region=${TF_BACKEND_REGION}" \
+          -backend-config="skip_credentials_validation=true" \
+          -backend-config="skip_metadata_api_check=true" \
+          -backend-config="skip_requesting_account_id=true" \
+          -backend-config="skip_region_validation=true" \
+          -backend-config="use_path_style=true"
+
+    - name: Download Terraform Plan from MinIO
+      env:
+        AWS_ACCESS_KEY_ID: ${{ secrets.MINIO_ACCESS_KEY }}
+        AWS_SECRET_ACCESS_KEY: ${{ secrets.MINIO_SECRET_KEY }}
+        MINIO_ENDPOINT: ${{ secrets.MINIO_ENDPOINT }}
+        MINIO_BUCKET: ${{ secrets.MINIO_BUCKET }}
+      run: |
+        PLAN_PATH="terraform-plans/${{ github.repository }}/${{ github.run_number }}"
+        aws s3 cp "s3://${MINIO_BUCKET}/${PLAN_PATH}/tfplan" tfplan \
+          --endpoint-url="${MINIO_ENDPOINT}"
+        echo "Plan downloaded from: s3://${MINIO_BUCKET}/${PLAN_PATH}/tfplan"
+
+    - name: Terraform Apply
+      env:
+        AWS_ACCESS_KEY_ID: ${{ secrets.MINIO_ACCESS_KEY }}
+        AWS_SECRET_ACCESS_KEY: ${{ secrets.MINIO_SECRET_KEY }}
+        TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }}
+        TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }}
+        TF_VAR_datacenter: ${{ secrets.VSPHERE_DATACENTER }}
+        TF_VAR_cluster_name: ${{ secrets.VSPHERE_CLUSTER }}
+        TF_VAR_environment: ${{ secrets.ENVIRONMENT }}
+        VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
+      run: terraform apply -auto-approve tfplan