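---
# Runs `tofu init/validate/plan` for every environment × provider pair on pull
# requests that touch the infrastructure tree, uploads each plan file as an
# artifact and leaves a summary comment on the PR.
name: OpenTofu Plan

# NOTE(review): every run executes provider/module code from the PR branch with
# live cloud credentials. Confirm how this Gitea instance handles secrets for
# pull requests from forks or external contributors; if they are exposed, gate
# this job behind a protected environment or a required review before it runs.
on:
  pull_request:
    branches: [main, develop]
    paths:
      - 'infrastructure/**'
      - '.gitea/workflows/terraform-plan.yml'

env:
  TOFU_VERSION: "1.10.6"

jobs:
  plan:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        environment: [dev, staging, production]
        provider: [oracle-cloud, huawei-cloud, google-cloud, digitalocean, aws]

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup OpenTofu
        uses: opentofu/setup-opentofu@v1
        with:
          tofu_version: ${{ env.TOFU_VERSION }}

      # Secrets are handed to the shell through `env:` instead of being spliced
      # into the script text with ${{ }}, so a value containing quotes, `$` or
      # newlines cannot break (or be interpreted as) shell code.
      # Anything later steps need is persisted through $GITHUB_ENV: a plain
      # `export` only lives for the duration of this one step.
      - name: Configure credentials
        env:
          PROVIDER: ${{ matrix.provider }}
          OCI_PRIVATE_KEY: ${{ secrets.OCI_PRIVATE_KEY }}
          HW_ACCESS_KEY: ${{ secrets.HW_ACCESS_KEY }}
          HW_SECRET_KEY: ${{ secrets.HW_SECRET_KEY }}
          GCP_SERVICE_ACCOUNT_KEY: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
          DO_TOKEN: ${{ secrets.DO_TOKEN }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        run: |
          set -euo pipefail
          # Set up the credentials for the cloud provider selected by the matrix
          echo "Setting up credentials for ${PROVIDER}"
          # Multi-line secrets (private keys) go to files created with a 077
          # umask so they are never readable by others, not even briefly.
          # Single-line values are persisted as KEY=VALUE lines in $GITHUB_ENV;
          # that form does not support values containing newlines.
          case "${PROVIDER}" in
            "oracle-cloud")
              mkdir -p ~/.oci
              (umask 077; printf '%s\n' "${OCI_PRIVATE_KEY}" > ~/.oci/oci_api_key.pem)
              ;;
            "huawei-cloud")
              {
                echo "HW_ACCESS_KEY=${HW_ACCESS_KEY}"
                echo "HW_SECRET_KEY=${HW_SECRET_KEY}"
              } >> "$GITHUB_ENV"
              ;;
            "google-cloud")
              (umask 077; printf '%s\n' "${GCP_SERVICE_ACCOUNT_KEY}" > /tmp/gcp-key.json)
              echo "GOOGLE_APPLICATION_CREDENTIALS=/tmp/gcp-key.json" >> "$GITHUB_ENV"
              ;;
            "digitalocean")
              echo "DIGITALOCEAN_TOKEN=${DO_TOKEN}" >> "$GITHUB_ENV"
              ;;
            "aws")
              {
                echo "AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}"
                echo "AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}"
              } >> "$GITHUB_ENV"
              ;;
          esac

      # The tfvars file carries the credentials of every provider, regardless
      # of which provider this matrix job plans for, because the per-provider
      # root modules are not visible here and may all declare these variables.
      # Treat the file — and any plan produced from it — as secret material.
      - name: Create terraform.tfvars
        working-directory: infrastructure/environments/${{ matrix.environment }}
        env:
          ENVIRONMENT: ${{ matrix.environment }}
          OCI_TENANCY_OCID: ${{ secrets.OCI_TENANCY_OCID }}
          OCI_USER_OCID: ${{ secrets.OCI_USER_OCID }}
          OCI_FINGERPRINT: ${{ secrets.OCI_FINGERPRINT }}
          HW_ACCESS_KEY: ${{ secrets.HW_ACCESS_KEY }}
          HW_SECRET_KEY: ${{ secrets.HW_SECRET_KEY }}
          GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
          DO_TOKEN: ${{ secrets.DO_TOKEN }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        run: |
          set -euo pipefail
          # Unquoted heredoc: ${VAR} is expanded by the shell, everything else is
          # written verbatim as HCL.
          (umask 077; cat > terraform.tfvars << EOF
          environment = "${ENVIRONMENT}"
          project_name = "mgmt"
          owner = "ben"

          # Oracle Cloud 配置
          oci_config = {
            tenancy_ocid = "${OCI_TENANCY_OCID}"
            user_ocid = "${OCI_USER_OCID}"
            fingerprint = "${OCI_FINGERPRINT}"
            private_key_path = "~/.oci/oci_api_key.pem"
            region = "ap-seoul-1"
          }

          # 华为云配置
          huawei_config = {
            access_key = "${HW_ACCESS_KEY}"
            secret_key = "${HW_SECRET_KEY}"
            region = "cn-north-4"
          }

          # Google Cloud 配置
          gcp_config = {
            project_id = "${GCP_PROJECT_ID}"
            region = "asia-northeast3"
            zone = "asia-northeast3-a"
            credentials = "/tmp/gcp-key.json"
          }

          # DigitalOcean 配置
          do_config = {
            token = "${DO_TOKEN}"
            region = "sgp1"
          }

          # AWS 配置
          aws_config = {
            access_key = "${AWS_ACCESS_KEY_ID}"
            secret_key = "${AWS_SECRET_ACCESS_KEY}"
            region = "ap-northeast-1"
          }
          EOF
          )

      # `-input=false` makes a missing variable or backend setting fail the job
      # instead of hanging on an interactive prompt.
      - name: OpenTofu Init
        working-directory: infrastructure/providers/${{ matrix.provider }}
        run: tofu init -input=false

      - name: OpenTofu Validate
        working-directory: infrastructure/providers/${{ matrix.provider }}
        run: tofu validate

      - name: OpenTofu Plan
        working-directory: infrastructure/providers/${{ matrix.provider }}
        run: |
          set -euo pipefail
          tofu plan -input=false \
            -var-file="../../../environments/${{ matrix.environment }}/terraform.tfvars" \
            -out="tfplan-${{ matrix.environment }}-${{ matrix.provider }}"

      # A saved plan embeds the values of all input variables, i.e. the
      # credentials written into terraform.tfvars above. Anyone who can download
      # this artifact can read them for the whole retention window, so restrict
      # artifact access accordingly and keep the retention as short as the
      # review process allows.
      - name: Upload Plan
        uses: actions/upload-artifact@v4
        with:
          name: tfplan-${{ matrix.environment }}-${{ matrix.provider }}
          path: infrastructure/providers/${{ matrix.provider }}/tfplan-${{ matrix.environment }}-${{ matrix.provider }}
          retention-days: 30

      # Runs only if every previous step succeeded (the implicit `success()`
      # condition), so the "generated successfully" status is accurate.
      # NOTE(review): actions/github-script talks to a GitHub-compatible API;
      # confirm this Gitea instance serves the issues/createComment endpoint.
      - name: Comment PR
        uses: actions/github-script@v7
        if: github.event_name == 'pull_request'
        with:
          script: |
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `## OpenTofu Plan Results

            **Environment:** ${{ matrix.environment }}
            **Provider:** ${{ matrix.provider }}
            **Status:** ✅ Plan generated successfully

            Plan artifact uploaded: \`tfplan-${{ matrix.environment }}-${{ matrix.provider }}\`

            Please review the plan before merging.`
            });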