Merge pull request #239 from dflook/test-destroy-lock-info

Test destroy lock info

Author: dflook

.github/workflows/test-unlock-state.yaml

@@ -46,36 +46,59 @@ jobs:
           fi
 
       # Check state-locked
-      - name: Try using locked state
+      - name: Try using locked state using terraform-apply
         uses: ./terraform-apply
-        id: locked-state
+        id: locked-state-apply
         continue-on-error: true
         with:
           path: tests/workflows/test-unlock-state
           auto_approve: true
 
-      - name: Check state locked failure-reason
+      - name: Check terraform-apply state locked failure-reason
+        run: |
+          if [[ "${{ steps.locked-state-apply.outcome }}" != "failure" ]]; then
+            echo "Apply did not fail correctly"
+            exit 1
+          fi
+
+          if [[ "${{ steps.locked-state-apply.outputs.failure-reason }}" != "state-locked" ]]; then
+            echo "::error:: failure-reason not set correctly"
+            exit 1
+          fi
+          
+          echo '"${{ steps.locked-state-apply.outputs.lock-info }}"'
+          
+          echo 'Lock id is ${{ fromJson(steps.locked-state-apply.outputs.lock-info).ID }}'
+
+      - name: Try using locked state using terraform-destroy
+        uses: ./terraform-destroy
+        id: locked-state-destroy
+        continue-on-error: true
+        with:
+          path: tests/workflows/test-unlock-state
+
+      - name: Check terraform-destroy state locked failure-reason
         run: |
-          if [[ "${{ steps.locked-state.outcome }}" != "failure" ]]; then
+          if [[ "${{ steps.locked-state-destroy.outcome }}" != "failure" ]]; then
             echo "Apply did not fail correctly"
             exit 1
           fi
 
-          if [[ "${{ steps.locked-state.outputs.failure-reason }}" != "state-locked" ]]; then
+          if [[ "${{ steps.locked-state-destroy.outputs.failure-reason }}" != "state-locked" ]]; then
             echo "::error:: failure-reason not set correctly"
             exit 1
           fi
           
-          echo '"${{ steps.locked-state.outputs.lock-info }}"'
+          echo '"${{ steps.locked-state-destroy.outputs.lock-info }}"'
           
-          echo 'Lock id is ${{ fromJson(steps.locked-state.outputs.lock-info).ID }}'
+          echo 'Lock id is ${{ fromJson(steps.locked-state-destroy.outputs.lock-info).ID }}'
 
       - name: Unlock the state
         uses: ./terraform-unlock-state
         continue-on-error: true
         with:
           path: tests/workflows/test-unlock-state
-          lock_id: ${{ fromJson(steps.locked-state.outputs.lock-info).ID }}
+          lock_id: ${{ fromJson(steps.locked-state-apply.outputs.lock-info).ID }}
 
       - name: Check state is not locked
         uses: ./terraform-apply
@@ -154,6 +177,30 @@ jobs:
           
           echo 'Lock id is ${{ fromJson(steps.locked-state-workspace.outputs.lock-info).ID }}'
 
+      - name: Try using locked state using terraform-destroy-workspace
+        uses: ./terraform-destroy-workspace
+        id: locked-state-destroy-workspace
+        continue-on-error: true
+        with:
+          path: tests/workflows/test-unlock-state
+          workspace: hello
+
+      - name: Check terraform-destroy-workspace state locked failure-reason
+        run: |
+          if [[ "${{ steps.locked-state-destroy-workspace.outcome }}" != "failure" ]]; then
+            echo "Apply did not fail correctly"
+            exit 1
+          fi
+
+          if [[ "${{ steps.locked-state-destroy-workspace.outputs.failure-reason }}" != "state-locked" ]]; then
+            echo "::error:: failure-reason not set correctly"
+            exit 1
+          fi
+          
+          echo '"${{ steps.locked-state-destroy-workspace.outputs.lock-info }}"'
+          
+          echo 'Lock id is ${{ fromJson(steps.locked-state-destroy-workspace.outputs.lock-info).ID }}'
+
       - name: Unlock the state
         uses: ./terraform-unlock-state
         continue-on-error: true

terraform-apply/README.md

@@ -222,10 +222,28 @@ These input values must be the same as any `terraform-plan` for the same configu
 
   - `apply-failed` - The Terraform apply operation failed.
   - `plan-changed` - The approved plan is no longer accurate, so the apply will not be attempted.
+  - `state-locked` - The Terraform state lock could not be obtained because it was already locked. 
 
   If the job fails for any other reason this will not be set.
   This can be used with the Actions expression syntax to conditionally run steps.
 
+* `lock-info`
+
+  When the job outcome is `failure` and the failure-reason is `state-locked`, this output will be set.
+
+  It is a json object containing any available state lock information and typically has the form:
+  ```json
+  {
+    "ID": "838fbfde-c5cd-297f-84a4-d7578b4a4880",
+    "Path": "terraform-github-actions/test-unlock-state",
+    "Operation": "OperationTypeApply",
+    "Who": "root@e9d43b0c6478",
+    "Version": "1.3.7",
+    "Created": "2023-01-28 00:16:41.560904373 +0000 UTC",
+    "Info": ""
+  }
+  ```
+
 * `run_id`
 
   If the root module uses the `remote` or `cloud` backend in remote execution mode, this output will be set to the remote run id.

terraform-destroy-workspace/README.md

@@ -101,9 +101,30 @@ This action uses the `terraform destroy` command to destroy all resources in a t
 
 * `failure-reason`
 
-  When the job outcome is `failure` because the terraform destroy operation failed, this is set to `destroy-failed`.
+  When the job outcome is `failure`, this output may be set. The value may be one of:
+
+  - `destroy-failed` - The Terraform destroy operation failed.
+  - `state-locked` - The Terraform state lock could not be obtained because it was already locked. 
+
   If the job fails for any other reason this will not be set.
-  This can be used with the Actions expression syntax to conditionally run a step when the destroy fails.
+  This can be used with the Actions expression syntax to conditionally run a steps.
+
+* `lock-info`
+
+  When the job outcome is `failure` and the failure-reason is `state-locked`, this output will be set.
+
+  It is a json object containing any available state lock information and typically has the form:
+  ```json
+  {
+    "ID": "838fbfde-c5cd-297f-84a4-d7578b4a4880",
+    "Path": "terraform-github-actions/test-unlock-state",
+    "Operation": "OperationTypeApply",
+    "Who": "root@e9d43b0c6478",
+    "Version": "1.3.7",
+    "Created": "2023-01-28 00:16:41.560904373 +0000 UTC",
+    "Info": ""
+  }
+  ```
 
 ## Environment Variables
 

terraform-destroy/README.md

@@ -108,9 +108,30 @@ This action uses the `terraform destroy` command to destroy all resources in a t
 
 * `failure-reason`
 
-  When the job outcome is `failure` because the terraform destroy operation failed, this is set to `destroy-failed`.
+  When the job outcome is `failure`, this output may be set. The value may be one of:
+
+  - `destroy-failed` - The Terraform destroy operation failed.
+  - `state-locked` - The Terraform state lock could not be obtained because it was already locked. 
+
   If the job fails for any other reason this will not be set.
-  This can be used with the Actions expression syntax to conditionally run a step when the destroy fails.
+  This can be used with the Actions expression syntax to conditionally run a steps.
+
+* `lock-info`
+
+  When the job outcome is `failure` and the failure-reason is `state-locked`, this output will be set.
+
+  It is a json object containing any available state lock information and typically has the form:
+  ```json
+  {
+    "ID": "838fbfde-c5cd-297f-84a4-d7578b4a4880",
+    "Path": "terraform-github-actions/test-unlock-state",
+    "Operation": "OperationTypeApply",
+    "Who": "root@e9d43b0c6478",
+    "Version": "1.3.7",
+    "Created": "2023-01-28 00:16:41.560904373 +0000 UTC",
+    "Info": ""
+  }
+  ```
 
 ## Environment Variables
 

terraform-unlock-state/README.md

@@ -2,75 +2,35 @@
 
 This is one of a suite of terraform related actions - find them at [dflook/terraform-github-actions](https://github.com/dflook/terraform-github-actions).
 
-This actions is intially planned to manually unlock the state for the defined configuration.
-
-The `GITHUB_TOKEN` environment variable must be set for the PR comment to be added.
-The action can be run on other events, which prints the plan to the workflow log.
+Force unlocks a Terraform remote state.
 
 ## Inputs
 
 * `path`
 
-  Path to the terraform root module to apply
+  Path to the terraform root module that defines the remote state to unlock
 
   - Type: string
   - Optional
   - Default: The action workspace
 
 * `workspace`
 
-  Terraform workspace to run
+  Terraform workspace to unlock the remote state for
 
   - Type: string
   - Optional
   - Default: `default`
 
 * `lock_id`
 
-  Lock id from the defined configuration
+  The ID of the state lock to release
 
   - Type: string
   - Required
 
 ## Environment Variables
 
-* `GITHUB_TOKEN`
-
-  The GitHub authorization token to use to create comments on a PR.
-  The token provided by GitHub Actions can be used - it can be passed by
-  using the `${{ secrets.GITHUB_TOKEN }}` expression, e.g.
-
-  ```yaml
-  env:
-    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  ```
-
-  The token provided by GitHub Actions will work with the default permissions.
-  The minimum permissions are `pull-requests: write`.
-  It will also likely need `contents: read` so the job can checkout the repo.
-
-  You can also use any other App token that has `pull-requests: write` permission.
-
-  You can use a fine-grained Personal Access Token which has repository permissions:
-  - Read access to metadata
-  - Read and Write access to pull requests
-
-  You can also use a classic Personal Access Token which has the `repo` scope.
-
-  The GitHub user or app that owns the token will be the PR comment author.
-
-  - Type: string
-  - Optional
-
-* `TERRAFORM_ACTIONS_GITHUB_TOKEN`
-
-  When this is set it is used instead of `GITHUB_TOKEN`, with the same behaviour.
-  The GitHub terraform provider also uses the `GITHUB_TOKEN` environment variable, 
-  so this can be used to make the github actions and the terraform provider use different tokens.
-
-  - Type: string
-  - Optional
-
 * `TERRAFORM_CLOUD_TOKENS`
 
   API tokens for terraform cloud hosts, of the form `<host>=<token>`. Multiple tokens may be specified, one per line.
@@ -133,22 +93,6 @@ The action can be run on other events, which prints the plan to the workflow log
   - Type: string
   - Optional
 
-* `TF_PLAN_COLLAPSE_LENGTH`
-
-  When PR comments are enabled, the terraform output is included in a collapsable pane.
-  
-  If a terraform plan has fewer lines than this value, the pane is expanded
-  by default when the comment is displayed.
-
-  ```yaml
-  env:
-    TF_PLAN_COLLAPSE_LENGTH: 30
-  ```
-
-  - Type: integer
-  - Optional
-  - Default: 10
-
 * `TERRAFORM_PRE_RUN`
 
   A set of commands that will be ran prior to `terraform init`. This can be used to customise the environment before running terraform. 
@@ -181,26 +125,26 @@ on:
   workflow_dispatch:
     inputs:
       path:
-        description: "Path to the terraform files configuration"
+        description: "Path to the terraform root module"
         required: true
       lock_id:
         description: "Lock ID to be unlocked"
         required: true
 
+env:
+  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
 jobs:
   unlock:
-    name: Setup and unlock
+    name: Unlock
     runs-on: ubuntu-latest
-    env:
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - name: Checkout current branch
         uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
 
       - name: Terraform Unlock
-        uses: patricktalmeida/terraform-github-actions/terraform-unlock-state@add-unlock-state
+        uses: dflook/terraform-unlock-state@v1
         with:
           path: ${{ github.event.inputs.path }}
           lock_id: ${{ github.event.inputs.lock_id }}