# edp-deploy-orchestrator-action

Source: https://github.com/stack-spot/edp-deploy-orchestrator-action (GitHub, owner `stack-spot`, default branch `main`). Repository record via repos.ecosyste.ms, last synced 2026-01-11: created 2024-10-29, last pushed 2025-02-19, 3 tags, 0 stars, 0 forks, 1 open issue, topic `code`. The repository ships a README but no LICENSE, SECURITY, CODEOWNERS or threat-model file.

This Action allows users of EDP Deploy (formerly Runtimes) to deploy infrastructure with a *plan* step. It deploys infrastructure through a self-hosted runtime: it supports both an AWS IAM role and AWS access keys for authentication, and it orchestrates the deployment with Terraform.

### Requirements

To use this action, you will need the following:

1. **StackSpot Account**:
   - You must have a StackSpot account with access to the EDP Deploy (formerly Runtimes) service.
   - Obtain the following credentials from the StackSpot Portal:
     - `CLIENT_ID`
     - `CLIENT_KEY`
     - `CLIENT_REALM`
   - These credentials can be generated by logging in as an **ADMIN** user on the [StackSpot Portal](https://stackspot.com) and navigating to the [Access Token](https://stackspot.com/en/settings/access-token) section.

2. **AWS Credentials**:
   - You must provide either:
     - **AWS IAM Role**: use the `AWS_IAM_ROLE` input to pass the ARN of the IAM role that the action will assume.
     - **AWS Access Keys**: use the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` inputs.
   - **Important**: provide either the IAM role or the access keys, but not both. If both are provided, the action fails.

3. **GitHub Secrets**:
   - Store sensitive values (the StackSpot `CLIENT_ID`, `CLIENT_KEY` and `CLIENT_REALM`, and the AWS credentials: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN`, or `AWS_ROLE_ARN`) as GitHub Secrets, so that they are masked in logs and never committed to the repository.

4. **S3 Buckets**:
   - You will need two S3 buckets:
     - **tfstate-bucket-name**: stores Terraform state files.
     - **iac-bucket-name**: stores Infrastructure as Code (IaC) files and `.tfplan` files.
     - These may be the same bucket.
   - Ensure that these buckets exist in the specified AWS region and are reachable from the specified runner.

5. **Terraform**:
   - This action orchestrates infrastructure deployment with Terraform. Ensure that your infrastructure code is compatible with Terraform and that the necessary Terraform modules are available.

6. **GitHub Runner**:
   - The action requires a GitHub runner that has access to your cloud account (AWS) and can execute the necessary Terraform commands.

## Usage

Here is an example of how to use this action in your GitHub workflow:

> **⚠️ Important Note: This action should NOT be used on its own.**  
> It is designed to work in conjunction with the following actions:  
> - [stack-spot/runtime-tasks-action](https://github.com/stack-spot/runtime-tasks-action)  
> - [stack-spot/runtime-cancel-run-action](https://github.com/stack-spot/runtime-cancel-run-action)  
> Please refer to the example below to see how these actions are used together.

```yaml
name: Deploy Infrastructure

on:
  push:
    branches:
      - main

jobs:
  orchestrate_and_plan:
    runs-on: ubuntu-latest # use a runner that can reach your cloud account
    outputs:
      apply_tasks: ${{ steps.orchestration_and_plan.outputs.apply_tasks }}
      run_id: ${{ steps.orchestration_and_plan.outputs.run_id }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Deploy Infrastructure
        uses: stack-spot/edp-deploy-orchestrator-action@v1
        id: orchestration_and_plan
        with:
          TFSTATE_BUCKET_NAME: "my-tfstate-bucket"
          TFSTATE_BUCKET_REGION: sa-east-1
          IAC_BUCKET_NAME: "my-iac-bucket"
          IAC_BUCKET_REGION: sa-east-1
          WORKSPACE: "my-workspace"
          ENVIRONMENT: "production"
          VERSION: "v1.0.0"
          REPOSITORY_NAME: ${{ github.event.repository.name }}
          PATH_TO_MOUNT: /home/runner/_work/${{ github.event.repository.name }}/${{ github.event.repository.name }}
          WORKDIR: /path/to/.stk # only if your .stk directory is not at the repository root
          STK_CLIENT_ID: ${{ secrets.STK_CLIENT_ID }}
          STK_CLIENT_SECRET: ${{ secrets.STK_CLIENT_SECRET }}
          STK_REALM: ${{ secrets.STK_REALM }}
          AWS_IAM_ROLE: ${{ secrets.AWS_ROLE_ARN }}
          AWS_REGION: sa-east-1
          FEATURES_TERRAFORM_MODULES: >-
            [
              {
                "sourceType": "gitHttps",
                "path": "github.com/stack-spot",
                "private": true,
                "app": "app",
                "token": "token"
              },
              {
                "sourceType": "terraformRegistry",
                "path": "hashicorp/stack-spot",
                "private": false
              }
            ]

  plan_approve_and_apply:
    name: Deploy
    needs: [orchestrate_and_plan]
    runs-on: ubuntu-latest # use a runner that can reach your cloud account
    environment: production # the environment whose required reviewers approve the plan produced by the orchestration job
    steps:
      - name: Service Provision
        id: run-task
        uses: stack-spot/runtime-tasks-action@stg
        if: needs.orchestrate_and_plan.outputs.run_id != ''
        with:
          RUN_ID: ${{ needs.orchestrate_and_plan.outputs.run_id }}
          TASK_LIST: ${{ needs.orchestrate_and_plan.outputs.apply_tasks }}
          REPOSITORY_NAME: ${{ github.event.repository.name }}
          PATH_TO_MOUNT: /home/runner/_work/${{ github.event.repository.name }}/${{ github.event.repository.name }}
          AWS_REGION: sa-east-1
          AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
          FEATURES_TERRAFORM_MODULES: >-
            [
              {
                "sourceType": "gitHttps",
                "path": "github.com/stack-spot",
                "private": true,
                "app": "app",
                "token": "token"
              },
              {
                "sourceType": "terraformRegistry",
                "path": "hashicorp/stack-spot",
                "private": false
              }
            ]
          CLIENT_ID: ${{ secrets.STK_CLIENT_ID }}
          CLIENT_KEY: ${{ secrets.STK_CLIENT_SECRET }}
          CLIENT_REALM: ${{ secrets.STK_REALM }}

  cancel:
    # If the pipeline breaks, or someone cancels it mid-deployment, this job tells
    # StackSpot that the run failed so that the next deployment is not blocked.
    runs-on: ubuntu-latest # use a runner that can reach your cloud account
    needs: [orchestrate_and_plan, plan_approve_and_apply]
    if: ${{ always() && (contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')) }}
    steps:
      - name: Cancel run
        if: needs.orchestrate_and_plan.outputs.run_id != ''
        id: run-cancel
        uses: stack-spot/runtime-cancel-run-action@stg
        with:
          CLIENT_ID: ${{ secrets.STK_CLIENT_ID }}
          CLIENT_KEY: ${{ secrets.STK_CLIENT_SECRET }}
          CLIENT_REALM: ${{ secrets.STK_REALM }}
          RUN_ID: ${{ needs.orchestrate_and_plan.outputs.run_id }}
```

Some points about this example:

- The job `outputs` read `steps.orchestration_and_plan.outputs.*`, so the step `id` must be exactly `orchestration_and_plan`. A mismatched id does not fail the workflow; the outputs simply evaluate to empty strings, so the `run_id != ''` conditions skip both the apply and the cancel steps.
- `@v1` and `@stg` are mutable refs (a tag and a branch). In a pipeline that holds cloud credentials, pin each third-party action to a full commit SHA so that a moved tag or a push to the branch cannot change the code that receives your secrets.
- `"token": "token"` is a placeholder for the GitHub token used to fetch private modules. Supply it from a secret (`${{ secrets.<name> }}` is expanded inside a `>-` block scalar like any other value) instead of writing it into the workflow file.

## Inputs
| Name                        | Description                                                                 | Required | Default                                  | Secret is Recommended |
|-----------------------------|-----------------------------------------------------------------------------|----------|------------------------------------------|-----------------------|
| `LEVEL_LOG`                 | The runtime log level.                                                      | No       | `info`                                   | No                    |
| `TFSTATE_BUCKET_NAME`       | The bucket for the runtime inventory (Terraform state).                     | Yes      | N/A                                      | No                    |
| `TFSTATE_BUCKET_REGION`     | The region of the runtime inventory bucket.                                 | No       | `sa-east-1`                              | No                    |
| `IAC_BUCKET_NAME`           | The bucket for storing IaC (Infrastructure as Code) files.                  | Yes      | N/A                                      | No                    |
| `IAC_BUCKET_REGION`         | The region of the bucket for IaC files.                                     | No       | `sa-east-1`                              | No                    |
| `CONTAINER_IAC_VERSION`     | The container image for IaC tasks.                                          | No       | `stackspot/runtime-job-iac:latest`       | No                    |
| `CONTAINER_DEPLOY_VERSION`  | The container image for deployment tasks.                                   | No       | `stackspot/runtime-job-deploy:latest`    | No                    |
| `CONTAINER_DESTROY_VERSION` | The container image for destroy tasks.                                      | No       | `stackspot/runtime-job-destroy:latest`   | No                    |
| `CONTAINER_UNIFIED_VERSION` | The container image for unified tasks.                                      | No       | `stackspot/runtime-job-unified:latest`   | No                    |
| `DYNAMIC_INPUTS`            | Dynamic inputs for the action (see Complex Inputs).                         | No       | `""`                                     | No                    |
| `WORKSPACE`                 | The slug of the workspace.                                                  | Yes      | N/A                                      | No                    |
| `ENVIRONMENT`               | The environment for the deployment.                                         | Yes      | `""`                                     | No                    |
| `VERSION`                   | The version of the deployment.                                              | Yes      | N/A                                      | No                    |
| `TERRAFORM_PARALLELISM`     | The parallelism level for Terraform.                                        | No       | `10`                                     | No                    |
| `WORKDIR`                   | The path to the directory where the `.stk` is located.                      | No       | `./`                                     | No                    |
| `CHECKOUT_BRANCH`           | Whether or not to enable branch checkout (see Complex Inputs).              | No       | `false`                                  | No                    |
| `REPOSITORY_NAME`           | The name of the Git repository.                                             | Yes      | N/A                                      | No                    |
| `PATH_TO_MOUNT`             | The path to mount inside the provisioning Docker container.                 | Yes      | N/A                                      | No                    |
| `AWS_REGION`                | The AWS region where infrastructure will be deployed.                       | Yes      | `sa-east-1`                              | No                    |
| `AWS_IAM_ROLE`              | The AWS IAM role to assume for deploying infrastructure.                    | No       | N/A                                      | Yes                   |
| `AWS_ACCESS_KEY_ID`         | The AWS access key ID for deploying infrastructure.                         | No       | N/A                                      | Yes                   |
| `AWS_SECRET_ACCESS_KEY`     | The AWS secret access key for deploying infrastructure.                     | No       | N/A                                      | Yes                   |
| `AWS_SESSION_TOKEN`         | The AWS session token for deploying infrastructure.                         | No       | N/A                                      | Yes                   |
| `STK_CLIENT_ID`             | The client identifier of the account.                                       | Yes      | N/A                                      | Yes                   |
| `STK_CLIENT_SECRET`         | The client secret of the account.                                           | Yes      | N/A                                      | Yes                   |
| `STK_REALM`                 | The realm of the account.                                                   | Yes      | N/A                                      | No                    |
| `FEATURES_TERRAFORM_MODULES`| Allowlist of Terraform module sources (see Complex Inputs).                 | No       | N/A                                      | No                    |
| `TF_LOG_PROVIDER`           | The log level for Terraform (info, debug, warn, trace).                     | No       | N/A                                      | No                    |
| `BASE_PATH_OUTPUT`          | The file name to save outputs.                                              | No       | `outputs.json`                           | No                    |
| `LOCAL_EXEC_ENABLED`        | Whether to allow execution of the `local-exec` provisioner within Terraform.| No       | `false`                                  | No                    |
| `VERBOSE`                   | Whether to show extra logs during execution.                                | No       | `false`                                  | No                    |
| `OPEN_API_PATH`             | The path to the OpenAPI/Swagger file within the repository.                 | No       | N/A                                      | No                    |

Notes on the inputs:

- `FEATURES_TERRAFORM_MODULES` is listed as not needing a secret, but when it carries a `token` for private Git sources the token (or the whole value) should come from a GitHub Secret.
- The `CONTAINER_*_VERSION` defaults are `:latest` tags. These images run Terraform with your cloud credentials, so pin them to a specific version in production rather than letting the tag move under you.
- Leave `LOCAL_EXEC_ENABLED` at `false` unless a module requires it: `local-exec` runs arbitrary commands on the runner with the runner's AWS credentials.

## Outputs
| Name          | Description                |
|---------------|----------------------------|
| `APPLY_TASKS` | Post-plan tasks.           |
| `RUN_ID`      | The ID of the current run. |


### AWS Authentication
This action supports two methods of AWS authentication:

- **AWS IAM Role**: provide the `AWS_IAM_ROLE` input (the role ARN).
- **AWS Access Keys**: provide the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` inputs.

Note: you must provide either the IAM role or the access keys, but not both. If both are provided, the action fails.

#### Example with AWS Access Keys

```yaml
- name: Deploy Infrastructure with AWS Access Keys
  uses: stack-spot/edp-deploy-orchestrator-action@v1
  with:
      # AWS_IAM_ROLE: ${{ secrets.AWS_ROLE_ARN }}
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_SESSION_TOKEN: ${{ secrets.AWS_SESSION_TOKEN }}
      AWS_REGION: sa-east-1
```


### Complex Inputs

#### `CHECKOUT_BRANCH`

When `CHECKOUT_BRANCH` is set, the IaC step of the tasks clones the repository into `iac.zip` with the structure below, so that repository files are available to Terraform. It works together with the `PATH_TO_MOUNT` input, which should point at the checked-out repository; the value we recommend is `/home/runner/_work/${{ github.event.repository.name }}/${{ github.event.repository.name }}`, so that Terraform has access to the files, but you can change it as you wish.

_**Note**: the value of the branch input itself does not matter; as long as it is non-empty, the branch cloned is the one that dispatched the workflow._

```
├── main.tf
├── outputs.tf
├── repodir
│   ├── .git/
│   ├── .stk/
│   │   └── stk.yaml
│   ├── src/
│   ├── tests/
│   └── ... {repository-files}
├── variables.tf
└── ... {templates-deploy}
```

#### `DYNAMIC_INPUTS`

When `DYNAMIC_INPUTS` is used, the flags passed in it are added as inputs to every plugin that is applied, and can be read by the Jinja engine to modify the generated IaC file.

**e.g.:**

`DYNAMIC_INPUTS: --app_repository="https://github.com/stack-spot/edp-deploy-orchestrator-action"`

_main.tf_
```jinja
{% if app_repository is defined %}
    resource_source  = "{{ app_repository }}"
{% else %}
    resource_source  = "default"
{% endif %}
```

#### `FEATURES_TERRAFORM_MODULES`

When `FEATURES_TERRAFORM_MODULES` is set, only the module sources listed in it may be executed. It is an allowlist, a security measure so that only trusted modules can be used.

It should follow this structure. The value is a JSON array inside a YAML `>-` block scalar, so it must not contain `#` comments: in a block scalar they become part of the string and the JSON fails to parse.

```yaml
FEATURES_TERRAFORM_MODULES: >-
    [
        {
            "sourceType": "gitHttps",
            "path": "github.com/stack-spot",
            "private": true,
            "app": "app",
            "token": "token"
        },
        {
            "sourceType": "terraformRegistry",
            "path": "hashicorp/stack-spot",
            "private": false
        }
    ]
```

- `path` `github.com/stack-spot` allows all repositories in the `stack-spot` GitHub organization; `hashicorp/stack-spot` allows all modules under that registry namespace.
- `app`: substitute your application name.
- `token`: substitute the GitHub access token used to read private repositories, supplied from a GitHub Secret.
- Keep the allowlist as narrow as the deployment needs: an entry for a whole organization also admits any repository created in it later.


### Error Handling
If both an AWS IAM role and AWS access keys are provided, the action fails with an error.

If neither an AWS IAM role nor AWS access keys are provided, the action fails with an error.

In case of a deployment error, open the [StackSpot EDP Portal](https://app.stackspot.com/), go to your workspace and to the application or shared infrastructure in the environment you deployed to, and check the Activities tab, where the error messages are shown.


## License
This project is licensed under the MIT License.
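The two rules the README states in prose, exactly one AWS credential method (Requirements, AWS Authentication and Error Handling) and an allowlist of Terraform module sources (`FEATURES_TERRAFORM_MODULES`), as an added Python example that is not part of this action or of StackSpot's code. The action does not document how it matches a module `source` against an allowlist entry, so the segment-prefix matching, the acceptance of local `./` module paths and the treatment of `AWS_SESSION_TOKEN` as optional are assumptions of this example; the `main.tf` text and the allowlist JSON are constructed sample input.

```python
import json
import re
from typing import Dict, List


class InputError(ValueError):
    """Raised when the action inputs violate a rule documented in the README."""


def validate_aws_inputs(inputs: Dict[str, str]) -> str:
    """Exactly one AWS credential method: returns "role" or "keys".

    Raises InputError when both methods are present, when neither is, or when
    the access-key pair is incomplete. AWS_SESSION_TOKEN is treated as
    optional here (assumption: long-lived IAM user keys have no session token).
    """
    role = inputs.get("AWS_IAM_ROLE", "").strip()
    key_id = inputs.get("AWS_ACCESS_KEY_ID", "").strip()
    secret = inputs.get("AWS_SECRET_ACCESS_KEY", "").strip()
    if role and (key_id or secret):
        raise InputError("provide AWS_IAM_ROLE or AWS access keys, not both")
    if role:
        return "role"
    if key_id and secret:
        return "keys"
    raise InputError("provide AWS_IAM_ROLE, or both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY")


def describe_aws_auth(inputs: Dict[str, str]) -> str:
    """Same rule, returning the error text instead of raising (for a log line)."""
    try:
        return validate_aws_inputs(inputs)
    except InputError as exc:
        return f"error: {exc}"


# `source = "..."` inside a `module "name" { ... }` block. Sufficient for the
# flat module blocks below; it does not handle nested braces, so a real
# pipeline should use an HCL parser instead of this regex.
_MODULE_SOURCE = re.compile(r'module\s+"[^"]+"\s*\{[^}]*?\bsource\s*=\s*"([^"]+)"', re.S)


def extract_module_sources(hcl: str) -> List[str]:
    return _MODULE_SOURCE.findall(hcl)


def _git_path(source: str) -> str:
    """Reduce git::https://host/org/repo.git?ref=x to host/org/repo.git."""
    path = source[len("git::"):] if source.startswith("git::") else source
    path = re.sub(r"^https?://", "", path)
    return path.split("?", 1)[0]


def is_allowed(source: str, allowlist: List[dict]) -> bool:
    """True when `source` falls under some allowlist entry (assumed semantics).

    An entry's `path` is a prefix on whole path segments, so `github.com/stack-spot`
    admits every repository of that organisation but not `github.com/stack-spot-evil`,
    and `hashicorp/stack-spot` admits every registry module under that namespace.
    Local module paths inside the repository are always allowed (assumption).
    """
    if source.startswith(("./", "../")):
        return True
    for entry in allowlist:
        prefix = entry["path"].rstrip("/")
        if entry["sourceType"] == "gitHttps":
            candidate = _git_path(source)
        elif entry["sourceType"] == "terraformRegistry":
            if "://" in source or source.startswith("git::"):
                continue  # a registry entry never admits a git URL
            candidate = source
        else:
            continue  # unknown sourceType: fail closed
        if candidate == prefix or candidate.startswith(prefix + "/"):
            return True
    return False


def disallowed_modules(hcl: str, features_terraform_modules: str) -> List[str]:
    """Module sources in `hcl` that the FEATURES_TERRAFORM_MODULES JSON rejects."""
    allowlist = json.loads(features_terraform_modules)
    return [s for s in extract_module_sources(hcl) if not is_allowed(s, allowlist)]


# Constructed sample input, not taken from the repository.
SAMPLE_ALLOWLIST = json.dumps([
    {"sourceType": "gitHttps", "path": "github.com/stack-spot",
     "private": True, "app": "app", "token": "<from a GitHub Secret>"},
    {"sourceType": "terraformRegistry", "path": "hashicorp/stack-spot", "private": False},
])

SAMPLE_MAIN_TF = '''
module "network" {
  source = "git::https://github.com/stack-spot/tf-network.git?ref=v1.2.0"
}
module "bucket" {
  source = "hashicorp/stack-spot/aws"
}
module "rogue" {
  source = "git::https://github.com/someone-else/tf-backdoor.git"
}
module "tags" {
  source = "./modules/tags"
}
'''

if __name__ == "__main__":
    print(describe_aws_auth({"AWS_IAM_ROLE": "arn:aws:iam::123456789012:role/deploy"}))
    print(describe_aws_auth({"AWS_IAM_ROLE": "arn:aws:iam::123456789012:role/deploy",
                             "AWS_ACCESS_KEY_ID": "AKIAEXAMPLE"}))
    print(disallowed_modules(SAMPLE_MAIN_TF, SAMPLE_ALLOWLIST))
```

Run as a pre-flight step before calling the action and fail the job on a non-empty `disallowed_modules` result; the `/` boundary in `is_allowed` is what stops a look-alike organisation name from matching an entry for the real one.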