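# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
# Terraform CI: lint + validate, static scan (SARIF to code scanning), plan
# on pull requests (posted as a PR comment), apply on push to main.
name: Terraform

on:
  push:
    branches:
      - main
    paths:
      - 'terraform/**'
      - '.github/workflows/terraform.yml'
  pull_request:
    branches:
      - main
    paths:
      - 'terraform/**'
      - '.github/workflows/terraform.yml'

# Workflow-wide token scope is read-only; jobs that need more widen it
# themselves below (least privilege per job).
permissions:
  contents: read

env:
  # Quoted so the values reach Terraform as the strings it expects.
  TF_INPUT: "false"
  TF_IN_AUTOMATION: "true"
  TF_VAR_GOOGLE_VERIFICATION_TOKEN: ${{ secrets.GOOGLE_VERIFICATION_TOKEN }}
  CLOUDFLARE_API_TOKEN: ${{ secrets.CF_API_TOKEN }}

# NOTE(review): action references below use mutable tags (e.g. @v4);
# pinning each to a full commit SHA would make the supply chain auditable.
jobs:
  linting:
    name: Linting
    runs-on: ubuntu-latest
    steps:
      # checkout
      - uses: actions/checkout@v4
      # setup taskfile
      - uses: arduino/setup-task@v1
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
      # setup terraform
      - uses: hashicorp/setup-terraform@v3
      # setup tflint
      - uses: terraform-linters/setup-tflint@v4
      # init terraform without touching the remote backend
      - name: Init Terraform
        run: task tf:init -- -backend=false
      # validate terraform
      - name: Validate Terraform
        run: task tf:validate
      # lint terraform
      - name: Lint Terraform
        run: task tf:lint

  scan:
    name: Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # upload-sarif writes to code scanning; without this scope the
      # upload step is rejected.
      security-events: write
    steps:
      # checkout
      - uses: actions/checkout@v4
      # setup tfsec
      # NOTE(review): the action ref on the next line is garbled in this copy
      # ("[email protected]"); restore the intended pinned version.
      - uses: tfsec/[email protected]
        with:
          working_directory: terraform
          sarif_file: tfsec.sarif
      # upload report to github
      # NOTE(review): same garbled ref as above; restore the pinned version.
      - uses: github/codeql-action/[email protected]
        with:
          sarif_file: tfsec.sarif

  plan:
    name: Plan
    runs-on: ubuntu-latest
    # Apply runs at the end of this job, so do not reach it unless lint and
    # scan passed.
    needs: [linting, scan]
    permissions:
      contents: read
      # needed to create/update the plan comment on the pull request
      pull-requests: write
    steps:
      # checkout
      - uses: actions/checkout@v4
      # setup taskfile
      - uses: arduino/setup-task@v1
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
      # setup terraform
      - uses: hashicorp/setup-terraform@v3
        with:
          cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
      # init terraform
      - name: Init Terraform
        id: init
        run: task tf:init
      # validate terraform
      - name: Validate Terraform
        id: validate
        run: task tf:validate -- -no-color
      # plan; failure is deferred to the "Plan Status" step so the comment
      # below is still posted
      - name: Terraform Plan
        id: plan
        if: github.event_name == 'pull_request'
        run: task tf:plan -- -no-color
        continue-on-error: true
      # update comment with plan
      - uses: actions/github-script@v7
        if: github.event_name == 'pull_request'
        # Step results are passed through the environment instead of being
        # expanded with ${{ }} inside the script text, so validate/plan output
        # (which may contain backticks or ${...}) cannot alter the script.
        env:
          INIT_OUTCOME: ${{ steps.init.outcome }}
          VALIDATE_OUTCOME: ${{ steps.validate.outcome }}
          VALIDATE_STDOUT: ${{ steps.validate.outputs.stdout }}
          PLAN_OUTCOME: ${{ steps.plan.outcome }}
          PLAN_STDOUT: ${{ steps.plan.outputs.stdout }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const { owner, repo } = context.repo
            const { number: issue_number } = context.issue
            const { INIT_OUTCOME, VALIDATE_OUTCOME, VALIDATE_STDOUT, PLAN_OUTCOME, PLAN_STDOUT } = process.env
            // get comments
            const { data: comments } = await github.rest.issues.listComments({ owner, repo, issue_number })
            // find possible existing comment
            const comment = comments.find(c => c.user.type === 'Bot' && c.body.includes('Terraform Initialization'))
            // prepare comment
            const content = `
            #### Terraform Initialization ⚙️ \`${INIT_OUTCOME}\`
            #### Terraform Validation ✅ \`${VALIDATE_OUTCOME}\`
            <details><summary>Validation Output</summary>
            \`\`\`\n
            ${VALIDATE_STDOUT}
            \`\`\`
            </details>
            #### Terraform Plan 📖 \`${PLAN_OUTCOME}\`
            <details><summary>Show Plan</summary>
            \`\`\`\n
            ${PLAN_STDOUT}
            \`\`\`
            </details>
            *Pushed by: @${context.actor}, Action: \`${context.eventName}\`, Workflow: \`${context.workflow}\`*
            `;
            // update existing comment or create a new one; awaited so an API
            // error fails the step instead of being dropped
            if (comment) {
              await github.rest.issues.updateComment({ owner, repo, comment_id: comment.id, body: content.trim() })
            } else {
              await github.rest.issues.createComment({ owner, repo, issue_number, body: content.trim() })
            }
      # plan status: surface the deferred plan failure
      - name: Terraform Plan Status
        if: steps.plan.outcome == 'failure'
        run: exit 1
      # apply only on a push to main
      - name: Terraform Apply
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        run: task tf:apply -- --auto-approve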