Skip to content

Feature/terraform workflows #8

Feature/terraform workflows

Feature/terraform workflows #8

name: Terraform PR Check
on:
pull_request:
paths:
- "terraform/**"
- ".github/workflows/terraform-pr-check.yml"
push:
branches: ["main"]
paths:
- "terraform/**"
concurrency:
group: "${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
cancel-in-progress: true
env:
DOTNET_VERSION: ${{ vars.DOTNET_VERSION }}
ARM_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
ARM_CLIENT_ID: ${{ secrets.AZ_CLIENT_ID }}
ARM_CLIENT_SECRET: ${{ secrets.AZ_CLIENT_SECRET }}
AZ_KEYVAULT_NAME: ${{ secrets.AZ_ACA_RESOURCE_GROUP }}-kv
TF_BACKEND_STORAGE_ACCOUNT_NAME: ${{ secrets.TF_BACKEND_STORAGE_ACCOUNT_NAME }}
TF_BACKEND_CONTAINER_NAME: ${{ secrets.TF_BACKEND_CONTAINER_NAME }}
TF_BACKEND_KEY: ${{ secrets.TF_BACKEND_KEY }}
TF_BACKEND_RESOURCE_GROUP: ${{ secrets.TF_BACKEND_RESOURCE_GROUP }}
TF_VAR_project_name: ${{ secrets.DFE_PROJECT_NAME }}
TF_VAR_environment: ${{ secrets.AZ_ENVIRONMENT }}
TF_VAR_azure_location: ${{ vars.AZ_LOCATION }}
TF_VAR_az_app_kestrel_endpoint: ${{ vars.KESTRELENDPOINT }}
TF_VAR_az_tag_environment: ${{ vars.AZ_TAG_ENVIRONMENT }}
TF_VAR_az_tag_product: ${{ vars.AZ_TAG_PRODUCT }}
TF_VAR_registry_server: "ghcr.io/dfe-digital"
TF_VAR_image_tag: "latest"
TF_VAR_registry_username: ${{ github.repository_owner }}
TF_VAR_registry_password: ${{ secrets.GITHUB_TOKEN }}
TF_WORKING_DIRECTORY: terraform/container-app
jobs:
validate-terraform:
name: Validate Terraform
runs-on: ubuntu-22.04
environment: Dev
defaults:
run:
working-directory: ${{env.TF_WORKING_DIRECTORY}}
steps:
- name: Clone repo
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.ref }}
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3
with:
terraform_version: 1.6.2
- name: Get GitHub Runner IP
id: whats-my-ip
uses: ./.github/actions/whats-my-ip-address
- name: Set GitHub Runner IP to TF Var
shell: bash
run: |
echo "TF_VAR_github_ip=${{ steps.whats-my-ip.outputs.ip}}" >> $GITHUB_ENV
- name: Login with AZ
uses: ./.github/actions/azure-login
with:
az_tenant_id: ${{ secrets.AZ_TENANT_ID }}
az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
az_client_id: ${{ secrets.AZ_CLIENT_ID }}
az_client_secret: ${{ secrets.AZ_CLIENT_SECRET }}
- name: Add Runner to KV whitelist
uses: azure/CLI@v1
with:
azcliversion: 2.45.0
inlineScript: |
az keyvault network-rule add --name ${{ env.AZ_KEYVAULT_NAME }} --ip-address ${{ steps.whats-my-ip.outputs.ip }} &> /dev/null
- name: Terraform init
id: init
run: |
terraform init \
-backend-config="resource_group_name=${{ env.TF_BACKEND_RESOURCE_GROUP }}" \
-backend-config="storage_account_name=${{ env.TF_BACKEND_STORAGE_ACCOUNT_NAME }}" \
-backend-config="container_name=${{ env.TF_BACKEND_CONTAINER_NAME }}" \
-backend-config="key=${{ env.TF_BACKEND_KEY }}"
- name: Terraform Validate
id: validate
run: terraform validate -no-color -compact-warnings
- name: Terraform plan
id: plan
run: terraform plan -no-color
- name: Terraform fmt
id: fmt
run: terraform fmt -check -diff
- name: Validate Terraform docs
uses: terraform-docs/[email protected]
with:
working-dir: ${{ env.TF_WORKING_DIRECTORY }}
config-file: .terraform-docs.yml
output-file: terraform-configuration.md
output-method: inject
git-push: "true"
- name: Update PR with Terraform results
uses: ./.github/actions/post-terraform-results
if: github.event_name == 'pull_request'
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
plan_stdout: ${{ steps.plan.outputs.stdout }}
plan_outcome: ${{ steps.plan.outcome }}
fmt_outcome: ${{ steps.fmt.outcome }}
init_outcome: ${{ steps.init.outcome }}
validate_outcome: ${{ steps.validate.outcome }}
validate_stdout: ${{ steps.validate.outputs.stdout }}
github_actor: ${{ github.actor }}
github_event_name: ${{ github.event_name }}
tf_working_directory: ${{ env.TF_WORKING_DIRECTORY }}
github_workflow: ${{ github.workflow }}
- name: Remove Runner to KV whitelist
uses: azure/CLI@v1
if: always()
with:
azcliversion: 2.45.0
inlineScript: |
az keyvault network-rule remove --name ${{ env.AZ_KEYVAULT_NAME }} --ip-address ${{ steps.whats-my-ip.outputs.ip }} &> /dev/null
terraform-lint:
name: Terraform Lint
runs-on: ubuntu-22.04
defaults:
run:
working-directory: ${{ env.TF_WORKING_DIRECTORY }}
steps:
- name: Clone repo
uses: actions/checkout@v4
- name: Setup TFLint
uses: terraform-linters/setup-tflint@v4
with:
tflint_version: v0.44.1
- name: Run TFLint
run: tflint -f compact
tfsec-pr-commenter:
name: tfsec Check
runs-on: ubuntu-22.04
steps:
- name: Clone repo
uses: actions/checkout@v4
- name: tfsec
uses: aquasecurity/[email protected]
with:
github_token: ${{ github.token }}