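---
# Reusable workflow (workflow_call): scan the Terraform configuration with
# tfsec, produce a saved plan, and apply that plan only when the plan step
# reported pending changes.
#
# NOTE(review): every `uses:` below references a mutable tag. Pinning each
# action to a full commit SHA (tag kept in a trailing comment) removes the
# tag-retargeting supply-chain risk; the SHAs are not recoverable from this
# copy of the file, so tags are kept here.
name: "Create Infrastructure via Terraform"

on:
  workflow_call:
    inputs:
      terraform-dir:
        type: string
        required: true
        description: The directory (relative to the repository root) that contains the Terraform configuration used to create infrastructure.
      terraform-plan-name:
        type: string
        required: false
        default: terraform.tfplan
        description: The saved-plan file name; also used as the artifact name handed to the apply job.
      terraform-version:
        type: string
        required: false
        default: "1.5.4"
        description: The Terraform version installed by hashicorp/setup-terraform.
      runner:
        type: string
        required: false
        default: ubuntu-latest
        description: The GitHub Actions runner label on which every job runs.
      cache-hash-file:
        type: string
        required: false
        default: '/providers.tf'
        description: File under terraform-dir whose hash is folded into the provider plugin-cache key.
    # A reusable workflow only receives the secrets its caller supplies, either
    # explicitly or with `secrets: inherit`. Declaring them makes the contract
    # explicit and lets callers pass just these three instead of everything.
    secrets:
      ARM_TENANT_ID:
        required: true
      ARM_CLIENT_ID:
        required: true
      ARM_CLIENT_SECRET:
        # NOTE(review): this is a long-lived service-principal secret. OIDC
        # federated credentials (ARM_USE_OIDC with `id-token: write`) would
        # remove the static secret from GitHub entirely.
        required: true

# Least privilege for GITHUB_TOKEN: checkout needs read only. Jobs that need
# more (the PR commenter) raise it for themselves below. In a called workflow
# these can only narrow what the caller granted, never widen it.
permissions:
  contents: read

env:
  # Disables the local-development path of the configuration (per the original
  # note: no SSH rule from the developer host). Reaches Terraform as "false".
  TF_VAR_ENABLE_LOCAL_DEVELOPMENT: "false"
  # Plan file name shared by the plan and apply steps. The original value was
  # written as "{{ inputs.terraform-plan-name }}" without the leading `$`, so
  # it was the literal template text rather than the input value.
  TERRAFORM_PLAN_NAME: ${{ inputs.terraform-plan-name }}
  # https://developer.hashicorp.com/terraform/cli/config/environment-variables
  TF_PLUGIN_CACHE_DIR: ${{ github.workspace }}/.terraform-plugin-cache
  TF_IN_AUTOMATION: "true"
  TF_INPUT: "false"
  # Azure credentials are deliberately NOT set here: workflow-level env is
  # visible to every job, including the third-party tfsec actions. They are
  # scoped to the plan and apply jobs, which are the only consumers.

jobs:
  codeScanning:
    name: IaC Scanning with tfsec Stage
    runs-on: ${{ inputs.runner }}
    permissions:
      contents: read
      # tfsec-pr-commenter posts review comments with GITHUB_TOKEN.
      pull-requests: write
    steps:
      - name: Checkout the repository
        uses: actions/checkout@v3
        with:
          # Nothing in this job pushes or fetches; keep the token out of
          # .git/config so the third-party scanners below cannot read it.
          persist-credentials: false
      - name: tfsec pull request commenter (pull_request events only)
        if: ${{ github.event_name == 'pull_request' }}
        # NOTE(review): the action ref was mangled in this copy of the file
        # ("[email protected]"). Restore the original
        # `aquasecurity/tfsec-pr-commenter-action@<ref>` and pin it to a SHA.
        uses: aquasecurity/[email protected]
        id: tfsec-pr-commenter
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          working_directory: ${{ github.workspace }}/${{ inputs.terraform-dir }}
      - name: IaC security scanning with tfsec
        # NOTE(review): same mangled ref; restore `aquasecurity/tfsec-action@<ref>`
        # and pin it to a SHA. A finding fails this job and so blocks plan/apply.
        uses: aquasecurity/[email protected]
        id: tfsec
        with:
          working_directory: ${{ github.workspace }}/${{ inputs.terraform-dir }}

  deploymentPLan:
    name: Terraform webservers deployment Plan Stage
    runs-on: ${{ inputs.runner }}
    needs: codeScanning
    env:
      # Azure service-principal credentials consumed by the azurerm provider.
      ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
      ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
      ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
      ARM_SUBSCRIPTION_ID: ${{ vars.ARM_SUBSCRIPTION_ID }}
    outputs:
      # Exit code of `terraform plan -detailed-exitcode`: "0" no changes,
      # "2" changes pending. Consumed by the apply job's `if:`.
      # NOTE(review): this relies on the setup-terraform wrapper (enabled by
      # default) exposing `exitcode` as a step output and not failing the step
      # on exit code 2 - confirm for the action version in use.
      exitCode: ${{ steps.plan.outputs.exitcode }}
    steps:
      - name: Checkout the repository
        uses: actions/checkout@v3
      - name: Set up Terraform
        uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: ${{ inputs.terraform-version }}
      - name: Terraform plugin cache
        id: cache
        uses: actions/cache@v3
        with:
          path: ${{ env.TF_PLUGIN_CACHE_DIR }}
          key: ${{ runner.os }}-${{ inputs.terraform-dir }}-${{ hashFiles(format('{0}/{1}', inputs.terraform-dir, inputs.cache-hash-file)) }}
      - name: Create TF_PLUGIN_CACHE_DIR
        # Terraform does not create the plugin cache directory itself; on a
        # cache hit the cache action has already restored it.
        if: ${{ steps.cache.outputs.cache-hit != 'true' }}
        shell: bash
        run: mkdir -p "$TF_PLUGIN_CACHE_DIR"
      - name: Terraform init, validate and plan
        id: plan
        shell: bash
        working-directory: ${{ github.workspace }}/${{ inputs.terraform-dir }}
        # Inputs are read from the environment rather than expanded into the
        # script text, so they are never re-parsed by the shell.
        # NOTE(review): if .terraform.lock.hcl is committed, `terraform init
        # -lockfile=readonly` makes init fail instead of silently selecting
        # provider versions the plan was not reviewed against.
        run: |
          terraform init
          terraform validate
          terraform plan -out "$TERRAFORM_PLAN_NAME" -detailed-exitcode
      - name: Upload plan artifact
        # v3 of the artifact actions is deprecated and rejected by GitHub; v4
        # requires artifact names to be unique within a run, which holds here
        # as long as the caller does not invoke this workflow twice with the
        # same terraform-plan-name in one run.
        uses: actions/upload-artifact@v4
        with:
          name: ${{ inputs.terraform-plan-name }}
          path: ${{ github.workspace }}/${{ inputs.terraform-dir }}/${{ inputs.terraform-plan-name }}
          # A saved plan stores resolved values, including `sensitive` ones,
          # in clear text, and artifacts can be downloaded by anyone with read
          # access to the run. Keep it only as long as the apply job needs it.
          retention-days: 1

  deploymentApply:
    name: Terraform webservers deployment Apply Stage
    # Apply only when the plan reported pending changes. `!cancelled() &&
    # !failure()` preserves the default skip-on-failure semantics that an
    # explicit `if:` would otherwise replace.
    if: ${{ !cancelled() && !failure() && needs.deploymentPLan.outputs.exitCode == 2 }}
    runs-on: ${{ inputs.runner }}
    needs: deploymentPLan
    # NOTE(review): this job changes cloud infrastructure with no human gate.
    # Binding it to an `environment:` with required reviewers is the usual
    # control; not added here because no environment name is known.
    env:
      ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
      ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
      ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
      ARM_SUBSCRIPTION_ID: ${{ vars.ARM_SUBSCRIPTION_ID }}
    steps:
      - name: Checkout the repository
        uses: actions/checkout@v3
      - name: Set up Terraform
        uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: ${{ inputs.terraform-version }}
      - name: Download plan artifact
        uses: actions/download-artifact@v4
        with:
          name: ${{ inputs.terraform-plan-name }}
          path: ${{ github.workspace }}/${{ inputs.terraform-dir }}
      - name: Terraform plugin cache
        id: cache
        uses: actions/cache@v3
        with:
          path: ${{ env.TF_PLUGIN_CACHE_DIR }}
          key: ${{ runner.os }}-${{ inputs.terraform-dir }}-${{ hashFiles(format('{0}/{1}', inputs.terraform-dir, inputs.cache-hash-file)) }}
      - name: Create TF_PLUGIN_CACHE_DIR
        # Mirrors the plan job: the original apply job skipped this, so a
        # cache miss here left TF_PLUGIN_CACHE_DIR pointing at a missing dir.
        if: ${{ steps.cache.outputs.cache-hit != 'true' }}
        shell: bash
        run: mkdir -p "$TF_PLUGIN_CACHE_DIR"
      - name: Terraform apply
        shell: bash
        working-directory: ${{ github.workspace }}/${{ inputs.terraform-dir }}
        # init runs again because this job has a fresh runner and workspace;
        # apply then executes exactly the downloaded plan, not a new one.
        run: |
          terraform init
          terraform apply "$TERRAFORM_PLAN_NAME"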