.github/workflows/terraform-checks.yml

name: Lint-Format-Scan
on: [push]
jobs:
  terraform_fmt:
    name: Run terraform fmt
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: "1.10.4"
      - name: Terraform fmt
        uses: pre-commit/action@v3.0.1
        with:
          extra_args: terraform_fmt --all-files
  terraform_lint:
    name: Run tflint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: "1.10.4"
      - name: Install tflint
        uses: nick-fields/retry@v3.0.0
        with:
          timeout_seconds: 30
          max_attempts: 5
          retry_on: error
          command: >-
            curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash
      - uses: pre-commit/action@v3.0.1
        with:
          extra_args: terraform_tflint --all-files
  terraform_trivy:
    name: Run trivy
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Install trivy
        uses: nick-fields/retry@v3.0.0
        with:
          timeout_seconds: 60
          max_attempts: 5
          retry_wait_seconds: 20
          retry_on: error
          command: |
            apt-get install wget apt-transport-https gnupg lsb-release
            wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
            echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
            sudo apt-get update
            sudo apt-get install trivy
            trivy version
      - uses: pre-commit/action@v3.0.1
        with:
          extra_args: terraform_trivy --all-files
  terraform_validate:
    name: Run terraform validate
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: "1.10.4"
      - name: Generate pvt key
        run: >-
          ssh-keygen -q -P '' -t rsa -b 4096 -m PEM -f tests/domino.pem
      - name: Terraform validate
        uses: pre-commit/action@v3.0.1
        with:
          extra_args: terraform_validate --all-files
  terraform_providers_lock:
    name: Run terraform providers_lock
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Generate pvt key
        run: ssh-keygen -q -P '' -t rsa -b 4096 -m PEM -f tests/domino.pem
      - name: Terraform providers_lock
        uses: pre-commit/action@v3.0.1
        with:
          extra_args: terraform_providers_lock --all-files
  terraform_docs:
    name: Run terraform docs
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Install terraform docs
        uses: nick-fields/retry@v3.0.0
        with:
          timeout_seconds: 60
          max_attempts: 5
          retry_wait_seconds: 20
          retry_on: error
          command: >-
            curl -L https://github.com/terraform-docs/terraform-docs/releases/download/v0.19.0/terraform-docs-v0.19.0-$(uname)-amd64.tar.gz | tar -C /tmp -xzf - && chmod +x /tmp/terraform-docs && sudo mv /tmp/terraform-docs /usr/local/bin
      - name: Terraform docs
        uses: pre-commit/action@v3.0.1
        with:
          extra_args: terraform_docs --all-files
  checkov:
    name: Run checkov scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - uses: actions/setup-python@v5
      - name: Install checkov
        run: pip3 install checkov
      - name: Run Checkov scan
        uses: pre-commit/action@v3.0.1
        with:
          extra_args: terraform_checkov --all-files
  check_aws_partition:
    name: Check for hardcoded aws partition
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Check for hardcoded aws partition
        uses: pre-commit/action@v3.0.1
        with:
          extra_args: check_aws_partition --all-files
  test-examples:
    runs-on: ubuntu-latest
    steps:
      - name: Test-Examples-Plan
        id: examples-plan-test-workflow
        uses: CircleCI-Public/trigger-circleci-pipeline-action@v1.2.0
        env:
          CCI_TOKEN: ${{ secrets.CIRCLE_PERSONAL_TOKEN }}
  validate-iam-bootstrap:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Validate IAM bootstrap
        run: bin/pre-commit/validate-iam-bootstrap.py