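---
# Terraform pull-request checks: fmt/init/validate/tflint with a PR comment,
# tfsec and Checkov scans, and terraform-docs rendering pushed back to the branch.
#
# NOTE(review): every action below is pinned to a mutable tag. Pinning to the
# full commit SHA (`uses: owner/repo@<commit-sha>  # vX.Y.Z`) removes the risk
# of a tag being moved to different code; SHAs are omitted here as placeholders
# because they are not on this page.
name: Terraform

on:  # yamllint disable-line rule:truthy
  pull_request:

# Default for every job is read-only; jobs that need to write opt in below.
permissions:
  contents: read

jobs:
  fmt-lint-validate:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write  # needed to create/update the results comment
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2

      - name: Setup Terraform Linters
        uses: terraform-linters/setup-tflint@v4
        with:
          # Token is used here only for GitHub API rate limiting during install.
          github_token: ${{ secrets.GITHUB_TOKEN }}

      - name: Terraform Format
        id: fmt
        run: terraform fmt -check -recursive

      - name: Terraform Init
        id: init
        run: terraform init

      - name: Terraform Validate
        id: validate
        run: terraform validate -no-color

      - name: Terraform Lint
        id: lint
        env:
          # Previously exported to every step via the workflow-level env; kept
          # only for tflint in case it contacts the GitHub API (e.g. rulesets).
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: tflint --no-color --recursive --format compact

      - name: Post results to the pull request
        uses: actions/github-script@v6
        # Run even when an earlier step failed so the comment reports the failure.
        # (The original `github.event_name == 'pull_request' || always()` was
        # always true; `always()` states that intent directly.)
        if: always()
        env:
          # Step results are handed to the script through the environment
          # instead of `${{ }}` interpolation inside the JavaScript source:
          # validate output is derived from the PR's Terraform files, and
          # interpolating it into code would let crafted output run as script.
          FMT_OUTCOME: ${{ steps.fmt.outcome }}
          INIT_OUTCOME: ${{ steps.init.outcome }}
          LINT_OUTCOME: ${{ steps.lint.outcome }}
          VALIDATE_OUTCOME: ${{ steps.validate.outcome }}
          VALIDATE_STDOUT: ${{ steps.validate.outputs.stdout }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            // 1. Retrieve existing bot comments for the PR
            const { data: comments } = await github.rest.issues.listComments({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
            })
            const botComment = comments.find(comment => {
              return comment.user.type === 'Bot' && comment.body.includes('Terraform Format and Style')
            })
            // 2. Prepare format of the comment (values come from the step env, see above)
            const {
              FMT_OUTCOME,
              INIT_OUTCOME,
              LINT_OUTCOME,
              VALIDATE_OUTCOME,
              VALIDATE_STDOUT,
            } = process.env
            const output = `#### Terraform Format and Style 🖌\`${FMT_OUTCOME}\`
            #### Terraform Initialization ⚙️\`${INIT_OUTCOME}\`
            #### Terraform Lint 📖\`${LINT_OUTCOME}\`
            #### Terraform Validation 🤖\`${VALIDATE_OUTCOME}\`
            <details><summary>Validation Output</summary>
            \`\`\`\n
            ${VALIDATE_STDOUT}
            \`\`\`
            </details>`;
            // 3. If we have a comment, update it, otherwise create a new one.
            //    Both calls are awaited so a failed API call fails the step
            //    instead of being dropped as an unhandled rejection.
            if (botComment) {
              await github.rest.issues.updateComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                comment_id: botComment.id,
                body: output
              })
            } else {
              await github.rest.issues.createComment({
                issue_number: context.issue.number,
                owner: context.repo.owner,
                repo: context.repo.repo,
                body: output
              })
            }

  tfsec:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write  # needed by the PR commenter
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Terraform security scan
        uses: aquasecurity/[email protected]
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          soft_fail: false

      - name: Terraform pr commenter
        uses: aquasecurity/[email protected]
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          tfsec_args: --concise-output --force-all-dirs

  checkov:
    runs-on: ubuntu-latest
    permissions:
      contents: read  # SARIF is produced but not uploaded, so no write scope is needed
    steps:
      - name: Check out code
        uses: actions/checkout@v4

      - name: Run Checkov
        uses: bridgecrewio/[email protected]
        with:
          container_user: 1000
          # NOTE(review): "/" is passed to checkov as-is; confirm it resolves to
          # the repository checkout rather than the container root ("." is the
          # usual value for scanning the checked-out repo).
          directory: "/"
          download_external_modules: false
          framework: terraform
          output_format: sarif
          quiet: true
          skip_check: "CKV_TF_1,CKV_AWS_108,CKV_AWS_109,CKV_AWS_111,CKV_AWS_356"
          soft_fail: false

  docs:
    runs-on: ubuntu-latest
    permissions:
      contents: write  # pushes the rendered README back to the PR branch
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Check out the PR head branch so the docs commit lands on it.
          ref: ${{ github.event.pull_request.head.ref }}

      - name: Render terraform docs inside the README.md and push changes back to PR branch
        uses: terraform-docs/[email protected]
        with:
          args: --sort-by required
          git-commit-message: "docs(readme): update module usage"
          git-push: true
          output-file: README.md
          output-method: inject
          working-dir: .
        # added this to prevent a PR from a remote fork failing the workflow
        # (GITHUB_TOKEN cannot push to a fork's branch, so the push step fails there)
        continue-on-error: true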