-
Notifications
You must be signed in to change notification settings - Fork 6
170 lines (145 loc) · 5.16 KB
/
terraform-validation.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
name: "terraform"
on:
pull_request:
permissions:
contents: write
pull-requests: write
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TF_IN_AUTOMATION: 1
jobs:
fmt-lint-validate:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Terraform
uses: hashicorp/setup-terraform@v2
- name: Setup Terraform Linters
uses: terraform-linters/setup-tflint@v4
with:
github_token: ${{ github.token }}
- name: Terraform Format
id: fmt
run: terraform fmt -check -recursive
- name: Terraform Lint
id: lint
run: |
echo "Checking ."
tflint --format compact
for d in examples/*/; do
echo "Checking ${d} ..."
tflint --chdir=$d --format compact
done
- name: Terraform Validate
id: validate
if: ${{ !vars.SKIP_TERRAFORM_VALIDATE }}
run: |
for d in examples/*/; do
echo "Checking ${d} ..."
terraform -chdir=$d init
terraform -chdir=$d validate -no-color
done
env:
AWS_DEFAULT_REGION: eu-west-1
- name: Terraform Test
id: test
if: ${{ !vars.SKIP_TERRAFORM_TESTS }}
run: |
terraform init
terraform test
- uses: actions/github-script@v6
if: github.event_name == 'pull_request' || always()
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
// 1. Retrieve existing bot comments for the PR
const { data: comments } = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
})
const botComment = comments.find(comment => {
return comment.user.type === 'Bot' && comment.body.includes('Terraform Format and Style')
})
// 2. Prepare format of the comment
const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
#### Terraform Lint 📖\`${{ steps.lint.outcome }}\`
#### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
<details><summary>Validation Output</summary>
\`\`\`\n
${{ steps.validate.outputs.stdout }}
\`\`\`
</details>`;
// 3. If we have a comment, update it, otherwise create a new one
if (botComment) {
github.rest.issues.updateComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: botComment.id,
body: output
})
} else {
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})
}
docs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.ref }}
- name: Render terraform docs inside the README.md and push changes back to PR branch
uses: terraform-docs/[email protected]
with:
args: --sort-by required
git-commit-message: "docs(readme): update module usage"
git-push: true
output-file: README.md
output-method: inject
working-dir: .
continue-on-error: true # added this to prevent a PR from a remote fork failing the workflow
tfsec:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Terraform security scan
uses: aquasecurity/[email protected]
with:
github_token: ${{ github.token }}
soft_fail: false
tfsec_args: --concise-output --force-all-dirs
- name: Terraform pr commenter
uses: aquasecurity/[email protected]
with:
github_token: ${{ github.token }}
tfsec_args: --concise-output --force-all-dirs
checkov:
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v4
- name: Run Checkov
uses: bridgecrewio/checkov-action@v12
with:
container_user: 1000
directory: "/"
download_external_modules: false
framework: terraform
output_format: sarif
quiet: true
skip_check: "CKV_GIT_5,CKV_GLB_1,CKV_TF_1"
soft_fail: false
skip_path: "examples/"
### SKIP REASON ###
# Check | Description | Reason
# CKV_GIT_5 | Ensure GitHub pull requests have at least 2 approvals | We strive for at least 1 approval
# CKV_GLB_1 | Ensure at least two approving reviews are required to merge a GitLab MR | We strive for at least 1 approval
# CKV_TF_1 | Ensure Terraform module sources use a commit hash | We think this check is too restrictive and that versioning should be preferred over commit hash