-
Notifications
You must be signed in to change notification settings - Fork 2
88 lines (84 loc) · 2.7 KB
/
terraform.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
name: Terraform
on:
push:
branches:
- main
paths-ignore:
- '**.md'
tags-ignore:
- '**'
workflow_dispatch:
permissions: write-all
concurrency:
group: terraform
cancel-in-progress: false
env:
ARM_USE_OIDC: true
ARM_USE_AZUREAD: true
ARM_TENANT_ID: ${{ secrets.azure_tenant_id }}
ARM_SUBSCRIPTION_ID: ${{ secrets.azure_subscription_id }}
ARM_CLIENT_ID: ${{ secrets.azure_client_id }}
jobs:
terraform-workflow:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Terraform
uses: hashicorp/setup-terraform@v2
- name: Cache Terraform modules
uses: actions/cache@v3
id: cache
with:
path: ./terraform
key: ${{ runner.os }}-terraform-${{ hashFiles('terraform/**/*.tf') }}
- name: Az CLI login
uses: azure/login@v1
with:
client-id: ${{ secrets.azure_client_id }}
tenant-id: ${{ secrets.azure_tenant_id }}
subscription-id: ${{ secrets.azure_subscription_id }}
- name: Terraform Init
working-directory: ./terraform
run: terraform init
- name: Terraform Format
working-directory: ./terraform
run: terraform fmt -check
- name: Terraform Validate
working-directory: ./terraform
run: terraform validate
- name: Setup TFLint
uses: terraform-linters/[email protected]
- name: Init TFLint
run: tflint --init
working-directory: ./terraform
env:
# https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
GITHUB_TOKEN: ${{ github.token }}
- name: Run TFLint
working-directory: ./terraform
run: tflint --module
- name: Terraform Test
working-directory: ./terraform
run: |
terraform test
- name: Run Trivy vulnerability scanner in IaC mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'config'
scan-ref: './terraform'
format: sarif
output: trivy-results.sarif
exit-code: 1
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
- name: Terraform Plan
working-directory: ./terraform
run: |
terraform plan -out=tfplan -var="location=eastus" -var="name_prefix=test" -var="bastion_admin_password=${{ secrets.BASTION_ADMIN_PASSWORD }}" -var="ssh_public_key=${{ secrets.BASTION_SSH_PUBLIC_KEY }}"
terraform-bin show -json -no-color tfplan > tfplan.json
terraform-bin show -no-color tfplan >> $GITHUB_STEP_SUMMARY
- name: Terraform Apply
working-directory: ./terraform
run: terraform apply tfplan