diff --git a/.github/workflows/on_pull_request.yml b/.github/workflows/on_pull_request.yml
new file mode 100644
index 0000000..d72b179
--- /dev/null
+++ b/.github/workflows/on_pull_request.yml
@@ -0,0 +1,32 @@
+name: 'Pull Request handler'
+
+on:
+ pull_request:
+
+#Special permissions required for OIDC authentication
+permissions:
+ id-token: write
+ contents: read
+ pull-requests: write
+
+jobs:
+ terraform-check-code:
+ uses: ./.github/workflows/tf-lint.yml
+
+ terraform-doc-check:
+ needs: terraform-check-code
+ uses: ./.github/workflows/tf-doc.yml
+
+ terraform-secu-scan-tfsec:
+ needs: terraform-check-code
+ uses: ./.github/workflows/tf-sec.yml
+
+ terraform-estimate:
+ needs: terraform-secu-scan-tfsec
+ if: |
+ always() &&
+ contains(needs.*.result, 'success')
+ uses: ./.github/workflows/tf-estimate.yml
+ secrets:
+ INFRACOST_API_KEY: ${{ secrets.INFRACOST_API_KEY }}
+
diff --git a/.github/workflows/tf-doc.yml b/.github/workflows/tf-doc.yml
new file mode 100644
index 0000000..77ff702
--- /dev/null
+++ b/.github/workflows/tf-doc.yml
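Review bot: The workflow-level `permissions` block hands `id-token: write` and `pull-requests: write` to every called job, including `terraform-check-code` and `terraform-secu-scan-tfsec`, which only check out and scan code; a called workflow can narrow what the caller grants but never widen it, so the wide grant belongs on the one job that needs it, e.g. a job-level `permissions:` under `terraform-estimate` with `id-token: write`, `contents: read`, `pull-requests: write`, and the top-level block reduced to `contents: read`. The `if:` on `terraform-estimate` pairs `always()` with `contains(needs.*.result, 'success')`, but its only `needs` entry is `terraform-secu-scan-tfsec`, so the condition appears equivalent to the default skip-on-failure while reading as if a failed scan would not block the estimate; either drop it or state the intent in a comment. The comment `#Special permissions required for OIDC authentication` is also the only one in the new files without a space after `#`.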
@@ -0,0 +1,64 @@
+name: 'Terraform Docs'
+
+on:
+ workflow_call:
+ inputs:
+ commit:
+ description: "Whether the changes should be committed"
+ default: false
+ required: false
+ type: boolean
+
+permissions:
+ id-token: write
+ contents: read
+ pull-requests: write
+
+jobs:
+ terraform-doc:
+ name: 'Generate TF Doc'
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout PR branch
+ uses: actions/checkout@v3
+
+ - name: Render terraform docs
+ uses: terraform-docs/gh-actions@main
+ id: terraform-docs
+ with:
+ working-dir: .
+ output-file: README.md
+ output-method: inject
+ git-push: ${{ inputs.commit }}
+
+ - name: Prepare PR message
+ run: |
+ baseline="$([[ "${{ inputs.commit }}" = "true" ]] && echo "HEAD~" || echo "HEAD")"
+
+ # TODO: debug, remove
+ echo "${baseline}|||${{ inputs.commit}}|||${{ steps.terraform-docs.outputs.num_changed }}"
+
+ if [ "${{ steps.terraform-docs.outputs.num_changed }}" -eq 0 ] || diff_content="$(git diff --exit-code "${baseline}" README.md)"; then
+ echo "README.md is up to date." >/tmp/README_diff
+ exit 0
+ else
+ cat - >/tmp/README_diff << EOF
+ README.md changes:
+
+ \`\`\`patch
+ ${diff_content}
+ \`\`\`
+ EOF
+
+ # error-out if changes were not committed
+ [[ "${{ inputs.commit }}" = "true" ]]
+ exit "$?"
+ fi
+
+ - name: Update PR comment
+ uses: thollander/actions-comment-pull-request@v2
+ if: ${{ ( success() || failure() ) && github.event_name == 'pull_request' }}
+ with:
+ filePath: /tmp/README_diff
+ comment_tag: documentation_status
diff --git a/.github/workflows/tf-check-secure-estimate.yml b/.github/workflows/tf-estimate.yml
similarity index 50%
rename from .github/workflows/tf-check-secure-estimate.yml
rename to .github/workflows/tf-estimate.yml
index 2a6efa9..46434f3 100644
--- a/.github/workflows/tf-check-secure-estimate.yml
+++ b/.github/workflows/tf-estimate.yml
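Review bot: `git-push: ${{ inputs.commit }}` asks terraform-docs to push a commit, but this workflow's own `permissions` block grants only `contents: read`, so a caller passing `commit: true` will presumably get a rejected push unless the checkout is given a different token; either raise the block to `contents: write` or document on the `commit` input that the caller must grant it. `terraform-docs/gh-actions@main` tracks a mutable branch, so the code that rewrites README.md on every PR can change without review; pin it to a release tag or, better, a commit SHA as the other actions are at least tag-pinned. The `# TODO: debug, remove` echo in `Prepare PR message` should go before merge, and the same step interpolates `${{ inputs.commit }}` and `${{ steps.terraform-docs.outputs.num_changed }}` straight into the script; passing them through `env:` (`COMMIT: ${{ inputs.commit }}`, `NUM_CHANGED: ${{ steps.terraform-docs.outputs.num_changed }}`) and reading `"$COMMIT"` / `"$NUM_CHANGED"` keeps expression expansion out of shell text. `id-token: write` is not used by any step in this file and can be dropped.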
@@ -1,89 +1,22 @@ -name: 'Terraform Check-Secure-Estimate' +name: Terraform Cost Estimate on: - pull_request: + workflow_call: + secrets: + INFRACOST_API_KEY: + description: The key to use when connecting to the infracost API + required: true -#Special permissions required for OIDC authentication permissions: id-token: write contents: read pull-requests: write env: - AWS_ACCESS_KEY_ID : "${{ secrets.AWS_ACCESS_KEY_ID }}" - AWS_SECRET_ACCESS_KEY : "${{ secrets.AWS_SECRET_ACCESS_KEY }}" TF_ROOT : "." - -jobs: - terraform-check-code: - name: 'TF Validate code' - runs-on: ubuntu-latest - - steps: - # Checkout the repository to the GitHub Actions runner - - name: Checkout - uses: actions/checkout@v3 - - # Install the latest version of Terraform CLI - - name: Setup Terraform - uses: hashicorp/setup-terraform@v2 - with: - terraform_wrapper: false - # Initialize a new or existing Terraform working directory - - name: Terraform Init - run: terraform init - - # Validate terraform files - - name: Terraform Validate - run: terraform validate - - # Checks that all Terraform configuration files adhere to a canonical format - - name: Terraform Check Format - run: terraform fmt -check -recursive - - ## TFLint installation and configuration - - uses: actions/cache@v3 - name: TFLint - Cache plugin dir - with: - path: ~/.tflint.d/plugins - key: ubuntu-latest-tflint-${{ hashFiles('.tflint.hcl') }} - - - uses: terraform-linters/setup-tflint@v3 - name: TFLint - Setup - with: - tflint_version: latest - - - name: TFLint - Show version - run: tflint --version - - - name: TFLint - Initiate - run: tflint --init - env: - # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting - GITHUB_TOKEN: ${{ github.token }} - - - name: TFLint - Execute - run: tflint -f compact - - terraform-secu-scan-tfsec: - needs: terraform-check-code - name: 'TF Security Scan' - runs-on: ubuntu-latest - - steps: - # Checkout the repository to the GitHub Actions runner 
- - name: Checkout PR branch - uses: actions/checkout@v3 - # Perform a security scan of the terraform code using TFsec - - name: Run TFsec scan - uses: aquasecurity/tfsec-action@v1.0.0 - - terraform-plan-estimate: - needs: terraform-secu-scan-tfsec - if: | - always() && - contains(needs.*.result, 'success') +jobs: + terraform-estimate: name: 'TF Estimate Cost and Plan' runs-on: ubuntu-latest @@ -98,14 +31,9 @@ jobs: with: terraform_wrapper: false - # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. - name: Terraform Init - run: terraform init + run: terraform init -backend=false - # Plan change - - name: Terraform Plan - run: terraform plan - - name: Setup Infracost uses: infracost/actions/setup@v2 with: @@ -150,4 +78,3 @@ jobs: --github-token=${{github.token}} \ --pull-request=${{github.event.pull_request.number}} \ --behavior=update - diff --git a/.github/workflows/tf-lint.yml b/.github/workflows/tf-lint.yml new file mode 100644 index 0000000..a95e0b8 --- /dev/null +++ b/.github/workflows/tf-lint.yml 
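Review bot: `id-token: write` survives in `permissions` even though this hunk removes the AWS credential env lines and the "Special permissions required for OIDC authentication" comment, and no step in the visible hunks needs a cloud identity now that `terraform init -backend=false` replaces the plan in the second hunk; reducing the block to `contents: read` and `pull-requests: write` (the latter for the Infracost comment) removes an unused token capability. The job `name: 'TF Estimate Cost and Plan'` is stale for the same reason since the `Terraform Plan` step is gone. The middle of the first hunk (new lines 22–30) and the infracost comment step around `--behavior=update` are outside this view, so I cannot confirm nothing else relies on OIDC. In the third hunk, `--pull-request=${{github.event.pull_request.number}}` expands to nothing when the caller is not a `pull_request` run; an `if: github.event_name == 'pull_request'` on that step would avoid a malformed flag.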
@@ -0,0 +1,59 @@
+name: 'Terraform Lint'
+
+on:
+ workflow_call:
+
+permissions:
+ contents: read
+
+jobs:
+ terraform-lint:
+ name: 'TF Validate code'
+ runs-on: ubuntu-latest
+
+ steps:
+ # Checkout the repository to the GitHub Actions runner
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ # Install the latest version of Terraform CLI
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v2
+ with:
+ terraform_wrapper: false
+
+ # Initialize a new or existing Terraform working directory
+ - name: Terraform Init
+ run: terraform init -backend=false
+
+ # Validate terraform files
+ - name: Terraform Validate
+ run: terraform validate
+
+ # Checks that all Terraform configuration files adhere to a canonical format
+ - name: Terraform Check Format
+ run: terraform fmt -check -recursive
+
+ ## TFLint installation and configuration
+ - uses: actions/cache@v3
+ name: TFLint - Cache plugin dir
+ with:
+ path: ~/.tflint.d/plugins
+ key: ubuntu-latest-tflint-${{ hashFiles('.tflint.hcl') }}
+
+ - uses: terraform-linters/setup-tflint@v3
+ name: TFLint - Setup
+ with:
+ tflint_version: latest
+
+ - name: TFLint - Show version
+ run: tflint --version
+
+ - name: TFLint - Initiate
+ run: tflint --init
+ env:
+ # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+ GITHUB_TOKEN: ${{ github.token }}
+
+ - name: TFLint - Execute
+ run: tflint -f compact
diff --git a/.github/workflows/tf-plan-apply.yml b/.github/workflows/tf-plan-apply.yml
index b497793..d78f814 100644
--- a/.github/workflows/tf-plan-apply.yml
+++ b/.github/workflows/tf-plan-apply.yml
@@ -4,6 +4,7 @@ on:
push:
branches: - main
+ workflow_dispatch:
#Special permissions required for OIDC authentication
permissions:
@@ -14,6 +15,7 @@ permissions:
env:
AWS_ACCESS_KEY_ID : "${{ secrets.AWS_ACCESS_KEY_ID }}"
AWS_SECRET_ACCESS_KEY : "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
+ GOOGLE_APPLICATION_CREDENTIALS : /tmp/gcp.creds
TF_ROOT : "."
jobs:
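Review bot: `tflint_version: latest` on the `TFLint - Setup` step, together with `hashicorp/setup-terraform@v2` carrying no `terraform_version`, makes this required check non-reproducible: a new tflint or Terraform release can start failing or passing PRs with no change in the repository. Pin both (`tflint_version: "<pinned version>"`, `terraform_version: "<pinned version>"`) and bump them deliberately; the cache key `ubuntu-latest-tflint-${{ hashFiles('.tflint.hcl') }}` then also keys on something that fully determines the plugin set. The `## TFLint installation and configuration` comment uses a double hash where every other comment in the file uses `# `.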
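Review bot: Adding `workflow_dispatch:` to the workflow that applies with the long-lived `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` pair means apply can now be started manually from any ref by anyone with write access, where before only pushes to `main` reached it, unless the apply job has a ref check outside this diff. If that is intended, say so in a comment next to the trigger (`# Manual trigger: runs plan/apply for the selected ref`) and consider gating the apply job with an `environment:` that has required reviewers. The new `GOOGLE_APPLICATION_CREDENTIALS : /tmp/gcp.creds` line keeps this file's space-before-colon style, which the other new workflows do not use; worth normalising the whole `env` block in one pass rather than mixing styles further.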
@@ -27,6 +29,13 @@ jobs:
tfplanExitCode: ${{ steps.tf-plan.outputs.exitcode }}
steps:
+ # Set-up Google authentication if configured
+ - name: Set-up GCP auth
+ if: ${{ env.GOOGLE_APPLICATION_CREDENTIALS_CONTENT != '' }}
+ run: cat - <<<"${GOOGLE_APPLICATION_CREDENTIALS_CONTENT}" > "$GOOGLE_APPLICATION_CREDENTIALS"
+ env:
+ GOOGLE_APPLICATION_CREDENTIALS_CONTENT: "${{ secrets.GOOGLE_APPLICATION_CREDENTIALS_CONTENT }}"
+
# Checkout the repository to the GitHub Actions runner - name: Checkout
uses: actions/checkout@v3
@@ -119,6 +128,13 @@ jobs:
needs: [terraform-plan]
steps:
+ # Set-up Google authentication if configured
+ - name: Set-up GCP auth
+ if: ${{ env.GOOGLE_APPLICATION_CREDENTIALS_CONTENT != '' }}
+ run: cat - <<<"${GOOGLE_APPLICATION_CREDENTIALS_CONTENT}" > "$GOOGLE_APPLICATION_CREDENTIALS"
+ env:
+ GOOGLE_APPLICATION_CREDENTIALS_CONTENT: "${{ secrets.GOOGLE_APPLICATION_CREDENTIALS_CONTENT }}"
+
# Checkout the repository to the GitHub Actions runner - name: Checkout
uses: actions/checkout@v3
diff --git a/.github/workflows/tf-sec.yml b/.github/workflows/tf-sec.yml
new file mode 100644
index 0000000..d52ddf2
--- /dev/null
+++ b/.github/workflows/tf-sec.yml
@@ -0,0 +1,20 @@
+name: 'Terraform Security Scan'
+
+on:
+ workflow_call:
+
+permissions:
+ contents: read
+
+jobs:
+ terraform-secu-scan:
+ name: 'TF Security Scan'
+ runs-on: ubuntu-latest
+
+ steps:
+ # Checkout the repository to the GitHub Actions runner
+ - name: Checkout PR branch
+ uses: actions/checkout@v3
+ # Perform a security scan of the terraform code using TFsec
+ - name: Run TFsec scan
+ uses: aquasecurity/tfsec-action@v1.0.0
diff --git a/README.md b/README.md
index cd023fb..1770378 100644
--- a/README.md
+++ b/README.md
@@ -20,3 +20,7 @@ CD Content:
Works with Cloud Provider below: - AWS
+
+
+The generated module documentation will be here.
+
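Review bot: The `Set-up GCP auth` step writes the service-account key with `cat - <<<"…" > "$GOOGLE_APPLICATION_CREDENTIALS"` under the shell's default umask, so the file in `/tmp/gcp.creds` is created with the runner's default (typically group/world-readable) mode and is never removed once the job's later steps have used it; the same step is repeated verbatim in the `@@ -119,6 +128,13 @@` hunk for the apply job. Set a restrictive umask before writing, use `printf` rather than a here-string, and add an `if: always()` cleanup step at the end of each job; the duplicated step is also a candidate for a small composite action so both jobs stay in sync. The enclosing jobs start and end outside this hunk.

```yaml
      - name: Set-up GCP auth
        if: ${{ env.GOOGLE_APPLICATION_CREDENTIALS_CONTENT != '' }}
        run: |
          umask 077
          printf '%s\n' "${GOOGLE_APPLICATION_CREDENTIALS_CONTENT}" > "${GOOGLE_APPLICATION_CREDENTIALS}"
        env:
          GOOGLE_APPLICATION_CREDENTIALS_CONTENT: "${{ secrets.GOOGLE_APPLICATION_CREDENTIALS_CONTENT }}"
      # … unchanged: Checkout and the rest of the job's steps …
      - name: Remove GCP credentials file
        if: ${{ always() }}
        run: rm -f "${GOOGLE_APPLICATION_CREDENTIALS}"
```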
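Review bot: The tfsec findings live only in the job log: `aquasecurity/tfsec-action@v1.0.0` fails the job on findings, which blocks `terraform-estimate`, but nothing surfaces them where reviewers look or keeps a history. Emitting SARIF (for example via `aquasecurity/tfsec-sarif-action` followed by `github/codeql-action/upload-sarif`, which needs `security-events: write` added to this file's `permissions`) would show them on the PR's Security tab. As far as I know upstream has announced tfsec is being folded into Trivy, so confirm the action is still maintained before building more on it, and pin it by commit SHA along with `actions/checkout@v3`. The two steps also lack the blank line that separates steps in `tf-lint.yml`.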