-
Notifications
You must be signed in to change notification settings - Fork 44
159 lines (152 loc) · 6.13 KB
/
terraform-ruw.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
on:
# This makes the workflow reusable. It is not meant to be executed independently of a calling workflow.
workflow_call:
inputs:
# Actions settings
working_directory:
type: string
description: Working directory for this workflow
required: true
environment:
# Note: The environment setting will NOT allow secrets from that environment to be used in the RUW. Only
# environment variables and deploy rules are useful here. This can also be used for OIDC.
type: string
default: null
required: false
description: GitHub environment to use for this workflow
runs_on:
type: string
default: ubuntu-latest
required: false
description: Sets the runs-on option for all jobs in the workflow
# TFLint settings
tflint_enabled:
type: boolean
default: true
required: false
description: Should TFLint related jobs run
tflint_version:
type: string
description: Version of tflint to use
required: false
default: v0.52.0
tflint_minimum_failure_severity:
type: string
description: Minimum severity required before TFLint considers a rule finding an error
required: false
default: error
tflint_args:
type: string
description: Additional arguments to pass to the tflint command e.g. "-var 'foo=bar'"
required: false
default: null
# Terraform settings
terraform_version:
type: string
default: "~>1.0"
required: false
description: Version of Terraform to install for jobs that use it. This supports constraint strings also (e.g. ~>1.0)
# Terraform fmt settings
terraform_fmt_enabled:
type: boolean
default: true
required: false
description: Should terraform fmt related jobs run?
terraform_fmt_check:
type: boolean
default: false
required: false
description: Directly passed to the "-check" option for terraform fmt. Should a fmt diff cause the workflow to fail?
# Terraform test settings
terraform_test_enabled:
type: boolean
default: true
required: false
description: Should terraform test related jobs run
terraform_test_args:
type: string
default: null
required: false
description: Additional arguments to pass to the terraform test command e.g. "-var 'foo=bar' -filter=tests/mock_plan.tftest.hcl"
jobs:
# TFLint Job
tflint:
environment: ${{ inputs.environment }}
if: inputs.tflint_enabled
runs-on: ${{ inputs.runs_on }}
steps:
- uses: actions/checkout@v4
name: Checkout source code
# A cache is configured to avoid downloading plugins on every run
- uses: actions/cache@v4
name: Cache TFLint Plugins
with:
path: ~/.tflint.d/plugins
key: tflint-${{ runner.os }}-${{ hashFiles('**/.tflint.hcl') }}
- uses: terraform-linters/setup-tflint@v4
name: Setup TFLint
with:
tflint_version: ${{ inputs.tflint_version }}
- name: Init TFLint
run: tflint --init
env:
# https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
GITHUB_TOKEN: ${{ github.token }}
working-directory: ${{ inputs.working_directory }}
- name: Run TFLint
run: tflint -f compact --minimum-failure-severity=${{ inputs.tflint_minimum_failure_severity }} --recursive ${{ inputs.tflint_args }}
working-directory: ${{ inputs.working_directory }}
# Terraform fmt job
terraform-fmt:
environment: ${{ inputs.environment }}
runs-on: ${{ inputs.runs_on }}
if: inputs.terraform_fmt_enabled
steps:
- uses: actions/checkout@v4
name: Checkout source code
- uses: hashicorp/setup-terraform@v3
name: Setup Terraform
with:
terraform_version: inputs.terraform_version
- name: terraform fmt
run: terraform fmt -check=${{ inputs.terraform_fmt_check }} -write=false -recursive
working-directory: ${{ inputs.working_directory }}
# Terraform test job
terraform-test:
environment: ${{ inputs.environment }}
runs-on: ${{ inputs.runs_on }}
if: inputs.terraform_test_enabled
# This environment variable sets the plugin cache dir for Terraform, and is also used to configure a cache directory
env:
TF_PLUGIN_CACHE_DIR: ${{ github.workspace }}/.terraform.d/plugin-cache
# Terraform will not use the cache if the dependency lock file is not committed to the repo. This is a workaround.
# https://developer.hashicorp.com/terraform/cli/config/config-file#allowing-the-provider-plugin-cache-to-break-the-dependency-lock-file
TF_PLUGIN_CACHE_MAY_BREAK_DEPENDENCY_LOCK_FILE: true
steps:
- uses: actions/checkout@v4
name: Checkout source code
# Create the cache directory
- run: mkdir -p ${{ env.TF_PLUGIN_CACHE_DIR }}
# Initialize the cache
- uses: actions/cache@v4
name: Cache Terraform Providers
with:
path: ${{ env.TF_PLUGIN_CACHE_DIR }}
# The cache key includes the OS, working directory, and a hash of all versions.tf in the repo.
# A change to any of these will cause a new cache to be created (or reused if it exists)
key: terraform-providers-${{ runner.os }}-${{ inputs.working_directory }}-${{ hashFiles('**/versions.tf') }}
restore-keys:
terraform-providers-${{ runner.os }}-${{ inputs.working_directory }}-
terraform-providers-${{ runner.os }}-
- name: List plugin cache contents
run: ls -R ${{ env.TF_PLUGIN_CACHE_DIR }}
- uses: hashicorp/setup-terraform@v3
name: Setup Terraform
with:
terraform_version: inputs.terraform_version
- name: terraform init
run: terraform init
working-directory: ${{ inputs.working_directory }}
- name: terraform test
run: terraform test ${{ inputs.terraform_test_args }}
working-directory: ${{ inputs.working_directory }}