-
Notifications
You must be signed in to change notification settings - Fork 0
139 lines (109 loc) · 4.43 KB
/
ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
name: Terraform CI
on:
pull_request:
branches: [ main ]
jobs:
setup-azure-storage:
name: 'Setup azure storage account for tfstate files'
runs-on: ubuntu-latest
env:
ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
TF_BACKEND_CONFIG_CONTAINER_NAME: ${{ secrets.TF_BACKEND_CONFIG_CONTAINER_NAME }}
TF_BACKEND_CONFIG_RG_NAME: ${{ secrets.TF_BACKEND_CONFIG_RG_NAME }}
TF_BACKEND_CONFIG_SA_NAME: ${{ secrets.TF_BACKEND_CONFIG_SA_NAME }}
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Run setup script
run: |
sudo apt-get update -qq && sudo apt-get -qq install jq
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
jq -h
az version
az login --service-principal -u $ARM_CLIENT_ID -p $ARM_CLIENT_SECRET --tenant $ARM_TENANT_ID
chmod +x tfstate_storage_azure.sh
./tfstate_storage_azure.sh
init-and-validate-terraform:
needs: setup-azure-storage
name: 'Initialize and validate terraform providers and modules'
runs-on: ubuntu-latest
env:
ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Setup Terraform
uses: hashicorp/setup-terraform@v1
- name: Terraform Init
run: terraform init -backend-config="resource_group_name=${{ secrets.TF_BACKEND_CONFIG_RG_NAME }}" -backend-config="storage_account_name=${{ secrets.TF_BACKEND_CONFIG_SA_NAME }}" -backend-config="container_name=${{ secrets.TF_BACKEND_CONFIG_CONTAINER_NAME }}" -backend-config="key=${{ secrets.TF_BACKEND_CONFIG_FILE_KEY }}"
- name: Terraform Validate
run: terraform validate
- name: Terraform Format
run: terraform fmt -check -diff
- name: Setup TFLint
uses: terraform-linters/[email protected]
with:
tflint_version: latest
github_token: ${{ secrets.GITHUB_TOKEN }}
- name: Show TFLint version
run: tflint --version
- name: Init TFLint
run: tflint --init
- name: Run TFLint
run: tflint --var-file=./environments/dev/dev.tfvars -f compact
terraform-security-analysis:
needs: setup-azure-storage
name: 'Run security analysis for terraform'
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Setup TFSec
uses: tfsec/tfsec-sarif-action@master
with:
sarif_file: tfsec.sarif
tfvars_file: ./environments/dev/dev.tfvars
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: tfsec.sarif
infracost-report:
needs: setup-azure-storage
name: 'Generate infra cost report'
runs-on: ubuntu-latest
env:
INFRACOST_CURRENCY: BRL
ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Setup terraform
uses: hashicorp/setup-terraform@v1
with:
terraform_wrapper: false
- name: Terraform Init
run: terraform init -backend-config="resource_group_name=${{ secrets.TF_BACKEND_CONFIG_RG_NAME }}" -backend-config="storage_account_name=${{ secrets.TF_BACKEND_CONFIG_SA_NAME }}" -backend-config="container_name=${{ secrets.TF_BACKEND_CONFIG_CONTAINER_NAME }}" -backend-config="key=${{ secrets.TF_BACKEND_CONFIG_FILE_KEY }}"
- name: Terraform plan
run: terraform plan -var-file=./environments/dev/dev.tfvars -out tfplan.binary
- name: Terraform show
run: terraform show -json tfplan.binary > plan.json
- name: Setup Infracost
uses: infracost/actions/setup@v1
with:
api-key: ${{ secrets.INFRACOST_API_KEY }}
- name: Infracost Report
run: infracost breakdown --usage-file ./infracost-usage.yml --path plan.json --format json --out-file /tmp/infracost.json
- name: Post Infracost comment
uses: infracost/actions/comment@v1
with:
path: /tmp/infracost.json
behavior: update