-
Notifications
You must be signed in to change notification settings - Fork 1
150 lines (129 loc) · 4.5 KB
/
terraform.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
name: Terraform
defaults:
run:
working-directory: terraform
on:
workflow_dispatch:
pull_request:
paths:
- terraform/**
branches:
- main
push:
paths:
- terraform/**
branches:
- main
jobs:
infracost:
if: github.event_name != 'push'
runs-on: ubuntu-latest
env:
TF_ROOT: .
INFRACOST_API_KEY: ${{ secrets.INFRACOST_API_KEY }}
steps:
- name: setup infracost
uses: infracost/actions/setup@v2
with:
api-key: ${{ secrets.INFRACOST_API_KEY }}
- name: checkout base branch
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.base.ref }}
- name: generate cost breakdown
run: infracost breakdown --path=${TF_ROOT} --format=json --out-file=/tmp/infracost-base.json
- name: generate cost diff
run: infracost diff --path=${TF_ROOT} --format=json --compare-to=/tmp/infracost-base.json --out-file=/tmp/infracost.json
- name: post comment
run: infracost comment github --path=/tmp/infracost.json --repo=$GITHUB_REPOSITORY --github-token=${{github.token}} --pull-request=${{github.event.pull_request.number}} --behavior=update
security:
if: github.event_name != 'push'
runs-on: ubuntu-latest
defaults:
run:
working-directory: ./terraform
steps:
- uses: actions/checkout@v4
- name: tfsec
uses: aquasecurity/[email protected]
with:
github_token: ${{ github.token }}
lint:
if: github.event_name != 'push'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/cache@v3
name: cache plugin
with:
path: ~/.tflint.d/plugins
key: ${{ matrix.os }}-tflint-${{ hashFiles('.tflint.hcl') }}
- uses: terraform-linters/setup-tflint@v4
with:
tflint_version: latest
- name: show version
run: tflint --version
- name: init
run: tflint --init
- name: lint
run: tflint -f compact
plan:
if: github.event_name != 'push'
runs-on: ubuntu-latest
env:
ARM_CLIENT_ID: ${{ secrets.AZ_CLIENT_ID }}
ARM_CLIENT_SECRET: ${{ secrets.AZ_CLIENT_SECRET }}
ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
ARM_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
TF_VAR_FFK_DATABASE_USERNAME: ${{ secrets.FFK_DATABASE_USERNAME }}
TF_VAR_FFK_DATABASE_PASSWORD: ${{ secrets.FFK_DATABASE_PASSWORD }}
TF_VAR_FFK_DATABASE_NAME: ${{ secrets.FFK_DATABASE_NAME }}
TF_VAR_FFK_DATABASE_SERVER: ${{ secrets.FFK_DATABASE_SERVER }}
TF_VAR_FFK_DATABASE_PORT: ${{ secrets.FFK_DATABASE_PORT }}
TF_VAR_FFK_DISCORD_CLIENT_SECRET: ${{ secrets.FFK_DISCORD_CLIENT_SECRET }}
TF_VAR_FFK_DISCORD_REDIRECT: ${{ secrets.FFK_DISCORD_REDIRECT }}
TF_VAR_FFK_DISCORD_BOT_TOKEN: ${{ secrets.FFK_DISCORD_BOT_TOKEN }}
TF_VAR_GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
steps:
- uses: actions/checkout@v4
- uses: hashicorp/setup-terraform@v2
- name: format
run: terraform fmt -recursive
- name: init
run: terraform init
- name: validate
run: terraform validate
- name: plan
run: terraform plan -refresh=false
# apply:
# if: github.event_name == 'push'
# runs-on: ubuntu-latest
# env:
# ARM_CLIENT_ID: ${{ secrets.AZ_CLIENT_ID }}
# ARM_CLIENT_SECRET: ${{ secrets.AZ_CLIENT_SECRET }}
# ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
# ARM_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
# TF_VAR_FFK_DATABASE_USERNAME: ${{ secrets.FFK_DATABASE_USERNAME }}
# TF_VAR_FFK_DATABASE_PASSWORD: ${{ secrets.FFK_DATABASE_PASSWORD }}
# TF_VAR_FFK_DATABASE_NAME: ${{ secrets.FFK_DATABASE_NAME }}
# TF_VAR_FFK_DATABASE_SERVER: ${{ secrets.FFK_DATABASE_SERVER }}
# TF_VAR_FFK_DATABASE_PORT: ${{ secrets.FFK_DATABASE_PORT }}
# TF_VAR_FFK_DISCORD_CLIENT_SECRET: ${{ secrets.FFK_DISCORD_CLIENT_SECRET }}
# TF_VAR_FFK_DISCORD_REDIRECT: ${{ secrets.FFK_DISCORD_REDIRECT }}
# TF_VAR_FFK_DISCORD_BOT_TOKEN: ${{ secrets.FFK_DISCORD_BOT_TOKEN }}
# TF_VAR_GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
# steps:
# - uses: actions/checkout@v3
# - uses: hashicorp/setup-terraform@v2
#
# - name: format
# run: terraform fmt -recursive
#
# - name: init
# run: terraform init
#
# - name: validate
# run: terraform validate
#
# - name: apply
# run: terraform apply -auto-approve -refresh=false