Updated workflow so it can be manually fired #16
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Terraform PR Check | |
on: | |
pull_request: | |
paths: | |
- "terraform/**" | |
- ".github/workflows/terraform-pr-check.yml" | |
push: | |
branches: ["main"] | |
paths: | |
- "terraform/**" | |
concurrency: | |
group: "${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}" | |
cancel-in-progress: true | |
env: | |
DOTNET_VERSION: ${{ vars.DOTNET_VERSION }} | |
ARM_TENANT_ID: ${{ secrets.AZ_TENANT_ID }} | |
ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }} | |
ARM_CLIENT_ID: ${{ secrets.AZ_CLIENT_ID }} | |
ARM_CLIENT_SECRET: ${{ secrets.AZ_CLIENT_SECRET }} | |
AZ_KEYVAULT_NAME: ${{ secrets.AZ_ACA_RESOURCE_GROUP }}-kv | |
TF_BACKEND_STORAGE_ACCOUNT_NAME: ${{ secrets.TF_BACKEND_STORAGE_ACCOUNT_NAME }} | |
TF_BACKEND_CONTAINER_NAME: ${{ secrets.TF_BACKEND_CONTAINER_NAME }} | |
TF_BACKEND_KEY: ${{ secrets.TF_BACKEND_KEY }} | |
TF_BACKEND_RESOURCE_GROUP: ${{ secrets.TF_BACKEND_RESOURCE_GROUP }} | |
TF_VAR_project_name: ${{ secrets.DFE_PROJECT_NAME }} | |
TF_VAR_environment: ${{ secrets.AZ_ENVIRONMENT }} | |
TF_VAR_azure_location: ${{ vars.AZ_LOCATION }} | |
TF_VAR_az_app_kestrel_endpoint: ${{ vars.KESTRELENDPOINT }} | |
TF_VAR_az_tag_environment: ${{ vars.AZ_TAG_ENVIRONMENT }} | |
TF_VAR_az_tag_product: ${{ vars.AZ_TAG_PRODUCT }} | |
TF_VAR_registry_server: "ghcr.io/dfe-digital" | |
TF_VAR_image_tag: "latest" | |
TF_VAR_registry_username: ${{ github.repository_owner }} | |
TF_VAR_registry_password: ${{ secrets.GITHUB_TOKEN }} | |
TF_WORKING_DIRECTORY: terraform/container-app | |
jobs: | |
validate-terraform: | |
name: Validate Terraform | |
runs-on: ubuntu-22.04 | |
defaults: | |
run: | |
working-directory: ${{env.TF_WORKING_DIRECTORY}} | |
steps: | |
- name: Clone repo | |
uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.event.pull_request.head.ref }} | |
- name: Setup Terraform | |
uses: hashicorp/setup-terraform@v3 | |
with: | |
terraform_version: 1.6.2 | |
- name: Get GitHub Runner IP | |
id: whats-my-ip | |
uses: ./.github/actions/whats-my-ip-address | |
- name: Set GitHub Runner IP to TF Var | |
shell: bash | |
run: | | |
echo "TF_VAR_github_ip=${{ steps.whats-my-ip.outputs.ip}}" >> $GITHUB_ENV | |
- name: Login with AZ | |
uses: ./.github/actions/azure-login | |
with: | |
az_tenant_id: ${{ secrets.AZ_TENANT_ID }} | |
az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} | |
az_client_id: ${{ secrets.AZ_CLIENT_ID }} | |
az_client_secret: ${{ secrets.AZ_CLIENT_SECRET }} | |
- name: Add Runner to KV whitelist | |
uses: azure/CLI@v1 | |
with: | |
azcliversion: 2.45.0 | |
inlineScript: | | |
az keyvault network-rule add --name ${{ env.AZ_KEYVAULT_NAME }} --ip-address ${{ steps.whats-my-ip.outputs.ip }} &> /dev/null | |
- name: Terraform init | |
id: init | |
run: | | |
terraform init \ | |
-backend-config="resource_group_name=${{ env.TF_BACKEND_RESOURCE_GROUP }}" \ | |
-backend-config="storage_account_name=${{ env.TF_BACKEND_STORAGE_ACCOUNT_NAME }}" \ | |
-backend-config="container_name=${{ env.TF_BACKEND_CONTAINER_NAME }}" \ | |
-backend-config="key=${{ env.TF_BACKEND_KEY }}" | |
- name: Terraform Validate | |
id: validate | |
run: terraform validate -no-color -compact-warnings | |
- name: Terraform plan | |
id: plan | |
run: terraform plan -no-color | |
- name: Terraform fmt | |
id: fmt | |
run: terraform fmt -check -diff | |
- name: Validate Terraform docs | |
uses: terraform-docs/[email protected] | |
with: | |
working-dir: ${{ env.TF_WORKING_DIRECTORY }} | |
config-file: .terraform-docs.yml | |
output-file: terraform-configuration.md | |
output-method: inject | |
git-push: "true" | |
- name: Update PR with Terraform results | |
uses: ./.github/actions/post-terraform-results | |
if: github.event_name == 'pull_request' | |
with: | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
plan_stdout: ${{ steps.plan.outputs.stdout }} | |
plan_outcome: ${{ steps.plan.outcome }} | |
fmt_outcome: ${{ steps.fmt.outcome }} | |
init_outcome: ${{ steps.init.outcome }} | |
validate_outcome: ${{ steps.validate.outcome }} | |
validate_stdout: ${{ steps.validate.outputs.stdout }} | |
github_actor: ${{ github.actor }} | |
github_event_name: ${{ github.event_name }} | |
tf_working_directory: ${{ env.TF_WORKING_DIRECTORY }} | |
github_workflow: ${{ github.workflow }} | |
- name: Remove Runner to KV whitelist | |
uses: azure/CLI@v1 | |
if: always() | |
with: | |
azcliversion: 2.45.0 | |
inlineScript: | | |
az keyvault network-rule remove --name ${{ env.AZ_KEYVAULT_NAME }} --ip-address ${{ steps.whats-my-ip.outputs.ip }} &> /dev/null | |
terraform-lint: | |
name: Terraform Lint | |
runs-on: ubuntu-22.04 | |
defaults: | |
run: | |
working-directory: ${{ env.TF_WORKING_DIRECTORY }} | |
steps: | |
- name: Clone repo | |
uses: actions/checkout@v4 | |
- name: Setup TFLint | |
uses: terraform-linters/setup-tflint@v4 | |
with: | |
tflint_version: v0.44.1 | |
- name: Run TFLint | |
run: tflint -f compact | |
tfsec-pr-commenter: | |
name: tfsec Check | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Clone repo | |
uses: actions/checkout@v4 | |
- name: tfsec | |
uses: aquasecurity/[email protected] | |
with: | |
github_token: ${{ github.token }} |