diff --git a/.github/CODE_OF_CONDUCT.md b/.github/CODE_OF_CONDUCT.md
deleted file mode 100644
index f9ba8cf..0000000
--- a/.github/CODE_OF_CONDUCT.md
+++ /dev/null
@@ -1,9 +0,0 @@
-# Microsoft Open Source Code of Conduct
-
-This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
-
-Resources:
-
-- [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
-- [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
-- Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
deleted file mode 100644
index 7602182..0000000
--- a/.github/dependabot.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
-
-version: 2
-updates:
- - package-ecosystem: "terraform" # See documentation for possible values
- directory: "/" # Location of package manifests
- schedule:
- interval: "weekly"
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
new file mode 100644
index 0000000..174739e
--- /dev/null
+++ b/.github/workflows/terraform.yml
@@ -0,0 +1,48 @@
+name: 'Terraform'
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ terraform:
+ name: 'Terraform'
+ env:
+ ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+ ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
+ ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+ runs-on: ubuntu-latest
+ environment: production
+ # Use the Bash shell regardless of whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
+ defaults:
+ run:
+ shell: bash
+ steps:
+ # Checkout the repository to the GitHub Actions runner
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v2
+ with:
+ cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
+
+ # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
+ - name: Terraform Init
+ run: terraform init
+
+ # Generates an execution plan for Terraform
+ - name: Terraform Plan
+ run: terraform plan -input=false
+
+ # Apply Terraform changes
+ - name: Terraform Apply
+ run: terraform apply -auto-approve -input=false
diff --git a/.github/workflows/tf-drift.yml b/.github/workflows/tf-drift.yml
deleted file mode 100644
index a92b2d3..0000000
--- a/.github/workflows/tf-drift.yml
+++ /dev/null
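Review bot: The `Terraform Apply` step at the end of the hunk runs `terraform apply -auto-approve` on every trigger, including `pull_request`, because neither the job nor the step is conditioned on the event or branch; a same-repository PR against `main` would therefore change the `production` infrastructure before review, unless that environment has required reviewers configured (not visible here; fork PRs receive no secrets, so they would fail rather than apply). Gate the step, e.g. `if: github.event_name != 'pull_request'`, so PRs only plan. The apply also re-plans instead of consuming the plan just produced; `run: terraform plan -input=false -out=tfplan` followed by `run: terraform apply -auto-approve -input=false tfplan` guarantees that what was reviewed in the plan output is what gets applied. Authentication moves from the federated OIDC setup of the deleted workflows (`id-token: write`, `use_oidc`) to a long-lived `ARM_CLIENT_SECRET`, which is a regression in credential hygiene worth calling out in the commit message if intentional. Finally, `cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}` appears unused with the `azurerm` backend configured in `main.tf`, so the Terraform Cloud token is handed to every run for no purpose and can be dropped.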
@@ -1,174 +0,0 @@ -name: 'Terraform Configuration Drift Detection' - -on: - workflow_dispatch: - schedule: - - cron: '41 3 * * *' # runs nightly at 3:41 am - -#Special permissions required for OIDC authentication -permissions: - id-token: write - contents: read - issues: write - -#These environment variables are used by the terraform azure provider to setup OIDD authenticate. -env: - ARM_CLIENT_ID: "${{ secrets.AZURE_CLIENT_ID }}" - ARM_SUBSCRIPTION_ID: "${{ secrets.AZURE_SUBSCRIPTION_ID }}" - ARM_TENANT_ID: "${{ secrets.AZURE_TENANT_ID }}" - -jobs: - terraform-plan: - name: 'Terraform Plan' - runs-on: ubuntu-latest - env: - #this is needed since we are running terraform with read-only permissions - ARM_SKIP_PROVIDER_REGISTRATION: true - outputs: - tfplanExitCode: ${{ steps.tf-plan.outputs.exitcode }} - - steps: - # Checkout the repository to the GitHub Actions runner - - name: Checkout - uses: actions/checkout@v3 - - # Install the latest version of the Terraform CLI - - name: Setup Terraform - uses: hashicorp/setup-terraform@v2 - with: - terraform_wrapper: false - - # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. - - name: Terraform Init - run: terraform init - - # Generates an execution plan for Terraform - # An exit code of 0 indicated no changes, 1 a terraform failure, 2 there are pending changes. - - name: Terraform Plan - id: tf-plan - run: | - export exitcode=0 - terraform plan -detailed-exitcode -no-color -out tfplan || export exitcode=$? - - echo "exitcode=$exitcode" >> $GITHUB_OUTPUT - - if [ $exitcode -eq 1 ]; then - echo Terraform Plan Failed! 
- exit 1 - else - exit 0 - fi - - # Save plan to artifacts - - name: Publish Terraform Plan - uses: actions/upload-artifact@v3 - with: - name: tfplan - path: tfplan - - # Create string output of Terraform Plan - - name: Create String Output - id: tf-plan-string - run: | - TERRAFORM_PLAN=$(terraform show -no-color tfplan) - - delimiter="$(openssl rand -hex 8)" - echo "summary<<${delimiter}" >> $GITHUB_OUTPUT - echo "## Terraform Plan Output" >> $GITHUB_OUTPUT - echo "
Click to expand" >> $GITHUB_OUTPUT - echo "" >> $GITHUB_OUTPUT - echo '```terraform' >> $GITHUB_OUTPUT - echo "$TERRAFORM_PLAN" >> $GITHUB_OUTPUT - echo '```' >> $GITHUB_OUTPUT - echo "
" >> $GITHUB_OUTPUT - echo "${delimiter}" >> $GITHUB_OUTPUT - - # Publish Terraform Plan as task summary - - name: Publish Terraform Plan to Task Summary - env: - SUMMARY: ${{ steps.tf-plan-string.outputs.summary }} - run: | - echo "$SUMMARY" >> $GITHUB_STEP_SUMMARY - - # If changes are detected, create a new issue - - name: Publish Drift Report - if: steps.tf-plan.outputs.exitcode == 2 - uses: actions/github-script@v6 - env: - SUMMARY: "${{ steps.tf-plan-string.outputs.summary }}" - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - const body = `${process.env.SUMMARY}`; - const title = 'Terraform Configuration Drift Detected'; - const creator = 'github-actions[bot]' - - // Look to see if there is an existing drift issue - const issues = await github.rest.issues.listForRepo({ - owner: context.repo.owner, - repo: context.repo.repo, - state: 'open', - creator: creator, - title: title - }) - - if( issues.data.length > 0 ) { - // We assume there shouldn't be more than 1 open issue, since we update any issue we find - const issue = issues.data[0] - - if ( issue.body == body ) { - console.log('Drift Detected: Found matching issue with duplicate content') - } else { - console.log('Drift Detected: Found matching issue, updating body') - github.rest.issues.update({ - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: issue.number, - body: body - }) - } - } else { - console.log('Drift Detected: Creating new issue') - - github.rest.issues.create({ - owner: context.repo.owner, - repo: context.repo.repo, - title: title, - body: body - }) - } - - # If changes aren't detected, close any open drift issues - - name: Publish Drift Report - if: steps.tf-plan.outputs.exitcode == 0 - uses: actions/github-script@v6 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - const title = 'Terraform Configuration Drift Detected'; - const creator = 'github-actions[bot]' - - // Look to see if there is an existing drift issue - const issues = await 
github.rest.issues.listForRepo({ - owner: context.repo.owner, - repo: context.repo.repo, - state: 'open', - creator: creator, - title: title - }) - - if( issues.data.length > 0 ) { - const issue = issues.data[0] - - github.rest.issues.update({ - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: issue.number, - state: 'closed' - }) - } - - # Mark the workflow as failed if drift detected - - name: Error on Failure - if: steps.tf-plan.outputs.exitcode == 2 - run: exit 1 diff --git a/.github/workflows/tf-plan-apply.yml b/.github/workflows/tf-plan-apply.yml deleted file mode 100644 index 1e97900..0000000 --- a/.github/workflows/tf-plan-apply.yml +++ /dev/null 
@@ -1,146 +0,0 @@ -name: 'Terraform Plan/Apply' - -on: - push: - branches: - - main - pull_request: - branches: - - main - -#Special permissions required for OIDC authentication -permissions: - id-token: write - contents: read - pull-requests: write - -#These environment variables are used by the terraform azure provider to setup OIDD authenticate. -env: - ARM_CLIENT_ID: "${{ secrets.AZURE_CLIENT_ID }}" - ARM_SUBSCRIPTION_ID: "${{ secrets.AZURE_SUBSCRIPTION_ID }}" - ARM_TENANT_ID: "${{ secrets.AZURE_TENANT_ID }}" - -jobs: - terraform-plan: - name: 'Terraform Plan' - runs-on: ubuntu-latest - env: - #this is needed since we are running terraform with read-only permissions - ARM_SKIP_PROVIDER_REGISTRATION: true - outputs: - tfplanExitCode: ${{ steps.tf-plan.outputs.exitcode }} - - steps: - # Checkout the repository to the GitHub Actions runner - - name: Checkout - uses: actions/checkout@v3 - - # Install the latest version of the Terraform CLI - - name: Setup Terraform - uses: hashicorp/setup-terraform@v2 - with: - terraform_wrapper: false - - # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. - - name: Terraform Init - run: terraform init - - # Checks that all Terraform configuration files adhere to a canonical format - # Will fail the build if not - - name: Terraform Format - run: terraform fmt -check - - # Generates an execution plan for Terraform - # An exit code of 0 indicated no changes, 1 a terraform failure, 2 there are pending changes. - - name: Terraform Plan - id: tf-plan - run: | - export exitcode=0 - terraform plan -detailed-exitcode -no-color -out tfplan || export exitcode=$? - - echo "exitcode=$exitcode" >> $GITHUB_OUTPUT - - if [ $exitcode -eq 1 ]; then - echo Terraform Plan Failed! 
- exit 1 - else - exit 0 - fi - - # Save plan to artifacts - - name: Publish Terraform Plan - uses: actions/upload-artifact@v3 - with: - name: tfplan - path: tfplan - - # Create string output of Terraform Plan - - name: Create String Output - id: tf-plan-string - run: | - TERRAFORM_PLAN=$(terraform show -no-color tfplan) - - delimiter="$(openssl rand -hex 8)" - echo "summary<<${delimiter}" >> $GITHUB_OUTPUT - echo "## Terraform Plan Output" >> $GITHUB_OUTPUT - echo "
Click to expand" >> $GITHUB_OUTPUT - echo "" >> $GITHUB_OUTPUT - echo '```terraform' >> $GITHUB_OUTPUT - echo "$TERRAFORM_PLAN" >> $GITHUB_OUTPUT - echo '```' >> $GITHUB_OUTPUT - echo "
" >> $GITHUB_OUTPUT - echo "${delimiter}" >> $GITHUB_OUTPUT - - # Publish Terraform Plan as task summary - - name: Publish Terraform Plan to Task Summary - env: - SUMMARY: ${{ steps.tf-plan-string.outputs.summary }} - run: | - echo "$SUMMARY" >> $GITHUB_STEP_SUMMARY - - # If this is a PR post the changes - - name: Push Terraform Output to PR - if: github.ref != 'refs/heads/main' - uses: actions/github-script@v6 - env: - SUMMARY: "${{ steps.tf-plan-string.outputs.summary }}" - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - const body = `${process.env.SUMMARY}`; - github.rest.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: body - }) - - terraform-apply: - name: 'Terraform Apply' - if: github.ref == 'refs/heads/main' && needs.terraform-plan.outputs.tfplanExitCode == 2 - runs-on: ubuntu-latest - environment: production - needs: [terraform-plan] - - steps: - # Checkout the repository to the GitHub Actions runner - - name: Checkout - uses: actions/checkout@v3 - - # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token - - name: Setup Terraform - uses: hashicorp/setup-terraform@v2 - - # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. - - name: Terraform Init - run: terraform init - - # Download saved plan from artifacts - - name: Download Terraform Plan - uses: actions/download-artifact@v3 - with: - name: tfplan - - # Terraform Apply - - name: Terraform Apply - run: terraform apply -auto-approve tfplan diff --git a/.github/workflows/tf-unit-tests.yml b/.github/workflows/tf-unit-tests.yml deleted file mode 100644 index 2014e7f..0000000 --- a/.github/workflows/tf-unit-tests.yml +++ /dev/null 
@@ -1,50 +0,0 @@ -name: 'Terraform Unit Tests' - -on: - push: - -permissions: - actions: read - contents: read - security-events: write - -jobs: - terraform-unit-tests: - name: 'Terraform Unit Tests' - runs-on: ubuntu-latest - - steps: - # Checkout the repository to the GitHub Actions runner - - name: Checkout - uses: actions/checkout@v3 - - # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token - - name: Setup Terraform - uses: hashicorp/setup-terraform@v2 - - # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. - - name: Terraform Init - run: terraform init -backend=false - - # Validate terraform files - - name: Terraform Validate - run: terraform validate - - # Checks that all Terraform configuration files adhere to a canonical format - - name: Terraform Format - run: terraform fmt -check -recursive - - # Perform a security scan of the terraform code using checkov - - name: Run Checkov action - id: checkov - uses: bridgecrewio/checkov-action@master - with: - framework: terraform - - # Upload results to GitHub Advanced Security - - name: Upload SARIF file - if: success() || failure() - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: results.sarif - category: checkov diff --git a/README.md b/README.md index b87f340..0a7a934 100644 --- a/README.md +++ b/README.md @@ -4,3 +4,4 @@ ## Terraform on Azure using Github Actions https://github.com/Azure-Samples/terraform-github-actions +https://gmusumeci.medium.com/deploying-terraform-in-azure-using-github-actions-step-by-step-bf8804b17711 \ No newline at end of file diff --git a/main.tf b/main.tf index 18b3e9e..3317123 100644 --- a/main.tf +++ b/main.tf 
@@ -1,28 +1,20 @@
+# Define Terraform provider
 terraform {
+ required_version = ">= 1.3"
+ backend "azurerm" {
+ resource_group_name = "mn-tfstate-rg"
+ storage_account_name = "mntfstate"
+ container_name = "tfstate"
+ key = "prod.terraform.tfstate"
+ }
 required_providers {
 azurerm = {
+ version = "~>3.2"
 source = "hashicorp/azurerm"
- version = ">= 3.7.0"
 }
 }
-
- # Update this block with the location of your terraform state file
- backend "azurerm" {
- resource_group_name = "meganeura-tfstate"
- storage_account_name = "meganeuratfstate"
- container_name = "meganeura-tfstate"
- key = "prod.terraform.tfstate"
- use_oidc = true
- }
 }
-
+# Configure the Azure provider
 provider "azurerm" {
 features {}
- use_oidc = true
-}
-
-# Define any Azure resources to be created here. A simple resource group is shown here as a minimal example.
-resource "azurerm_resource_group" "rg-aks" {
- name = var.resource_group_name
- location = var.location
-}
+}
\ No newline at end of file
diff --git a/terraform.tfvars b/terraform.tfvars
deleted file mode 100644
index 6440d63..0000000
--- a/terraform.tfvars
+++ /dev/null
@@ -1,3 +0,0 @@
-# Sample values
-resource_group_name = "rg-terraform-github-actions"
-location = "eastus"
diff --git a/variables.tf b/variables.tf
deleted file mode 100644
index 6b68db1..0000000
--- a/variables.tf
+++ /dev/null
@@ -1,2 +0,0 @@
-variable "resource_group_name" {}
-variable "location" {}
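Review bot: The new header comment `# Define Terraform provider` above `terraform {` is inaccurate: that block sets the CLI version constraint, the `azurerm` state backend and the provider version constraint, while the provider itself is configured in the `provider "azurerm"` block further down; suggest `# Terraform settings: CLI version, remote state backend, provider constraints`. With `version = "~>3.2"` any 3.x release at or above 3.2 is accepted, and this commit also deletes `.github/dependabot.yml`, so unless a `.terraform.lock.hcl` is committed (not visible in this diff) each CI `terraform init` will silently resolve the newest 3.x provider; commit the lock file or tighten the constraint so provider upgrades arrive as reviewable changes. The backend block drops `use_oidc = true`, which is consistent with the client-secret authentication in the new workflow but should be stated in the commit message since it changes how state-storage access is authenticated. The file now ends without a trailing newline (`\ No newline at end of file`); `terraform fmt` would normally restore it.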