diff --git a/.github/CODE_OF_CONDUCT.md b/.github/CODE_OF_CONDUCT.md
deleted file mode 100644
index f9ba8cf..0000000
--- a/.github/CODE_OF_CONDUCT.md
+++ /dev/null
@@ -1,9 +0,0 @@
-# Microsoft Open Source Code of Conduct
-
-This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
-
-Resources:
-
-- [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
-- [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
-- Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
deleted file mode 100644
index 7602182..0000000
--- a/.github/dependabot.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
-
-version: 2
-updates:
- - package-ecosystem: "terraform" # See documentation for possible values
- directory: "/" # Location of package manifests
- schedule:
- interval: "weekly"
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
new file mode 100644
index 0000000..174739e
--- /dev/null
+++ b/.github/workflows/terraform.yml
@@ -0,0 +1,48 @@
+name: 'Terraform'
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ terraform:
+ name: 'Terraform'
+ env:
+ ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+ ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
+ ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+ runs-on: ubuntu-latest
+ environment: production
+ # Use the Bash shell regardless of whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
+ defaults:
+ run:
+ shell: bash
+ steps:
+ # Checkout the repository to the GitHub Actions runner
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v2
+ with:
+ cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
+
+ # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
+ - name: Terraform Init
+ run: terraform init
+
+ # Generates an execution plan for Terraform
+ - name: Terraform Plan
+ run: terraform plan -input=false
+
+ # Apply Terraform changes
+ - name: Terraform Apply
+ run: terraform apply -auto-approve -input=false
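Review bot: The final `Terraform Apply` step runs unconditionally, yet the workflow also fires on the `pull_request` trigger under `on:`, so a pull request from a branch of this repository would apply to production with the secrets bound by `environment: production`, and because `terraform plan` is run without `-out`, the plan that was just printed is not the plan that gets applied. Gate the apply on the default branch and apply the saved plan: `run: terraform plan -input=false -out=tfplan` for the plan step, and `if: github.ref == 'refs/heads/main' && github.event_name != 'pull_request'` together with `run: terraform apply -input=false tfplan` for the apply step. The job also replaces the OIDC federation the deleted workflows used (`id-token: write`, no client secret) with a long-lived `AZURE_CLIENT_SECRET`; keeping `id-token: write` in `permissions` and setting `ARM_USE_OIDC: "true"` in `env` would avoid storing a reusable credential in GitHub. `cli_config_credentials_token` only writes a Terraform Cloud token, which the `azurerm` backend in main.tf never reads, so `TF_API_TOKEN` can be dropped. Pinning `actions/checkout` and `hashicorp/setup-terraform` to full commit SHAs instead of the mutable `@v3`/`@v2` tags would close off tag retargeting in the action supply chain.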
diff --git a/.github/workflows/tf-drift.yml b/.github/workflows/tf-drift.yml
deleted file mode 100644
index a92b2d3..0000000
--- a/.github/workflows/tf-drift.yml
+++ /dev/null
@@ -1,174 +0,0 @@
-name: 'Terraform Configuration Drift Detection'
-
-on:
- workflow_dispatch:
- schedule:
- - cron: '41 3 * * *' # runs nightly at 3:41 am
-
-#Special permissions required for OIDC authentication
-permissions:
- id-token: write
- contents: read
- issues: write
-
-#These environment variables are used by the terraform azure provider to setup OIDD authenticate.
-env:
- ARM_CLIENT_ID: "${{ secrets.AZURE_CLIENT_ID }}"
- ARM_SUBSCRIPTION_ID: "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
- ARM_TENANT_ID: "${{ secrets.AZURE_TENANT_ID }}"
-
-jobs:
- terraform-plan:
- name: 'Terraform Plan'
- runs-on: ubuntu-latest
- env:
- #this is needed since we are running terraform with read-only permissions
- ARM_SKIP_PROVIDER_REGISTRATION: true
- outputs:
- tfplanExitCode: ${{ steps.tf-plan.outputs.exitcode }}
-
- steps:
- # Checkout the repository to the GitHub Actions runner
- - name: Checkout
- uses: actions/checkout@v3
-
- # Install the latest version of the Terraform CLI
- - name: Setup Terraform
- uses: hashicorp/setup-terraform@v2
- with:
- terraform_wrapper: false
-
- # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
- - name: Terraform Init
- run: terraform init
-
- # Generates an execution plan for Terraform
- # An exit code of 0 indicated no changes, 1 a terraform failure, 2 there are pending changes.
- - name: Terraform Plan
- id: tf-plan
- run: |
- export exitcode=0
- terraform plan -detailed-exitcode -no-color -out tfplan || export exitcode=$?
-
- echo "exitcode=$exitcode" >> $GITHUB_OUTPUT
-
- if [ $exitcode -eq 1 ]; then
- echo Terraform Plan Failed!
- exit 1
- else
- exit 0
- fi
-
- # Save plan to artifacts
- - name: Publish Terraform Plan
- uses: actions/upload-artifact@v3
- with:
- name: tfplan
- path: tfplan
-
- # Create string output of Terraform Plan
- - name: Create String Output
- id: tf-plan-string
- run: |
- TERRAFORM_PLAN=$(terraform show -no-color tfplan)
-
- delimiter="$(openssl rand -hex 8)"
- echo "summary<<${delimiter}" >> $GITHUB_OUTPUT
- echo "## Terraform Plan Output" >> $GITHUB_OUTPUT
- echo "Click to expand
" >> $GITHUB_OUTPUT
- echo "" >> $GITHUB_OUTPUT
- echo '```terraform' >> $GITHUB_OUTPUT
- echo "$TERRAFORM_PLAN" >> $GITHUB_OUTPUT
- echo '```' >> $GITHUB_OUTPUT
- echo " " >> $GITHUB_OUTPUT
- echo "${delimiter}" >> $GITHUB_OUTPUT
-
- # Publish Terraform Plan as task summary
- - name: Publish Terraform Plan to Task Summary
- env:
- SUMMARY: ${{ steps.tf-plan-string.outputs.summary }}
- run: |
- echo "$SUMMARY" >> $GITHUB_STEP_SUMMARY
-
- # If changes are detected, create a new issue
- - name: Publish Drift Report
- if: steps.tf-plan.outputs.exitcode == 2
- uses: actions/github-script@v6
- env:
- SUMMARY: "${{ steps.tf-plan-string.outputs.summary }}"
- with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
- script: |
- const body = `${process.env.SUMMARY}`;
- const title = 'Terraform Configuration Drift Detected';
- const creator = 'github-actions[bot]'
-
- // Look to see if there is an existing drift issue
- const issues = await github.rest.issues.listForRepo({
- owner: context.repo.owner,
- repo: context.repo.repo,
- state: 'open',
- creator: creator,
- title: title
- })
-
- if( issues.data.length > 0 ) {
- // We assume there shouldn't be more than 1 open issue, since we update any issue we find
- const issue = issues.data[0]
-
- if ( issue.body == body ) {
- console.log('Drift Detected: Found matching issue with duplicate content')
- } else {
- console.log('Drift Detected: Found matching issue, updating body')
- github.rest.issues.update({
- owner: context.repo.owner,
- repo: context.repo.repo,
- issue_number: issue.number,
- body: body
- })
- }
- } else {
- console.log('Drift Detected: Creating new issue')
-
- github.rest.issues.create({
- owner: context.repo.owner,
- repo: context.repo.repo,
- title: title,
- body: body
- })
- }
-
- # If changes aren't detected, close any open drift issues
- - name: Publish Drift Report
- if: steps.tf-plan.outputs.exitcode == 0
- uses: actions/github-script@v6
- with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
- script: |
- const title = 'Terraform Configuration Drift Detected';
- const creator = 'github-actions[bot]'
-
- // Look to see if there is an existing drift issue
- const issues = await github.rest.issues.listForRepo({
- owner: context.repo.owner,
- repo: context.repo.repo,
- state: 'open',
- creator: creator,
- title: title
- })
-
- if( issues.data.length > 0 ) {
- const issue = issues.data[0]
-
- github.rest.issues.update({
- owner: context.repo.owner,
- repo: context.repo.repo,
- issue_number: issue.number,
- state: 'closed'
- })
- }
-
- # Mark the workflow as failed if drift detected
- - name: Error on Failure
- if: steps.tf-plan.outputs.exitcode == 2
- run: exit 1
diff --git a/.github/workflows/tf-plan-apply.yml b/.github/workflows/tf-plan-apply.yml
deleted file mode 100644
index 1e97900..0000000
--- a/.github/workflows/tf-plan-apply.yml
+++ /dev/null
@@ -1,146 +0,0 @@
-name: 'Terraform Plan/Apply'
-
-on:
- push:
- branches:
- - main
- pull_request:
- branches:
- - main
-
-#Special permissions required for OIDC authentication
-permissions:
- id-token: write
- contents: read
- pull-requests: write
-
-#These environment variables are used by the terraform azure provider to setup OIDD authenticate.
-env:
- ARM_CLIENT_ID: "${{ secrets.AZURE_CLIENT_ID }}"
- ARM_SUBSCRIPTION_ID: "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
- ARM_TENANT_ID: "${{ secrets.AZURE_TENANT_ID }}"
-
-jobs:
- terraform-plan:
- name: 'Terraform Plan'
- runs-on: ubuntu-latest
- env:
- #this is needed since we are running terraform with read-only permissions
- ARM_SKIP_PROVIDER_REGISTRATION: true
- outputs:
- tfplanExitCode: ${{ steps.tf-plan.outputs.exitcode }}
-
- steps:
- # Checkout the repository to the GitHub Actions runner
- - name: Checkout
- uses: actions/checkout@v3
-
- # Install the latest version of the Terraform CLI
- - name: Setup Terraform
- uses: hashicorp/setup-terraform@v2
- with:
- terraform_wrapper: false
-
- # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
- - name: Terraform Init
- run: terraform init
-
- # Checks that all Terraform configuration files adhere to a canonical format
- # Will fail the build if not
- - name: Terraform Format
- run: terraform fmt -check
-
- # Generates an execution plan for Terraform
- # An exit code of 0 indicated no changes, 1 a terraform failure, 2 there are pending changes.
- - name: Terraform Plan
- id: tf-plan
- run: |
- export exitcode=0
- terraform plan -detailed-exitcode -no-color -out tfplan || export exitcode=$?
-
- echo "exitcode=$exitcode" >> $GITHUB_OUTPUT
-
- if [ $exitcode -eq 1 ]; then
- echo Terraform Plan Failed!
- exit 1
- else
- exit 0
- fi
-
- # Save plan to artifacts
- - name: Publish Terraform Plan
- uses: actions/upload-artifact@v3
- with:
- name: tfplan
- path: tfplan
-
- # Create string output of Terraform Plan
- - name: Create String Output
- id: tf-plan-string
- run: |
- TERRAFORM_PLAN=$(terraform show -no-color tfplan)
-
- delimiter="$(openssl rand -hex 8)"
- echo "summary<<${delimiter}" >> $GITHUB_OUTPUT
- echo "## Terraform Plan Output" >> $GITHUB_OUTPUT
- echo "Click to expand
" >> $GITHUB_OUTPUT
- echo "" >> $GITHUB_OUTPUT
- echo '```terraform' >> $GITHUB_OUTPUT
- echo "$TERRAFORM_PLAN" >> $GITHUB_OUTPUT
- echo '```' >> $GITHUB_OUTPUT
- echo " " >> $GITHUB_OUTPUT
- echo "${delimiter}" >> $GITHUB_OUTPUT
-
- # Publish Terraform Plan as task summary
- - name: Publish Terraform Plan to Task Summary
- env:
- SUMMARY: ${{ steps.tf-plan-string.outputs.summary }}
- run: |
- echo "$SUMMARY" >> $GITHUB_STEP_SUMMARY
-
- # If this is a PR post the changes
- - name: Push Terraform Output to PR
- if: github.ref != 'refs/heads/main'
- uses: actions/github-script@v6
- env:
- SUMMARY: "${{ steps.tf-plan-string.outputs.summary }}"
- with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
- script: |
- const body = `${process.env.SUMMARY}`;
- github.rest.issues.createComment({
- issue_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- body: body
- })
-
- terraform-apply:
- name: 'Terraform Apply'
- if: github.ref == 'refs/heads/main' && needs.terraform-plan.outputs.tfplanExitCode == 2
- runs-on: ubuntu-latest
- environment: production
- needs: [terraform-plan]
-
- steps:
- # Checkout the repository to the GitHub Actions runner
- - name: Checkout
- uses: actions/checkout@v3
-
- # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
- - name: Setup Terraform
- uses: hashicorp/setup-terraform@v2
-
- # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
- - name: Terraform Init
- run: terraform init
-
- # Download saved plan from artifacts
- - name: Download Terraform Plan
- uses: actions/download-artifact@v3
- with:
- name: tfplan
-
- # Terraform Apply
- - name: Terraform Apply
- run: terraform apply -auto-approve tfplan
diff --git a/.github/workflows/tf-unit-tests.yml b/.github/workflows/tf-unit-tests.yml
deleted file mode 100644
index 2014e7f..0000000
--- a/.github/workflows/tf-unit-tests.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-name: 'Terraform Unit Tests'
-
-on:
- push:
-
-permissions:
- actions: read
- contents: read
- security-events: write
-
-jobs:
- terraform-unit-tests:
- name: 'Terraform Unit Tests'
- runs-on: ubuntu-latest
-
- steps:
- # Checkout the repository to the GitHub Actions runner
- - name: Checkout
- uses: actions/checkout@v3
-
- # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
- - name: Setup Terraform
- uses: hashicorp/setup-terraform@v2
-
- # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
- - name: Terraform Init
- run: terraform init -backend=false
-
- # Validate terraform files
- - name: Terraform Validate
- run: terraform validate
-
- # Checks that all Terraform configuration files adhere to a canonical format
- - name: Terraform Format
- run: terraform fmt -check -recursive
-
- # Perform a security scan of the terraform code using checkov
- - name: Run Checkov action
- id: checkov
- uses: bridgecrewio/checkov-action@master
- with:
- framework: terraform
-
- # Upload results to GitHub Advanced Security
- - name: Upload SARIF file
- if: success() || failure()
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: results.sarif
- category: checkov
diff --git a/README.md b/README.md
index b87f340..0a7a934 100644
--- a/README.md
+++ b/README.md
@@ -4,3 +4,4 @@
## Terraform on Azure using Github Actions
https://github.com/Azure-Samples/terraform-github-actions
+https://gmusumeci.medium.com/deploying-terraform-in-azure-using-github-actions-step-by-step-bf8804b17711
\ No newline at end of file
diff --git a/main.tf b/main.tf
index 18b3e9e..3317123 100644
--- a/main.tf
+++ b/main.tf
@@ -1,28 +1,20 @@
+# Define Terraform provider
terraform {
+ required_version = ">= 1.3"
+ backend "azurerm" {
+ resource_group_name = "mn-tfstate-rg"
+ storage_account_name = "mntfstate"
+ container_name = "tfstate"
+ key = "prod.terraform.tfstate"
+ }
required_providers {
azurerm = {
+ version = "~>3.2"
source = "hashicorp/azurerm"
- version = ">= 3.7.0"
}
}
-
- # Update this block with the location of your terraform state file
- backend "azurerm" {
- resource_group_name = "meganeura-tfstate"
- storage_account_name = "meganeuratfstate"
- container_name = "meganeura-tfstate"
- key = "prod.terraform.tfstate"
- use_oidc = true
- }
}
-
+# Configure the Azure provider
provider "azurerm" {
features {}
- use_oidc = true
-}
-
-# Define any Azure resources to be created here. A simple resource group is shown here as a minimal example.
-resource "azurerm_resource_group" "rg-aks" {
- name = var.resource_group_name
- location = var.location
-}
+}
\ No newline at end of file
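Review bot: Removing `use_oidc = true` from both the `backend "azurerm"` block and the `provider "azurerm"` block means state access and resource management now authenticate with whatever client secret the workflow supplies; this matches the new workflow but trades a short-lived federated token for a long-lived credential stored in GitHub. If the service principal still has a federated credential configured, restoring `use_oidc = true` in both blocks (with `id-token: write` in the workflow) keeps the previous posture without any other change. The new comment `# Define Terraform provider` above `terraform {` is misleading, since that block holds the version constraint, the remote-state backend and `required_providers` rather than the provider itself; `# Terraform settings: version constraint, remote state backend, required providers` describes it. The file also now ends without a trailing newline, which `terraform fmt -check` would previously have caught before the unit-test workflow was deleted.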
diff --git a/terraform.tfvars b/terraform.tfvars
deleted file mode 100644
index 6440d63..0000000
--- a/terraform.tfvars
+++ /dev/null
@@ -1,3 +0,0 @@
-# Sample values
-resource_group_name = "rg-terraform-github-actions"
-location = "eastus"
diff --git a/variables.tf b/variables.tf
deleted file mode 100644
index 6b68db1..0000000
--- a/variables.tf
+++ /dev/null
@@ -1,2 +0,0 @@
-variable "resource_group_name" {}
-variable "location" {}