Skip to content
Terraform CICD

upgrade terrascan to v3 action #129

Sign in to view logs

upgrade terrascan to v3 action

upgrade terrascan to v3 action #129

Workflow file for this run

.github/workflows/terraform.yml at 77cee35
---
name: "Terraform CICD"
on:
push:
branches:
- main
- develop
pull_request:
env:
# verbosity setting for Terraform logs
TF_LOG: INFO
jobs:
terraform:
name: "Terraform CICD"
runs-on: ubuntu-latest
permissions:
pull-requests: write # Required for creating or updating PRs
contents: write # Required for modifying files (if applicable)
defaults:
run:
shell: bash
steps:
- name: Checkout the repository to the runner
uses: actions/checkout@v2
- id: 'auth'
name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@v2'
with:
credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
- name: 'Set up Cloud SDK'
uses: 'google-github-actions/setup-gcloud@v2'
- name: Setup Terraform with specified version on the runner
uses: hashicorp/setup-terraform@v2
with:
terraform_version: 1.3.0
- name: Terraform init [pull_request]
id: init-pr
if: github.event_name == 'pull_request'
run: |
if [ "${{ github.event.pull_request.base.ref }}" == "develop" ]; then
export ENV="dev";
elif [ "${{ github.event.pull_request.base.ref }}" == "main" ]; then
export ENV="prod";
else
echo "unsupported environment";
fi
terraform init -upgrade -backend-config=backend/$ENV.tfvars --reconfigure
- name: Terraform init [push]
id: init-push
if: github.event_name == 'push'
run: |
if [ "${{ github.ref }}" == "refs/heads/develop" ]; then
export ENV="dev";
elif [ "${{ github.ref }}" == "refs/heads/main" ]; then
export ENV="prod";
else
echo "unsupported environment";
fi
terraform init -upgrade -backend-config=backend/$ENV.tfvars --reconfigure
- name: Terraform format
id: fmt
run: terraform fmt -check
- name: Terraform validate
id: validate
run: terraform validate
- uses: actions/cache@v4
name: Cache plugin dir
with:
path: ~/.tflint.d/plugins
key: ${{ matrix.os }}-tflint-${{ hashFiles('.tflint.hcl') }}
- uses: terraform-linters/setup-tflint@v4
name: Setup TFLint
with:
tflint_version: v0.52.0
- name: Show version
run: tflint --version
- name: Init TFLint
run: tflint --init
env:
# https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
GITHUB_TOKEN: ${{ github.token }}
- name: Run TFLint
run: tflint -f compact --recursive --minimum-failure-severity=error
- name: Run Terrascan
id: terrascan
uses: tenable/terrascan-action@main
with:
iac_type: 'terraform'
iac_version: 'v14'
only_warn: true
sarif_upload: true
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: terrascan.sarif
- name: Terraform plan [pull_request]
id: plan-pr
if: github.event_name == 'pull_request'
run: |
if [ "${{ github.event.pull_request.base.ref }}" == "develop" ]; then
export ENV="dev";
elif [ "${{ github.event.pull_request.base.ref }}" == "main" ]; then
export ENV="prod";
else
echo "unsupported environment";
fi
terraform plan -input=false -var-file=variables/$ENV.auto.tfvars -lock=false
continue-on-error: true
- name: Terraform plan [push]
id: plan-push
if: github.event_name == 'push'
run: |
if [ "${{ github.ref }}" == "refs/heads/develop" ]; then
export ENV="dev";
elif [ "${{ github.ref }}" == "refs/heads/main" ]; then
export ENV="prod";
else
echo "unsupported environment";
fi
terraform plan -input=false -var-file=variables/$ENV.auto.tfvars -lock=false
continue-on-error: true
- uses: actions/github-script@v6
name: Terraform Plan Comment on PR
if: github.event_name == 'pull_request'
env:
PLAN: "terraform\n${{ steps.plan-pr.outputs.stdout }}"
with:
script: |
const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
#### Terraform Initialization ⚙️\`${{ steps.init-pr.outcome }}\`
#### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
#### Terraform Plan 📖\`${{ steps.plan-pr.outcome }}\`
<details><summary>Show Plan</summary>
\`\`\`\n
${process.env.PLAN}
\`\`\`
</details>
*Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})
- name: Terraform Plan Status [pull_request]
if: github.event_name == 'pull_request' && steps.plan-pr.outcome == 'failure'
run: exit 1
- name: Terraform Plan Status
if: github.event_name == 'push' && steps.plan-push.outcome == 'failure'
run: exit 1
- name: Terraform Apply
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
run: |
if [ "${{ github.ref }}" == "refs/heads/develop" ]; then
export ENV="dev";
elif [ "${{ github.ref }}" == "refs/heads/main" ]; then
export ENV="prod";
else
echo "unsupported environment";
fi
terraform apply -var-file=variables/$ENV.auto.tfvars -auto-approve -lock=false
otel-cicd-action:
if: always()
name: OpenTelemetry Export Trace
runs-on: ubuntu-latest
needs: [terraform] # must run when all jobs are completed
steps:
- name: Export workflow
uses: corentinmusard/otel-cicd-action@v2
with:
otlpEndpoint: grpc://api.honeycomb.io:443/
otlpHeaders: ${{ secrets.OTLP_HEADERS }}
githubToken: ${{ secrets.GITHUB_TOKEN }}