wenqiglantz/terraform.yml

## terraform.yml
name: "Terraform Deployment"

on:
  workflow_call:
    inputs:
      # working-directory is added to specify "terraform" directory in project source code as that's where the terraform files live.
      working-directory:
        required: false
        type: string
        default: './terraform'
      # apply-branch refers to the branch where 'terraform apply' should execute.  It defaults to the "main" branch, but calling workflow has the option to change it to a different branch to execute 'terraform apply'.
      apply-branch:
        required: false
        type: string
        default: 'main'

defaults:
  run:
    shell: bash

jobs:
  terraform:
    name:   Deploy terraform
    runs-on: ubuntu-latest

    defaults:
      run:
        working-directory: ${{ inputs.working-directory }}

    # important to specify the environment here so workflow knows where to deploy your artifact to.
    # default environment to "dev" if it is not passed in through workflow_dispatch manual trigger
    environment: ${{ github.event.inputs.environment || 'dev' }}

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

      - name: Checkout Code
        uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838
        with:
          role-to-assume: ${{ secrets.TERRAFORM_ROLE_TO_ASSUME }}
          aws-region: ${{ secrets.AWS_REGION }}

      - name: Run Checkov action
        uses: bridgecrewio/checkov-action@3854b91536303a096e7693434ef98706a0be82cb # master
        with:
          directory: ${{ inputs.working-directory }}
          quiet: true # optional: display only failed checks
          soft_fail: true # optional: do not return an error code if there are failed checks
          framework: terraform # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all}
          output_format: sarif # optional: the output format, one of: cli, json, junitxml, github_failed_only, or sarif. Default: sarif
          output_file_path: reports/results.sarif # folder and name of results file
          download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry
          log_level: DEBUG # optional: set log level. Default WARNING

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@7b3bcd8d76f3cbaec0a3564e53de7c9adf00f0a7

      - name: Terraform Init
        id: init
        run: |
          # passes a NPM_TOKEN which has access to private repo as client app doesn't pass such credential in when calling tf reusable module.
          # credit: https://github.com/hashicorp/setup-terraform/issues/33
          git config --global url."https://oauth2:${{ secrets.NPM_TOKEN }}@github.com".insteadOf https://github.com
          rm -rf .terraform
          terraform init -backend-config='./.env/${{ github.event.inputs.environment || 'dev' }}/backend.tfvars' -upgrade=true -no-color -input=false

      - name: Terraform Plan
        id: plan
        run: |
          terraform plan -input=false -var-file=.env/${{ github.event.inputs.environment || 'dev' }}/terraform.tfvars -no-color

      - name: Terraform Apply
        if: github.ref == 'refs/heads/${{ inputs.apply-branch }}' && github.event_name == 'push'
        id: apply
        run: |
          terraform apply -auto-approve -input=false -var-file=.env/${{ github.event.inputs.environment || 'dev' }}/terraform.tfvars

      - name: Terraform destroy
        # If you want to use this workflow to run terraform destroy, create a feature branch "destroy", trigger this workflow from that branch to destroy.
        if: github.ref == 'refs/heads/destroy'
        id: destroy
        run: |
          terraform destroy -auto-approve -input=false -var-file=.env/${{ github.event.inputs.environment || 'dev' }}/terraform.tfvars
	name: "Terraform Deployment"

	on:
	workflow_call:
	inputs:
	# working-directory is added to specify "terraform" directory in project source code as that's where the terraform files live.
	working-directory:
	required: false
	type: string
	default: './terraform'
	# apply-branch refers to the branch where 'terraform apply' should execute. It defaults to the "main" branch, but calling workflow has the option to change it to a different branch to execute 'terraform apply'.
	apply-branch:
	required: false
	type: string
	default: 'main'

	defaults:
	run:
	shell: bash

	jobs:
	terraform:
	name: Deploy terraform
	runs-on: ubuntu-latest

	defaults:
	run:
	working-directory: ${{ inputs.working-directory }}

	# important to specify the environment here so workflow knows where to deploy your artifact to.
	# default environment to "dev" if it is not passed in through workflow_dispatch manual trigger
	environment: ${{ github.event.inputs.environment \|\| 'dev' }}

	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
	with:
	egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

	- name: Checkout Code
	uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28

	- name: Configure AWS credentials
	uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838
	with:
	role-to-assume: ${{ secrets.TERRAFORM_ROLE_TO_ASSUME }}
	aws-region: ${{ secrets.AWS_REGION }}

	- name: Run Checkov action
	uses: bridgecrewio/checkov-action@3854b91536303a096e7693434ef98706a0be82cb # master
	with:
	directory: ${{ inputs.working-directory }}
	quiet: true # optional: display only failed checks
	soft_fail: true # optional: do not return an error code if there are failed checks
	framework: terraform # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all}
	output_format: sarif # optional: the output format, one of: cli, json, junitxml, github_failed_only, or sarif. Default: sarif
	output_file_path: reports/results.sarif # folder and name of results file
	download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry
	log_level: DEBUG # optional: set log level. Default WARNING

	- name: Setup Terraform
	uses: hashicorp/setup-terraform@7b3bcd8d76f3cbaec0a3564e53de7c9adf00f0a7

	- name: Terraform Init
	id: init
	run: \|
	# passes a NPM_TOKEN which has access to private repo as client app doesn't pass such credential in when calling tf reusable module.
	# credit: https://github.com/hashicorp/setup-terraform/issues/33
	git config --global url."https://oauth2:${{ secrets.NPM_TOKEN }}@github.com".insteadOf https://github.com
	rm -rf .terraform
	terraform init -backend-config='./.env/${{ github.event.inputs.environment \|\| 'dev' }}/backend.tfvars' -upgrade=true -no-color -input=false

	- name: Terraform Plan
	id: plan
	run: \|
	terraform plan -input=false -var-file=.env/${{ github.event.inputs.environment \|\| 'dev' }}/terraform.tfvars -no-color

	- name: Terraform Apply
	if: github.ref == 'refs/heads/${{ inputs.apply-branch }}' && github.event_name == 'push'
	id: apply
	run: \|
	terraform apply -auto-approve -input=false -var-file=.env/${{ github.event.inputs.environment \|\| 'dev' }}/terraform.tfvars

	- name: Terraform destroy
	# If you want to use this workflow to run terraform destroy, create a feature branch "destroy", trigger this workflow from that branch to destroy.
	if: github.ref == 'refs/heads/destroy'
	id: destroy
	run: \|
	terraform destroy -auto-approve -input=false -var-file=.env/${{ github.event.inputs.environment \|\| 'dev' }}/terraform.tfvars