Created
January 28, 2023 22:00
-
-
Save wenqiglantz/75275706064bdc37da6186368606e752 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Terraform Deployment" | |
| on: | |
| workflow_call: | |
| inputs: | |
| # working-directory is added to specify "terraform" directory in project source code as that's where the terraform files live. | |
| working-directory: | |
| required: false | |
| type: string | |
| default: './terraform' | |
| defaults: | |
| run: | |
| shell: bash | |
| jobs: | |
| terraform: | |
| name: Deploy terraform | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: ${{ inputs.working-directory }} | |
| # important to specify the environment here so workflow knows where to deploy your artifact to. | |
| # default environment to "dev" if it is not passed in through workflow_dispatch manual trigger | |
| environment: ${{ github.event.inputs.environment || 'dev' }} | |
| env: | |
| DEPLOY_REPO: ${{ github.event.repository.name }} | |
| DEPLOY_ENV: ${{ github.event.inputs.environment || 'dev' }} | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout Code | |
| uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28 | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@05b148adc31e091bafbaf404f745055d4d3bc9d2 | |
| with: | |
| role-to-assume: ${{ secrets.TERRAFORM_ROLE_TO_ASSUME }} | |
| aws-region: ${{ secrets.AWS_REGION }} | |
| - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed # v2.1.7 | |
| name: Cache plugin dir | |
| with: | |
| path: ~/.tflint.d/plugins | |
| key: ubuntu-latest-tflint-${{ hashFiles('.tflint.hcl') }} | |
| - uses: terraform-linters/setup-tflint@ba6bb2989f94daf58a4cc6eac2c1ca7398a678bf # v3.0.0 | |
| name: Setup TFLint | |
| with: | |
| tflint_version: latest | |
| - name: Init TFLint | |
| run: tflint --init | |
| - name: Run TFLint | |
| run: tflint -f compact | |
| - name: Run tfsec, static analysis tool to detect potential security risks | |
| uses: aquasecurity/tfsec-pr-commenter-action@7a44c5dcde5dfab737363e391800629e27b6376b # v1.3.1 | |
| with: | |
| tfsec_args: --soft-fail | |
| github_token: ${{ github.token }} | |
| - name: Run Checkov action | |
| uses: bridgecrewio/checkov-action@3854b91536303a096e7693434ef98706a0be82cb # master | |
| with: | |
| directory: ${{ inputs.working-directory }} | |
| quiet: true # optional: display only failed checks | |
| soft_fail: true # optional: do not return an error code if there are failed checks | |
| framework: terraform # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all} | |
| output_format: sarif # optional: the output format, one of: cli, json, junitxml, github_failed_only, or sarif. Default: sarif | |
| output_file_path: reports/results.sarif # folder and name of results file | |
| download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry | |
| log_level: DEBUG # optional: set log level. Default WARNING | |
| - name: Setup Terraform | |
| uses: hashicorp/setup-terraform@7b3bcd8d76f3cbaec0a3564e53de7c9adf00f0a7 | |
| - name: Print debug info | |
| run: | | |
| echo environment is ${{ github.event.inputs.environment }} | |
| echo working_directory is ${{ inputs.working-directory }} | |
| echo repository is ${{ github.repository }} | |
| - name: Terraform Init | |
| id: init | |
| run: | | |
| # passes a NPM_TOKEN which has access to private repo as client app doesn't pass such credential in when calling tf composite module. | |
| # credit: https://github.com/hashicorp/setup-terraform/issues/33 | |
| git config --global url."https://oauth2:${{ secrets.NPM_TOKEN }}@github.com".insteadOf https://github.com | |
| rm -rf .terraform | |
| terraform init -backend-config='./.env/${{ github.event.inputs.environment || 'dev' }}/backend.tfvars' -upgrade=true -no-color -input=false | |
| - name: Terraform Plan | |
| id: plan | |
| run: | | |
| # convert repo and env to lower case and pass to Terraform as env variables | |
| export TF_VAR_deploy_repo=${DEPLOY_REPO,,} | |
| export TF_VAR_deploy_env=${DEPLOY_ENV,,} | |
| export TF_VAR_pipeline_token=${{ secrets.PIPELINE_TOKEN }} | |
| terraform plan -input=false -var-file=.env/${{ github.event.inputs.environment || 'dev' }}/terraform.tfvars -no-color | |
| - name: Terraform Apply | |
| id: apply | |
| run: | | |
| # convert repo and env to lower case and pass to Terraform as env variables | |
| export TF_VAR_deploy_repo=${DEPLOY_REPO,,} | |
| export TF_VAR_deploy_env=${DEPLOY_ENV,,} | |
| export TF_VAR_pipeline_token=${{ secrets.PIPELINE_TOKEN }} | |
| terraform apply -auto-approve -input=false -var-file=.env/${{ github.event.inputs.environment || 'dev' }}/terraform.tfvars | |
| - name: Terraform destroy | |
| # If you want to use this workflow to run terraform destroy, create a feature branch "destroy", trigger this workflow from that branch to destroy. | |
| if: always() && github.ref == 'refs/heads/destroy' | |
| id: destroy | |
| run: | | |
| # convert repo and env to lower case and pass to Terraform as env variables | |
| export TF_VAR_deploy_repo=${DEPLOY_REPO,,} | |
| export TF_VAR_deploy_env=${DEPLOY_ENV,,} | |
| export TF_VAR_pipeline_token=${{ secrets.PIPELINE_TOKEN }} | |
| terraform destroy -auto-approve -input=false -var-file=.env/${{ github.event.inputs.environment || 'dev' }}/terraform.tfvars |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment