-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathaction.yml
133 lines (116 loc) · 4.1 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
name: Terraform AWS Action
inputs:
backend_config:
description: Location of the terraform config file, including filename
required: true
vars_file:
description: Location of the TFVars file, including filename
required: true
github_token:
description: GitHub token for updating pull requests with plan output
required: false
checkov_dir:
description: Directory to run checkov checks against
required: false
default: '.'
apply:
description: Whether to run an apply or not
required: true
default: 'false'
plan:
description: Whether to run a plan or not
required: true
default: 'true'
destroy:
description: Whether to run destroy or not
required: false
default: 'false'
terraform_token:
description: token to allow external modules
required: false
default: 'false'
terraform_version:
description: Version of terraform to run
required: false
default: 1.4.0
runs:
using: "composite"
steps:
- name: hashicorp/setup-terraform
uses: hashicorp/setup-terraform@v2
with:
terraform_version: ${{ inputs.terraform_version }}
- name: Set Github Auth
if: inputs.terraform_token != 'false'
run: git config --global url."https://oauth2:${{ inputs.terraform_token }}@github.com".insteadOf https://github.com
shell: bash
- name: Test with Checkov
id: checkov
uses: bridgecrewio/checkov-action@v12.2527.0
with:
directory: ${{ inputs.checkov_dir }}
framework: terraform
check: MEDIUM
# Checks that all Terraform configuration files adhere to a canonical format
- name: Terraform Format
id: check_formatting
run: terraform fmt -check
continue-on-error: true
shell: bash
- name: Terraform Format Status
if: steps.check_formatting.outcome != 'success'
run: echo "Formatting error. Please run terraform fmt before pushing your code."; exit 1
shell: bash
# Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
- name: Terraform Init
id: init
run: terraform init -backend-config='${{ inputs.backend_config }}'
shell: bash
- name: Terraform Validate
id: validate
run: terraform validate -no-color
shell: bash
# Generates an execution plan for Terraform
- name: Terraform Plan
id: plan
if: inputs.plan == 'true'
run: terraform plan -var-file='${{ inputs.vars_file }}' -input=false -no-color
continue-on-error: true
shell: bash
# Updates PRs with Plan status if a github token is present
- name: Update Pull Request
uses: actions/github-script@v6
if: github.event_name == 'pull_request' && inputs.github_token
env:
PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
with:
github-token: ${{ inputs.github_token }}
script: |
const output = `#### Terraform Format and Style 🖌\`${{ steps.check_formatting.outcome }}\`
#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
#### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
#### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
<details><summary>Show Plan</summary>
\`\`\`\n
${process.env.PLAN}
\`\`\`
</details>
*Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})
- name: Terraform Plan Status
if: steps.plan.outcome == 'failure'
run: exit 1
shell: bash
- name: Terraform Destroy
if: inputs.destroy == 'true'
runs: terraform destroy auto-approve
shell: bash
- name: Terraform Apply
if: inputs.apply == 'true' && github.event_name != 'pull_request'
run: terraform apply -var-file='${{ inputs.vars_file }}' -input=false -no-color -auto-approve
shell: bash