diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
deleted file mode 100644
index 2371030..0000000
--- a/.github/workflows/main.yml
+++ /dev/null
@@ -1,74 +0,0 @@
-name: Terraform Check
-
-on:
- push:
- branches:
- - main
- pull_request:
- branches:
- - main
-
-permissions: read-all
-
-defaults:
- run:
- shell: sh
-
-jobs:
-
- validate:
- name: Validate
- runs-on: ubuntu-latest
- container: hashicorp/terraform:light
- steps:
- - name: Checkout
- uses: actions/checkout@v2
- - name: Validate
- run: find ./modules/ -maxdepth 1 -mindepth 1
- -exec terraform init {} \;
- -exec terraform validate {} \;
-
- format:
- name: Format
- runs-on: ubuntu-latest
- container: hashicorp/terraform:light
- steps:
- - name: Checkout
- uses: actions/checkout@v2
- - name: Format
- run: terraform fmt -check -diff -recursive
-
- lint:
- name: Lint
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v2
- - name: Setup
- uses: terraform-linters/setup-tflint@v1.1.0
- - name: Show version
- run: tflint --version
- - name: Run
- run: >
- find ./modules/ -maxdepth 1 -mindepth 1
- -exec tflint {} --loglevel=info \;
-
- security:
- name: Security
- runs-on: ubuntu-latest
- permissions:
- checks: write
- contents: read
- security-events: write
- statuses: write
- steps:
- - name: Checkout
- uses: actions/checkout@v2
- - name: tfsec
- uses: tfsec/tfsec-sarif-action@master
- with:
- sarif_file: tfsec.sarif
- - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
- with:
- sarif_file: tfsec.sarif
diff --git a/.github/workflows/terraform-checks.yml b/.github/workflows/terraform-checks.yml
new file mode 100644
index 0000000..7aa0f49
--- /dev/null
+++ b/.github/workflows/terraform-checks.yml
@@ -0,0 +1,77 @@
+name: Terraform Check
+
+on:
+ pull_request:
+ branches:
+ - main
+
+env:
+ TERRAFORM_DOCS_VERSION: v0.16.0
+
+jobs:
+ collectInputs:
+ name: Collect workflow inputs
+ runs-on: ubuntu-latest
+ outputs:
+ directories: ${{ steps.dirs.outputs.directories }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Get root directories
+ id: dirs
+ uses: clowdhaus/terraform-composite-actions/directories@v1.3.0
+
+ preCommitMinVersions:
+ name: Min TF pre-commit
+ needs: collectInputs
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ directory: ${{ fromJson(needs.collectInputs.outputs.directories) }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Terraform min/max versions
+ id: minMax
+ uses: clowdhaus/terraform-min-max@v1.0.3
+ with:
+ directory: ${{ matrix.directory }}
+
+ - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
+ # Run only validate pre-commit check on min version supported
+ if: ${{ matrix.directory != '.' }}
+ uses: clowdhaus/terraform-composite-actions/pre-commit@v1.3.0
+ with:
+ terraform-version: ${{ steps.minMax.outputs.minVersion }}
+ args: 'terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*'
+
+ - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
+ # Run only validate pre-commit check on min version supported
+ if: ${{ matrix.directory == '.'
}}
+ uses: clowdhaus/terraform-composite-actions/pre-commit@v1.3.0
+ with:
+ terraform-version: ${{ steps.minMax.outputs.minVersion }}
+ args: 'terraform_validate --color=always --show-diff-on-failure --files $(ls *.tf)'
+
+ preCommitMaxVersion:
+ name: Max TF pre-commit
+ runs-on: ubuntu-latest
+ needs: collectInputs
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ repository: ${{github.event.pull_request.head.repo.full_name}}
+
+ - name: Terraform min/max versions
+ id: minMax
+ uses: clowdhaus/terraform-min-max@v1.0.3
+
+ - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
+ uses: clowdhaus/terraform-composite-actions/pre-commit@v1.3.0
+ with:
+ terraform-version: ${{ steps.minMax.outputs.maxVersion }}
+ terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }}
diff --git a/.github/workflows/terraform-security.yml b/.github/workflows/terraform-security.yml
new file mode 100644
index 0000000..f200856
--- /dev/null
+++ b/.github/workflows/terraform-security.yml
@@ -0,0 +1,27 @@
+name: Terraform Security
+
+on:
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ security:
+ name: Security
+ runs-on: ubuntu-latest
+ permissions:
+ checks: write
+ contents: read
+ security-events: write
+ statuses: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ - name: tfsec
+ uses: tfsec/tfsec-sarif-action@master
+ with:
+ sarif_file: tfsec.sarif
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: tfsec.sarif
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 6beab84..e90ecc3 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
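Review bot: No `permissions:` block appears anywhere in terraform-checks.yml, so the GITHUB_TOKEN given to collectInputs, preCommitMinVersions and preCommitMaxVersion falls back to the repository default, which can be read-write; the deleted main.yml had `permissions: read-all` at the top level and the terraform-security.yml added in this same commit scopes its job explicitly, so this is the one workflow left without a ceiling. Adding a top-level `permissions:` with `contents: read` keeps all three jobs read-only, since they only check out and run validate/pre-commit (if the pre-commit composite action is expected to push terraform-docs updates it would need more, which is not visible here). Separately, the two `Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}` steps carry the identical comment `# Run only validate pre-commit check on min version supported` although the second one is the `matrix.directory == '.'` branch; `# Root directory: validate only, on the min supported version` would say why there are two. The `repository: ${{github.event.pull_request.head.repo.full_name}}` expression also drops the inner spaces every other expression in the file uses.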
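Review bot: `uses: tfsec/tfsec-sarif-action@master` pins the scanner to a moving branch inside a job that holds `security-events: write`, `checks: write` and `statuses: write`, so any change to that branch runs with those token scopes on every pull request without any change in this repository; pin it to a release tag or, better, a full commit SHA, e.g. `uses: tfsec/tfsec-sarif-action@<release-tag-or-commit-sha>` (placeholder). The same concern applies in weaker form to `actions/checkout@v2` and `github/codeql-action/upload-sarif@v1`, which track mutable major tags. This job body was carried over unchanged from the deleted main.yml, so the commit did not introduce the unpinned ref, but the new file is the right place to fix it. Whether `checks: write` and `statuses: write` are actually needed by the two steps is not visible here; if the SARIF upload is the only consumer, `security-events: write` plus `contents: read` may be sufficient.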
@@ -1,10 +1,14 @@
 ---
 repos:
-- repo: git://github.com/antonbabenko/pre-commit-terraform
- rev: v1.31.0
- hooks:
- - id: terraform_fmt
- - id: terraform_validate
- - id: terraform_docs_replace
- - id: terraform_tflint
- - id: terraform_tfsec
+ - repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.63.0
+ hooks:
+ - id: terraform_fmt
+ - id: terraform_validate
+ - id: terraform_docs
+ - id: terraform_tflint
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.1.0
+ hooks:
+ - id: check-merge-conflict
+ - id: end-of-file-fixer