feat(vpc): Add ec2 server #24
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Terraform CI | |
| on: | |
| pull_request: | |
| types: [opened, synchronize] | |
| branches: [main] | |
| merge_group: | |
| types: [checks_requested] | |
| permissions: {} | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.repository }} | |
| cancel-in-progress: true | |
| defaults: | |
| run: | |
| shell: bash | |
| jobs: | |
| targets: | |
| name: Targets | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| outputs: | |
| targets: ${{ steps.directories.outputs.all_changed_files }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Check changed directories | |
| id: directories | |
| uses: tj-actions/changed-files@c3a1bb2c992d77180ae65be6ae6c166cf40f857c # v45.0.3 | |
| with: | |
| dir_names: true | |
| dir_names_max_depth: 3 | |
| files: terraform/** | |
| matrix: true | |
| terraform-ci: | |
| needs: [targets] | |
| if: ${{ needs.targets.outputs.targets != '[]' }} | |
| name: Terraform CI | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read # Required to identify workflow run. | |
| checks: write # Required to add status summary. | |
| contents: read # Required to checkout repository. | |
| id-token: write # Require for OIDC. | |
| pull-requests: write # Required to add comment and label. | |
| strategy: | |
| fail-fast: true | |
| max-parallel: 1 | |
| matrix: | |
| targets: ${{ fromJson(needs.targets.outputs.targets) }} | |
| environment: ${{ fromJson(vars.ENVIRONMENTS) }} | |
| environment: ${{ matrix.environment }} | |
| env: | |
| TF_TOKEN_APP_TERRAFORM_IO: ${{ secrets.TF_TOKEN_APP_TERRAFORM_IO }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| # AWS Credentials required for tflint deep check | |
| - name: Configure AWS credentials via OIDC | |
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
| with: | |
| aws-region: us-east-1 | |
| mask-aws-account-id: true | |
| role-to-assume: ${{ secrets[format('GHA_3WARE_OIDC_{0}', matrix.environment)] }} | |
| role-session-name: ${{ github.event_name == 'merge_group' && 'aws-net-sec-terraform-apply' || 'aws-net-sec-terraform-plan' }} | |
| - name: Cache TFLint plugin directory | |
| if: ${{ github.event_name == 'pull_request' }} | |
| uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 | |
| with: | |
| path: .trunk/plugins/ | |
| key: ${{ runner.os }}-${{ github.repository }}-tflint-${{ hashFiles('.trunk/configs/.tflint_ci.hcl') }} | |
| # Run terraform format | |
| - name: Terraform fmt | |
| if: ${{ github.event_name == 'pull_request' }} | |
| id: tf-fmt | |
| run: terraform -chdir=${{ matrix.targets }} fmt -check | |
| continue-on-error: true | |
| # Initialise terraform in the directory where terraform file have changed. | |
| - name: Initialise terraform | |
| if: ${{ github.event_name == 'pull_request' }} | |
| id: tf-init | |
| run: | | |
| terraform -chdir=${{ matrix.targets }} init -backend=false | |
| # Run terraform validate | |
| - name: Terraform validate | |
| if: ${{ github.event_name == 'pull_request' }} | |
| id: tf-validate | |
| run: terraform -chdir=${{ matrix.targets }} validate -no-color | |
| continue-on-error: true | |
| # Add PR comment with formatting and validation errors | |
| - name: Add PR comment on terraform failure | |
| if: ${{ steps.tf-fmt.outputs.exitcode != 0 || steps.tf-validate.outputs.exitcode != 0 }} | |
| uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2.9.0 | |
| with: | |
| header: test | |
| hide_and_recreate: true | |
| message: | | |
| #### ${{ matrix.targets }} | |
| #### :x: Terraform Format and Style ${{ steps.tf-fmt.outcome }} | |
| ${{ steps.tf-fmt.outputs.stdout }} | |
| #### :x: Terraform Validation ${{ steps.tf-validate.outcome }} | |
| ``` | |
| ${{ steps.tf-validate.outputs.stderr }} | |
| ``` | |
| Resolve these issues and commit your changes to trigger another deployment. | |
| # Exit this workflow if fmt or validate fail | |
| - name: Terraform error | |
| if: ${{ steps.tf-fmt.outputs.exitcode != 0 || steps.tf-validate.outputs.exitcode != 0 }} | |
| run: | | |
| exit 1 | |
| # Install TFLint; required to download plugins | |
| - name: Install TFLint | |
| if: ${{ github.event_name == 'pull_request' }} | |
| uses: terraform-linters/setup-tflint@15ef44638cb215296e7ba9e7a41f20b5b06f4784 # v4.0.0 | |
| with: | |
| tflint_version: v0.53.0 | |
| tflint_wrapper: true | |
| # Initialise TFLint using the configuration file in the trunk directory | |
| - name: Initialise TFLint | |
| if: ${{ github.event_name == 'pull_request' }} | |
| shell: bash | |
| run: | | |
| tflint -chdir=${{ matrix.targets }} --init --config=$GITHUB_WORKSPACE/.trunk/configs/.tflint_ci.hcl | |
| - name: Run TFLint | |
| if: ${{ github.event_name == 'pull_request' }} | |
| id: tflint | |
| run: | | |
| tflint -chdir=${{ matrix.targets }} --config=$GITHUB_WORKSPACE/.trunk/configs/.tflint_ci.hcl --format compact | |
| continue-on-error: true | |
| # Add PR comment when TFLint detects a violation | |
| - name: Add PR comment on TFLint failure | |
| if: ${{ steps.tflint.outputs.exitcode != 0 }} | |
| uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2.9.0 | |
| with: | |
| header: test | |
| hide_and_recreate: true | |
| message: | | |
| #### ${{ matrix.targets }} | |
| #### :x: TFLint failure | |
| ``` | |
| ${{ steps.tflint.outputs.stdout }} | |
| ``` | |
| Resolve these issues and commit your changes to trigger another deployment. | |
| # Exit workflow if TFLint detects a violation | |
| - name: TFLint error | |
| if: ${{ steps.tflint.outputs.exitcode != 0 }} | |
| run: | | |
| exit 1 | |
| # Run Trunk Check without terraform and tflint due to deep check issue | |
| - name: Trunk Check | |
| if: ${{ github.event_name == 'pull_request' }} | |
| uses: trunk-io/trunk-action@2eaee169140ec559bd556208f9f99cdfdf468da8 # v1.1.17 | |
| with: | |
| arguments: --filter checkov,trivy | |
| - name: Update PR comment for Test success | |
| if: ${{ github.event_name == 'pull_request' }} | |
| uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2.9.0 | |
| with: | |
| header: test | |
| hide_and_recreate: true | |
| message: | | |
| #### ${{ matrix.targets }} | |
| #### :white_check_mark: Terraform Format and Style ${{ steps.tf-fmt.outcome }} | |
| #### :white_check_mark: Terraform Validation ${{ steps.tf-validate.outcome }} | |
| #### :white_check_mark: TFLint ${{ steps.tf-validate.outcome }} | |
| - name: Provision TF | |
| uses: devsectop/tf-via-pr@f1acaae1d94826457fa57bc65f1df318fd81b3bc # v12.0.0 | |
| with: | |
| command: ${{ github.event_name == 'merge_group' && 'apply' || 'plan' }} | |
| arg-lock: ${{ github.event_name == 'merge_group' }} | |
| working-directory: ${{ matrix.targets }} | |
| plan-encrypt: ${{ secrets.PGP_SECRET_SIGNING_PASSPHRASE }} | |
| comment-pr: recreate |