ci(terraform): Test workflow changes from #57 #40
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Terraform CI | |
| run-name: ${{ github.event_name == 'merge_group' && github.event.merge_group.head_commit.message || ''}} | |
| on: | |
| pull_request: | |
| types: [opened, synchronize] | |
| branches: [main] | |
| merge_group: | |
| types: [checks_requested] | |
| permissions: {} | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.repository }} | |
| cancel-in-progress: true | |
| defaults: | |
| run: | |
| shell: bash | |
| jobs: | |
| targets: | |
| name: Terraform Targets | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| outputs: | |
| targets: ${{ steps.directories.outputs.all_changed_files }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Check changed directories | |
| id: directories | |
| uses: tj-actions/changed-files@c3a1bb2c992d77180ae65be6ae6c166cf40f857c # v45.0.3 | |
| with: | |
| dir_names: true | |
| dir_names_max_depth: 3 | |
| files: terraform/** | |
| matrix: true | |
| terraform-deploy: | |
| needs: [targets] | |
| if: ${{ needs.targets.outputs.targets != '[]' }} | |
| name: Terraform Deploy | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read # Required to identify workflow run. | |
| checks: write # Required to add status summary. | |
| contents: read # Required to checkout repository. | |
| id-token: write # Require for OIDC. | |
| pull-requests: write # Required to add comment and label. | |
| strategy: | |
| fail-fast: true | |
| max-parallel: 1 | |
| matrix: | |
| targets: ${{ fromJson(needs.targets.outputs.targets) }} | |
| environment: ${{ contains(matrix.targets, 'production') && 'production' || 'development' }} | |
| env: | |
| TF_TOKEN_APP_TERRAFORM_IO: ${{ secrets.TF_TOKEN_APP_TERRAFORM_IO }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| persist-credentials: false | |
| # This is required because the 'environment' context does not exist, so cannot be referenced | |
| # by the steps that need it | |
| - name: Set deployment environment as an environment variable | |
| run: echo "ENVIRONMENT=${{ contains(matrix.targets, 'production') && 'production' || 'development' }}" >> $GITHUB_ENV | |
| # AWS Credentials required for tflint deep check | |
| - name: Configure AWS credentials via OIDC | |
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
| with: | |
| aws-region: us-east-1 | |
| mask-aws-account-id: true | |
| role-to-assume: ${{ secrets[format('GHA_3WARE_OIDC_{0}', env.ENVIRONMENT)] }} | |
| role-session-name: ${{ github.event_name == 'merge_group' && 'aws-net-sec-terraform-apply' || 'aws-net-sec-terraform-plan' }} | |
| - name: Terraform Fmt + Init + Validate | |
| if: ${{ github.event_name == 'pull_request' }} | |
| id: tf | |
| uses: devsectop/tf-via-pr@a917bd222a6a780f25d2c5cd1942f6b2c2f16a7a # v12.0.5 | |
| with: | |
| working-directory: ${{ matrix.targets }} | |
| arg-lock: false | |
| format: true | |
| validate: true | |
| - name: Cache TFLint plugin directory | |
| if: ${{ github.event_name == 'pull_request' }} | |
| uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 | |
| with: | |
| path: .trunk/plugins/ | |
| key: ${{ runner.os }}-${{ github.repository }}-tflint-${{ hashFiles('.trunk/configs/.tflint_ci.hcl') }} | |
| # Install TFLint; required to download plugins | |
| - name: Install TFLint | |
| if: ${{ github.event_name == 'pull_request' }} | |
| uses: terraform-linters/setup-tflint@15ef44638cb215296e7ba9e7a41f20b5b06f4784 # v4.0.0 | |
| with: | |
| tflint_version: v0.53.0 | |
| tflint_wrapper: true | |
| # Run TFLint using the configuration file in the trunk directory | |
| - name: Run TFLint | |
| if: ${{ github.event_name == 'pull_request' }} | |
| id: tflint | |
| run: | | |
| tflint -chdir=${{ matrix.targets }} --config=$GITHUB_WORKSPACE/.trunk/configs/.tflint_ci.hcl --init | |
| tflint -chdir=${{ matrix.targets }} --config=$GITHUB_WORKSPACE/.trunk/configs/.tflint_ci.hcl --format compact | |
| continue-on-error: true | |
| # Add PR comment then exit workflow if TFLint detects a violation | |
| - name: Add PR comment on TFLint error | |
| if: ${{ steps.tflint.outputs.exitcode != 0 }} | |
| env: | |
| GH_TOKEN: ${{ github.token }} # https://cli.github.com/manual/gh_auth_login | |
| run: | | |
| # Compose TFLint output. | |
| tflint=" | |
| <details><summary>❌ TFLint error.</summary> | |
| \`\`\`hcl | |
| ${{ steps.tflint.outputs.stderr || steps.tflint.outputs.stdout }} | |
| \`\`\` | |
| </details>" | |
| # Get body of PR comment from tf step output. | |
| comment=$(gh api /repos/{owner}/{repo}/issues/comments/${{ steps.tf.outputs.comment-id }} --method GET --jq '.body') | |
| # Replace placeholder with TFLint output. | |
| comment=$(echo "$comment" | sed "s|<!-- placeholder-2 -->|$tflint|") | |
| # Update PR comment combined with TFLint output. | |
| gh api /repos/{owner}/{repo}/issues/comments/${{ steps.tf.outputs.comment-id }} --method PATCH --field body="$comment" | |
| # Exit workflow due to TFLint error. | |
| exit 1 | |
| - name: Terraform ${{ format('{0}', github.event_name == 'merge_group' && 'Apply' || 'Plan') }} | |
| uses: devsectop/tf-via-pr@a917bd222a6a780f25d2c5cd1942f6b2c2f16a7a # v12.0.5 | |
| with: | |
| working-directory: ${{ matrix.targets }} | |
| command: ${{ github.event_name == 'merge_group' && 'apply' || 'plan' }} | |
| arg-lock: ${{ github.event_name == 'merge_group' }} | |
| plan-encrypt: ${{ secrets.PGP_SECRET_SIGNING_PASSPHRASE }} |