-
Notifications
You must be signed in to change notification settings - Fork 12
143 lines (127 loc) · 3.76 KB
/
build.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
name: Build
on:
workflow_dispatch:
push:
branches:
- master
tags:
- '**'
pull_request:
types: [opened, synchronize, reopened]
permissions:
contents: write
discussions: write
actions: read
security-events: write
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
jobs:
validate:
runs-on: ubuntu-latest
name: Validate terraform
steps:
- name: Checkout
uses: actions/checkout@v3
- name: terraform fmt
uses: dflook/terraform-fmt-check@v1
with:
path: src
- name: Create temp files for terraform validation
run: |
touch src/certs/cacerts.crt
touch src/certs/cacerts.key
touch src/terraform/.env
touch src/clusters/k3d/.env
echo GITHUB_OWNER=somebody >> src/terraform/.env
echo GITHUB_TOKEN=sometoken >> src/terraform/.env
echo ORACLE_EMAIL=someemail >> src/terraform/.env
echo ORACLE_PASSWORD=somepassword >> src/terraform/.env
echo DD_API_KEY=somekey >> src/terraform/.env
echo DD_SITE=somedomain >> src/terraform/.env
echo NEW_RELIC_ENDPOINT=someendpoint >> src/terraform/.env
echo NEW_RELIC_LICENSE_KEY=somekey >> src/terraform/.env
echo DOCKER_HOST= >> src/clusters/k3d/.env
- name: terraform validate src-clusters-k3d
uses: dflook/terraform-validate@v1
with:
path: src/clusters/k3d
- name: terraform validate src-clusters-kind
uses: dflook/terraform-validate@v1
with:
path: src/clusters/kind
- name: terraform validate src-terraform
uses: dflook/terraform-validate@v1
with:
path: src/terraform
tfsec:
strategy:
matrix:
include:
- location: src/tests/k3s
working_dir: src/terraform
- location: src/clusters/k3d
working_dir: src/clusters/k3d
- location: src/clusters/kind
working_dir: src/clusters/kind
name: tfsec sarif report
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Clone repo
uses: actions/checkout@v3
- name: tfsec
uses: aquasecurity/tfsec-sarif-action@v0.1.4
with:
sarif_file: tfsec.sarif
working_directory: ${{ matrix.working_dir }}
tfvars_file: ${{ matrix.location }}/terraform.tfvars
tfsec_args: --debug
- name: Output SARIF file
run: |
cat tfsec.sarif
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
with:
# Path to SARIF file relative to the root of the repository
sarif_file: tfsec.sarif
terrascan:
runs-on: ubuntu-latest
name: terrascan-action
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Run Terrascan
id: terrascan
uses: tenable/terrascan-action@main
with:
# iac_type: 'terraform'
# iac_version: 'v14'
# policy_type: 'aws'
only_warn: true
sarif_upload: true
#non_recursive:
iac_dir: src/terraform
#policy_path:
#skip_rules:
config_path: terrascan_config.toml
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: terrascan.sarif
release:
runs-on: ubuntu-latest
name: Release
needs: [validate, tfsec, terrascan]
if: startsWith(github.ref, 'refs/tags/')
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Release
uses: softprops/action-gh-release@v1
with:
generate_release_notes: true
discussion_category_name: Announcements
append_body: true