Add better linting for terraform files.

danskernesdigitalebibliotek · Nov 9, 2022 · 48e8c5e · 48e8c5e
1 parent 9049cbe
commit 48e8c5e
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 2 deletions.
diff --git a/.github/workflows/terraform-lint.yaml b/.github/workflows/terraform-lint.yaml
@@ -5,15 +5,35 @@ on:
     paths:
       - "infrastructure/**.tf"
       - "infrastructure/**.tfvars"
-      - ".github/workflows/terraform-lint.yaml"
+      - ".github/workflows/terraform-*.yaml"
+
 name: Terraform Lint
 jobs:
   terraform_format:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3.1.0
+      # Run terraform fmt as rudimentary linting
       - uses: hashicorp/setup-terraform@v2.0.3
       - name: Terraform fmt
         id: fmt
-        run: terraform fmt -recursive -check infrastructure/terraform
+        run: terraform fmt -recursive -check -diff -no-color infrastructure/terraform
         continue-on-error: false
+
+  tflint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2.3.4
+      # Run tflint https://github.com/terraform-linters/tflint
+      - uses: terraform-linters/setup-tflint@v2
+        name: Setup TFLint
+      - name: Init TFLint
+        run: tflint --init
+      - name: Show version
+        run: tflint --version
+      - name: Run TFLint
+        env:
+          TFLINT_LOG: debug
+        run: |
+          tflint --module --no-color --var='environment_name=dplplatlint' infrastructure/terraform/modules/dpl-platform-environment/ && \
+          tflint --module --no-color --var='environment_name=dplplatlint' infrastructure/terraform/modules/dpl-platform-env-repos/
diff --git a/.github/workflows/terraform-tfsec.yml b/.github/workflows/terraform-tfsec.yml
@@ -0,0 +1,25 @@
+
+on:
+  pull_request:
+    paths:
+      - "infrastructure/**.tf"
+      - "infrastructure/**.tfvars"
+      - ".github/workflows/terraform-*.yaml"
+
+name: Run tfsec
+jobs:
+  tfsec:
+    name: tfsec PR commenter
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - name: Clone repo
+        uses: actions/checkout@master
+      - name: tfsec
+        uses: aquasecurity/tfsec-pr-commenter-action@v1.2.0
+        with:
+          github_token: ${{ github.token }}
diff --git a/.tflint.hcl b/.tflint.hcl
@@ -0,0 +1,5 @@
+plugin "azurerm" {
+    enabled = true
+    version = "0.19.0"
+    source  = "github.com/terraform-linters/tflint-ruleset-azurerm"
+}