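# Terraform pipeline for the `dev` workspace.
#   pull_request -> dev : fmt, validate, plan, Checkov, then a summary comment on the PR
#   push         -> dev : plan, apply, then render and commit architecture diagrams
# Every `run` step executes in ./terraform (see `defaults` below).
name: 'Terraform dev'

# yamllint disable-line rule:truthy
on:
  push:
    branches:
      - dev
  pull_request:
    branches:
      - dev

# One run per workflow+ref at a time. `cancel-in-progress` is deliberately
# left at its default (false): stopping a run in the middle of `terraform
# apply` could leave remote state and infrastructure out of sync.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}

env:
  WORKSPACE: dev
  # Azure provider credentials: service principal with a client secret.
  ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
  ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
  ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
  # azurerm backend: where the remote state lives, plus the storage-account key.
  RESOURCE_GROUP: ${{ secrets.RESOURCE_GROUP }}
  STORAGE_ACCOUNT: ${{ secrets.STORAGE_ACCOUNT }}
  CONTAINER_NAME: ${{ secrets.CONTAINER_NAME }}
  ARM_ACCESS_KEY: ${{ secrets.ARM_ACCESS_KEY }}
  # Shown in the PR comment; keep in sync with defaults.run.working-directory.
  tf_actions_working_dir: ./terraform

# Default GITHUB_TOKEN scopes for the workflow. A job-level `permissions`
# mapping REPLACES this one rather than extending it, so the job below lists
# exactly what it needs instead of `write-all`.
permissions:
  contents: read
  # Not used by the current client-secret authentication above; retained so
  # the provider can be moved to OIDC federation without a permissions change.
  id-token: write
  pull-requests: write

jobs:
  terraform:
    name: 'Terraform'
    # Least-privilege replacement for `write-all`. `contents: write` is needed
    # because the diagram steps commit and push back to the dev branch;
    # `pull-requests: write` is needed for the plan comment.
    permissions:
      contents: write
      id-token: write
      pull-requests: write
    runs-on: ubuntu-latest
    # Use bash on every runner type and run all commands from the Terraform
    # configuration directory.
    defaults:
      run:
        shell: bash
        working-directory: ./terraform

    steps:
      # Check out the repository; the default persisted token credentials are
      # what the `git push` steps at the end rely on.
      - name: Checkout
        uses: actions/checkout@v4.1.1

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3.0.0
        with:
          terraform_version: "1.7.0"
          # The wrapper that mirrors stdout/stderr into step outputs is off,
          # so `steps.<id>.outputs.stdout` is never populated in this job;
          # the PR comment therefore reports `outcome` for every step.
          terraform_wrapper: false

      # Graphviz `dot` is used by the diagram steps on push.
      - name: Setup Graphviz
        uses: ts-graphviz/setup-graphviz@v1.2.0

      # Backend settings are read from the job environment as shell variables
      # rather than expanded with `${{ env.* }}`, so nothing is spliced into
      # the script text before bash sees it.
      - name: Terraform First Init
        id: init
        run: >-
          terraform init
          -backend-config="storage_account_name=${STORAGE_ACCOUNT}"
          -backend-config="container_name=${CONTAINER_NAME}"
          -backend-config="resource_group_name=${RESOURCE_GROUP}"

      # Selecting the workspace assumes it already exists in the backend.
      - name: Switch Workspace
        id: workspace
        run: terraform workspace select "${WORKSPACE}"

      # Re-initialise after the workspace switch so providers/modules are
      # resolved against the selected workspace.
      - name: Terraform ReInit
        id: reinit
        run: >-
          terraform init
          -backend-config="storage_account_name=${STORAGE_ACCOUNT}"
          -backend-config="container_name=${CONTAINER_NAME}"
          -backend-config="resource_group_name=${RESOURCE_GROUP}"

      # Formatting and validation run for pull requests (github.ref is the
      # merge ref there), not for pushes to dev itself.
      - name: Terraform Format
        id: fmt
        if: github.ref != 'refs/heads/dev'
        run: terraform fmt -check

      # Run even if formatting failed so the PR comment shows both results.
      - name: Terraform Validate
        id: validate
        if: github.ref != 'refs/heads/dev' && (success() || failure())
        run: terraform validate

      # Plan for pull requests into dev only. The plan text is captured as a
      # multi-line step output for the PR comment. `shell: bash` enables
      # pipefail, so a failing plan still fails the step despite the `tee`.
      - name: Terraform Plan
        id: plan
        if: github.event.pull_request.base.ref == 'dev' && github.event_name == 'pull_request'
        shell: bash
        run: |
          # Random heredoc delimiter so a plan line that happens to read "EOF"
          # cannot terminate the output early.
          delimiter="plan_$(openssl rand -hex 8)"
          echo "plan<<${delimiter}" | tee -a "$GITHUB_OUTPUT"
          terraform plan -no-color -out=tfplan | tee -a "$GITHUB_OUTPUT"
          echo "${delimiter}" | tee -a "$GITHUB_OUTPUT"

      # Static analysis of the configuration.
      # TODO(review): `@master` is a mutable ref; pin this action to a release
      # tag or commit SHA so its contents cannot change underneath the workflow.
      - name: Checkov
        if: github.event_name == 'pull_request'
        id: checkov
        uses: bridgecrewio/checkov-action@master
        with:
          quiet: true
          framework: terraform
          container_user: 1000
          output_format: github_failed_only
          soft_fail: false
          skip_check: CKV_AZURE_88,CKV_AZURE_71,CKV_AZURE_16,CKV_AZURE_80,CKV_AZURE_63,CKV_AZURE_18,CKV_AZURE_65,CKV_AZURE_17,CKV_AZURE_13,CKV_AZURE_78,CKV_AZURE_66,CKV_AZURE_44,CKV_AZURE_35,CKV_AZURE_43,CKV_AZURE_33,CKV_AZURE_3,CKV2_AZURE_1,CKV2_AZURE_18,CKV2_AZURE_8,CKV2_AZURE_21,CKV_GIT_4,CKV_AZURE_206,CKV_AZURE_225,CKV_AZURE_212,CKV_AZURE_213

      # Post the fmt/init/validate/Checkov outcomes and the plan on the PR.
      # Runs on failure too so a broken plan is still reported. The plan is
      # passed through the PLAN env var and read with process.env instead of
      # being expanded inside the script, so plan contents are never
      # interpreted as JavaScript. Very large plans may exceed GitHub's
      # comment size limit; that case is not handled here.
      # Note: github-script@v3 exposes the Octokit REST client as `github.*`;
      # newer majors move it to `github.rest.*`, so bump both together.
      - name: add-plan-comment
        id: comment
        uses: actions/github-script@v3
        if: github.event_name == 'pull_request' && (success() || failure())
        env:
          PLAN: "terraform\n${{ steps.plan.outputs.plan }}"
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
            #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
            #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
            #### Checkov 🧪\`${{ steps.checkov.outcome }}\`
            <details><summary>Show Plan</summary>

            \`\`\`${process.env.PLAN}
            \`\`\`
            </details>
            <details><summary>Show Checkov Results</summary>
            ${process.env.CHECKOV_RESULTS}
            </details>
            *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ env.tf_actions_working_dir }}\`, Workflow: \`${{ github.workflow }}\`*`;
            github.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: output
            })

      # Saved plan for the apply step, plus a JSON rendering for Rover.
      - name: Terraform Json Plan for Rover
        if: github.ref == 'refs/heads/dev' && github.event_name == 'push'
        run: |
          terraform plan -out plan.out
          terraform show -json plan.out > plan.json

      # Apply the saved plan instead of re-planning, so what is applied is
      # exactly what was rendered to plan.json in the previous step.
      - name: Terraform Apply
        if: github.ref == 'refs/heads/dev' && github.event_name == 'push'
        run: terraform apply -auto-approve plan.out

      - name: Generate Arch Diagram .dot
        if: github.ref == 'refs/heads/dev' && github.event_name == 'push'
        run: terraform graph > dev_infrastructure.dot

      # Render the .dot produced above rather than calling `terraform graph` twice.
      - name: Generate Arch Diagram .png
        if: github.ref == 'refs/heads/dev' && github.event_name == 'push'
        run: dot -Tpng dev_infrastructure.dot > dev_infrastructure.png

      - name: Upload Infrastructure Artifact
        if: github.ref == 'refs/heads/dev' && github.event_name == 'push'
        uses: actions/upload-artifact@v4.2.0
        with:
          name: dev-infrastructure
          path: dev_infrastructure.png

      - name: Generate Rover Diagram
        if: github.ref == 'refs/heads/dev' && github.event_name == 'push'
        uses: Official-James/rover-terraform-action@1.0.2

      - name: Upload Rover Image
        if: github.ref == 'refs/heads/dev' && github.event_name == 'push'
        uses: edunad/actions-image@v2.0.0
        with:
          path: './rover.svg'
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          title: 'Rover Visualization dev'

      # Commit the rendered diagrams back to dev. Pushes made with
      # GITHUB_TOKEN do not retrigger this workflow, so this cannot loop.
      - name: Add Arch Diagrams to Branch
        if: github.ref == 'refs/heads/dev' && github.event_name == 'push'
        run: |
          git config --local user.email "action@github.com"
          git config --local user.name "GitHub Action"
          mv rover.svg rover_dev.svg
          git add rover_dev.svg dev_infrastructure.png dev_infrastructure.dot
          # Only commit when a diagram actually changed; an empty commit would fail the step.
          if ! git diff --cached --quiet; then
            git commit -m "Update dev_infrastructure.png and dev_infrastructure.dot and rover_dev.svg"
            git push
          fi

      - name: Generate Overview Diagram
        if: github.ref == 'refs/heads/dev' && github.event_name == 'push'
        run: dot overview.dot -Tpng > overview.png

      - name: Upload Overview Artifact
        if: github.ref == 'refs/heads/dev' && github.event_name == 'push'
        uses: actions/upload-artifact@v4.2.0
        with:
          name: overview
          path: overview.png

      - name: Add Overview Diagram to Branch
        if: github.ref == 'refs/heads/dev' && github.event_name == 'push'
        run: |
          git config --local user.email "action@github.com"
          git config --local user.name "GitHub Action"
          git add overview.png
          # Skip the commit when overview.png is unchanged.
          if ! git diff --cached --quiet; then
            git commit -m "Update overview.png"
            git push
          fi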