fix: alerts and protections disabled upon archival #432
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: plan | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| permissions: {} | |
| jobs: | |
| validate: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| app.terraform.io:443 | |
| archivist.terraform.io:443 | |
| checkpoint-api.hashicorp.com:443 | |
| github.com:443 | |
| objects.githubusercontent.com:443 | |
| registry.terraform.io:443 | |
| releases.hashicorp.com:443 | |
| - name: Checkout Repo | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| persist-credentials: false | |
| show-progress: false | |
| - name: Setup Teraform | |
| uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 | |
| with: | |
| cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} | |
| - name: Prettify | |
| run: terraform fmt -check | |
| continue-on-error: true | |
| - name: Initialise | |
| run: terraform init | |
| - name: Validate | |
| run: terraform validate -no-color | |
| tflint: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| github.com:443 | |
| objects.githubusercontent.com:443 | |
| - name: Checkout Repo | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| persist-credentials: false | |
| show-progress: false | |
| - name: Cache Plugins | |
| uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 | |
| with: | |
| path: ~/.tflint.d/plugins | |
| key: tflint-${{ hashFiles('.tflint.hcl') }} | |
| - name: Setup TFLint | |
| uses: terraform-linters/setup-tflint@8093687ecc9dcbfa88d07c103ad4176739a7287e # v4.1.0 | |
| with: | |
| tflint_version: v0.50.3 | |
| - name: Initialise | |
| run: tflint --init | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| - name: Lint | |
| run: tflint -f compact | |
| trivy: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| # Needed to upload the results to code-scanning dashboard. | |
| security-events: write | |
| env: | |
| trivy_sarif: trivy.sarif | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| d2glxqk2uabbnd.cloudfront.net:443 | |
| d5l0dvt14r5h8.cloudfront.net:443 | |
| ghcr.io:443 | |
| github.com:443 | |
| objects.githubusercontent.com:443 | |
| pkg-containers.githubusercontent.com:443 | |
| public.ecr.aws:443 | |
| raw.githubusercontent.com:443 | |
| - name: Checkout Repo | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| persist-credentials: false | |
| show-progress: false | |
| - name: Run with SARIF Output | |
| uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0 | |
| with: | |
| scan-type: "fs" | |
| format: "sarif" | |
| output: ${{ env.trivy_sarif }} | |
| env: | |
| TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db" | |
| TRIVY_JAVA_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-java-db" | |
| - name: Report via GitHub CodeQL | |
| uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1 | |
| with: | |
| sarif_file: ${{ env.trivy_sarif }} | |
| terraform-cloud-speculative-run: | |
| needs: [validate,tflint,trivy] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| issues: write | |
| env: | |
| TF_CLOUD_ORGANIZATION: "grendel-consulting" | |
| TF_API_TOKEN: ${{ secrets.TF_API_TOKEN }} | |
| TF_WORKSPACE: "codebases" | |
| CONFIG_DIRECTORY: "./" | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| app.terraform.io:443 | |
| archivist.terraform.io:443 | |
| github.com:443 | |
| - name: Checkout Repo | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| persist-credentials: false | |
| show-progress: false | |
| - name: Configure Terraform Cloud | |
| uses: hashicorp/tfc-workflows-github/actions/upload-configuration@8e08d1ba957673f5fbf971a22b3219639dc45661 # v1.3.2 | |
| id: upload | |
| with: | |
| workspace: ${{ env.TF_WORKSPACE }} | |
| directory: ${{ env.CONFIG_DIRECTORY }} | |
| speculative: true | |
| - name: Trigger a Terraform Cloud Run | |
| uses: hashicorp/tfc-workflows-github/actions/create-run@8e08d1ba957673f5fbf971a22b3219639dc45661 # v1.3.2 | |
| id: run | |
| with: | |
| workspace: ${{ env.TF_WORKSPACE }} | |
| configuration_version: ${{ steps.upload.outputs.configuration_version_id }} | |
| plan_only: true | |
| - name: Fetch the Plan Output | |
| uses: hashicorp/tfc-workflows-github/actions/plan-output@8e08d1ba957673f5fbf971a22b3219639dc45661 # v1.3.2 | |
| id: plan-output | |
| with: | |
| plan: ${{ steps.run.outputs.plan_id }} | |
| - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
| if: github.event_name == 'pull_request' | |
| env: | |
| # Load to intermeditate environment variables to avoid script injections | |
| PLANNED_TO_ADD: ${{ steps.plan-output.outputs.add }} | |
| PLANNED_TO_CHANGE: ${{ steps.plan-output.outputs.change }} | |
| PLANNED_TO_DESTROY: ${{ steps.plan-output.outputs.destroy }} | |
| PLAN_URL: ${{ steps.run.outputs.run_link }} | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| script: | | |
| // 1. Retrieve environment variables from the earlier steps | |
| const { PLANNED_TO_ADD, PLANNED_TO_CHANGE, PLANNED_TO_DESTROY, PLAN_URL } = process.env | |
| // 2. Retrieve existing bot comments for the PR | |
| const { data: comments } = await github.rest.issues.listComments({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: context.issue.number, | |
| }) | |
| const botComment = comments.find(comment => { | |
| return comment.user.type === 'Bot' && comment.body.includes('Terraform Cloud Plan Output') | |
| }) | |
| const output = `#### Terraform Cloud Plan Output | |
| Plan: ${PLANNED_TO_ADD} to add, ${PLANNED_TO_CHANGE} to change, ${PLANNED_TO_DESTROY} to destroy. | |
| [Terraform Cloud Plan]("$PLAN_URL") | |
| ` | |
| // 3. If we have a comment, update it, otherwise create a new one | |
| if (botComment) { | |
| github.rest.issues.updateComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| comment_id: botComment.id, | |
| body: output | |
| }) | |
| } else { | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: output | |
| }) | |
| } |