|
| 1 | +# Terraform CI-CD |
| 2 | +This is a demo repository to showcase a possible Terraform CI/CD. |
| 3 | + |
| 4 | +It follows the principle that CI/CD should not commit changes in your branch and you should be aware of errors before merging your Terraform code (CI checks) and fixing yourself. |
| 5 | + |
| 6 | +## Dependencies |
| 7 | +The CI/CD uses several tools to validate your Terraform code. It's expected that you have them installed locally. |
| 8 | + |
| 9 | +- [Terraform](https://www.terraform.io/): Terraform is used to run common terraform commands, such as `terraform init`, `terraform plan`, `terraform apply`, `terraform providers lock`, `terraform validate`. |
| 10 | +- [Tflint](https://github.com/terraform-linters/tflint): Tflint check possible errors and misconfigurations (e.g. EC2 instance types that do not exist), enforce best practices and naimng conventions. It uses the [tflint-ruleset-aws](https://github.com/terraform-linters/tflint-ruleset-aws) to enforce AWS best practices. It's configured via the `.tflint.hcl` file. |
| 11 | +- [Terraform-docs](https://github.com/terraform-docs/terraform-docs/): Creates automatic markdown documentation for the terraform code and Terraform modules. It's being configured via the `.terraform-docs.yaml` file. |
| 12 | +- [Trivy](https://github.com/aquasecurity/trivy): Finds vulnerabilities, misconfigurations and securities issues in the Terraform code. It's being configured via the `trivy.yaml` file. |
| 13 | + |
| 14 | +This repository uses [Devbox](https://www.jetify.com/devbox) to manage the Development environment so you can install all needed tools just running `devbox shell`. |
| 15 | + |
| 16 | +## Directory Structure |
| 17 | + |
| 18 | +``` |
| 19 | +├── backend.tf # Defines S3-based backend to store Terraform States |
| 20 | +├── config # Account-Region based backend configuration (S3 bucket + DynamoDB table) |
| 21 | +├── modules # Custom Terraform modules that will be used by the root Terraform project |
| 22 | +├── vars # Account-Region based files to declaratively define variables values |
| 23 | +``` |
| 24 | + |
| 25 | +This project follows an Account-Region based deployment, i.e. an environment is treated as the combination of AWS Accont and AWS Region (e.g. us-east-1 resources in account 111111111111 is treated as a single environment). |
| 26 | + |
| 27 | +## How does this CI/CD work? |
| 28 | +There is a custom GitHub Actions (`./github/actions/terraform/action.yaml` file) action that is used to run terraform plan and apply commands in a given environment, please check the `./github/workflows/main.yaml` file to understand how this is being used. A `ci` Job was also created to validate formating, linting and security issues. |
| 29 | + |
| 30 | +The best way to fully understand the CI/CD is to check its executions. Check the: |
| 31 | +- [PR to create simple SQS queue](https://github.com/felipe-loka/terraform-ci-cd/pull/6) to see the CI in action. |
| 32 | +- [PR to create an EC2 module](https://github.com/felipe-loka/terraform-ci-cd/pull/8) to see the CI in action. |
| 33 | + |
| 34 | +## How to fix problems that appear during CI? |
| 35 | + |
| 36 | +| CI failures | Command | |
| 37 | +|:------------------------:|:----------------------------------------------------------------------------------------------------------------:| |
| 38 | +| terraform fmt | `terraform fmt -recursive` | |
| 39 | +| Trivy scan | ` trivy config . --severity CRITICAL,HIGH --quiet && cat trivy-result.txt` | |
| 40 | +| terraform-docs | `terraform-docs .` | |
| 41 | +| terraform providers lock | `terraform providers lock -platform=linux_amd64 -platform=darwin_amd64 -platform=darwin_arm64` | |
| 42 | +| tflint | `tflint --init && tflint --recursive` | |
| 43 | +| | | |
| 44 | +| | | |
| 45 | + |
| 46 | + |
1 | 47 | <!-- BEGIN_TF_DOCS --> |
2 | 48 | ## Requirements |
3 | 49 |
|
|
0 commit comments