Merge pull request #1 from soat-tech-challenge/feat/terraform-workflows

g-otn · web-flow · commit d085287bc482 · 2023-11-04T18:15:07.000-03:00
feat: terraform workflows
diff --git a/.github/workflows/terraform-apply.yml b/.github/workflows/terraform-apply.yml
@@ -0,0 +1,61 @@
+# Terraform API-driven apply run using Terraform Cloud
+name: Terraform Apply
+
+on:
+  workflow_call:
+    # See https://developer.hashicorp.com/terraform/cli/cloud/settings#environment-variables
+    inputs:
+      cloud_organization:
+        type: string
+        default: "soat-tech-challenge"
+      cloud_workspace:
+        type: string
+      config_directory:
+        type: string
+        default: "./"
+    secrets:
+      cloud_token:
+        required: true
+
+jobs:
+  apply:
+    name: Apply
+    runs-on: ubuntu-latest
+
+    outputs:
+      status: ${{ steps.apply-run.outputs.status }}
+      payload: ${{ steps.apply-run.outputs.payload }}
+      run_id: ${{ steps.apply-run.outputs.id }}
+      run_link: ${{ steps.apply-run.outputs.run_link }}
+      plan_id: ${{ steps.apply-run.outputs.plan_id }}
+
+    env:
+      TF_CLOUD_ORGANIZATION: ${{ inputs.cloud_organization }}
+      TF_API_TOKEN: ${{ secrets.cloud_token }}
+      TF_WORKSPACE: ${{ inputs.cloud_workspace }}
+      CONFIG_DIRECTORY: ${{ inputs.config_directory }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Upload Configuration
+        uses: hashicorp/tfc-workflows-github/actions/upload-configuration@v1.0.4
+        id: apply-upload
+        with:
+          workspace: ${{ env.TF_WORKSPACE }}
+          directory: ${{ env.CONFIG_DIRECTORY }}
+
+      - name: Create Apply Run
+        uses: hashicorp/tfc-workflows-github/actions/create-run@v1.0.4
+        id: apply-run
+        with:
+          workspace: ${{ env.TF_WORKSPACE }}
+          configuration_version: ${{ steps.apply-upload.outputs.configuration_version_id }}
+
+      - name: Apply
+        uses: hashicorp/tfc-workflows-github/actions/apply-run@v1.0.4
+        if: fromJSON(steps.apply-run.outputs.payload).data.attributes.actions.IsConfirmable
+        with:
+          run: ${{ steps.apply-run.outputs.run_id }}
+          comment: "Apply Run from GitHub Actions CI ${{ github.sha }}"
diff --git a/.github/workflows/terraform-destroy.yml b/.github/workflows/terraform-destroy.yml
@@ -0,0 +1,40 @@
+# Terraform CLI-driven destroy run using Remote Host
+name: Terraform Destroy
+
+on:
+  workflow_call:
+    inputs:
+      workspace:
+        type: string
+    secrets:
+      token:
+        required: true
+
+jobs:
+  terraform_destroy:
+    name: Terraform Destroy
+
+    runs-on: ubuntu-latest
+
+    env:
+      TF_IN_AUTOMATION: true
+      TF_INPUT: false
+      TF_WORKSPACE: ${{ inputs.workspace }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          cli_config_credentials_token: ${{ secrets.token }}
+
+      - name: Terraform Init
+        run: terraform init
+
+      - name: Terraform Plan
+        run: terraform plan -destroy
+
+      - name: Terraform Destroy
+        run: terraform destroy -auto-approve
diff --git a/.github/workflows/terraform-plan.yml b/.github/workflows/terraform-plan.yml
@@ -0,0 +1,112 @@
+# Terraform API-driven speculative plan run using Terraform Cloud
+name: Terraform Speculative Plan
+
+on:
+  workflow_call:
+    # See https://developer.hashicorp.com/terraform/cli/cloud/settings#environment-variables
+    inputs:
+      cloud_organization:
+        type: string
+        default: "soat-tech-challenge"
+      cloud_workspace:
+        type: string
+      config_directory:
+        type: string
+        default: "./"
+    secrets:
+      cloud_token:
+        required: true
+
+jobs:
+  terraform-cloud-speculative-plan:
+    name: Terraform Cloud Speculative Plan
+    runs-on: ubuntu-latest
+
+    outputs:
+      status: ${{ steps.apply-run.outputs.status }}
+      payload: ${{ steps.apply-run.outputs.payload }}
+      run_id: ${{ steps.apply-run.outputs.id }}
+      run_link: ${{ steps.apply-run.outputs.run_link }}
+      plan_id: ${{ steps.apply-run.outputs.plan_id }}
+
+    env:
+      TF_CLOUD_ORGANIZATION: ${{ inputs.cloud_organization }}
+      TF_API_TOKEN: ${{ secrets.cloud_token }}
+      TF_WORKSPACE: ${{ inputs.cloud_workspace }}
+      CONFIG_DIRECTORY: ${{ inputs.config_directory }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Upload Configuration
+        uses: hashicorp/tfc-workflows-github/actions/upload-configuration@v1.0.4
+        id: plan-upload
+        with:
+          workspace: ${{ env.TF_WORKSPACE }}
+          directory: ${{ env.CONFIG_DIRECTORY }}
+          speculative: true
+
+      - name: Create Plan Run
+        uses: hashicorp/tfc-workflows-github/actions/create-run@v1.0.4
+        id: plan-run
+        ## run may fail, if so continue to output PR comment
+        ## step.terraform-cloud-check-run-status will fail job after pr comment is created/updated.
+        continue-on-error: true
+        with:
+          workspace: ${{ env.TF_WORKSPACE }}
+          configuration_version: ${{ steps.plan-upload.outputs.configuration_version_id }}
+          plan_only: true
+
+      - name: Get Plan Output
+        uses: hashicorp/tfc-workflows-github/actions/plan-output@v1.0.4
+        id: plan-output
+        with:
+          plan: ${{ steps.plan-run.outputs.plan_id }}
+
+      - name: Update PR with Plan comment
+        uses: actions/github-script@v6
+        if: github.event_name == 'pull_request'
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            // 1. Retrieve existing bot comments for the PR
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+            })
+            const botComment = comments.find(comment => {
+              return comment.user.type === 'Bot' && comment.body.includes('Terraform Cloud Plan Output')
+            })
+            const output = `#### Terraform Cloud Plan Output
+            \`\`\`
+            Plan: ${{ steps.plan-output.outputs.add }} to add, ${{ steps.plan-output.outputs.change }} to change, ${{ steps.plan-output.outputs.destroy }} to destroy.
+            \`\`\`
+            [Terraform Cloud Plan](${{ steps.plan-run.outputs.run_link }})
+            `
+            // 3. If we have a comment, update it, otherwise create a new one
+            if (botComment) {
+              github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: botComment.id,
+                body: output
+              })
+            } else {
+              github.rest.issues.createComment({
+                issue_number: context.issue.number,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                body: output
+              })
+            }
+
+        ## Check Run Status, if not planned_and_finished fail the job
+      - id: terraform-cloud-check-run-status
+        if: ${{ steps.plan-run.outputs.run_status != 'planned_and_finished'}}
+        run: |
+          echo "Terraform Cloud Run Failed or Requires Further Attention"
+          echo "Run Status: '${{ steps.plan-run.outputs.run_status }}'"
+          echo "${{ steps.plan-run.outputs.run_link }}"
+          exit 1
diff --git a/.github/workflows/tflint.yml b/.github/workflows/tflint.yml
@@ -0,0 +1,25 @@
+name: TFLint
+
+on:
+  workflow_call:
+
+jobs:
+  tflint:
+    name: TFLint
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Setup TFLint
+        uses: terraform-linters/setup-tflint@v3
+
+      - name: Init TFLint
+        run: tflint --init
+        env:
+          # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+          GITHUB_TOKEN: ${{ github.token }}
+
+      - name: Run TFLint
+        run: tflint -f compact
diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml
@@ -0,0 +1,19 @@
+name: tfsec
+
+on:
+  workflow_call:
+
+jobs:
+  tfsec:
+    name: tfsec
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: tfsec
+        uses: aquasecurity/tfsec-pr-commenter-action@v1.3.1
+        with:
+          tfsec_args: --soft-fail
+          github_token: ${{ github.token }}
