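---
# Pull-request gate for the terraform modules in this repository: three static
# scanners (terrascan, checkov, tfsec) run in parallel, then infracost
# estimates the cost delta for each environment of the matrix and a final job
# merges the per-environment results into one comment on the pull request.
name: Pull Request Build

# `on` looks like a YAML 1.1 boolean, but GitHub's loader handles it; keep the
# key as written (suppress yamllint `truthy` on this line if the file is linted).
on:
  pull_request:
    branches:
      - main
    paths-ignore:
      - makefile

jobs:
  # NOTE: every scanner job and scanner step below is `continue-on-error: true`,
  # so a finding never fails the PR check -- the scan results are advisory only.
  # Drop the flag on the scan step of a job if its findings should block merge.
  #
  # Third-party actions (`actions/checkout@v3`, `actions/download-artifact@v3`,
  # `infracost/actions/setup@v2`) are referenced by a mutable tag. Pinning each
  # `uses:` to a full commit SHA is the usual hardening so a moved tag cannot
  # change what runs in these jobs; the SHAs are not known from this file.
  terrascan:
    name: terrascan check terraform modules
    continue-on-error: true
    runs-on: ubuntu-latest
    permissions:
      # Declaring any job-level permission resets all others to `none`;
      # checkout of a private repository needs contents:read, so grant it
      # explicitly instead of relying on the repository being public.
      contents: read
      security-events: write
    steps:
      - name: checkout repo
        uses: actions/checkout@v3
      - name: terrascan check
        continue-on-error: true
        uses: ./.github/action/terrascan-action

  checkov:
    name: checkov check terraform modules
    continue-on-error: true
    permissions:
      contents: read
      security-events: write
    runs-on: ubuntu-latest
    steps:
      - name: checkout repo
        uses: actions/checkout@v3
      - name: checkov check
        continue-on-error: true
        uses: ./.github/action/checkov-action

  tfsec:
    name: tfsec check terraform modules
    continue-on-error: true
    permissions:
      contents: read
      security-events: write
    runs-on: ubuntu-latest
    steps:
      - name: checkout repo
        uses: actions/checkout@v3
      - name: tfsec check
        continue-on-error: true
        uses: ./.github/action/tfsec-action

  # One job per environment. Each entry supplies the pieces of the IAM role ARN
  # assumed via OIDC (partition, account, role name) plus the matching STS
  # audience for that partition.
  terragrunt-infracost-action:
    strategy:
      matrix:
        include:
          # Account ids are quoted: an unquoted all-digit value is parsed as an
          # integer, which silently drops a leading zero from an account id.
          - env-dir: dev
            aws-region: us-east-1
            aws-account-id: "733051034790"
            aws-role: terragrunt
            aws: aws
            aws-audience: sts.amazonaws.com
          - env-dir: prod
            aws-region: cn-northwest-1
            aws-account-id: "527109613237"
            aws-role: terragrunt
            aws: aws-cn
            aws-audience: sts.cn-northwest-1.amazonaws.com.cn
          - env-dir: stage
            aws-region: ap-southeast-1
            aws-account-id: "594962198840"
            aws-role: terragrunt
            aws: aws
            aws-audience: sts.amazonaws.com
    runs-on: ubuntu-latest
    # Advisory as well: a failed estimate for one environment does not fail
    # the PR, but `infracost-report` still waits on this job via `needs`.
    continue-on-error: true
    permissions:
      # id-token:write is what lets the composite action obtain the OIDC token
      # for `role-to-assume`; contents:read is needed for the checkout step.
      id-token: write
      contents: read
      actions: read
    steps:
      - name: Checkout repo
        uses: actions/checkout@v3
      - name: infracost estimates the cost
        uses: ./.github/action/infracost-action
        with:
          role-to-assume: arn:${{ matrix.aws }}:iam::${{ matrix.aws-account-id }}:role/${{ matrix.aws-role }}
          role-session-name: github-action
          aws-region: ${{ matrix.aws-region }}
          env-dir: ${{ matrix.env-dir }}
          aws-audience: ${{ matrix.aws-audience }}
          infracost_api_key: ${{ secrets.INFRACOST_API_KEY }}
          # Composite-action inputs are always strings; kept quoted on purpose.
          create_pr: 'true'

  # Collects the per-environment JSON results and posts a single PR comment.
  infracost-report:
    needs:
      - terragrunt-infracost-action
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
      actions: read
      # Required by `infracost comment github` to create/update the PR comment.
      pull-requests: write
    steps:
      - name: Setup Infracost
        # https://github.com/infracost/actions
        # https://github.com/infracost/actions/tree/master/setup for other inputs
        uses: infracost/actions/setup@v2
        with:
          api-key: ${{ secrets.INFRACOST_API_KEY }}
      - name: download-artifact
        # Assumes the `infracost` artifact is uploaded by the
        # ./.github/action/infracost-action composite action -- TODO confirm.
        uses: actions/download-artifact@v3
        with:
          name: infracost
          path: ~/infracost
      - name: concat the infracost result
        # Same directory as `~/infracost` above on the ubuntu-latest runner;
        # `working-directory` does not expand `~`, hence the absolute path.
        working-directory: /home/runner/infracost/
        run: |
          infracost output --path "infracost-*.json" --format json --out-file /tmp/infracost.json
      - name: Post Infracost comment
        env:
          # Passed through the environment instead of being interpolated into
          # the shell line, so neither value is subject to shell parsing and
          # the token is not echoed in the step's command line.
          GITHUB_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          infracost comment github --path=/tmp/infracost.json \
            --repo="$GITHUB_REPOSITORY" \
            --github-token="$GITHUB_TOKEN" \
            --pull-request="$PR_NUMBER" \
            --behavior=update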