Skip to content

chore(deps): update pre-commit hook antonbabenko/pre-commit-terraform to v1.83.6 #98

chore(deps): update pre-commit hook antonbabenko/pre-commit-terraform to v1.83.6

chore(deps): update pre-commit hook antonbabenko/pre-commit-terraform to v1.83.6 #98

name: plan
on:
pull_request:
branches:
- main
env:
TF_API_TOKEN: "${{ secrets.TF_API_TOKEN }}"
jobs:
validate:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@v2.6.0
with:
egress-policy: audit
- name: Checkout Repo
uses: actions/checkout@v4
with:
show-progress: false
- name: Setup Teraform
uses: hashicorp/setup-terraform@v3
with:
cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
- name: Prettify
run: terraform fmt -check
continue-on-error: true
- name: Initialise
run: terraform init
- name: Validate
run: terraform validate -no-color
tflint:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@v2.6.0
with:
egress-policy: audit
- name: Checkout Repo
uses: actions/checkout@v4
with:
show-progress: false
- name: Cache Plugins
uses: actions/cache@v3
with:
path: ~/.tflint.d/plugins
key: tflint-${{ hashFiles('.tflint.hcl') }}
- name: Setup TFLint
uses: terraform-linters/setup-tflint@v4
with:
tflint_version: v0.46.1
- name: Initialise
run: tflint --init
env:
GITHUB_TOKEN: ${{ github.token }}
- name: Lint
run: tflint -f compact
tfsec:
runs-on: ubuntu-latest
permissions:
contents: read
env:
tfsec_sarif: tfsec.sarif
steps:
- name: Harden Runner
uses: step-security/harden-runner@v2.6.0
with:
egress-policy: audit
- name: Checkout Repo
uses: actions/checkout@v4
with:
show-progress: false
- name: Run with SARIF Output
uses: tfsec/tfsec-sarif-action@v0.1.4
with:
sarif_file: ${{ env.tfsec_sarif }}
- name: Report via GitHub CodeQL
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ env.tfsec_sarif }}
terraform-cloud-speculative-run:
needs: [validate,tflint,tfsec]
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
issues: write
env:
TF_CLOUD_ORGANIZATION: "grendel-consulting"
TF_WORKSPACE: "cloud-factory"
CONFIG_DIRECTORY: "./"
steps:
- name: Harden Runner
uses: step-security/harden-runner@v2.6.0
with:
egress-policy: audit
- name: Checkout Repo
uses: actions/checkout@v4
with:
show-progress: false
- name: Configure Terraform Cloud
uses: hashicorp/tfc-workflows-github/actions/upload-configuration@v1.1.1
id: upload
with:
workspace: ${{ env.TF_WORKSPACE }}
directory: ${{ env.CONFIG_DIRECTORY }}
speculative: true
- name: Trigger a Terraform Cloud Run
uses: hashicorp/tfc-workflows-github/actions/create-run@v1.1.1
id: run
with:
workspace: ${{ env.TF_WORKSPACE }}
configuration_version: ${{ steps.upload.outputs.configuration_version_id }}
plan_only: true
- name: Fetch the Plan Output
uses: hashicorp/tfc-workflows-github/actions/plan-output@v1.1.1
id: plan-output
with:
plan: ${{ steps.run.outputs.plan_id }}
- uses: actions/github-script@v7
if: github.event_name == 'pull_request'
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
// 1. Retrieve existing bot comments for the PR
const { data: comments } = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
})
const botComment = comments.find(comment => {
return comment.user.type === 'Bot' && comment.body.includes('Terraform Cloud Plan Output')
})
const output = `#### Terraform Cloud Plan Output
Plan: ${{ steps.plan-output.outputs.add }} to add, ${{ steps.plan-output.outputs.change }} to change, ${{ steps.plan-output.outputs.destroy }} to destroy.
[Terraform Cloud Plan](${{ steps.run.outputs.run_link }})
`
// 3. If we have a comment, update it, otherwise create a new one
if (botComment) {
github.rest.issues.updateComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: botComment.id,
body: output
})
} else {
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})
}