pull_request.yml
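# Validates Terraform changes proposed in a pull request against the target
# branch (prod or qa): fmt -> tflint -> terraform validate -> {trivy config
# scan, terraform plan}. Nothing in this workflow applies changes.
#
# The trigger is `pull_request`, not `pull_request_target`: the job runs on
# the PR's code with a read-only token, and for PRs opened from forks GitHub
# withholds repository secrets, so TERRAFORM_ENV_BASE64 is only present for
# same-repository branches. Keep it that way -- the validate/tfplan jobs
# `source` the decoded secret, i.e. they execute whatever it contains.
name: Pull Request Validation

on:  # yamllint disable-line rule:truthy
  pull_request:
    paths:
      - 'terraform/**'
      # Changes to this workflow (and other CI config) are exercised by the
      # PR that makes them.
      - '.github/**'

# Least privilege for the job token. Repository defaults may grant
# read/write; every job here only needs to read the checkout.
permissions:
  contents: read

jobs:
  fmt:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    # No secret here: formatting needs nothing beyond the checkout.
    steps:
      - uses: actions/checkout@v4
        with:
          # The workflow never pushes; do not leave the job token in
          # .git/config for later steps/actions to pick up.
          persist-credentials: false
      - name: fmt-check
        # Relies on the terraform binary shipped in the runner image; the
        # other jobs obtain it via hashicorp/setup-terraform. Consider doing
        # the same here so all jobs format/validate with one version.
        run: |
          terraform fmt -recursive -check .

  lint:
    needs: [fmt]
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: terraform-linters/setup-tflint@v4
        name: Setup TFLint
        with:
          # NOTE(review): `latest` is unpinned -- a new tflint release can
          # change the result of this job (or its behaviour) without any
          # change to this repository. Pin a version once one is chosen.
          tflint_version: latest
      - name: tflint
        shell: bash
        run: |
          set -euo pipefail
          # GITHUB_BASE_REF is the PR's target branch; only prod and qa are
          # valid targets. Both currently lint the same directory -- the
          # case statement is kept as the gate that rejects anything else.
          _branch="${GITHUB_BASE_REF}"
          case "${_branch}" in
            prod|qa)
              _tfdir=terraform
              ;;
            *)
              echo "ERROR: Unknown target branch: ${_branch}"
              exit 1
              ;;
          esac
          cd "${_tfdir}"
          echo "***Running terraform lint***"
          tflint

  validate:
    needs: [lint]
    name: validate
    runs-on: ubuntu-latest
    timeout-minutes: 5
    env:
      # base64-encoded shell file (`KEY=value` lines) that provides the
      # backend settings read below (TF_VAR_tf_state_*) and, presumably,
      # the cloud credentials `terraform init` needs to reach the state
      # bucket -- verify against the secret's contents. Only this encoded
      # value is log-masked by GitHub; the individual values it expands to
      # are not, so never echo what was sourced.
      TERRAFORM_ENV_BASE64: ${{ secrets.TERRAFORM_ENV_BASE64 }}
    steps:
      - name: Check out code
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: hashicorp/setup-terraform@v3
      - name: terraform validate
        shell: bash
        run: |-
          set -euo pipefail
          # Fail fast when the secret is absent (e.g. a fork PR, or a
          # misnamed secret) instead of sourcing nothing and initialising
          # the backend with empty bucket/region/key.
          if [ -z "${TERRAFORM_ENV_BASE64:-}" ]; then
            echo "ERROR: TERRAFORM_ENV_BASE64 is not set (secrets are withheld on fork PRs)"
            exit 1
          fi
          # Decode into the shell rather than into a `tfvars` file in the
          # workspace: the decoded contents are executed as shell, and a
          # plaintext copy on disk can be picked up by a later step or
          # artifact. The assignment fails the job if base64 rejects the
          # input (set -e + pipefail), which a process substitution alone
          # would not.
          _env="$(printf '%s' "${TERRAFORM_ENV_BASE64}" | base64 -d)"
          # shellcheck disable=SC1090
          source <(printf '%s\n' "${_env}")
          unset _env
          _branch="${GITHUB_BASE_REF}"
          _tfdir=terraform
          # With `set -u`, a missing TF_VAR_tf_state_key_prefix aborts here
          # rather than producing the key "/prod/terraform.tfstate".
          case "${_branch}" in
            prod)
              _stateKey="${TF_VAR_tf_state_key_prefix}/prod/terraform.tfstate"
              ;;
            qa)
              _stateKey="${TF_VAR_tf_state_key_prefix}/qa/terraform.tfstate"
              ;;
            *)
              echo "ERROR: Unknown target branch: ${_branch}"
              exit 1
              ;;
          esac
          # Exported only after the branch passed the gate above, so the
          # provider never sees an arbitrary branch name.
          export TF_VAR_pingone_environment_name="${_branch}"
          # NOTE(review): `terraform validate` does not read remote state;
          # if nothing in this config needs the sourced credentials to fetch
          # modules, `init -backend=false` would let this job run without
          # touching the state bucket at all.
          terraform -chdir="${_tfdir}" init \
            -backend-config="bucket=${TF_VAR_tf_state_bucket}" \
            -backend-config="region=${TF_VAR_tf_state_region}" \
            -backend-config="key=${_stateKey}"
          echo "***Running terraform validate***"
          terraform -chdir="${_tfdir}" validate

  trivy:
    needs: [validate]
    runs-on: ubuntu-latest
    timeout-minutes: 10
    # No secret here: the config scan only reads the checkout.
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Trivy
        # TODO(review): `master` is a mutable branch -- a compromised or
        # force-pushed upstream would run here against the checkout. Pin to
        # a release tag, ideally its full commit SHA, and let Dependabot
        # bump it.
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'config'
          hide-progress: false
          # Findings fail the job.
          exit-code: '1'

  tfplan:
    needs: [validate]
    runs-on: ubuntu-latest
    timeout-minutes: 15
    env:
      # Same decoded-and-sourced secret as in `validate`; see the note there.
      TERRAFORM_ENV_BASE64: ${{ secrets.TERRAFORM_ENV_BASE64 }}
    steps:
      - name: Check out code
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: hashicorp/setup-terraform@v3
      - name: terraform plan
        shell: bash
        run: |-
          set -euo pipefail
          if [ -z "${TERRAFORM_ENV_BASE64:-}" ]; then
            echo "ERROR: TERRAFORM_ENV_BASE64 is not set (secrets are withheld on fork PRs)"
            exit 1
          fi
          # Decode into the shell, not onto disk (see `validate`).
          _env="$(printf '%s' "${TERRAFORM_ENV_BASE64}" | base64 -d)"
          # shellcheck disable=SC1090
          source <(printf '%s\n' "${_env}")
          unset _env
          _branch="${GITHUB_BASE_REF}"
          _tfdir=terraform
          # PINGONE_TARGET_ENVIRONMENT_ID_{PROD,QA} are expected to come from
          # the sourced file -- confirm. With `set -u` an unset one aborts
          # the job instead of silently exporting an empty environment id.
          case "${_branch}" in
            prod)
              _stateKey="${TF_VAR_tf_state_key_prefix}/prod/terraform.tfstate"
              export TF_VAR_pingone_target_environment_id="${PINGONE_TARGET_ENVIRONMENT_ID_PROD}"
              ;;
            qa)
              _stateKey="${TF_VAR_tf_state_key_prefix}/qa/terraform.tfstate"
              export TF_VAR_pingone_target_environment_id="${PINGONE_TARGET_ENVIRONMENT_ID_QA}"
              ;;
            *)
              echo "ERROR: Unknown target branch: ${_branch}"
              exit 1
              ;;
          esac
          export TF_VAR_pingone_environment_name="${_branch}"
          terraform -chdir="${_tfdir}" init \
            -backend-config="bucket=${TF_VAR_tf_state_bucket}" \
            -backend-config="region=${TF_VAR_tf_state_region}" \
            -backend-config="key=${_stateKey}"
          echo "***Running terraform plan***"
          # The plan is printed to the job log, which PR participants can
          # read; anything the configuration treats as secret must be
          # declared `sensitive = true` so the plan output redacts it.
          terraform -chdir="${_tfdir}" plan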