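---
# OpenTofu CI/CD workflow: lint/validate on every push and PR to main,
# run Terratest on PRs only, and scan the configuration with Trivy.
name: OpenTofu CI/CD

on:
  pull_request:
    branches:
      - main
  push:
    branches:
      - main

# Least privilege by default: every job receives a read-only GITHUB_TOKEN
# unless it declares its own `permissions` block (security-scan does, below).
permissions:
  contents: read

# Cancel superseded runs of this workflow on the same ref.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  OPENTOFU_VERSION: "1.8.0"
  GO_VERSION: "1.21"
  # Quoted: a bare `true` is a YAML boolean, but env values are strings.
  TF_IN_AUTOMATION: "true"

jobs:
  validate:
    name: Validate and Lint
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup OpenTofu
        uses: opentofu/setup-opentofu@v1
        with:
          tofu_version: ${{ env.OPENTOFU_VERSION }}

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Setup TFLint
        uses: terraform-linters/setup-tflint@v4
        with:
          tflint_version: v0.50.3

      - name: Install terraform-docs
        # `@latest` resolves to a different binary over time, so the docs
        # check is not reproducible; pin to a release tag (`@vX.Y.Z`) once
        # the team has agreed on one.
        run: go install github.com/terraform-docs/terraform-docs@latest

      - name: OpenTofu Format Check
        run: tofu fmt -check -recursive

      - name: OpenTofu Init
        # No backend: validation needs providers and modules, not state.
        run: tofu init -backend=false

      - name: OpenTofu Validate
        run: tofu validate

      - name: TFLint
        run: |
          tflint --init
          tflint

      - name: Check Documentation
        # Regenerate README.md in place (terraform-docs injects between its
        # markers, so custom content outside them is kept) and fail if the
        # result differs from the committed file. Comparing against git
        # replaces the copy/restore dance and leaves the tree clean.
        run: |
          terraform-docs markdown . --output-file README.md
          if ! git diff --quiet -- README.md; then
            echo "Documentation is out of date. Please run 'make docs' and commit the changes."
            echo "Differences found:"
            git --no-pager diff -- README.md
            exit 1
          fi

  test:
    name: Terratest
    runs-on: ubuntu-latest
    needs: validate
    # Only pull requests run the integration tests; pushes to main skip them.
    if: github.event_name == 'pull_request'
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup OpenTofu
        uses: opentofu/setup-opentofu@v1
        with:
          tofu_version: ${{ env.OPENTOFU_VERSION }}
          # Presumably so the Go tests invoke the real binary rather than
          # the action's wrapper script — confirm against the test harness.
          tofu_wrapper: false

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Run Terratest
        working-directory: test
        run: |
          go mod download
          go test -v -timeout 10m -parallel 2

  security-scan:
    name: Security Scanning
    runs-on: ubuntu-latest
    # Job-level permissions replace the workflow default entirely, so
    # `contents: read` is restated; `security-events: write` is required
    # by the SARIF upload.
    permissions:
      security-events: write
      actions: read
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # The SARIF scan and its upload run first so findings always reach the
      # Security tab, even when the gating table scan below fails the job.
      - name: Run Trivy security scan (sarif format)
        # Pinned to a release instead of the mutable `master` branch so the
        # scanner cannot change underneath the pipeline between runs; a
        # full commit SHA is the stricter option.
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: 'config'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy results to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
        # Upload is best-effort: it is rejected on forks and on repositories
        # without code scanning enabled, and that must not fail the run.
        continue-on-error: true

      - name: Run Trivy security scan (table format)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: 'config'
          scan-ref: '.'
          format: 'table'
          # Make the scan a gate: HIGH/CRITICAL misconfigurations fail the
          # job instead of only being printed to the log.
          severity: 'CRITICAL,HIGH'
          exit-code: '1'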