Tips-Of-Mine/terraform-github-actions
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: Tips-Of-Mine:insecure-nsg
Branches Tags
Tips-Of-Mine:main
Tips-Of-Mine:tjcorr-patch-1
Tips-Of-Mine:node20
Tips-Of-Mine:insecure-nsg
...
pull from: Tips-Of-Mine:main
Branches Tags
Tips-Of-Mine:tjcorr-patch-1
Tips-Of-Mine:main
Tips-Of-Mine:node20
Tips-Of-Mine:insecure-nsg

3 Commits
insecure-n ... main

Author SHA1 Message Date
T.J. Corrigan
f4eb48d54c
Update GitHub Actions workflows to use node20 (#24) 2024-03-28 08:08:25 -05:00
Tugdual Grall
2a0f34f27c
Update README.md (#3) 2023-10-19 12:55:46 -05:00
T.J. Corrigan
56ba79ef8e
README typo 2022-11-01 10:57:54 -05:00
4 changed files with 23 additions and 18 deletions
Show Stats Expand all files Collapse all files

10
.github/workflows/tf-drift.yml vendored
View File

@ -30,11 +30,11 @@ jobs:
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@v4
# Install the latest version of the Terraform CLI
- name: Setup Terraform
uses: hashicorp/setup-terraform@v2
uses: hashicorp/setup-terraform@v3
with:
terraform_wrapper: false
@ -61,7 +61,7 @@ jobs:
# Save plan to artifacts
- name: Publish Terraform Plan
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: tfplan
path: tfplan
@ -93,7 +93,7 @@ jobs:
# If changes are detected, create a new issue
- name: Publish Drift Report
if: steps.tf-plan.outputs.exitcode == 2
uses: actions/github-script@v6
uses: actions/github-script@v7
env:
SUMMARY: "${{ steps.tf-plan-string.outputs.summary }}"
with:
@ -141,7 +141,7 @@ jobs:
# If changes aren't detected, close any open drift issues
- name: Publish Drift Report
if: steps.tf-plan.outputs.exitcode == 0
uses: actions/github-script@v6
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |

14
.github/workflows/tf-plan-apply.yml vendored
View File

@ -33,11 +33,11 @@ jobs:
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@v4
# Install the latest version of the Terraform CLI
- name: Setup Terraform
uses: hashicorp/setup-terraform@v2
uses: hashicorp/setup-terraform@v3
with:
terraform_wrapper: false
@ -69,7 +69,7 @@ jobs:
# Save plan to artifacts
- name: Publish Terraform Plan
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: tfplan
path: tfplan
@ -101,7 +101,7 @@ jobs:
# If this is a PR post the changes
- name: Push Terraform Output to PR
if: github.ref != 'refs/heads/main'
uses: actions/github-script@v6
uses: actions/github-script@v7
env:
SUMMARY: "${{ steps.tf-plan-string.outputs.summary }}"
with:
@ -125,11 +125,11 @@ jobs:
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@v4
# Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
- name: Setup Terraform
uses: hashicorp/setup-terraform@v2
uses: hashicorp/setup-terraform@v3
# Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
- name: Terraform Init
@ -137,7 +137,7 @@ jobs:
# Download saved plan from artifacts
- name: Download Terraform Plan
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: tfplan

11
.github/workflows/tf-unit-tests.yml vendored
View File

@ -3,6 +3,11 @@ name: 'Terraform Unit Tests'
on:
push:
permissions:
security-events: write # Needed to upload-sarif
contents: read # Needed to clone repo
actions: read # Potentially needed for private repositories (see https://github.com/github/codeql-action/issues/2117)
jobs:
terraform-unit-tests:
name: 'Terraform Unit Tests'
@ -11,11 +16,11 @@ jobs:
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@v4
# Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
- name: Setup Terraform
uses: hashicorp/setup-terraform@v2
uses: hashicorp/setup-terraform@v3
# Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
- name: Terraform Init
@ -39,7 +44,7 @@ jobs:
# Upload results to GitHub Advanced Security
- name: Upload SARIF file
if: success() || failure()
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
category: checkov

6
README.md
View File

@ -19,7 +19,7 @@ This is a sample repository that shows how to use GitHub Actions workflows to ma
1. [**Terraform Unit Tests**](.github/workflows/tf-unit-tests.yml)
This workflow runs on every commit and is composed of a set of unit tests on the infrastructure code. It runs [terraform fmt]( https://www.terraform.io/cli/commands/fmt) to ensure the code is properly linted and follows terraform best practices. Next it performs [terraform validate](https://www.terraform.io/cli/commands/validate) to check that the code is syntactically correct and internally consistent. Lastly, [checkov](https://github.com/bridgecrewio/checkov), an open source static code analysis tool for IaC, will run to detect security and complaince issues. If the repository is utilizing GitHub Advanced Security (GHAS), the results will be uploaded to GitHub.
This workflow runs on every commit and is composed of a set of unit tests on the infrastructure code. It runs [terraform fmt]( https://www.terraform.io/cli/commands/fmt) to ensure the code is properly linted and follows terraform best practices. Next it performs [terraform validate](https://www.terraform.io/cli/commands/validate) to check that the code is syntactically correct and internally consistent. Lastly, [checkov](https://github.com/bridgecrewio/checkov), an open source static code analysis tool for IaC, will run to detect security and compliance issues. If the repository is utilizing GitHub Advanced Security (GHAS), the results will be uploaded to GitHub.
2. [**Terraform Plan / Apply**](.github/workflows/tf-plan-apply.yml)
@ -39,7 +39,7 @@ To use these workflows in your environment several prerequisite steps are requir
2. **Create GitHub Environment**
The workflows utilizes GitHub Environments and Secrets to store the azure identity information and setup an approval process for deployments. Create an environment named `production` by following these [insturctions](https://docs.github.com/actions/deployment/targeting-different-environments/using-environments-for-deployment#creating-an-environment). On the `production` environment setup a protection rule and add any required approvers you want that need to sign off on production deployments. You can also limit the environment to your main branch. Detailed instructions can be found [here](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-protection-rules).
The workflows utilizes GitHub Environments and Secrets to store the azure identity information and setup an approval process for deployments. Create an environment named `production` by following these [instructions](https://docs.github.com/actions/deployment/targeting-different-environments/using-environments-for-deployment#creating-an-environment). On the `production` environment setup a protection rule and add any required approvers you want that need to sign off on production deployments. You can also limit the environment to your main branch. Detailed instructions can be found [here](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-protection-rules).
3. **Setup Azure Identity**:
@ -72,4 +72,4 @@ To use these workflows in your environment several prerequisite steps are requir
## Additional Resources
A companion article detailing how to use GitHub Actions to deploy to Azure using IaC can be found at the [DevOps Resource Center](). `TODO: add link`
A companion article detailing how to use GitHub Actions to deploy to Azure using IaC can be found at the [DevOps Resource Center](https://learn.microsoft.com/devops/deliver/iac-github-actions).