Compare commits
5 Commits
insecure-n
...
tjcorr-pat
| Author | SHA1 | Date | |
|---|---|---|---|
| df42af213f | |||
| 6b71adccee | |||
| f4eb48d54c | |||
| 2a0f34f27c | |||
| 56ba79ef8e |
10
.github/workflows/tf-drift.yml
vendored
10
.github/workflows/tf-drift.yml
vendored
@ -30,11 +30,11 @@ jobs:
|
||||
steps:
|
||||
# Checkout the repository to the GitHub Actions runner
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v3
|
||||
uses: actions/checkout@v4
|
||||
|
||||
# Install the latest version of the Terraform CLI
|
||||
- name: Setup Terraform
|
||||
uses: hashicorp/setup-terraform@v2
|
||||
uses: hashicorp/setup-terraform@v4
|
||||
with:
|
||||
terraform_wrapper: false
|
||||
|
||||
@ -61,7 +61,7 @@ jobs:
|
||||
|
||||
# Save plan to artifacts
|
||||
- name: Publish Terraform Plan
|
||||
uses: actions/upload-artifact@v3
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: tfplan
|
||||
path: tfplan
|
||||
@ -93,7 +93,7 @@ jobs:
|
||||
# If changes are detected, create a new issue
|
||||
- name: Publish Drift Report
|
||||
if: steps.tf-plan.outputs.exitcode == 2
|
||||
uses: actions/github-script@v6
|
||||
uses: actions/github-script@v7
|
||||
env:
|
||||
SUMMARY: "${{ steps.tf-plan-string.outputs.summary }}"
|
||||
with:
|
||||
@ -141,7 +141,7 @@ jobs:
|
||||
# If changes aren't detected, close any open drift issues
|
||||
- name: Publish Drift Report
|
||||
if: steps.tf-plan.outputs.exitcode == 0
|
||||
uses: actions/github-script@v6
|
||||
uses: actions/github-script@v7
|
||||
with:
|
||||
github-token: ${{ secrets.GITHUB_TOKEN }}
|
||||
script: |
|
||||
|
||||
14
.github/workflows/tf-plan-apply.yml
vendored
14
.github/workflows/tf-plan-apply.yml
vendored
@ -33,11 +33,11 @@ jobs:
|
||||
steps:
|
||||
# Checkout the repository to the GitHub Actions runner
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v3
|
||||
uses: actions/checkout@v4
|
||||
|
||||
# Install the latest version of the Terraform CLI
|
||||
- name: Setup Terraform
|
||||
uses: hashicorp/setup-terraform@v2
|
||||
uses: hashicorp/setup-terraform@v3
|
||||
with:
|
||||
terraform_wrapper: false
|
||||
|
||||
@ -69,7 +69,7 @@ jobs:
|
||||
|
||||
# Save plan to artifacts
|
||||
- name: Publish Terraform Plan
|
||||
uses: actions/upload-artifact@v3
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: tfplan
|
||||
path: tfplan
|
||||
@ -101,7 +101,7 @@ jobs:
|
||||
# If this is a PR post the changes
|
||||
- name: Push Terraform Output to PR
|
||||
if: github.ref != 'refs/heads/main'
|
||||
uses: actions/github-script@v6
|
||||
uses: actions/github-script@v7
|
||||
env:
|
||||
SUMMARY: "${{ steps.tf-plan-string.outputs.summary }}"
|
||||
with:
|
||||
@ -125,11 +125,11 @@ jobs:
|
||||
steps:
|
||||
# Checkout the repository to the GitHub Actions runner
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v3
|
||||
uses: actions/checkout@v4
|
||||
|
||||
# Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
|
||||
- name: Setup Terraform
|
||||
uses: hashicorp/setup-terraform@v2
|
||||
uses: hashicorp/setup-terraform@v3
|
||||
|
||||
# Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
|
||||
- name: Terraform Init
|
||||
@ -137,7 +137,7 @@ jobs:
|
||||
|
||||
# Download saved plan from artifacts
|
||||
- name: Download Terraform Plan
|
||||
uses: actions/download-artifact@v3
|
||||
uses: actions/download-artifact@v4
|
||||
with:
|
||||
name: tfplan
|
||||
|
||||
|
||||
11
.github/workflows/tf-unit-tests.yml
vendored
11
.github/workflows/tf-unit-tests.yml
vendored
@ -3,6 +3,11 @@ name: 'Terraform Unit Tests'
|
||||
on:
|
||||
push:
|
||||
|
||||
permissions:
|
||||
security-events: write # Needed to upload-sarif
|
||||
contents: read # Needed to clone repo
|
||||
actions: read # Potentially needed for private repositories (see https://github.com/github/codeql-action/issues/2117)
|
||||
|
||||
jobs:
|
||||
terraform-unit-tests:
|
||||
name: 'Terraform Unit Tests'
|
||||
@ -11,11 +16,11 @@ jobs:
|
||||
steps:
|
||||
# Checkout the repository to the GitHub Actions runner
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v3
|
||||
uses: actions/checkout@v4
|
||||
|
||||
# Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
|
||||
- name: Setup Terraform
|
||||
uses: hashicorp/setup-terraform@v2
|
||||
uses: hashicorp/setup-terraform@v3
|
||||
|
||||
# Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
|
||||
- name: Terraform Init
|
||||
@ -39,7 +44,7 @@ jobs:
|
||||
# Upload results to GitHub Advanced Security
|
||||
- name: Upload SARIF file
|
||||
if: success() || failure()
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
category: checkov
|
||||
|
||||
@ -19,7 +19,7 @@ This is a sample repository that shows how to use GitHub Actions workflows to ma
|
||||
|
||||
1. [**Terraform Unit Tests**](.github/workflows/tf-unit-tests.yml)
|
||||
|
||||
This workflow runs on every commit and is composed of a set of unit tests on the infrastructure code. It runs [terraform fmt]( https://www.terraform.io/cli/commands/fmt) to ensure the code is properly linted and follows terraform best practices. Next it performs [terraform validate](https://www.terraform.io/cli/commands/validate) to check that the code is syntactically correct and internally consistent. Lastly, [checkov](https://github.com/bridgecrewio/checkov), an open source static code analysis tool for IaC, will run to detect security and complaince issues. If the repository is utilizing GitHub Advanced Security (GHAS), the results will be uploaded to GitHub.
|
||||
This workflow runs on every commit and is composed of a set of unit tests on the infrastructure code. It runs [terraform fmt]( https://www.terraform.io/cli/commands/fmt) to ensure the code is properly linted and follows terraform best practices. Next it performs [terraform validate](https://www.terraform.io/cli/commands/validate) to check that the code is syntactically correct and internally consistent. Lastly, [checkov](https://github.com/bridgecrewio/checkov), an open source static code analysis tool for IaC, will run to detect security and compliance issues. If the repository is utilizing GitHub Advanced Security (GHAS), the results will be uploaded to GitHub.
|
||||
|
||||
2. [**Terraform Plan / Apply**](.github/workflows/tf-plan-apply.yml)
|
||||
|
||||
@ -39,7 +39,7 @@ To use these workflows in your environment several prerequisite steps are requir
|
||||
|
||||
2. **Create GitHub Environment**
|
||||
|
||||
The workflows utilizes GitHub Environments and Secrets to store the azure identity information and setup an approval process for deployments. Create an environment named `production` by following these [insturctions](https://docs.github.com/actions/deployment/targeting-different-environments/using-environments-for-deployment#creating-an-environment). On the `production` environment setup a protection rule and add any required approvers you want that need to sign off on production deployments. You can also limit the environment to your main branch. Detailed instructions can be found [here](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-protection-rules).
|
||||
The workflows utilizes GitHub Environments and Secrets to store the azure identity information and setup an approval process for deployments. Create an environment named `production` by following these [instructions](https://docs.github.com/actions/deployment/targeting-different-environments/using-environments-for-deployment#creating-an-environment). On the `production` environment setup a protection rule and add any required approvers you want that need to sign off on production deployments. You can also limit the environment to your main branch. Detailed instructions can be found [here](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-protection-rules).
|
||||
|
||||
3. **Setup Azure Identity**:
|
||||
|
||||
@ -72,4 +72,4 @@ To use these workflows in your environment several prerequisite steps are requir
|
||||
|
||||
## Additional Resources
|
||||
|
||||
A companion article detailing how to use GitHub Actions to deploy to Azure using IaC can be found at the [DevOps Resource Center](). `TODO: add link`
|
||||
A companion article detailing how to use GitHub Actions to deploy to Azure using IaC can be found at the [DevOps Resource Center](https://learn.microsoft.com/devops/deliver/iac-github-actions).
|
||||
Reference in New Issue
Block a user