name: 'Terraform Unit Tests'

on:
  push:

permissions:
  security-events: write # Needed to upload-sarif
  contents: read # Needed to clone repo
  actions: read # Potentially needed for private repositories (see https://github.com/github/codeql-action/issues/2117)

jobs:
  terraform-unit-tests:
    name: 'Terraform Unit Tests'
    runs-on: ubuntu-latest
    
    steps:
    # Checkout the repository to the GitHub Actions runner
    - name: Checkout
      uses: actions/checkout@v4

    # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
    - name: Setup Terraform
      uses: hashicorp/setup-terraform@v3

    # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
    - name: Terraform Init
      run: terraform init -backend=false

    # Validate terraform files
    - name: Terraform Validate
      run: terraform validate

    # Checks that all Terraform configuration files adhere to a canonical format
    - name: Terraform Format
      run: terraform fmt -check -recursive
    
    # Perform a security scan of the terraform code using checkov
    - name: Run Checkov action
      id: checkov
      uses: bridgecrewio/checkov-action@master
      with: 
        framework: terraform

    # Upload results to GitHub Advanced Security
    - name: Upload SARIF file
      if: success() || failure()
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: results.sarif
        category: checkov