Merge pull request #4107 from alphagov/renovate/tj-actions-changed-fi… #13235
| name: Terraform validation and linting | |
| on: | |
| push: | |
| paths: ['**/*.tf', '**/*.hcl', '.github/workflows/ci-terraform.yml'] | |
| env: | |
| TF_IN_AUTOMATION: true | |
| TF_PLUGIN_CACHE_DIR: ${{ github.workspace }}/.terraform.d/plugin-cache | |
| permissions: | |
| contents: read | |
| jobs: | |
| tflint: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| show-progress: false | |
| - name: Get changed TF deployments | |
| id: changed-deployments | |
| uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6 | |
| with: | |
| path: terraform/deployments | |
| dir_names: true | |
| dir_names_max_depth: 1 | |
| safe_output: false | |
| - name: Determine Terraform version to use | |
| uses: dflook/terraform-version@8ee89d962417ed259f9d75e7529e262637c7e5a8 | |
| id: terraform-version | |
| with: | |
| path: terraform | |
| - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0 | |
| with: | |
| terraform_version: ${{ steps.terraform-version.outputs.terraform }} | |
| terraform_wrapper: false | |
| - name: Create Terraform plugin cache dir | |
| run: mkdir -p "$TF_PLUGIN_CACHE_DIR" | |
| - name: Cache Terraform plugins | |
| uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 | |
| with: | |
| path: ${{ env.TF_PLUGIN_CACHE_DIR }} | |
| key: | |
| terraform-plugins-${{ runner.os }}-${{ hashFiles('**/.terraform.lock.hcl') }} | |
| - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 | |
| name: Cache TFLint plugins | |
| if: steps.changed-deployments.outputs.any_changed == 'true' | |
| with: | |
| path: ~/.tflint.d/plugins | |
| key: tflint-${{ runner.os }}-${{ hashFiles('**/tflint.hcl') }} | |
| - uses: terraform-linters/setup-tflint@b480b8fcdaa6f2c577f8e4fa799e89e756bb7c93 # v6.2.2 | |
| name: Set up TFLint | |
| if: steps.changed-deployments.outputs.any_changed == 'true' | |
| with: | |
| tflint_version: v0.55.0 | |
| - name: terraform fmt roots | |
| working-directory: terraform/deployments | |
| env: | |
| DEPLOYMENTS: ${{ steps.changed-deployments.outputs.all_changed_files }} | |
| if: steps.changed-deployments.outputs.any_changed == 'true' | |
| run: | | |
| for d in ${DEPLOYMENTS}; do | |
| cd "$d" | |
| if ! terraform fmt -check -diff -list=true .; then | |
| >&2 echo "Some terraform files in '$d' weren't formatted correctly. Run 'terraform fmt' to fix them." | |
| exit 1 | |
| fi | |
| echo "Deployment '$d' ok" | |
| cd "$OLDPWD" | |
| done | |
| - name: terraform fmt variables | |
| working-directory: terraform/variables | |
| run: | | |
| if ! terraform fmt -recursive -check -diff -list=true .; then | |
| >&2 echo "Some tfvars files weren't formatted correctly. Run 'terraform fmt' to fix them." | |
| exit 1 | |
| fi | |
| echo "Variables ok" | |
| - name: terraform init | |
| working-directory: terraform/deployments | |
| env: | |
| DEPLOYMENTS: ${{ steps.changed-deployments.outputs.all_changed_files }} | |
| TF_TOKEN_app_terraform_io: ${{ secrets.TFC_CI_READ_ONLY_TOKEN }} | |
| if: steps.changed-deployments.outputs.any_changed == 'true' | |
| run: | | |
| STEP_EXIT_STATUS=0 | |
| for d in ${DEPLOYMENTS}; do | |
| echo "$d" | |
| cd "$d" | |
| if ! terraform init -backend=false; then STEP_EXIT_STATUS=1; fi | |
| echo -e '\n-------------------------\n' | |
| cd "$OLDPWD" | |
| done | |
| exit $STEP_EXIT_STATUS | |
| - name: terraform validate | |
| working-directory: terraform/deployments | |
| env: | |
| DEPLOYMENTS: ${{ steps.changed-deployments.outputs.all_changed_files }} | |
| if: steps.changed-deployments.outputs.any_changed == 'true' | |
| run: | | |
| STEP_EXIT_STATUS=0 | |
| for d in ${DEPLOYMENTS}; do | |
| echo "$d" | |
| cd "$d" | |
| if ! terraform validate; then STEP_EXIT_STATUS=1; fi | |
| echo -e '\n-------------------------\n' | |
| cd "$OLDPWD" | |
| done | |
| exit $STEP_EXIT_STATUS | |
| - name: tflint | |
| working-directory: terraform/deployments | |
| env: | |
| DEPLOYMENTS: ${{ steps.changed-deployments.outputs.all_changed_files }} | |
| if: steps.changed-deployments.outputs.any_changed == 'true' | |
| run: | | |
| tflint --version | |
| for d in ${DEPLOYMENTS}; do | |
| echo "$d" | |
| cd "$d" | |
| tflint --init -c ${{ github.workspace }}/.tflint.hcl | |
| tflint --format compact --call-module-type=all --force \ | |
| -c ${{ github.workspace }}/.tflint.hcl \ | |
| --enable-rule=terraform_comment_syntax \ | |
| --enable-rule=terraform_deprecated_index \ | |
| --enable-rule=terraform_required_providers \ | |
| --enable-rule=terraform_standard_module_structure \ | |
| --enable-rule=terraform_typed_variables \ | |
| --enable-rule=terraform_unused_declarations \ | |
| --enable-rule=terraform_unused_required_providers \ | |
| --disable-rule=aws_eks_node_group_invalid_ami_type | |
| cd "$OLDPWD" | |
| done | |
| - name: Ensure variables-common.tf is a symlink | |
| working-directory: terraform/deployments | |
| env: | |
| DEPLOYMENTS: ${{ steps.changed-deployments.outputs.all_changed_files }} | |
| if: steps.changed-deployments.outputs.any_changed == 'true' | |
| run: | | |
| STEP_EXIT_STATUS=0 | |
| for d in ${DEPLOYMENTS}; do | |
| echo "$d" | |
| cd "$d" | |
| if { [ -f "variables-common.tf" ] && [ ! -h "variables-common.tf" ]; } || { [ -h "variables-common.tf" ] && [ "$(readlink variables-common.tf)" != "../../variables/variables-common.tf" ]; }; then | |
| >&2 echo "variables-common.tf in '$d' should be a symlink to ../../variables/variables-common.tf" | |
| STEP_EXIT_STATUS=1 | |
| fi | |
| echo -e '\n-------------------------\n' | |
| cd "$OLDPWD" | |
| done | |
| exit $STEP_EXIT_STATUS |