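---
# CI: fmt / init / validate / tflint for the Terraform deployments touched by a push.
#
# Security posture worth preserving when editing this file:
#   * Trigger is `push` only (no `pull_request_target`), so code from forks never
#     runs with this repository's secrets.
#   * GITHUB_TOKEN is read-only at the top level (`permissions: contents: read`).
#   * Every third-party action is pinned to a full commit SHA. Bump the SHA and the
#     trailing `# vX.Y.Z` comment together so the pin stays auditable.
#   * The only secret is a read-only Terraform Cloud token, scoped to the single
#     step that needs it rather than to the whole job.
#   * Step outputs (changed directory names) reach shell only through `env:`
#     variables, never through `${{ }}` interpolation inside a `run:` script.
name: Terraform validation and linting

on:
  push:
    paths: ['**/*.tf', '**/*.hcl', '.github/workflows/ci-terraform.yml']

env:
  TF_IN_AUTOMATION: true
  # Shared provider binary cache, persisted by actions/cache below. Providers
  # are still checked against .terraform.lock.hcl on `init`, so a cache hit does
  # not bypass the lock-file integrity check.
  TF_PLUGIN_CACHE_DIR: ${{ github.workspace }}/.terraform.d/plugin-cache

permissions:
  contents: read

jobs:
  tflint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          show-progress: false

      # Emits the top-level deployment directories (relative to `path`) that
      # contain changed files, space-separated. `safe_output: false` means the
      # names are NOT shell-escaped; that is only acceptable because every
      # consumer below reads them via `env:` and the directory names are
      # repository-controlled. Do not interpolate this output with `${{ }}`
      # inside a `run:` script.
      - name: Get changed TF deployments
        id: changed-deployments
        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          path: terraform/deployments
          dir_names: true
          dir_names_max_depth: 1
          safe_output: false

      # Resolves which Terraform CLI version to install from the constraints
      # under `path`. Pinned to a SHA but, unlike the other actions here, no
      # upstream tag is recorded — TODO(review): add the matching `# vX.Y.Z`
      # comment so the pin can be audited and bumped like the others.
      - name: Determine Terraform version to use
        uses: dflook/terraform-version@8ee89d962417ed259f9d75e7529e262637c7e5a8
        id: terraform-version
        with:
          path: terraform

      - uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e # v4.0.1
        with:
          terraform_version: ${{ steps.terraform-version.outputs.terraform }}
          # Use the plain binary in `run:` steps, not the output-capturing wrapper.
          terraform_wrapper: false

      - name: Create Terraform plugin cache dir
        run: mkdir -p "$TF_PLUGIN_CACHE_DIR"

      # Key derived from every provider lock file: a provider bump changes the
      # key, so stale provider binaries are never restored.
      - name: Cache Terraform plugins
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: ${{ env.TF_PLUGIN_CACHE_DIR }}
          key: terraform-plugins-${{ runner.os }}-${{ hashFiles('**/.terraform.lock.hcl') }}

      # FIX: the key used to hash '**/tflint.hcl', which does not match the
      # dot-prefixed '.tflint.hcl' that the tflint step actually passes with
      # `-c`. Unless an un-dotted tflint.hcl exists elsewhere in the repo, that
      # hash was empty, the key was constant, and plugin-version changes in
      # .tflint.hcl never invalidated the cached plugin binaries.
      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        name: Cache TFLint plugins
        if: steps.changed-deployments.outputs.any_changed == 'true'
        with:
          path: ~/.tflint.d/plugins
          key: tflint-${{ runner.os }}-${{ hashFiles('**/.tflint.hcl') }}

      - uses: terraform-linters/setup-tflint@b480b8fcdaa6f2c577f8e4fa799e89e756bb7c93 # v6.2.2
        name: Set up TFLint
        if: steps.changed-deployments.outputs.any_changed == 'true'
        with:
          tflint_version: v0.55.0

      # Fails fast on the first deployment whose .tf files are not canonically
      # formatted.
      - name: terraform fmt roots
        working-directory: terraform/deployments
        env:
          DEPLOYMENTS: ${{ steps.changed-deployments.outputs.all_changed_files }}
        if: steps.changed-deployments.outputs.any_changed == 'true'
        run: |
          # DEPLOYMENTS is a space-separated list; unquoted expansion (word
          # splitting) is intentional.
          for d in ${DEPLOYMENTS}; do
            cd "$d"
            if ! terraform fmt -check -diff -list=true .; then
              >&2 echo "Some terraform files in '$d' weren't formatted correctly. Run 'terraform fmt' to fix them."
              exit 1
            fi
            echo "Deployment '$d' ok"
            cd "$OLDPWD"
          done

      - name: terraform fmt variables
        working-directory: terraform/variables
        run: |
          if ! terraform fmt -recursive -check -diff -list=true .; then
            >&2 echo "Some tfvars files weren't formatted correctly. Run 'terraform fmt' to fix them."
            exit 1
          fi
          echo "Variables ok"

      # Initialises every changed deployment without touching state
      # (-backend=false) so providers and modules are resolved for `validate`
      # and `tflint --call-module-type=all`. Keeps going after a failure so all
      # broken deployments are reported in one run.
      - name: terraform init
        working-directory: terraform/deployments
        env:
          DEPLOYMENTS: ${{ steps.changed-deployments.outputs.all_changed_files }}
          # Read-only Terraform Cloud token (TF_TOKEN_<hostname> convention),
          # presumably needed to fetch private-registry modules/providers. It is
          # scoped to this step only: later steps — including the third-party
          # tflint rulesets downloaded at run time — cannot read it.
          TF_TOKEN_app_terraform_io: ${{ secrets.TFC_CI_READ_ONLY_TOKEN }}
        if: steps.changed-deployments.outputs.any_changed == 'true'
        run: |
          STEP_EXIT_STATUS=0
          for d in ${DEPLOYMENTS}; do
            echo "$d"
            cd "$d"
            # Provider downloads are verified against .terraform.lock.hcl.
            if ! terraform init -backend=false; then STEP_EXIT_STATUS=1; fi
            echo -e '\n-------------------------\n'
            cd "$OLDPWD"
          done
          exit "$STEP_EXIT_STATUS"

      - name: terraform validate
        working-directory: terraform/deployments
        env:
          DEPLOYMENTS: ${{ steps.changed-deployments.outputs.all_changed_files }}
        if: steps.changed-deployments.outputs.any_changed == 'true'
        run: |
          STEP_EXIT_STATUS=0
          for d in ${DEPLOYMENTS}; do
            echo "$d"
            cd "$d"
            if ! terraform validate; then STEP_EXIT_STATUS=1; fi
            echo -e '\n-------------------------\n'
            cd "$OLDPWD"
          done
          exit "$STEP_EXIT_STATUS"

      # The workspace path is read from $GITHUB_WORKSPACE rather than
      # interpolated with `${{ github.workspace }}`: same value, but it keeps the
      # "no expression interpolation inside run: scripts" rule uniform so a
      # future edit cannot slip an attacker-influenced context in the same way.
      - name: tflint
        working-directory: terraform/deployments
        env:
          DEPLOYMENTS: ${{ steps.changed-deployments.outputs.all_changed_files }}
        if: steps.changed-deployments.outputs.any_changed == 'true'
        run: |
          tflint --version
          for d in ${DEPLOYMENTS}; do
            echo "$d"
            cd "$d"
            # `--init` downloads the rulesets declared in .tflint.hcl from
            # GitHub at run time (supply-chain input): keep plugin versions
            # pinned in that config so the download is reproducible.
            tflint --init -c "$GITHUB_WORKSPACE/.tflint.hcl"
            # NOTE(review): `--force` makes tflint exit 0 even when it reports
            # issues, so findings from this step are informational and never
            # fail the job. Drop `--force` (or gate with
            # `--minimum-failure-severity`) once the existing findings are clean
            # if this is meant to be an enforcing gate.
            tflint --format compact --call-module-type=all --force \
              -c "$GITHUB_WORKSPACE/.tflint.hcl" \
              --enable-rule=terraform_comment_syntax \
              --enable-rule=terraform_deprecated_index \
              --enable-rule=terraform_required_providers \
              --enable-rule=terraform_standard_module_structure \
              --enable-rule=terraform_typed_variables \
              --enable-rule=terraform_unused_declarations \
              --enable-rule=terraform_unused_required_providers \
              --disable-rule=aws_eks_node_group_invalid_ami_type
            cd "$OLDPWD"
          done

      # Guards against a deployment silently diverging from the shared variable
      # definitions: variables-common.tf must either be absent or be a symlink
      # to the canonical file (a regular file or a symlink elsewhere is rejected).
      - name: Ensure variables-common.tf is a symlink
        working-directory: terraform/deployments
        env:
          DEPLOYMENTS: ${{ steps.changed-deployments.outputs.all_changed_files }}
        if: steps.changed-deployments.outputs.any_changed == 'true'
        run: |
          STEP_EXIT_STATUS=0
          for d in ${DEPLOYMENTS}; do
            echo "$d"
            cd "$d"
            if { [ -f "variables-common.tf" ] && [ ! -h "variables-common.tf" ]; } || { [ -h "variables-common.tf" ] && [ "$(readlink variables-common.tf)" != "../../variables/variables-common.tf" ]; }; then
              >&2 echo "variables-common.tf in '$d' should be a symlink to ../../variables/variables-common.tf"
              STEP_EXIT_STATUS=1
            fi
            echo -e '\n-------------------------\n'
            cd "$OLDPWD"
          done
          exit "$STEP_EXIT_STATUS"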