feat: Add platform-cx-s3-to-sqs module #124

Workflow file for this run

.github/workflows/terraform.yml at 1ccbc40

	name: "Terraform Module Validation"

	on:
	push:
	branches: ["main"]
	pull_request:
	branches: ["main"]

	permissions:
	contents: write
	pull-requests: write
	security-events: write
	id-token: write

	concurrency:
	group: ${{ github.workflow }}-${{ github.ref }}
	cancel-in-progress: true

	jobs:
	discover:
	name: "Discover Modules and Examples"
	runs-on: ubuntu-latest
	outputs:
	modules: ${{ steps.set-modules.outputs.modules }}
	examples: ${{ steps.set-examples.outputs.examples }}
	steps:
	- uses: actions/checkout@v4

	- id: set-modules
	run: \|
	# Find all directories containing .tf files, excluding .terraform and examples directories
	MODULES=$(find . -type f -name ".tf" -not -path "/\." -not -path "/examples/*" -exec dirname {} \; \| sort -u \| sed 's/^\.\///' \| jq -R -s -c 'split("\n")[:-1]')
	echo "modules=$MODULES" >> $GITHUB_OUTPUT

	- id: set-examples
	run: \|
	# Find all directories containing examples/**/main.tf files
	EXAMPLES=$(find . -type f -name "main.tf" -path "/examples/" -exec dirname {} \; \| sort -u \| sed 's/^\.\///' \| jq -R -s -c 'split("\n")[:-1]')
	echo "examples=$EXAMPLES" >> $GITHUB_OUTPUT

	validate-modules:
	name: "Validate Modules"
	needs: discover
	runs-on: ubuntu-latest
	strategy:
	matrix:
	module: ${{ fromJson(needs.discover.outputs.modules) }}
	defaults:
	run:
	working-directory: ${{ matrix.module }}

	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	ref: ${{ github.event.pull_request.head.ref }}
	repository: ${{ github.event.pull_request.head.repo.full_name }}
	fetch-depth: 0
	token: ${{ secrets.GH_CQ_BOT }}

	- name: Configure Git for Pull Request
	if: github.event_name == 'pull_request'
	run: \|
	git config --global user.name "github-actions[bot]"
	git config --global user.email "github-actions[bot]@users.noreply.github.com"

	- name: Setup Terraform
	uses: hashicorp/setup-terraform@v3

	- name: Terraform Format
	id: fmt
	run: terraform fmt -check -recursive

	- uses: terraform-linters/setup-tflint@v4
	name: Setup TFLint
	with:
	tflint_version: v0.52.0

	- name: Show version
	run: tflint --version

	- name: Init TFLint
	run: tflint --init
	env:
	# https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
	GITHUB_TOKEN: ${{ github.GH_CQ_BOT }}

	- name: Run TFLint
	run: tflint -f compact

	- name: Validate Module Structure
	id: validate
	run: \|
	# Check for required files in module root
	for file in README.md variables.tf outputs.tf versions.tf; do
	if [ ! -f "$file" ]; then
	echo "::error::Missing required file: $file"
	exit 1
	fi
	done

	# Validate all .tf files syntax, excluding examples directory
	for file in $(find . -name ".tf" -not -path "./examples/"); do
	if ! terraform fmt -check "$file"; then
	echo "::error::Invalid HCL syntax in $file"
	exit 1
	fi
	done

	# Check for template files if config directory exists
	if [ -d "config" ]; then
	for tpl in config//*.tpl; do
	if [ ! -f "$tpl" ]; then
	echo "::error::Missing template file: $tpl"
	exit 1
	fi
	done
	fi

	- name: Generate Terraform Docs
	uses: terraform-docs/terraform-docs-action@v1
	with:
	working-dir: ${{ matrix.module }}
	output-file: README.md
	output-method: inject
	git-push: true
	git-commit-message: "docs: update terraform docs"

	- name: Run tfsec
	uses: aquasecurity/[email protected]
	with:
	working_directory: ${{ matrix.module }}
	soft_fail: true

	- name: Create KICS results directory
	run: \|
	# Create results directory based on module name without leading ./
	results_dir="${GITHUB_WORKSPACE}/kics-results-${{ matrix.module }}"
	mkdir -p "$results_dir"
	echo "KICS_RESULTS_DIR=$results_dir" >> $GITHUB_ENV

	- name: Run KICS scan
	uses: checkmarx/[email protected]
	with:
	path: ${{ matrix.module }}
	config_path: .kics.config
	platform_type: terraform
	output_path: ${{ env.KICS_RESULTS_DIR }}
	output_formats: "json,sarif"
	fail_on: high
	enable_comments: true

	- name: Upload KICS results
	if: github.event_name == 'push' && github.ref == 'refs/heads/main'
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: ${{ env.KICS_RESULTS_DIR }}/results.sarif
	category: ${{ matrix.module }}

	- name: Comment on PR
	uses: actions/github-script@v6
	if: github.event_name == 'pull_request' && (steps.fmt.outcome == 'failure' \|\| steps.validate.outcome == 'failure')
	with:
	github-token: ${{ secrets.GITHUB_TOKEN }}
	script: \|
	const output = `### Module: \`${{ matrix.module }}\`
	### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
	### Module Structure Validation 🤖\`${{ steps.validate.outcome }}\`

	Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\``;

	github.rest.issues.createComment({
	issue_number: context.issue.number,
	owner: context.repo.owner,
	repo: context.repo.repo,
	body: output
	})
	validate-examples:
	name: "Validate Examples"
	needs: discover
	runs-on: ubuntu-latest
	strategy:
	matrix:
	example: ${{ fromJson(needs.discover.outputs.examples) }}
	defaults:
	run:
	working-directory: ${{ matrix.example }}

	steps:
	- name: Configure AWS credentials
	uses: aws-actions/configure-aws-credentials@v4
	with:
	role-to-assume: "arn:aws:iam::615713231484:role/cq-playground-aws-github-action"
	aws-region: us-east-1

	- name: Checkout
	uses: actions/checkout@v4

	- name: Setup Terraform
	uses: hashicorp/setup-terraform@v3

	- name: Terraform Format
	run: terraform fmt -check -recursive

	- name: Terraform Init
	run: terraform init

	- name: Terraform Validate
	run: terraform validate

	- name: Terraform Plan
	run: terraform plan

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: Add platform-cx-s3-to-sqs module #124

Workflow file

feat: Add platform-cx-s3-to-sqs module #124

Jobs

Run details

Workflow file for this run