Pre-commit improvements #1007
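---
name: "Terraform CI"

on:
  pull_request:
    branches: [main]
  merge_group:
    types: [checks_requested]

# Least privilege for the default GITHUB_TOKEN: nothing in this job writes
# back to the repository, so a read-only token is sufficient.
permissions:
  contents: read

env:
  # Go is NOT used for development; it is purely needed to build
  # terraform-config-inspect in this pipeline.
  GO_VERSION: "1.21"

jobs:
  terraform-ci:
    runs-on: ubuntu-latest
    name: Run tests
    steps:
      - name: Checkout code
        uses: actions/checkout@v5
        with:
          # Grab the last 75 commits. Later on we need to do a git diff, and
          # it is very likely that the two commits involved will be inside the
          # last 75. If the merge base falls outside this window the validate
          # step now fails instead of silently skipping; raise the depth then.
          fetch-depth: 75

      # terraform-config-inspect is consumed by the "Validate Terraform syntax"
      # step below, so it must be restored or built before that step runs.
      - uses: actions/cache/restore@v4
        id: restore-terraform-config-inspect
        with:
          # The key is static, so the cached binary is only rebuilt when the
          # cache entry is evicted, even though `go install ...@latest` is used.
          key: terraform-config-inspect
          path: /usr/local/bin/terraform-config-inspect
      - name: "Install Go ${{env.GO_VERSION}}"
        if: steps.restore-terraform-config-inspect.outputs.cache-hit != 'true'
        uses: actions/setup-go@v6
        with:
          go-version: "${{env.GO_VERSION}}"
      - name: "Install terraform-config-inspect"
        if: steps.restore-terraform-config-inspect.outputs.cache-hit != 'true'
        run: |
          go install "github.com/hashicorp/terraform-config-inspect@latest"
          # Copy the binary to a known place in the path so that we have
          # a consistent path for it, for caching purposes
          cp "$(which terraform-config-inspect)" /usr/local/bin/terraform-config-inspect
      - uses: actions/cache/save@v4
        if: steps.restore-terraform-config-inspect.outputs.cache-hit != 'true'
        with:
          key: ${{ steps.restore-terraform-config-inspect.outputs.cache-primary-key }}
          path: /usr/local/bin/terraform-config-inspect

      - name: Determine Terraform version
        id: determine-terraform-version
        run: |
          echo "TERRAFORM_VERSION=$(cat .terraform-version)" >> "$GITHUB_OUTPUT"
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{steps.determine-terraform-version.outputs.TERRAFORM_VERSION}}
      - name: Check Terraform style
        id: tf_fmt
        run: |
          terraform fmt -write=false -diff=true -list=true -recursive -check
      - name: Validate Terraform syntax
        env:
          # On pull_request the PR base/head SHAs are set; on merge_group the
          # pull_request payload is absent, so fall back to the merge group's
          # own base/head. Without the fallback both values were empty, the
          # diff below found nothing and validation was silently skipped in
          # the merge queue.
          GIT_FROM: ${{ github.event.pull_request.base.sha || github.event.merge_group.base_sha }}
          GIT_TO: ${{ github.event.pull_request.head.sha || github.event.merge_group.head_sha }}
          TF_PLUGIN_CACHE_DIR: "${{ runner.temp }}/terraform_cache"
        run: |
          set -e -u -o pipefail
          mkdir -p "$TF_PLUGIN_CACHE_DIR"

          # Fail closed: a broken diff range (bad SHA, missing merge base)
          # aborts the step rather than being mistaken for "no changes".
          changed_tf_files="$(git diff "${GIT_FROM}...${GIT_TO}" --name-only -- "*.tf" "*.tf.json")"
          if [[ -z "${changed_tf_files}" ]]; then
            echo "No Terraform files have changed. Stopping"
            exit 0
          fi
          printf '%s\n' "${changed_tf_files}" | xargs -r dirname | sort -u > modified-tf-dirs.txt

          # Root modules are the first two directory levels under
          # infra/deployments, minus tfvars dirs and a few non-root directories.
          readarray -t all_roots < <(find infra/deployments -mindepth 1 -maxdepth 2 -type d \
            -not -path "*/tfvars" \
            -not -path "infra/deployments/forms" \
            -not -path "infra/deployments/deploy" \
            -not -path "infra/deployments/integration")

          for start in "${all_roots[@]}"; do
            echo "Inspecting ${start}"
            # Walk the local module-call graph starting at the root module.
            # `visited` is an associative array keyed by path so membership is
            # an exact match; the earlier substring test could mark e.g.
            # infra/modules/foo-bar as visited once infra/modules/foo was.
            unset visited
            declare -A visited
            stack=("${start}")
            while [[ "${#stack[@]}" -gt 0 ]]; do
              path="${stack[0]}"
              stack=("${stack[@]:1}")  # Shift the front element off
              if [[ -n "${visited[${path}]:-}" ]]; then
                continue
              fi
              visited["${path}"]=1
              # Only local sources (./ or ../) resolve to directories in this
              # repository; registry and git sources are skipped.
              new_paths=()
              readarray -t new_paths < <(terraform-config-inspect --json "${path}" \
                | jq -r '(.module_calls // {}) | to_entries | .[] | .value.source | select(startswith("./") or startswith("../"))' \
                | sort -u \
                | xargs -r -I{} readlink -f "${path}/{}" \
                | xargs -r -I{} realpath --relative-to "$(pwd)" "{}" \
                | sort)
              if [[ "${#new_paths[@]}" -gt 0 ]]; then
                # Append only the new paths; re-appending the whole stack
                # duplicated every pending entry on each iteration.
                stack+=("${new_paths[@]}")
              fi
            done
            printf '%s\n' "${!visited[@]}" | sort -u > "${start}/directories.txt"
            # comm needs both inputs sorted; both files are written via sort -u.
            matching_lines="$(comm -1 -2 modified-tf-dirs.txt "${start}/directories.txt")"
            if [[ -n "${matching_lines}" ]]; then
              echo "Requires validation"
              terraform -chdir="${start}" init -backend=false || exit
              terraform -chdir="${start}" validate
            else
              echo "Does not require validation"
            fi
          done

      - uses: actions/cache@v4
        name: Cache tflint plugin dir
        with:
          path: ~/.tflint.d/plugins
          key: tflint-${{ hashFiles('.tflint.hcl') }}
      - uses: terraform-linters/setup-tflint@v5
        with:
          tflint_version: v0.52.0
      - name: Init tflint
        run: tflint --init
        env:
          # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
          # Only read access is needed here, which the job-level permissions grant.
          GITHUB_TOKEN: ${{ github.token }}
      - name: Run tflint
        run: |
          make tflint
      - name: Run Checkov against Terraform
        # Pinned to a release tag; for a tamper-evident pin, prefer the image
        # digest form (ghcr.io/bridgecrewio/checkov@sha256:<digest-placeholder>).
        uses: "docker://ghcr.io/bridgecrewio/checkov:3.2.386"
        with:
          entrypoint: checkov
          args: "-d infra/ --external-checks-dir infra/checkov/ --framework terraform --quiet --skip-download"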