# CI for this Terraform repository: root validate/lint/test, per-module tests,
# docs and schema drift checks, the local ./validate action, and an MkDocs build.
name: CI
on:  # yamllint disable-line rule:truthy -- GitHub's loader reads "on" as a key
  pull_request:
    # Only run when inputs of the jobs below change. The pull_request and push
    # filters are kept identical by hand (GitHub Actions does not expand YAML anchors).
    paths:
      - "**.tf"
      - "modules/**"
      - "tests/**"
      - "schemas/**"
      - "scripts/**"
      - "validate/**"
      - "docs/**"
      - "mkdocs.yml"
      - ".terraform-docs.yml"
      - ".terraform.lock.hcl"
      - ".github/workflows/ci.yml"
      # A leading "!" excludes the tree even where an earlier glob matched it.
      - "!topologies/**"
  push:
    branches: [main]
    paths:
      - "**.tf"
      - "modules/**"
      - "tests/**"
      - "schemas/**"
      - "scripts/**"
      - "validate/**"
      - "docs/**"
      - "mkdocs.yml"
      - ".terraform-docs.yml"
      - ".terraform.lock.hcl"
      - ".github/workflows/ci.yml"
      - "!topologies/**"
  schedule:
    # Weekly (Mondays 08:00 UTC), unaffected by the path filters above, so
    # breakage caused by unpinned tools surfaces even without new commits.
    - cron: "0 8 * * 1"
# Workflow-wide GITHUB_TOKEN scope: read-only. No job in this file overrides it.
permissions:
  contents: read
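jobs:
  # Root-level Terraform checks: fmt, init without a backend, tflint, terraform test.
  validate:
    name: Validate
    runs-on: ubuntu-latest
    steps:
      # Actions are pinned to full commit SHAs; the trailing "# vN" is a label
      # only -- keep it in sync with a pin-checking tool, it is not enforced.
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3
        with:
          terraform_version_file: .terraform-version
      - name: Cache Terraform providers
        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
        with:
          path: .terraform
          # Keyed on the lock file so a provider bump invalidates the cache; the
          # prefix restore-key lets an older entry seed a fresh init.
          key: terraform-${{ hashFiles('.terraform.lock.hcl') }}
          restore-keys: terraform-
      - name: Format check
        run: terraform fmt -check -recursive
      - name: Init
        # -backend=false skips backend configuration: no remote state or
        # backend credentials are touched in CI.
        run: terraform init -backend=false
      - name: Set up tflint
        uses: terraform-linters/setup-tflint@90f302c255ef959cbfb4bd10581afecdb7ece3e6 # v4
        with:
          # NOTE(review): "latest" is a moving target (unreproducible runs, no
          # review of what gets executed); pin an explicit tflint release to
          # match the SHA-pinned actions.
          tflint_version: latest
      - name: Lint
        run: |
          tflint --init
          tflint --recursive
      - name: Test (mock providers)
        run: terraform test

  # Runs each module's own `terraform test` suite from inside its directory.
  module-tests:
    name: Module Tests (${{ matrix.module }})
    runs-on: ubuntu-latest
    strategy:
      matrix:
        module:
          - project
          - environments
          - jobs
          - credentials
          - repository
    steps:
      - name: Checkout
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3
        with:
          terraform_version_file: .terraform-version
      - name: Cache Terraform providers
        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
        with:
          # NOTE(review): this caches the repository-root .terraform, but both
          # terraform commands below run in modules/${{ matrix.module }}, which
          # writes its own .terraform there -- the cache likely never covers the
          # providers this job actually downloads. Confirm before relying on it.
          path: .terraform
          key: terraform-${{ hashFiles('.terraform.lock.hcl') }}
          restore-keys: terraform-
      - name: Terraform Init
        working-directory: modules/${{ matrix.module }}
        run: terraform init -backend=false
      - name: Terraform Test
        working-directory: modules/${{ matrix.module }}
        run: terraform test -verbose

  # Regenerates docs/reference/ with terraform-docs and fails on any difference
  # from what is committed.
  docs:
    name: Docs up to date
    runs-on: ubuntu-latest
    env:
      # Duplicated in mkdocs-build; a workflow-level env would keep the two in step.
      TERRAFORM_DOCS_VERSION: v0.20.0
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - name: Install terraform-docs
        # NOTE(review): the release tarball is fetched over HTTPS but never
        # compared against the checksum published with the release; verifying a
        # pinned sha256 before installing would make this reproducible and
        # detect a swapped asset. Same applies to the copy in mkdocs-build.
        run: |
          wget -q -O /tmp/terraform-docs.tar.gz \
            https://github.com/terraform-docs/terraform-docs/releases/download/${TERRAFORM_DOCS_VERSION}/terraform-docs-${TERRAFORM_DOCS_VERSION}-linux-amd64.tar.gz
          tar -xzf /tmp/terraform-docs.tar.gz -C /tmp
          sudo mv /tmp/terraform-docs /usr/local/bin/
          chmod +x /usr/local/bin/terraform-docs
      - name: Regenerate docs
        run: bash scripts/gen-docs.sh
      - name: Check for drift
        # `git diff` reports only tracked files; a file the generator creates
        # new (untracked) would pass this check -- presumably acceptable if
        # docs/reference/ is always fully committed, verify against gen-docs.sh.
        run: |
          if ! git diff --exit-code docs/reference/; then
            echo ""
            echo "Docs are out of date. Run 'bash scripts/gen-docs.sh' locally and commit the result."
            exit 1
          fi

  # Cross-checks the Terraform resources against schemas/v1.json via the
  # resource mapping in scripts/.
  schema-drift:
    name: Schema Drift Check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3
        with:
          terraform_version_file: .terraform-version
      - name: Cache Terraform providers
        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
        with:
          path: .terraform
          key: terraform-${{ hashFiles('.terraform.lock.hcl') }}
          restore-keys: terraform-
      - name: Init
        run: terraform init -backend=false
      - name: Install uv
        # NOTE(review): setup-uv is the only action referenced by a mutable
        # tag (here and in mkdocs-build); a moved tag changes what runs with the
        # job's token. Pin it to a full commit SHA like the others.
        uses: astral-sh/setup-uv@v5
      - name: Check schema drift
        # NOTE(review): PyYAML is resolved to whatever is current at run time;
        # pinning a version keeps the check reproducible.
        run: |
          uv run --with PyYAML scripts/check_schema_drift.py \
            --mapping scripts/resource_mapping.yml \
            --schema schemas/v1.json \
            --terraform-dir .
      - name: Annotate PR on failure
        if: failure() && github.event_name == 'pull_request'
        # Static message only -- no untrusted text reaches the workflow command.
        run: |
          echo "::error::Schema drift detected. Run 'uv run --with PyYAML scripts/check_schema_drift.py --mapping scripts/resource_mapping.yml --schema schemas/v1.json --terraform-dir .' locally and classify any UNMAPPED fields in scripts/resource_mapping.yml. Add MISSING_FROM_SCHEMA fields to schemas/v1.json."

  # Exercises the repository's own ./validate action with a known-good and a
  # known-bad input.
  yaml-validate:
    name: YAML Validate Action
    runs-on: ubuntu-latest
    steps:
      # Same checkout pin as every other job (this job previously carried a
      # second, different v4 SHA).
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - name: Valid YAML passes
        uses: ./validate
        with:
          file: validate/tests/valid.yml
      - name: Invalid YAML is rejected
        id: validate-invalid
        uses: ./validate
        with:
          file: validate/tests/invalid.yml
        # Keep the job alive so the next step can assert the negative case.
        continue-on-error: true
      - name: Assert validation failed
        # steps.<id>.outcome is the result before continue-on-error is applied,
        # so "failure" here means the action rejected the file as intended.
        run: |
          if [ "${{ steps.validate-invalid.outcome }}" != "failure" ]; then
            echo "Expected validation to fail for invalid.yml, but it did not."
            exit 1
          fi
          echo "Validation correctly rejected invalid.yml."

  # Regenerates the Terraform docs, then builds the MkDocs site in strict mode.
  mkdocs-build:
    name: MkDocs Build
    runs-on: ubuntu-latest
    env:
      TERRAFORM_DOCS_VERSION: v0.20.0
    steps:
      - name: Checkout
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          # Full history -- presumably for a git-date/revision plugin in
          # mkdocs.yml; confirm, and drop if nothing needs it.
          fetch-depth: 0
      - name: Install uv
        # NOTE(review): mutable tag, see the note in schema-drift.
        uses: astral-sh/setup-uv@v5
        with:
          python-version: "3.12"
      - name: Install MkDocs and dependencies
        run: uv pip install --system -r docs/requirements.txt
      - name: Install terraform-docs
        # Same install as the docs job (now also quiet); see the checksum note there.
        run: |
          wget -q -O /tmp/terraform-docs.tar.gz \
            https://github.com/terraform-docs/terraform-docs/releases/download/${TERRAFORM_DOCS_VERSION}/terraform-docs-${TERRAFORM_DOCS_VERSION}-linux-amd64.tar.gz
          tar -xzf /tmp/terraform-docs.tar.gz -C /tmp
          sudo mv /tmp/terraform-docs /usr/local/bin/
          chmod +x /usr/local/bin/terraform-docs
      - name: Generate Terraform documentation
        run: bash scripts/gen-docs.sh
      - name: Setup Pages
        id: pages
        # NOTE(review): no later step reads steps.pages.outputs.*; the site URL
        # is derived by hand below. Either consume the output or drop the step.
        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
      - name: Set MkDocs site_url for GitHub Pages
        # Context values are passed through env instead of being spliced into
        # the script text, so expression expansion never reaches the shell.
        env:
          REPO_OWNER: ${{ github.repository_owner }}
          REPO_NAME: ${{ github.event.repository.name }}
        run: |
          SITE_URL="https://${REPO_OWNER}.github.io/${REPO_NAME}/"
          python3 -c "
          import re, pathlib, sys
          site_url = sys.argv[1]
          path = pathlib.Path('mkdocs.yml')
          text = path.read_text()
          text, n = re.subn(r'(?m)^site_url:.*$', f'site_url: {site_url}', text, count=1)
          if n != 1:
              sys.exit('Expected exactly one site_url line in mkdocs.yml')
          path.write_text(text)
          print(f'site_url -> {site_url}')
          " "$SITE_URL"
      - name: Build with MkDocs
        run: mkdocs build --strict --site-dir ./site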