From c9cbfc79792377aafdd154d18cea0aab94931264 Mon Sep 17 00:00:00 2001 From: Ben Martin Date: Sun, 20 Apr 2025 10:11:26 +0000 Subject: [PATCH] chore(cicd): complete refactor of CICD - add tfsec and tflint --- .gitea/workflows/cicd.yaml | 132 +++++++++++++++++++++++++++ .gitea/workflows/lint.yaml | 30 ------ .gitea/workflows/plan-and-apply.yaml | 51 ----------- 3 files changed, 132 insertions(+), 81 deletions(-) create mode 100644 .gitea/workflows/cicd.yaml delete mode 100644 .gitea/workflows/lint.yaml delete mode 100644 .gitea/workflows/plan-and-apply.yaml diff --git a/.gitea/workflows/cicd.yaml b/.gitea/workflows/cicd.yaml new file mode 100644 index 0000000..aaf8ad0 --- /dev/null +++ b/.gitea/workflows/cicd.yaml 
@@ -0,0 +1,132 @@ +name: Terraform CI/CD + +on: + push: + branches: + - main + pull_request: + branches: + - main + +env: + NOMAD_ADDR: "${{ vars.NOMAD_ADDR }}" + NOMAD_TOKEN: "${{ secrets.NOMAD_TOKEN }}" + PG_CONN_STR: "${{ secrets.PG_CONN_STR }}" + TF_CLI_ARGS: "-no-color" + TF_IN_AUTOMATION: true + TF_PLUGIN_CACHE_DIR: ${{ gitea.workspace }}/.terraform.d/plugin-cache + +jobs: + terraform-ci: + name: Terraform Format, Validate, Lint, Scan + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Setup Terraform + uses: hashicorp/setup-terraform@v3 + + - name: Setup Nomad + uses: hashicorp/setup-nomad@main + + - name: Terraform Format Check + run: terraform fmt -check -recursive + + - name: Nomad fmt + run: nomad fmt -recursive -check + + - name: Create Terraform Plugin Cache Dir + run: mkdir -v -p $TF_PLUGIN_CACHE_DIR + + - name: Cache Terraform Plugin Dir + uses: actions/cache@v4 + with: + path: ${{ env.TF_PLUGIN_CACHE_DIR }} + key: ${{ runner.os }}-terraform-plugins-${{ hashFiles('**/.terraform.lock.hcl') }} + restore-keys: | + ${{ runner.os }}-terraform-plugins- + + - name: Cache TFLint Dir + uses: actions/cache@v4 + with: + path: ~/.tflint.d/plugins + key: ${{ runner.os }}-tflint-${{ hashFiles('.tflint.hcl') }} + restore-keys: | + ${{ runner.os }}-tflint- + + - name: Terraform Init + run: terraform init + + - name: Terraform Validate + run: terraform validate + + - name: TFLint + uses: terraform-linters/setup-tflint@v4 + - run: | + tflint --init + tflint + + - name: tfsec + uses: aquasecurity/tfsec-action@v1.0.0 + with: + soft_fail: true + + terraform-plan: + name: Terraform Plan + runs-on: ubuntu-latest + needs: terraform-ci + if: github.event_name == 'pull_request' + steps: + - uses: actions/checkout@v4 + - uses: hashicorp/setup-terraform@v3 + - uses: hashicorp/setup-nomad@main + + - name: Create Terraform Plugin Cache Dir + run: mkdir -v -p $TF_PLUGIN_CACHE_DIR + + - name: Cache Terraform Plugin Dir + uses: actions/cache@v4 + with: + 
path: ${{ env.TF_PLUGIN_CACHE_DIR }} + key: ${{ runner.os }}-terraform-plugins-${{ hashFiles('**/.terraform.lock.hcl') }} + restore-keys: | + ${{ runner.os }}-terraform-plugins- + + - name: Terraform Init + run: terraform init + + - name: Terraform Plan + run: terraform plan -out=tfplan + + - name: Upload Terraform Plan + uses: actions/upload-artifact@v4 + with: + name: tfplan + path: tfplan + + terraform-apply: + name: Terraform Apply + runs-on: ubuntu-latest + needs: terraform-ci + if: github.ref == 'refs/heads/main' && github.event_name == 'push' + steps: + - uses: actions/checkout@v4 + - uses: hashicorp/setup-terraform@v3 + - uses: hashicorp/setup-nomad@main + + - name: Create Terraform Plugin Cache Dir + run: mkdir -v -p $TF_PLUGIN_CACHE_DIR + + - name: Cache Terraform Plugin Dir + uses: actions/cache@v4 + with: + path: ${{ env.TF_PLUGIN_CACHE_DIR }} + key: ${{ runner.os }}-terraform-plugins-${{ hashFiles('**/.terraform.lock.hcl') }} + restore-keys: | + ${{ runner.os }}-terraform-plugins- + + - name: Terraform Init + run: terraform init + + - name: Terraform Apply + run: terraform apply -auto-approve diff --git a/.gitea/workflows/lint.yaml b/.gitea/workflows/lint.yaml deleted file mode 100644 index 74eff73..0000000 --- a/.gitea/workflows/lint.yaml +++ /dev/null @@ -1,30 +0,0 @@ -name: Lint - -on: - pull_request: - branches: - - main - push: - branches: - - main - -env: - TF_IN_AUTOMATION: true - -jobs: - lint: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Setup Terraform - uses: hashicorp/setup-terraform@v3 - - - name: Setup Nomad - uses: hashicorp/setup-nomad@main - - - name: Terraform fmt - run: terraform fmt -recursive -check - - - name: Nomad fmt - run: nomad fmt -recursive -check diff --git a/.gitea/workflows/plan-and-apply.yaml b/.gitea/workflows/plan-and-apply.yaml deleted file mode 100644 index f9ee807..0000000 --- a/.gitea/workflows/plan-and-apply.yaml +++ /dev/null 
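Review bot: The terraform-apply job runs `terraform apply -auto-approve` on a fresh, unsaved plan, so the tfplan that terraform-plan produces and uploads is never the plan that gets applied, and any drift between PR time and merge time is applied without anyone seeing it; the removed plan-and-apply.yaml at least applied the saved `tfplan`. Because plan is gated on `pull_request` and apply on `push`, the two jobs never share a run, so either have the apply job save and then apply its own plan (`terraform plan -out=tfplan` followed by `terraform apply -auto-approve tfplan`) or put a manual approval in front of the apply step. Separately, the uploaded `tfplan` artifact may embed the prior state and resolved variable values, and with `PG_CONN_STR` and `NOMAD_TOKEN` in the environment it could be readable by anyone with access to the run, so treat that artifact as sensitive or drop the upload until a job actually consumes it. The workflow-level `env` also hands `NOMAD_TOKEN` and `PG_CONN_STR` to terraform-ci, which only formats, validates, lints and scans and needs neither; scoping those two to the plan/apply jobs limits their exposure to the third-party actions run there, which are additionally pinned to mutable refs (`hashicorp/setup-nomad@main`) rather than a commit SHA. Finally, `soft_fail: true` on the tfsec step means the scan never gates a merge, which deserves a comment such as `# tfsec findings are advisory only; flip soft_fail to false once the baseline is clean` if that is intentional.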
@@ -1,51 +0,0 @@ -name: Terraform Plan and Apply - -on: - pull_request: - branches: - - main - push: - branches: - - main - -env: - TF_PLUGIN_CACHE_DIR: ${{ gitea.workspace }}/.terraform.d/plugin-cache - TF_IN_AUTOMATION: true - TF_CLI_ARGS: "-no-color" - NOMAD_ADDR: "${{ vars.NOMAD_ADDR }}" - NOMAD_TOKEN: "${{ secrets.NOMAD_TOKEN }}" - PG_CONN_STR: "${{ secrets.PG_CONN_STR }}" - -jobs: - cicd: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Setup Terraform - uses: hashicorp/setup-terraform@v3 - - - name: Create Terraform Plugin Cache Dir - run: mkdir -v -p $TF_PLUGIN_CACHE_DIR - - - name: Cache Terraform Plugins - uses: actions/cache@v4 - with: - path: ${{ env.TF_PLUGIN_CACHE_DIR }} - key: ${{ runner.os }}-terraform-${{ hashFiles('**/.terraform.lock.hcl') }} - - - name: Terraform Init - id: init - run: terraform init -input=false - - - name: Terraform Validate - id: validate - run: terraform validate - - - name: Terraform Plan - id: plan - run: terraform plan -out=tfplan - - - name: Terraform Apply - if: github.ref == 'refs/heads/main' - run: terraform apply -auto-approve tfplan