cluster-state/.gitea/workflows/cicd.yaml
fix(cicd): replace tfsec with trivy
- tfsec is deprecated
2025-04-20 10:35:23 +00:00


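name: Terraform CI/CD

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

# Workflow-level env carries only non-secret settings. NOMAD_TOKEN and
# PG_CONN_STR are scoped to the plan/apply jobs below, so the PR-triggered
# format/validate/lint/scan job — which runs third-party actions, downloads
# TFLint plugins and Terraform providers — never has them in its environment.
env:
  NOMAD_ADDR: "${{ vars.NOMAD_ADDR }}"
  TF_CLI_ARGS: "-no-color"
  # Quoted so the value is unambiguously the string "true" (env values are
  # strings; an unquoted YAML boolean only happens to serialise the same way).
  TF_IN_AUTOMATION: "true"
  TF_PLUGIN_CACHE_DIR: ${{ gitea.workspace }}/.terraform.d/plugin-cache

jobs:
  # Static checks only: needs no state and no credentials.
  terraform-ci:
    name: Terraform Format, Validate, Lint, Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
      - name: Setup Nomad
        # TODO(security): @main is a mutable branch ref on a third-party
        # action; pin to a release tag or, better, a commit SHA.
        uses: hashicorp/setup-nomad@main
      - name: Create Terraform Plugin Cache Dir
        run: mkdir -v -p "$TF_PLUGIN_CACHE_DIR"
      - name: Terraform Format Check
        run: terraform fmt -check -recursive
      - name: Nomad fmt
        run: nomad fmt -recursive -check
      - name: Cache Terraform Plugin Dir
        uses: actions/cache@v4
        with:
          path: ${{ env.TF_PLUGIN_CACHE_DIR }}
          key: ${{ runner.os }}-terraform-plugins-${{ hashFiles('**/.terraform.lock.hcl') }}
          restore-keys: |
            ${{ runner.os }}-terraform-plugins-
      - name: Cache TFLint Dir
        uses: actions/cache@v4
        with:
          path: ~/.tflint.d/plugins
          key: ${{ runner.os }}-tflint-${{ hashFiles('.tflint.hcl') }}
          restore-keys: |
            ${{ runner.os }}-tflint-
      - name: Terraform Init (no backend)
        # -backend=false: fmt/validate/lint do not touch state, so this job
        # does not need the pg backend connection string. -input=false makes
        # any unexpected prompt fail fast instead of hanging the runner.
        run: terraform init -backend=false -input=false
      - name: Terraform Validate
        run: terraform validate
      - name: Setup TFLint
        uses: terraform-linters/setup-tflint@v4
      - name: Run TFLint
        # `tflint --init` downloads the plugins declared in .tflint.hcl.
        run: |
          tflint --init
          tflint
      - name: Run Trivy vulnerability scanner in IaC mode
        # Fails the job on any CRITICAL/HIGH misconfiguration finding.
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: 'config'
          hide-progress: true
          exit-code: '1'
          severity: 'CRITICAL,HIGH'

  # Plans against real state on pull requests, so it needs the backend and
  # Nomad credentials. Note that a PR can change the Terraform code and
  # provider set that run with these secrets; gate who can open PRs
  # accordingly.
  terraform-plan:
    name: Terraform Plan
    runs-on: ubuntu-latest
    needs: terraform-ci
    if: github.event_name == 'pull_request'
    env:
      NOMAD_TOKEN: "${{ secrets.NOMAD_TOKEN }}"
      PG_CONN_STR: "${{ secrets.PG_CONN_STR }}"
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      # TODO(security): pin to a release tag or commit SHA instead of @main.
      - uses: hashicorp/setup-nomad@main
      - name: Create Terraform Plugin Cache Dir
        run: mkdir -v -p "$TF_PLUGIN_CACHE_DIR"
      - name: Cache Terraform Plugin Dir
        uses: actions/cache@v4
        with:
          path: ${{ env.TF_PLUGIN_CACHE_DIR }}
          key: ${{ runner.os }}-terraform-plugins-${{ hashFiles('**/.terraform.lock.hcl') }}
          restore-keys: |
            ${{ runner.os }}-terraform-plugins-
      - name: Terraform Init
        run: terraform init -input=false
      - name: Terraform Plan
        run: terraform plan -input=false -out=tfplan
      - name: Upload Terraform Plan
        # NOTE(security): a binary plan file can contain sensitive resource
        # attributes in cleartext, readable by anyone who can download run
        # artifacts. Nothing in this workflow downloads it (the apply job runs
        # in a separate push-triggered run); consider dropping this step or
        # keeping retention short.
        uses: actions/upload-artifact@v4
        with:
          name: tfplan
          path: tfplan

  # Applies on pushes to main. Only this job and terraform-plan receive the
  # secrets.
  terraform-apply:
    name: Terraform Apply
    runs-on: ubuntu-latest
    needs: terraform-ci
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    env:
      NOMAD_TOKEN: "${{ secrets.NOMAD_TOKEN }}"
      PG_CONN_STR: "${{ secrets.PG_CONN_STR }}"
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      # TODO(security): pin to a release tag or commit SHA instead of @main.
      - uses: hashicorp/setup-nomad@main
      - name: Create Terraform Plugin Cache Dir
        run: mkdir -v -p "$TF_PLUGIN_CACHE_DIR"
      - name: Cache Terraform Plugin Dir
        uses: actions/cache@v4
        with:
          path: ${{ env.TF_PLUGIN_CACHE_DIR }}
          key: ${{ runner.os }}-terraform-plugins-${{ hashFiles('**/.terraform.lock.hcl') }}
          restore-keys: |
            ${{ runner.os }}-terraform-plugins-
      - name: Terraform Init
        run: terraform init -input=false
      - name: Terraform Apply
        # Plans and applies in one step; the PR's tfplan artifact is not
        # reused. Two overlapping pushes to main rely on the backend's state
        # lock to serialise applies — this workflow declares no concurrency
        # group.
        run: terraform apply -input=false -auto-approve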