code-quality/.github/workflows/terraform.yml at 35e0157cc22a79968f14cf98dd995d3380cede75 · riege/code-quality · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
name: Reusable Terraform workflow

on:
  workflow_call:
    inputs:
      skip_init:
        type: boolean
        description: "Set to 'true' if Terraform initialization shall be skipped. Might be necessary in some rare cases."
      skip_validate:
        type: boolean
        description: "Set to 'true' if Terraform validation shall be skipped. Might be necessary in some rare cases."
      terraform_directory:
        type: string
        description: "Path to the Terraform directory. Defaults to the root of the repository."
        default: "."

env:
  # OpsGenie Terraform provider needs this to be non-empty, even if we only validate the code.
  OPSGENIE_API_KEY: "123"

jobs:
  terraform:
    name: Check Terraform
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v6

      - name: Setup terraform
        uses: hashicorp/setup-terraform@v3

      - name: Change working directory
        run: cd ${{ inputs.terraform_directory }}
        if: ${{ inputs.terraform_directory != '.' }}

      - name: Terraform fmt
        id: fmt
        run: terraform fmt -check -recursive -diff

      - name: Terraform init
        id: init
        if: ${{ !inputs.skip_init && (success() || failure()) }}
        env:
          TF_TOKEN_app_terraform_io: ${{ secrets.TERRAFORM_CLOUD_ACCESS_TOKEN }}
        run: terraform init -backend=false

      - name: Terraform validate
        id: validate
        if: ${{ !inputs.skip_validate && (success() || failure()) }}
        env:
          ARM_SUBSCRIPTION_ID: 0caa8408-f721-4bd2-8b21-e5cb6ac8891d # dummy subscription ID to silence missing argument error since azurerm v4
        run: terraform validate -no-color

      - name: Create job summary
        if: success() || failure()
        run: |
          # shellcheck disable=SC2016
          {
            echo '#### Terraform Format and Style 🖌 `${{ steps.fmt.outcome }}`'
            echo '#### Terraform Initialization ⚙️ `${{ steps.init.outcome }}`'
            echo '#### Terraform Validation 🤖 `${{ steps.validate.outcome }}`'
            echo '<details><summary>Format and Style Output</summary>'
            echo -e '\n```'
            echo '${{ steps.fmt.outputs.stdout }}'
            echo '```'
            echo -e '\n</details>'
            echo '<details><summary>Validation Output</summary>'
            echo -e '\n```'
            echo '${{ steps.validate.outputs.stdout }}'
            echo '```'
            echo -e '\n</details>'
          }  >> "$GITHUB_STEP_SUMMARY"

      - name: Load TFLint config
        uses: terraform-linters/tflint-load-config-action@v2
        if: success() || failure()
        with:
          source-repo: riege/code-quality
          source-path: terraform/.tflint.hcl
          destination-path: ${{ github.workspace }}/${{ inputs.terraform_directory }}/.tflint.hcl
          token: ${{ github.token }}

      - name: Determine TFLint config file location
        if: success() || failure()
        run: |
          echo "TFLINT_CONFIG_FILE_ABS=${{ github.workspace }}/${{ inputs.terraform_directory }}/.tflint.hcl" >> "$GITHUB_ENV"
          echo "TFLINT_CONFIG_FILE_REL=${{ inputs.terraform_directory }}/.tflint.hcl" >> "$GITHUB_ENV"

      - name: Cache plugin dir
        uses: actions/cache@v4
        if: success() || failure()
        with:
          path: ~/.tflint.d/plugins
          key: tflint-${{ hashFiles(env.TFLINT_CONFIG_FILE_REL) }}

      - name: Setup TFLint
        uses: terraform-linters/setup-tflint@v6
        if: success() || failure()

      - name: Init TFLint
        run: tflint --init --config="$TFLINT_CONFIG_FILE_ABS"
        if: success() || failure()
        env:
          GITHUB_TOKEN: ${{ github.token }}

      - name: Run TFLint
        if: ${{ github.event_name != 'pull_request' && (success() || failure()) }}
        run: |
          set +e
          TFLINT_OUTPUT=$(tflint --recursive --config="$TFLINT_CONFIG_FILE_ABS")
          EXITCODE=$?
          {
            echo '<details><summary>TFLint Output</summary>'
            echo -e '\n```'
            echo "$TFLINT_OUTPUT"
            echo '```'
            echo -e '\n</details>'
          } >> "$GITHUB_STEP_SUMMARY"
          exit $EXITCODE

      - name: Run TFLint (PR)
        if: ${{ github.event_name == 'pull_request' && (success() || failure()) }}
        run: |
          tflint --format=checkstyle --recursive --config="$TFLINT_CONFIG_FILE_ABS" > ${{ github.workspace }}/tflint-report.xml

      - name: Report Result
        uses: jwgmeligmeyling/checkstyle-github-action@master
        if: ${{ github.event_name == 'pull_request' && (success() || failure()) }}
        with:
          title: TFLint Report
          name: TFLint Report
          path: ${{ github.workspace }}/tflint-report.xml