Skip to content

Commit

Permalink
add scaffolding pipeline code #2
Browse files Browse the repository at this point in the history
  • Loading branch information
@kunduso
kunduso committed Jun 10, 2024
1 parent 2836faf commit d431b89
Show file tree
Hide file tree
Showing 2 changed files with 213 additions and 0 deletions.
52 changes: 52 additions & 0 deletions .github/workflows/code-scan.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
name: checkov-static-analysis-scan

# Controls when the workflow will run
on:
# Triggers the workflow on push or pull request events but only for the "main" branch
push:
branches: [ '*' ]
paths-ignore:
- '**/README.md'
pull_request:
branches: ["main"]
paths-ignore:
- '**/README.md'

# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
permissions: read-all
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
# This workflow contains a single job called "scan"
scan:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status

# The type of runner that the job will run on
runs-on: ubuntu-latest

# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so follow-up steps can access it
- uses: actions/checkout@v3

- name: Checkov GitHub Action
uses: bridgecrewio/checkov-action@v12
with:
# This will add both a CLI output to the console and create a results.sarif file
output_format: cli,sarif
output_file_path: console,results.sarif

- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2

# Results are generated only on a success or failure
# this is required since GitHub by default won't run the next step
# when the previous one has failed. Security checks that do not pass will 'fail'.
# An alternative is to add `continue-on-error: true` to the previous step
# Or 'soft_fail: true' to checkov.
if: success() || failure()
with:
sarif_file: results.sarif
161 changes: 161 additions & 0 deletions .github/workflows/terraform.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,161 @@
name: terraform-infra-provisioning

on:
workflow_dispatch:
push:
branches: [ '*' ]
paths-ignore:
- '**/README.md'
pull_request:
branches: ["main"]
paths-ignore:
- '**/README.md'

permissions: read-all
#--------------------------
#
# PLEASE READ: Add a GitHub Actions variable 'INFRACOST_SCAN_TYPE' and set the value to either 'hcl_code' or 'tf_plan' depending on what type of Infracost scan desired.
#
#--------------------------
jobs:
terraform:
name: 'continuous-integration'
runs-on: ubuntu-latest
environment: development
permissions:
contents: read
id-token: write
pull-requests: write
# Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
defaults:
run:
shell: bash

steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout
uses: actions/checkout@v3

- name: Configure AWS Credentials Action For GitHub Actions
uses: aws-actions/configure-aws-credentials@v1-node16
with:
role-to-assume: ${{ secrets.IAM_ROLE }}
role-session-name: AWSSession
aws-region: us-east-2

# Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
- name: Setup Terraform
uses: hashicorp/setup-terraform@v1

- name: Setup Infracost
uses: infracost/actions/setup@v2
# See https://github.com/infracost/actions/tree/master/setup for other inputs
# If you can't use this action, see Docker images in https://infracost.io/cicd
with:
api-key: ${{ secrets.INFRACOST_API_KEY }}
if: github.event_name == 'pull_request'

# Checkout the base branch of the pull request (e.g. main/master).
- name: Checkout base branch
if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
uses: actions/checkout@v3
with:
ref: '${{ github.event.pull_request.base.ref }}'

# Generate Infracost JSON file as the baseline.
- name: Generate Infracost cost estimate baseline
if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
run: |
infracost breakdown --path=. \
--format=json \
--out-file=/tmp/infracost-base.json
# Checkout the current PR branch so we can create a diff.
- name: Checkout PR branch
if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
uses: actions/checkout@v3

# Generate an Infracost diff and save it to a JSON file.
- name: Generate Infracost diff
if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
run: |
infracost diff --path=. \
--format=json \
--compare-to=/tmp/infracost-base.json \
--out-file=/tmp/infracost.json
# Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
- name: Terraform Init
id: init
run: terraform init

# Checks that all Terraform configuration files adhere to a canonical format
- name: Terraform Format
id: fmt
run: terraform fmt -check
# Checks that all Terraform configuration files are correctly written
- name: Terraform Validate
id: validate
run: terraform validate -no-color
# Generates an execution plan for Terraform
- name: Terraform Plan
id: plan
if: github.ref != 'refs/heads/main' || github.event_name == 'pull_request'
run: |
terraform plan -no-color -input=false \
-out=TFplan.JSON
continue-on-error: true

# Generate an Infracost diff and save it to a JSON file.
- name: Generate Infracost diff
if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'tf_plan') }}
run: |
infracost diff --path=TFplan.JSON \
--format=json \
--out-file=/tmp/infracost.json
- name: Post Infracost estimate
if: github.event_name == 'pull_request'
run: |
infracost comment github --path=/tmp/infracost.json \
--repo=$GITHUB_REPOSITORY \
--github-token=${{github.token}} \
--pull-request=${{github.event.pull_request.number}} \
--show-skipped \
--behavior=update
- name: Post Terraform Plan output
uses: actions/github-script@v6
if: github.event_name == 'pull_request'
env:
PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
#### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
#### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
<details><summary>Show Plan</summary>
\`\`\`\n
${process.env.PLAN}
\`\`\`
</details>
*Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})
# On push to "main", build or change infrastructure according to Terraform configuration files
# Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks
- name: Terraform Apply
if: github.ref == 'refs/heads/main'
run: terraform apply -auto-approve -input=false

0 comments on commit d431b89

Please sign in to comment.