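# Runs Run-AzTerraform.ps1 (repository root) against the Terraform directory
# given by the terraform_code_location input, optionally running tfsec, checkov
# and terraform-compliance first. Every parameter comes from a workflow_dispatch
# input or a repository secret; there are no push or schedule triggers.
#
# NOTE(review): although the workflow is named "Terraform Apply", the Build
# step below passes -RunTerraformApply false and -RunTerraformPlan true, so it
# only plans. Confirm which behaviour is intended before relying on the name.
name: 'Terraform Apply'

# Allow run manually
on:
  workflow_dispatch:
    inputs:
      terraform_code_location:
        type: string
        description: What working directory should be passed to the script
        default: "examples/module-development"
      run_tfsec:
        type: boolean
        description: 'Whether tfsec should be ran'
        default: true
      run_checkov:
        type: boolean
        description: 'Whether checkov should be ran'
        default: false
      run_terraform_compliance:
        type: boolean
        description: 'Whether terraform-compliance should be ran'
        default: false
      terraform_compliance_policy_files:
        type: string
        description: 'The location of terraform-compliance files if used'
        default: "git:https://github.com/libre-devops/azure-naming-convention.git//?ref=main"
      enable_debug_mode:
        type: boolean
        description: 'Whether debug mode should be enable for within the script'
        default: true
      delete_plan_files:
        type: boolean
        description: 'Whether the tfplan files should be auto deleted'
        default: true
      terraform_version:
        type: string
        description: 'What version should tenv attempt to use?'
        default: latest
      terraform_state_name:
        type: string
        description: 'Name of the Terraform state file'
        default: 'lbd-uks-prd-test-build.terraform.tfstate'

# Least privilege for GITHUB_TOKEN: the job only checks the repository out.
# Azure access goes through the ARM_* secrets below, not through the token.
permissions:
  contents: read

jobs:
  run-script:
    name: 'Run Script'
    runs-on: ubuntu-latest
    defaults:
      run:
        shell: pwsh  # applies to every run: step below
    steps:
      - uses: actions/checkout@v3

      - name: Set up Homebrew
        id: set-up-homebrew
        # TODO(review): @master is a mutable ref, so this step executes whatever
        # the upstream branch currently contains. Pin to a full commit SHA
        # (uses: Homebrew/actions/setup-homebrew@<commit-sha>) once chosen.
        uses: Homebrew/actions/setup-homebrew@master

      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Install tenv
        id: install-tenv
        # Resolves the newest tenv tag via the GitHub API and installs the
        # matching amd64 .deb. The package is not checksum- or signature-verified
        # before dpkg -i; verify it against the release's published checksums if
        # build reproducibility matters for this pipeline.
        run: |
          $tenvReleaseUri = "https://api.github.com/repos/tofuutils/tenv/releases/latest"
          $tenvLatestVersion = (Invoke-RestMethod -Uri $tenvReleaseUri).tag_name
          $tenvDownloadUrl = "https://github.com/tofuutils/tenv/releases/latest/download/tenv_${tenvLatestVersion}_amd64.deb"
          $tenvFilePath = "./tenv_${tenvLatestVersion}_amd64.deb"
          Invoke-WebRequest -Uri $tenvDownloadUrl -OutFile $tenvFilePath
          sudo dpkg -i $tenvFilePath

      # The three scanners are installed unpinned (latest brew / pip release),
      # so findings can drift between runs; pin versions if that is a concern.
      - name: Install tfsec
        id: install-tfsec
        run: |
          brew install tfsec

      - name: Install checkov
        id: install-checkov
        run: |
          pip3 install checkov

      - name: Install terraform-compliance
        id: install-terraform-compliance
        run: |
          pip3 install terraform-compliance

      - name: Build
        id: run-script
        # Inputs and secrets are handed to the script through environment
        # variables instead of being interpolated into the script text. A value
        # containing PowerShell metacharacters then stays a plain string
        # argument rather than becoming part of the command line.
        # The directory input is terraform_code_location (there is no
        # working_directory input, which previously expanded to nothing).
        env:
          TF_CODE_LOCATION: ${{ inputs.terraform_code_location }}
          TF_DEBUG_MODE: ${{ inputs.enable_debug_mode }}
          TF_RUN_TFSEC: ${{ inputs.run_tfsec }}
          TF_RUN_CHECKOV: ${{ inputs.run_checkov }}
          TF_RUN_COMPLIANCE: ${{ inputs.run_terraform_compliance }}
          TF_COMPLIANCE_POLICY_FILES: ${{ inputs.terraform_compliance_policy_files }}
          TF_DELETE_PLAN_FILES: ${{ inputs.delete_plan_files }}
          TF_VERSION: ${{ inputs.terraform_version }}
          TF_STATE_NAME: ${{ inputs.terraform_state_name }}
          BACKEND_SUBSCRIPTION_ID: ${{ secrets.SpokeSubId }}
          BACKEND_SA_RG_NAME: ${{ secrets.SpokeSaRgName }}
          BACKEND_SA_NAME: ${{ secrets.SpokeSaName }}
          BACKEND_SA_CONTAINER_NAME: ${{ secrets.SpokeSaBlobContainerName }}
          ARM_CLIENT_ID: ${{ secrets.SpokeSvpClientId }}
          ARM_CLIENT_SECRET: ${{ secrets.SpokeSvpClientSecret }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.SpokeSubId }}
          ARM_TENANT_ID: ${{ secrets.SpokeTenantId }}
          ARM_USE_AZUREAD: "true"
        run: |
          .\Run-AzTerraform.ps1 `
            -TerraformCodeLocation $env:TF_CODE_LOCATION `
            -RunTerraformInit true `
            -RunTerraformPlan true `
            -RunTerraformPlanDestroy false `
            -RunTerraformApply false `
            -RunTerraformDestroy false `
            -DebugMode $env:TF_DEBUG_MODE `
            -RunTfsec $env:TF_RUN_TFSEC `
            -RunCheckov $env:TF_RUN_CHECKOV `
            -RunTerraformCompliance $env:TF_RUN_COMPLIANCE `
            -TerraformCompliancePolicyFiles $env:TF_COMPLIANCE_POLICY_FILES `
            -DeletePlanFiles $env:TF_DELETE_PLAN_FILES `
            -TerraformVersion $env:TF_VERSION `
            -BackendStorageSubscriptionId $env:BACKEND_SUBSCRIPTION_ID `
            -BackendStorageAccountRgName $env:BACKEND_SA_RG_NAME `
            -BackendStorageAccountName $env:BACKEND_SA_NAME `
            -BackendStorageAccountBlobContainerName $env:BACKEND_SA_CONTAINER_NAME `
            -BackendStorageAccountBlobStatefileName $env:TF_STATE_NAME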