- Migrated Ansible integration from consul_template to vault_agent - Copied vault_agent role from terraform-vsphere-infra module - Created vault_agent-playbook.yml for deployment - Archived consul_template role as consul_template-legacy - Updated Terraform configuration: - Changed Ansible inventory group from consul_template to vault_agent - Added vault_secret_path variable for vault-agent - Added ssl_certs_dir and ssl_private_dir variables - Formatted all Terraform files - Implemented CI/CD pipeline: - Created .gitea/workflows/pipeline.yaml - Added TFLint, Tfsec, and Checkov security scans - Added Terraform validate step - Added SonarQube integration - Created sonar-project.properties - Documentation updates: - Updated README.md with vault-agent information - Added migration section comparing consul-template vs vault-agent - Updated CLAUDE.md with vault-agent architecture - Added vault-agent configuration examples Why vault-agent over consul-template: - Full AppRole support with role_id/secret_id files - Advanced token auto-renewal with auto_auth - Better credential security (separate files vs config) - Actively developed by HashiCorp Note: The ansible/ directory changes (vault_agent role and playbook) are not committed as the directory is in .gitignore. These files exist locally and will be deployed during Ansible runs.
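---
# Gitea Actions workflow: lint, security-scan and validate the Terraform code
# under terraform/, then trigger a SonarQube analysis of the repository.
#
# NOTE(review): every action below is referenced by a mutable tag (@v4, @v3,
# @v12, @v6, @v1.0.3). A moved tag silently changes what runs with access to the
# checkout and the workflow secrets; pinning each `uses:` to a full commit SHA
# (tag kept in a trailing comment) removes that exposure. Likewise
# `tflint_version: latest` and `terraform_version: latest` make a run
# non-reproducible — pin them once the intended versions are known.

name: Code Quality & Security Scan

# `on` is a YAML 1.1 boolean key; the workflow loader handles it, yamllint does
# not. yamllint disable-line rule:truthy
on:
  push:
    branches:
      - master
  pull_request:
    types: [opened, synchronize, reopened]

# Least privilege for the workflow token: no job here writes to the repository,
# so read access is sufficient. NOTE(review): whether the forge enforces this
# key depends on the Gitea/runner version in use — confirm, the declaration
# itself is harmless.
permissions:
  contents: read

# Jobs form a single `needs` chain (tflint -> tfsec -> checkov ->
# terraform-validate -> sonarqube), so the pipeline stops at the first failing
# gate. The three scanners do not depend on each other's output; running them
# in parallel is possible if wall-clock time ever matters more than fail-fast.
jobs:
  tflint:
    name: TFLint
    runs-on: ubuntu-latest
    steps:
      - name: Checking out
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Setup TFLint
        uses: terraform-linters/setup-tflint@v4
        with:
          tflint_version: latest

      # Fetches the rulesets/plugins declared in the repo's .tflint.hcl (if any).
      - name: Initialize TFLint
        working-directory: terraform
        run: tflint --init

      - name: Run TFLint
        working-directory: terraform
        run: tflint --format compact

  tfsec:
    name: Tfsec Security Scan
    runs-on: ubuntu-latest
    needs: tflint
    steps:
      - name: Checking out
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # soft_fail: false — findings fail the job rather than only being reported.
      - name: Run Tfsec
        uses: aquasecurity/tfsec-action@v1.0.3
        with:
          working_directory: terraform
          format: default
          soft_fail: false

  checkov:
    name: Checkov Security Scan
    runs-on: ubuntu-latest
    needs: tfsec
    steps:
      - name: Checking out
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # soft_fail: false — findings fail the job rather than only being reported.
      - name: Run Checkov
        uses: bridgecrewio/checkov-action@v12
        with:
          directory: terraform
          framework: terraform
          output_format: cli
          soft_fail: false

  terraform-validate:
    name: Terraform Validate
    runs-on: ubuntu-latest
    needs: checkov
    # TF_VAR_* values feed Terraform input variables. These are placeholders so
    # init/validate can run without real infrastructure; nothing is applied and
    # `-backend=false` below skips backend initialisation. Declared once at job
    # level instead of being repeated per step.
    env:
      TF_VAR_vault_address: "https://vault.example.com:8200"
      TF_VAR_environment: "test"
      TF_VAR_short_hostname: "test-host"
    steps:
      - name: Checking out
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: latest

      - name: Terraform Format Check
        working-directory: terraform
        run: terraform fmt -check -recursive

      - name: Terraform Init (for validation)
        working-directory: terraform
        run: terraform init -backend=false

      - name: Terraform Validate
        working-directory: terraform
        run: terraform validate

  sonarqube:
    name: SonarQube Trigger
    runs-on: ubuntu-latest
    needs: terraform-validate
    steps:
      - name: Checking out
        uses: actions/checkout@v4
        with:
          # Disabling shallow clone is recommended for improving relevancy of reporting
          fetch-depth: 0

      # Host and token come from repository secrets; they are never written to
      # the workflow file. The token should be an analysis token scoped to this
      # project rather than a user token.
      - name: SonarQube Scan
        uses: sonarsource/sonarqube-scan-action@v6
        env:
          SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST }}
          SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}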