Add Terraform CI/CD pipeline

2025-10-29 07:04:09 +00:00 · 2025-10-29 07:04:09 +00:00 · c057781ad6
commit c057781ad6
parent 345f67374c
1 changed files with 248 additions and 0 deletions
--- a/.gitea/workflows/terraform.yml
+++ b/.gitea/workflows/terraform.yml
@ -0,0 +1,248 @@
+name: Terraform CI/CD Pipeline
+
+on:
+  push:
+    branches:
+      - main
+      - develop
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+    inputs:
+      action:
+        description: 'Action to perform'
+        required: true
+        type: choice
+        options:
+          - plan
+          - apply
+          - destroy
+
+env:
+  TF_VERSION: "1.9.0"
+  WORKING_DIR: "./terraform"  # Adjust to your terraform directory
+
+jobs:
+  # Stage 1: Linting and Syntax Checks
+  lint-and-validate:
+    name: Lint and Validate
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: https://github.com/hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TF_VERSION }}
+
+      - name: Terraform Format Check
+        id: fmt
+        run: terraform fmt -check -recursive
+        working-directory: ${{ env.WORKING_DIR }}
+        continue-on-error: true
+
+      - name: Terraform Init (for validation)
+        run: terraform init -backend=false
+        working-directory: ${{ env.WORKING_DIR }}
+
+      - name: Terraform Validate
+        run: terraform validate
+        working-directory: ${{ env.WORKING_DIR }}
+
+      - name: Check Format Result
+        if: steps.fmt.outcome == 'failure'
+        run: |
+          echo "❌ Terraform formatting check failed. Run 'terraform fmt -recursive' to fix."
+          exit 1
+
+  # Stage 2: Security Scanning
+  security-scan:
+    name: Security Scan
+    runs-on: ubuntu-latest
+    needs: lint-and-validate
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Checkov (Open Source Security Scanner)
+        uses: https://github.com/bridgecrewio/checkov-action@v12
+        with:
+          directory: ${{ env.WORKING_DIR }}
+          framework: terraform
+          soft_fail: false  # Set to true to not fail the pipeline on security issues
+          output_format: cli
+
+      - name: Run tfsec (Terraform Security Scanner)
+        uses: https://github.com/aquasecurity/tfsec-action@v1.0.3
+        with:
+          working_directory: ${{ env.WORKING_DIR }}
+          soft_fail: false
+
+  # Stage 3: Terraform Init and Plan
+  plan:
+    name: Terraform Plan
+    runs-on: ubuntu-latest
+    needs: security-scan
+    if: github.event_name == 'push' || github.event_name == 'pull_request' || (github.event_name == 'workflow_dispatch' && (github.event.inputs.action == 'plan' || github.event.inputs.action == 'apply'))
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: https://github.com/hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TF_VERSION }}
+          terraform_wrapper: false
+
+      - name: Configure Terraform Credentials
+        run: |
+          # Add your cloud provider credentials here
+          # Example for AWS:
+          # echo "AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_ID }}" >> $GITHUB_ENV
+          # echo "AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }}" >> $GITHUB_ENV
+          
+          # Example for Azure:
+          # echo "ARM_CLIENT_ID=${{ secrets.ARM_CLIENT_ID }}" >> $GITHUB_ENV
+          # echo "ARM_CLIENT_SECRET=${{ secrets.ARM_CLIENT_SECRET }}" >> $GITHUB_ENV
+          # echo "ARM_SUBSCRIPTION_ID=${{ secrets.ARM_SUBSCRIPTION_ID }}" >> $GITHUB_ENV
+          # echo "ARM_TENANT_ID=${{ secrets.ARM_TENANT_ID }}" >> $GITHUB_ENV
+          
+          # For GCP, you might need to create a credentials file
+          echo "Configure your provider credentials here"
+
+      - name: Terraform Init
+        run: terraform init
+        working-directory: ${{ env.WORKING_DIR }}
+        env:
+          # Add backend configuration secrets if needed
+          TF_CLI_ARGS_init: "-backend-config=access_key=${{ secrets.BACKEND_ACCESS_KEY }}"
+
+      - name: Terraform Plan
+        run: terraform plan -out=tfplan.binary
+        working-directory: ${{ env.WORKING_DIR }}
+
+      - name: Convert Plan to JSON
+        run: terraform show -json tfplan.binary > tfplan.json
+        working-directory: ${{ env.WORKING_DIR }}
+
+      - name: Upload Terraform Plan
+        uses: actions/upload-artifact@v4
+        with:
+          name: terraform-plan
+          path: |
+            ${{ env.WORKING_DIR }}/tfplan.binary
+            ${{ env.WORKING_DIR }}/tfplan.json
+            ${{ env.WORKING_DIR }}/.terraform/
+            ${{ env.WORKING_DIR }}/.terraform.lock.hcl
+          retention-days: 30
+
+      - name: Comment Plan on PR
+        if: github.event_name == 'pull_request'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const plan = fs.readFileSync('${{ env.WORKING_DIR }}/tfplan.json', 'utf8');
+            const output = `#### Terraform Plan 📖
+            
+            <details><summary>Show Plan</summary>
+            
+            \`\`\`json
+            ${plan}
+            \`\`\`
+            
+            </details>`;
+            
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            });
+
+  # Stage 4: Terraform Apply
+  apply:
+    name: Terraform Apply
+    runs-on: ubuntu-latest
+    needs: plan
+    if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || (github.event_name == 'workflow_dispatch' && github.event.inputs.action == 'apply')
+    environment: 
+      name: production
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: https://github.com/hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TF_VERSION }}
+          terraform_wrapper: false
+
+      - name: Download Terraform Plan
+        uses: actions/download-artifact@v4
+        with:
+          name: terraform-plan
+          path: ${{ env.WORKING_DIR }}
+
+      - name: Configure Terraform Credentials
+        run: |
+          # Same credentials configuration as in plan stage
+          echo "Configure your provider credentials here"
+
+      - name: Restore Terraform Init Files
+        run: |
+          # The .terraform directory is already restored from artifacts
+          echo "Terraform initialization files restored"
+
+      - name: Terraform Apply
+        run: terraform apply -auto-approve tfplan.binary
+        working-directory: ${{ env.WORKING_DIR }}
+
+      - name: Output Terraform Outputs
+        run: terraform output -json > terraform-outputs.json
+        working-directory: ${{ env.WORKING_DIR }}
+
+      - name: Upload Terraform Outputs
+        uses: actions/upload-artifact@v4
+        with:
+          name: terraform-outputs
+          path: ${{ env.WORKING_DIR }}/terraform-outputs.json
+          retention-days: 90
+
+  # Stage 5: Terraform Destroy (Manual/Authorized Only)
+  destroy:
+    name: Terraform Destroy
+    runs-on: ubuntu-latest
+    if: github.event_name == 'workflow_dispatch' && github.event.inputs.action == 'destroy'
+    environment:
+      name: production-destroy  # Requires manual approval in repository settings
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: https://github.com/hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TF_VERSION }}
+          terraform_wrapper: false
+
+      - name: Configure Terraform Credentials
+        run: |
+          # Same credentials configuration as previous stages
+          echo "Configure your provider credentials here"
+
+      - name: Terraform Init
+        run: terraform init
+        working-directory: ${{ env.WORKING_DIR }}
+
+      - name: Terraform Destroy
+        run: terraform destroy -auto-approve
+        working-directory: ${{ env.WORKING_DIR }}
+
+      - name: Notify Destroy Completion
+        run: |
+          echo "🔥 Terraform infrastructure has been destroyed!"
+          echo "Destroyed by: ${{ github.actor }}"
+          echo "Timestamp: $(date -u)"