terraform-vsphere-resourcegroups

Author	SHA1	Message	Date
Patrick de Ruiter	42245ff565	Replace artifact upload with MinIO/S3 upload for test reports All checks were successful Code Quality & Security Scan / TFLint (push) Successful in 13s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 27s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 18s Details Code Quality & Security Scan / Terraform Tests (push) Successful in 1m4s Details Code Quality & Security Scan / SonarQube Trigger (push) Successful in 29s Details Code Quality & Security Scan / Terraform Init (push) Successful in 48s Details Code Quality & Security Scan / Terraform Apply (push) Successful in 40s Details - Replaced actions/upload-artifact with direct MinIO upload - Uses same pattern as terraform plan upload - Test reports stored in: terraform-tests/{repository}/{run_number}/ - Enhanced test report with repository, run number, and branch info - Fixes: Gitea Actions artifact upload not supported AWS CLI is installed and used to upload reports to S3-compatible MinIO storage, matching the existing terraform plan upload workflow.	2025-11-09 10:09:57 +01:00
Patrick de Ruiter	74940bdc29	Use actual Vault credentials for terraform tests Some checks failed Code Quality & Security Scan / TFLint (push) Successful in 17s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 33s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 31s Details Code Quality & Security Scan / Terraform Tests (push) Failing after 1m29s Details Code Quality & Security Scan / SonarQube Trigger (push) Has been skipped Details Code Quality & Security Scan / Terraform Init (push) Has been skipped Details Code Quality & Security Scan / Terraform Apply (push) Has been skipped Details - Changed from mock credentials to actual Vault AppRole secrets - Added VAULT_ADDR environment variable for Vault connection - Uses same credentials as terraform-init job (read-only access) - Fixes: Vault authentication failures in test execution	2025-11-09 09:59:47 +01:00
Patrick de Ruiter	89dabee068	Fix terraform test job - add init step before testing Some checks failed Code Quality & Security Scan / TFLint (push) Successful in 19s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 36s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 36s Details Code Quality & Security Scan / Terraform Tests (push) Failing after 40s Details Code Quality & Security Scan / SonarQube Trigger (push) Has been skipped Details Code Quality & Security Scan / Terraform Init (push) Has been skipped Details Code Quality & Security Scan / Terraform Apply (push) Has been skipped Details - Added terraform init -backend=false before running tests - Tests don't require backend configuration - Ensures providers are downloaded before test execution - Fixes: terraform test failing due to missing providers	2025-11-09 09:54:19 +01:00
Patrick de Ruiter	cfbe6cbdc4	Add comprehensive Terraform testing framework Some checks failed Code Quality & Security Scan / TFLint (push) Successful in 24s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 29s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 44s Details Code Quality & Security Scan / Terraform Tests (push) Failing after 35s Details Code Quality & Security Scan / SonarQube Trigger (push) Has been skipped Details Code Quality & Security Scan / Terraform Init (push) Has been skipped Details Code Quality & Security Scan / Terraform Apply (push) Has been skipped Details - Implemented 21 test cases across 3 test suites: * resource_groups.tftest.hcl (7 tests): Default behavior and validation * custom_configuration.tftest.hcl (6 tests): Custom configurations * variable_validation.tftest.hcl (8 tests): Input validation and edge cases - Updated CI/CD pipeline (.gitea/workflows/sonarqube.yaml): * Added terraform-test job with format check and test execution * Generates and uploads test reports (30-day retention) * Runs after security scanning, before deployment - Added comprehensive documentation: * TESTING.md: Complete testing guide with best practices * TEST_SUMMARY.md: Implementation summary and statistics * TESTING_QUICK_START.md: Quick reference for developers * TESTING_WORKFLOW.md: Visual workflow diagrams - Updated existing documentation: * README.md: Added testing section with examples * CLAUDE.md: Added test commands to workflow - Test coverage includes: * Resource creation and configuration validation * Tag category and tag management * Variable validation and defaults * Custom configurations and overrides * Edge cases and error handling * Output generation verification Tests use mock credentials for infrastructure-independent execution. Requires Terraform >= 1.6.0 for native testing framework.	2025-11-09 00:37:45 +01:00
Patrick de Ruiter	1a52e592e5	Remove non-functional Terraform provider caching Some checks failed Code Quality & Security Scan / Terraform Init (push) Has started running Details Code Quality & Security Scan / Terraform Apply (push) Has been cancelled Details Code Quality & Security Scan / TFLint (push) Successful in 19s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 22s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 34s Details Code Quality & Security Scan / SonarQube Trigger (push) Successful in 47s Details Issue: - Cache steps were timing out after ~5 minutes with ETIMEDOUT errors - Gitea Actions cache server not configured or not responding - Connection attempts to 172.19.0.3:36175 failing - Added 8-10 minutes of unnecessary delays to pipeline Solution: - Removed 'Cache Terraform Providers' step from terraform-init job - Removed 'Restore Terraform Cache' step from terraform-apply job - Terraform init will download providers fresh each time - No performance degradation since cache was never working Impact: - Faster pipeline execution (removes timeout delays) - No functional changes (cache was never successful) - Apply job still independent and self-contained Note: terraform-vsphere-network never had cache steps (copied before caching was added)	2025-11-02 13:13:31 +01:00
Patrick de Ruiter	2af3ccd989	Add Terraform caching and destroy workflow Some checks failed Code Quality & Security Scan / TFLint (push) Has been cancelled Details Code Quality & Security Scan / Tfsec Security Scan (push) Has been cancelled Details Code Quality & Security Scan / Checkov Security Scan (push) Has been cancelled Details Code Quality & Security Scan / SonarQube Trigger (push) Has been cancelled Details Code Quality & Security Scan / Terraform Init (push) Has been cancelled Details Code Quality & Security Scan / Terraform Apply (push) Has been cancelled Details Code Quality & Security Scan / Terraform Destroy (push) Has been cancelled Details Optimizations: - Added Terraform provider caching to terraform-init job - Apply job now reuses cached .terraform directory - Cache persists across workflow runs (keyed by .terraform.lock.hcl) - Significantly faster init times on subsequent runs New terraform-destroy job: - Only triggered on pull requests with 'destroy' label - Requires manual approval via 'destroy-approval' environment - Self-contained with fresh init (no cache for safety) - Clear warnings and authorization verification - Three-step process: verify → plan → execute Security features: - Destroy only runs on labeled pull requests - Requires environment protection approval - Fresh terraform init without cache for verification - Detailed logging of who/what/when/where - Cannot be triggered on direct push to master Usage: 1. Create pull request with proposed destroy changes 2. Add 'destroy' label to the PR 3. Approve via Gitea environment protection 4. Review destroy plan in logs 5. Approve destroy-approval environment to execute Benefits: - Faster apply workflow (cached providers) - Safe destroy process with multiple safeguards - Clear audit trail for destructive operations - Self-contained destroy for maximum safety	2025-11-02 12:33:44 +01:00
Patrick de Ruiter	514136f018	Add Terraform apply job with manual approval All checks were successful Code Quality & Security Scan / TFLint (push) Successful in 18s Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 25s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 35s Details Code Quality & Security Scan / SonarQube Trigger (push) Successful in 33s Details Code Quality & Security Scan / Terraform Init (push) Successful in 59s Details Code Quality & Security Scan / Terraform Apply (push) Successful in 55s Details - New terraform-apply job runs after terraform-init - Requires manual approval via production environment gate - Only runs on push to master branch - Downloads plan file from MinIO - Applies the exact plan that was reviewed - Includes all necessary environment variables for Vault and vSphere	2025-11-02 01:45:38 +01:00
Patrick de Ruiter	66e05bb105	Replace GitHub Actions artifact with MinIO upload All checks were successful Code Quality & Security Scan / TFLint (push) Successful in 20s Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 31s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 37s Details Code Quality & Security Scan / SonarQube Trigger (push) Successful in 37s Details Code Quality & Security Scan / Terraform Init (push) Successful in 1m4s Details - Removed actions/upload-artifact@v4 (not supported in Gitea) - Added terraform show output to create human-readable plan text - Upload both binary plan and text version to MinIO - Plan stored at: s3://bucket/terraform-plans/repo/run-number/ - Uses existing AWS CLI with S3-compatible endpoint	2025-11-02 01:36:11 +01:00
Patrick de Ruiter	14a22b2561	Add required Terraform variables to plan step Some checks failed Code Quality & Security Scan / TFLint (push) Successful in 20s Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 31s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 37s Details Code Quality & Security Scan / SonarQube Trigger (push) Successful in 38s Details Code Quality & Security Scan / Terraform Init (push) Failing after 30s Details - Added TF_VAR_datacenter environment variable - Added TF_VAR_cluster_name environment variable - Added TF_VAR_environment environment variable - Prevents interactive prompts during terraform plan - Required secrets: VSPHERE_DATACENTER, VSPHERE_CLUSTER, ENVIRONMENT	2025-11-02 01:16:27 +01:00
Patrick de Ruiter	269c9b48d7	Add Terraform plan step with artifact upload Some checks failed Code Quality & Security Scan / TFLint (push) Successful in 26s Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 28s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 35s Details Code Quality & Security Scan / SonarQube Trigger (push) Successful in 38s Details Code Quality & Security Scan / Terraform Init (push) Has been cancelled Details - Added terraform plan step that outputs plan to tfplan file - Plan includes all required environment variables for Vault and MinIO - Plan artifact uploaded with 30-day retention for later apply step - Plan file can be downloaded and used for terraform apply	2025-11-02 00:48:46 +01:00
Patrick de Ruiter	72c8be1a56	Add Vault credentials to workflow secrets Some checks failed Code Quality & Security Scan / TFLint (push) Successful in 20s Details Code Quality & Security Scan / Checkov Security Scan (push) Has been cancelled Details Code Quality & Security Scan / Tfsec Security Scan (push) Has been cancelled Details Code Quality & Security Scan / SonarQube Trigger (push) Has been cancelled Details Code Quality & Security Scan / Terraform Init (push) Has been cancelled Details - Added TF_VAR_role_id and TF_VAR_secret_id environment variables - Added VAULT_ADDR environment variable - Vault credentials now sourced from Gitea secrets instead of tfvars - Required secrets: VAULT_ADDR, VAULT_ROLE_ID, VAULT_SECRET_ID	2025-11-02 00:48:17 +01:00
Patrick de Ruiter	4a2ed7bf4f	Refactor Terraform init to use backend-config flags All checks were successful Code Quality & Security Scan / TFLint (push) Successful in 21s Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 31s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 35s Details Code Quality & Security Scan / SonarQube Trigger (push) Successful in 45s Details Code Quality & Security Scan / Terraform Init (push) Successful in 29s Details - Updated backend.tf to use partial configuration - Modified workflow to pass backend settings via -backend-config flags - Follows Azure-style pattern with environment variables - Improves flexibility and keeps configuration out of version control - Required secrets: MINIO_ENDPOINT, MINIO_BUCKET, MINIO_STATE_KEY	2025-11-02 00:32:28 +01:00
Patrick de Ruiter	4ce4ee9b70	Add Terraform init step with secure MinIO backend Some checks failed Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 28s Details Code Quality & Security Scan / TFLint (push) Successful in 17s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 36s Details Code Quality & Security Scan / SonarQube Trigger (push) Successful in 38s Details Code Quality & Security Scan / Terraform Init (push) Failing after 30s Details - Removed hardcoded MinIO credentials from backend.tf - Added terraform-init job after SonarQube step - Uses organization secrets for MinIO credentials: - MINIO_ACCESS_KEY - MINIO_SECRET_KEY - Credentials passed via AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY env vars - Initializes Terraform with S3-compatible MinIO backend	2025-11-01 23:59:01 +01:00
Patrick de Ruiter	0089d060cf	Add Tfsec security scanning before Checkov All checks were successful Code Quality & Security Scan / Checkov Security Scan (push) Successful in 36s Details Code Quality & Security Scan / TFLint (push) Successful in 19s Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 1m4s Details Code Quality & Security Scan / SonarQube Trigger (push) Successful in 40s Details - Added Tfsec job for Terraform security analysis - Tfsec specializes in detecting security issues in Terraform code - Pipeline flow: TFLint -> Tfsec -> Checkov -> SonarQube - Tfsec focuses on cloud security misconfigurations - Complements Checkov with different security rule sets	2025-11-01 23:10:13 +01:00
Patrick de Ruiter	f4be04dce1	Add TFLint as first pipeline step Some checks failed Code Quality & Security Scan / TFLint (push) Failing after 28s Details Code Quality & Security Scan / Checkov Security Scan (push) Has been skipped Details Code Quality & Security Scan / SonarQube Trigger (push) Has been skipped Details - Added TFLint job to catch Terraform errors and best practices - TFLint runs before Checkov for early error detection - Uses latest TFLint version with automatic initialization - Pipeline flow: TFLint -> Checkov -> SonarQube	2025-11-01 22:56:34 +01:00
Patrick de Ruiter	d7bc88ced2	Fix Checkov workflow for Gitea compatibility All checks were successful Code Quality & Security Scan / Checkov Security Scan (push) Successful in 30s Details Code Quality & Security Scan / SonarQube Trigger (push) Successful in 44s Details - Removed upload-artifact step (not supported in Gitea) - Simplified output to CLI format only - Checkov results will be displayed in pipeline logs	2025-11-01 22:51:19 +01:00
Patrick de Ruiter	1262a96f93	Add Checkov compliance scanning to CI pipeline Some checks failed Code Quality & Security Scan / Checkov Security Scan (push) Failing after 1m58s Details Code Quality & Security Scan / SonarQube Trigger (push) Has been skipped Details - Added Checkov security scan job that runs before SonarQube - Configured for Terraform-specific IaC compliance checks - Outputs results in CLI and SARIF formats - Uploads scan results as artifacts for review - SonarQube job now depends on Checkov passing - Renamed workflow to reflect both quality and security scanning	2025-11-01 22:36:25 +01:00
Patrick de Ruiter	dcc7aaa091	Update SonarQube action to v6 for security patches All checks were successful SonarQube Scan / SonarQube Trigger (push) Successful in 47s Details	2025-11-01 20:39:05 +01:00
Patrick de Ruiter	bcb3110e03	Fix SonarQube scan Java version mismatch Some checks failed SonarQube Scan / SonarQube Trigger (push) Has been cancelled Details - Updated SonarQube action from kitabisa/sonarqube-action@v1.2.0 to sonarsource/sonarqube-scan-action@v4 - Official action uses Java 17, compatible with SonarQube 25.10 - Added sonar-project.properties with Terraform-specific exclusions - Fixes: java.lang.UnsupportedClassVersionError (class file version 61.0 vs 55.0)	2025-11-01 20:36:15 +01:00
Patrick de Ruiter	171d476941	Added gitea action pipeline Some checks failed SonarQube Scan / SonarQube Trigger (push) Failing after 20s Details	2025-11-01 19:47:36 +01:00
Patrick de Ruiter	dd088b4d17	Added gitea action pipeline	2025-11-01 19:45:34 +01:00

21 Commits