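---
# Code quality / security gate for the Terraform code in this repository,
# followed by plan (every run) and apply (pushes to master only).
#
# Job chain (each job `needs` the previous one, so a failing scan blocks the
# plan/apply stages): tflint -> tfsec -> checkov -> sonarqube -> terraform-init
# (init + plan + upload) -> terraform-apply (master pushes only).
name: Code Quality & Security Scan

# Least privilege for the automatic GITHUB_TOKEN: no job here writes back to the
# repository, posts checks or publishes packages; every job only needs to read
# the checked-out source. Jobs that later need more should request it per job.
permissions:
  contents: read

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - master
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  tflint:
    name: TFLint
    runs-on: ubuntu-latest
    steps:
      - name: Checking out
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup TFLint
        # NOTE(review): `latest` is unpinned, so the linter version (and hence
        # the rule set) can change between runs without a commit.
        uses: terraform-linters/setup-tflint@v4
        with:
          tflint_version: latest
      - name: Initialize TFLint
        run: tflint --init
      - name: Run TFLint
        run: tflint --format compact

  tfsec:
    name: Tfsec Security Scan
    runs-on: ubuntu-latest
    needs: tflint
    steps:
      - name: Checking out
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Run Tfsec
        uses: aquasecurity/tfsec-action@v1.0.3
        with:
          format: default
          # Findings fail the job; the plan/apply jobs depend on this one.
          soft_fail: false

  checkov:
    name: Checkov Security Scan
    runs-on: ubuntu-latest
    needs: tfsec
    steps:
      - name: Checking out
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Run Checkov
        uses: bridgecrewio/checkov-action@v12
        with:
          directory: .
          framework: terraform
          output_format: cli
          # Findings fail the job; the plan/apply jobs depend on this one.
          soft_fail: false

  sonarqube:
    name: SonarQube Trigger
    runs-on: ubuntu-latest
    needs: checkov
    steps:
      - name: Checking out
        uses: actions/checkout@v4
        with:
          # Disabling shallow clone is recommended for improving relevancy of reporting
          fetch-depth: 0
      - name: SonarQube Scan
        uses: sonarsource/sonarqube-scan-action@v6
        env:
          SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST }}
          SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}

  # Init + plan + plan upload. Despite the job id, this job produces the plan
  # that terraform-apply later consumes; the id is kept because the apply job's
  # `needs` references it.
  #
  # NOTE(review): this job has no `if`, so it also runs for pull_request events.
  # `terraform plan` evaluates provider and data-source code from the PR branch
  # with the backend and Vault credentials below. GitHub withholds secrets from
  # fork PRs, but same-repo PR branches do get them — confirm that is intended.
  terraform-init:
    name: Terraform Init
    runs-on: ubuntu-latest
    needs: sonarqube
    steps:
      - name: Checking out
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup Terraform
        # NOTE(review): `latest` is unpinned; plan and apply run in separate
        # jobs, so a release between them could make the saved plan unreadable.
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: latest
      - name: Install AWS CLI
        # Same installer step as in terraform-apply; kept as a separate step so
        # the upload step below only does the upload.
        # NOTE(review): the installer is fetched over HTTPS but its integrity is
        # not verified against a published checksum or signature.
        run: |
          curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
          unzip -q awscliv2.zip
          sudo ./aws/install
      - name: Terraform Init
        env:
          # MinIO is addressed through the S3 backend; the skip_* flags disable
          # the AWS-specific validations that do not apply to MinIO.
          AWS_ACCESS_KEY_ID: ${{ secrets.MINIO_ACCESS_KEY }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.MINIO_SECRET_KEY }}
          TF_BACKEND_ENDPOINT: ${{ secrets.MINIO_ENDPOINT }}
          TF_BACKEND_BUCKET: ${{ secrets.MINIO_BUCKET }}
          TF_BACKEND_KEY: ${{ secrets.MINIO_STATE_KEY }}
          TF_BACKEND_REGION: "main"
          TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }}
          TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }}
          VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
        run: |
          terraform init \
            -backend-config="endpoints={s3=\"${TF_BACKEND_ENDPOINT}\"}" \
            -backend-config="bucket=${TF_BACKEND_BUCKET}" \
            -backend-config="key=${TF_BACKEND_KEY}" \
            -backend-config="region=${TF_BACKEND_REGION}" \
            -backend-config="skip_credentials_validation=true" \
            -backend-config="skip_metadata_api_check=true" \
            -backend-config="skip_requesting_account_id=true" \
            -backend-config="skip_region_validation=true" \
            -backend-config="use_path_style=true"
      - name: Terraform Plan
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.MINIO_ACCESS_KEY }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.MINIO_SECRET_KEY }}
          TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }}
          TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }}
          TF_VAR_datacenter: ${{ secrets.VSPHERE_DATACENTER }}
          TF_VAR_cluster_name: ${{ secrets.VSPHERE_CLUSTER }}
          TF_VAR_environment: ${{ secrets.ENVIRONMENT }}
          VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
        run: |
          terraform plan -out=tfplan
          terraform show -no-color tfplan > tfplan.txt
      - name: Upload Terraform Plan to MinIO
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.MINIO_ACCESS_KEY }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.MINIO_SECRET_KEY }}
          MINIO_ENDPOINT: ${{ secrets.MINIO_ENDPOINT }}
          MINIO_BUCKET: ${{ secrets.MINIO_BUCKET }}
          # Expression context goes through env rather than being interpolated
          # into the script (GitHub's recommended pattern for `run:` steps).
          # run_number is shared by all jobs of a run, which is how
          # terraform-apply finds this plan again.
          PLAN_PATH: terraform-plans/${{ github.repository }}/${{ github.run_number }}
        run: |
          aws s3 cp tfplan "s3://${MINIO_BUCKET}/${PLAN_PATH}/tfplan" \
            --endpoint-url="${MINIO_ENDPOINT}"
          aws s3 cp tfplan.txt "s3://${MINIO_BUCKET}/${PLAN_PATH}/tfplan.txt" \
            --endpoint-url="${MINIO_ENDPOINT}"
          echo "Plan uploaded to: s3://${MINIO_BUCKET}/${PLAN_PATH}/"

  terraform-apply:
    name: Terraform Apply
    runs-on: ubuntu-latest
    needs: terraform-init
    # Only direct pushes to master reach apply; PR runs stop after the plan.
    if: github.ref == 'refs/heads/master' && github.event_name == 'push'
    # The `production` environment carries any reviewer / branch protection
    # rules configured for it in the repository settings.
    environment:
      name: production
    # Serialise applies: the S3 backend config above sets up no state locking,
    # so two pushes to master must not apply at the same time. Queue instead of
    # cancelling so an in-flight apply is never interrupted.
    concurrency:
      group: terraform-apply-production
      cancel-in-progress: false
    steps:
      - name: Checking out
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: latest
      - name: Install AWS CLI
        # NOTE(review): the installer is fetched over HTTPS but its integrity is
        # not verified against a published checksum or signature.
        run: |
          curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
          unzip -q awscliv2.zip
          sudo ./aws/install
      - name: Terraform Init
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.MINIO_ACCESS_KEY }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.MINIO_SECRET_KEY }}
          TF_BACKEND_ENDPOINT: ${{ secrets.MINIO_ENDPOINT }}
          TF_BACKEND_BUCKET: ${{ secrets.MINIO_BUCKET }}
          TF_BACKEND_KEY: ${{ secrets.MINIO_STATE_KEY }}
          TF_BACKEND_REGION: "main"
          TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }}
          TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }}
          VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
        run: |
          terraform init \
            -backend-config="endpoints={s3=\"${TF_BACKEND_ENDPOINT}\"}" \
            -backend-config="bucket=${TF_BACKEND_BUCKET}" \
            -backend-config="key=${TF_BACKEND_KEY}" \
            -backend-config="region=${TF_BACKEND_REGION}" \
            -backend-config="skip_credentials_validation=true" \
            -backend-config="skip_metadata_api_check=true" \
            -backend-config="skip_requesting_account_id=true" \
            -backend-config="skip_region_validation=true" \
            -backend-config="use_path_style=true"
      - name: Download Terraform Plan from MinIO
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.MINIO_ACCESS_KEY }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.MINIO_SECRET_KEY }}
          MINIO_ENDPOINT: ${{ secrets.MINIO_ENDPOINT }}
          MINIO_BUCKET: ${{ secrets.MINIO_BUCKET }}
          # Must match the path written by terraform-init in the same run.
          PLAN_PATH: terraform-plans/${{ github.repository }}/${{ github.run_number }}
        # NOTE(review): the plan file is trusted as it comes back from the
        # bucket; nothing here checks it is the same object that was uploaded.
        # Anyone with write access to the bucket can therefore change what gets
        # applied with -auto-approve below.
        run: |
          aws s3 cp "s3://${MINIO_BUCKET}/${PLAN_PATH}/tfplan" tfplan \
            --endpoint-url="${MINIO_ENDPOINT}"
          echo "Plan downloaded from: s3://${MINIO_BUCKET}/${PLAN_PATH}/tfplan"
      - name: Terraform Apply
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.MINIO_ACCESS_KEY }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.MINIO_SECRET_KEY }}
          TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }}
          TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }}
          TF_VAR_datacenter: ${{ secrets.VSPHERE_DATACENTER }}
          TF_VAR_cluster_name: ${{ secrets.VSPHERE_CLUSTER }}
          TF_VAR_environment: ${{ secrets.ENVIRONMENT }}
          VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
        # Applying a saved plan: Terraform applies exactly the recorded changes
        # and rejects the plan if the state moved on since it was produced.
        run: terraform apply -auto-approve tfplan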