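---
# Lints and security-scans the Terraform code in this repository, then runs
# `terraform init` against the remote state backend. The jobs are chained with
# `needs`, so the first failing stage stops everything after it.
name: Code Quality & Security Scan

# yamllint disable-line rule:truthy
on:
  push:
    branches:
      - master
  pull_request:
    types: [opened, synchronize, reopened]

# Least privilege: GITHUB_TOKEN is handed to every third-party action used
# below, and none of the steps needs to write to the repository or its API.
permissions:
  contents: read

jobs:
  tflint:
    name: TFLint
    runs-on: ubuntu-latest
    steps:
      - name: Checking out
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup TFLint
        uses: terraform-linters/setup-tflint@v4
        with:
          # NOTE(review): "latest" is not reproducible; pin a release once chosen.
          tflint_version: latest
      - name: Initialize TFLint
        run: tflint --init
      - name: Run TFLint
        run: tflint --format compact

  tfsec:
    name: Tfsec Security Scan
    runs-on: ubuntu-latest
    needs: tflint
    steps:
      - name: Checking out
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Run Tfsec
        uses: aquasecurity/tfsec-action@v1.0.3
        with:
          format: default
          # Findings fail the job; keep this false so scans are enforced.
          soft_fail: false

  checkov:
    name: Checkov Security Scan
    runs-on: ubuntu-latest
    needs: tfsec
    steps:
      - name: Checking out
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Run Checkov
        uses: bridgecrewio/checkov-action@v12
        with:
          directory: .
          framework: terraform
          output_format: cli
          soft_fail: false

  sonarqube:
    name: SonarQube Trigger
    runs-on: ubuntu-latest
    needs: checkov
    steps:
      - name: Checking out
        uses: actions/checkout@v4
        with:
          # Disabling shallow clone is recommended for improving relevancy of reporting
          fetch-depth: 0
      - name: SonarQube Scan
        uses: sonarsource/sonarqube-scan-action@v6
        # NOTE(review): repository secrets are not exposed to pull_request runs
        # from forks, so this step (and terraform-init) will fail on such PRs.
        env:
          SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST }}
          SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}

  terraform-init:
    name: Terraform Init
    runs-on: ubuntu-latest
    needs: sonarqube
    steps:
      - name: Checking out
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          # NOTE(review): "latest" is not reproducible; pin a release once chosen.
          terraform_version: latest
      - name: Terraform Init
        # Backend credentials and endpoint come from secrets; the MinIO_* names
        # suggest an S3-compatible store, which is why the AWS_* variables are
        # used together with the skip_* backend settings below.
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.MINIO_ACCESS_KEY }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.MINIO_SECRET_KEY }}
          TF_BACKEND_ENDPOINT: ${{ secrets.MINIO_ENDPOINT }}
          TF_BACKEND_BUCKET: ${{ secrets.MINIO_BUCKET }}
          TF_BACKEND_KEY: ${{ secrets.MINIO_STATE_KEY }}
          TF_BACKEND_REGION: "main"
          # Passed to Terraform as input variables role_id / secret_id.
          TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }}
          TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }}
          VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
        # -input=false makes a missing backend value fail fast instead of
        # waiting on an interactive prompt that can never be answered in CI.
        run: |
          terraform init -input=false \
            -backend-config="endpoints={s3=\"${TF_BACKEND_ENDPOINT}\"}" \
            -backend-config="bucket=${TF_BACKEND_BUCKET}" \
            -backend-config="key=${TF_BACKEND_KEY}" \
            -backend-config="region=${TF_BACKEND_REGION}" \
            -backend-config="skip_credentials_validation=true" \
            -backend-config="skip_metadata_api_check=true" \
            -backend-config="skip_requesting_account_id=true" \
            -backend-config="skip_region_validation=true" \
            -backend-config="use_path_style=true"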