terraform-vsphere-resourcegroups/.gitea/workflows/sonarqube.yaml

on:
  push:
    branches:
      - master
  pull_request:
      types: [opened, synchronize, reopened]

name: Code Quality & Security Scan
jobs:
  tflint:
    name: TFLint
    runs-on: ubuntu-latest
    steps:
    - name: Checking out
      uses: actions/checkout@v4
      with:
        fetch-depth: 0

    - name: Setup TFLint
      uses: terraform-linters/setup-tflint@v4
      with:
        tflint_version: latest

    - name: Initialize TFLint
      run: tflint --init

    - name: Run TFLint
      run: tflint --format compact

  tfsec:
    name: Tfsec Security Scan
    runs-on: ubuntu-latest
    needs: tflint
    steps:
    - name: Checking out
      uses: actions/checkout@v4
      with:
        fetch-depth: 0

    - name: Run Tfsec
      uses: aquasecurity/tfsec-action@v1.0.3
      with:
        format: default
        soft_fail: false

  checkov:
    name: Checkov Security Scan
    runs-on: ubuntu-latest
    needs: tfsec
    steps:
    - name: Checking out
      uses: actions/checkout@v4
      with:
        fetch-depth: 0

    - name: Run Checkov
      uses: bridgecrewio/checkov-action@v12
      with:
        directory: .
        framework: terraform
        output_format: cli
        soft_fail: false

  sonarqube:
    name: SonarQube Trigger
    runs-on: ubuntu-latest
    needs: checkov
    steps:
    - name: Checking out
      uses: actions/checkout@v4
      with:
        # Disabling shallow clone is recommended for improving relevancy of reporting
        fetch-depth: 0
    - name: SonarQube Scan
      uses: sonarsource/sonarqube-scan-action@v6
      env:
        SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST }}
        SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}

  terraform-init:
    name: Terraform Init
    runs-on: ubuntu-latest
    needs: sonarqube
    steps:
    - name: Checking out
      uses: actions/checkout@v4
      with:
        fetch-depth: 0

    - name: Setup Terraform
      uses: hashicorp/setup-terraform@v3
      with:
        terraform_version: latest

    - name: Terraform Init
      env:
        AWS_ACCESS_KEY_ID: ${{ secrets.MINIO_ACCESS_KEY }}
        AWS_SECRET_ACCESS_KEY: ${{ secrets.MINIO_SECRET_KEY }}
        TF_BACKEND_ENDPOINT: ${{ secrets.MINIO_ENDPOINT }}
        TF_BACKEND_BUCKET: ${{ secrets.MINIO_BUCKET }}
        TF_BACKEND_KEY: ${{ secrets.MINIO_STATE_KEY }}
        TF_BACKEND_REGION: "main"
        TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }}
        TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }}
        VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
      run: |
        terraform init \
          -backend-config="endpoints={s3=\"${TF_BACKEND_ENDPOINT}\"}" \
          -backend-config="bucket=${TF_BACKEND_BUCKET}" \
          -backend-config="key=${TF_BACKEND_KEY}" \
          -backend-config="region=${TF_BACKEND_REGION}" \
          -backend-config="skip_credentials_validation=true" \
          -backend-config="skip_metadata_api_check=true" \
          -backend-config="skip_requesting_account_id=true" \
          -backend-config="skip_region_validation=true" \
          -backend-config="use_path_style=true"

    - name: Terraform Plan
      env:
        AWS_ACCESS_KEY_ID: ${{ secrets.MINIO_ACCESS_KEY }}
        AWS_SECRET_ACCESS_KEY: ${{ secrets.MINIO_SECRET_KEY }}
        TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }}
        TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }}
        TF_VAR_datacenter: ${{ secrets.VSPHERE_DATACENTER }}
        TF_VAR_cluster_name: ${{ secrets.VSPHERE_CLUSTER }}
        TF_VAR_environment: ${{ secrets.ENVIRONMENT }}
        VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
      run: |
        terraform plan -out=tfplan
        terraform show -no-color tfplan > tfplan.txt

    - name: Upload Terraform Plan to MinIO
      env:
        AWS_ACCESS_KEY_ID: ${{ secrets.MINIO_ACCESS_KEY }}
        AWS_SECRET_ACCESS_KEY: ${{ secrets.MINIO_SECRET_KEY }}
        MINIO_ENDPOINT: ${{ secrets.MINIO_ENDPOINT }}
        MINIO_BUCKET: ${{ secrets.MINIO_BUCKET }}
      run: |
        # Install AWS CLI for S3-compatible operations
        curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
        unzip -q awscliv2.zip
        sudo ./aws/install

        # Upload plan files to MinIO
        PLAN_PATH="terraform-plans/${{ github.repository }}/${{ github.run_number }}"
        aws s3 cp tfplan "s3://${MINIO_BUCKET}/${PLAN_PATH}/tfplan" \
          --endpoint-url="${MINIO_ENDPOINT}"
        aws s3 cp tfplan.txt "s3://${MINIO_BUCKET}/${PLAN_PATH}/tfplan.txt" \
          --endpoint-url="${MINIO_ENDPOINT}"

        echo "Plan uploaded to: s3://${MINIO_BUCKET}/${PLAN_PATH}/"

  terraform-apply:
    name: Terraform Apply
    runs-on: ubuntu-latest
    needs: terraform-init
    if: github.ref == 'refs/heads/master' && github.event_name == 'push'
    environment:
      name: production
    steps:
    - name: Checking out
      uses: actions/checkout@v4
      with:
        fetch-depth: 0

    - name: Setup Terraform
      uses: hashicorp/setup-terraform@v3
      with:
        terraform_version: latest

    - name: Install AWS CLI
      run: |
        curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
        unzip -q awscliv2.zip
        sudo ./aws/install

    - name: Terraform Init
      env:
        AWS_ACCESS_KEY_ID: ${{ secrets.MINIO_ACCESS_KEY }}
        AWS_SECRET_ACCESS_KEY: ${{ secrets.MINIO_SECRET_KEY }}
        TF_BACKEND_ENDPOINT: ${{ secrets.MINIO_ENDPOINT }}
        TF_BACKEND_BUCKET: ${{ secrets.MINIO_BUCKET }}
        TF_BACKEND_KEY: ${{ secrets.MINIO_STATE_KEY }}
        TF_BACKEND_REGION: "main"
        TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }}
        TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }}
        VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
      run: |
        terraform init \
          -backend-config="endpoints={s3=\"${TF_BACKEND_ENDPOINT}\"}" \
          -backend-config="bucket=${TF_BACKEND_BUCKET}" \
          -backend-config="key=${TF_BACKEND_KEY}" \
          -backend-config="region=${TF_BACKEND_REGION}" \
          -backend-config="skip_credentials_validation=true" \
          -backend-config="skip_metadata_api_check=true" \
          -backend-config="skip_requesting_account_id=true" \
          -backend-config="skip_region_validation=true" \
          -backend-config="use_path_style=true"

    - name: Download Terraform Plan from MinIO
      env:
        AWS_ACCESS_KEY_ID: ${{ secrets.MINIO_ACCESS_KEY }}
        AWS_SECRET_ACCESS_KEY: ${{ secrets.MINIO_SECRET_KEY }}
        MINIO_ENDPOINT: ${{ secrets.MINIO_ENDPOINT }}
        MINIO_BUCKET: ${{ secrets.MINIO_BUCKET }}
      run: |
        PLAN_PATH="terraform-plans/${{ github.repository }}/${{ github.run_number }}"
        aws s3 cp "s3://${MINIO_BUCKET}/${PLAN_PATH}/tfplan" tfplan \
          --endpoint-url="${MINIO_ENDPOINT}"
        echo "Plan downloaded from: s3://${MINIO_BUCKET}/${PLAN_PATH}/tfplan"

    - name: Terraform Apply
      env:
        AWS_ACCESS_KEY_ID: ${{ secrets.MINIO_ACCESS_KEY }}
        AWS_SECRET_ACCESS_KEY: ${{ secrets.MINIO_SECRET_KEY }}
        TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }}
        TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }}
        TF_VAR_datacenter: ${{ secrets.VSPHERE_DATACENTER }}
        TF_VAR_cluster_name: ${{ secrets.VSPHERE_CLUSTER }}
        TF_VAR_environment: ${{ secrets.ENVIRONMENT }}
        VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
      run: terraform apply -auto-approve tfplan