Some checks failed: every "Code Quality & Security Scan" job for this push was cancelled:
- TFLint
- Tfsec Security Scan
- Checkov Security Scan
- SonarQube Trigger
- Terraform Init
- Terraform Apply
- Terraform Destroy
Optimizations:
- Added Terraform provider caching to terraform-init job
- Apply job now reuses cached .terraform directory
- Cache persists across workflow runs (keyed by .terraform.lock.hcl)
- Significantly faster init times on subsequent runs

New terraform-destroy job:
- Only triggered on pull requests with 'destroy' label
- Requires manual approval via 'destroy-approval' environment
- Self-contained with fresh init (no cache for safety)
- Clear warnings and authorization verification
- Three-step process: verify → plan → execute

Security features:
- Destroy only runs on labeled pull requests
- Requires environment protection approval
- Fresh terraform init without cache for verification
- Detailed logging of who/what/when/where
- Cannot be triggered on direct push to master

Usage:
1. Create pull request with proposed destroy changes
2. Add 'destroy' label to the PR
3. Approve via Gitea environment protection
4. Review destroy plan in logs
5. Approve destroy-approval environment to execute

Benefits:
- Faster apply workflow (cached providers)
- Safe destroy process with multiple safeguards
- Clear audit trail for destructive operations
- Self-contained destroy for maximum safety
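The workflow layout the commit message describes, written out as an added example. This is not the repository's own workflow file; it is a reconstruction in GitHub Actions syntax (which Gitea Actions runs) that assumes a `master` default branch, a pinned Terraform version, the `hashicorp/setup-terraform` and `actions/cache` actions, and an environment named `destroy-approval` that has required reviewers configured. The cache key, job names and the `contains(...labels.*.name, 'destroy')` label check are the assumed implementations of the bullets above.

```yaml
name: Code Quality & Security Scan

on:
  push:
    branches: [master]
  pull_request:
    types: [opened, synchronize, reopened, labeled]

permissions:
  contents: read
  pull-requests: read

env:
  TF_IN_AUTOMATION: "true"
  TF_INPUT: "0"

jobs:
  terraform-init:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: "1.9.8"   # assumed pin; use the project's own
      # Provider cache keyed on the lock file: a provider bump rewrites
      # .terraform.lock.hcl, so it also invalidates the cache entry.
      - uses: actions/cache@v4
        with:
          path: .terraform
          key: terraform-${{ runner.os }}-${{ hashFiles('**/.terraform.lock.hcl') }}
      # -lockfile=readonly makes init fail instead of silently rewriting
      # the committed lock file; the lock file stays the trust anchor.
      - run: terraform init -lockfile=readonly

  terraform-apply:
    needs: terraform-init
    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: "1.9.8"
      # Same key as the init job, so this restores the .terraform directory
      # that job populated; init below is then a quick re-validation.
      - uses: actions/cache@v4
        with:
          path: .terraform
          key: terraform-${{ runner.os }}-${{ hashFiles('**/.terraform.lock.hcl') }}
      - run: terraform init -lockfile=readonly
      - run: terraform plan -out=tfplan
      - run: terraform apply tfplan

  terraform-destroy:
    # Only a pull request carrying the 'destroy' label matches; a direct
    # push to master is a 'push' event and never reaches this job.
    if: >-
      github.event_name == 'pull_request' &&
      contains(github.event.pull_request.labels.*.name, 'destroy')
    # Required reviewers on this environment hold the job until approved.
    environment: destroy-approval
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: "1.9.8"
      # Step 1: verify and log who/what/when/where before touching state.
      - name: Verify authorization
        run: |
          echo "::warning::DESTROY requested by ${{ github.actor }} on PR #${{ github.event.pull_request.number }}"
          echo "repo=${{ github.repository }} sha=${{ github.sha }} run=${{ github.run_id }} at=$(date -u +%FT%TZ)"
      # Step 2: fresh init, deliberately without the shared cache.
      - name: Fresh init (no cache)
        run: terraform init -lockfile=readonly
      # Step 3: plan the destroy to a file, then apply exactly that plan.
      - name: Plan destroy
        run: terraform plan -destroy -out=destroy.tfplan
      - name: Execute destroy
        run: terraform apply destroy.tfplan
```

Two details worth keeping when adapting this: the destroy job re-runs `terraform init` without restoring the cache because a shared cache entry is writable by any run that computes the same key, so a destructive job should install and verify providers from scratch against the committed lock file rather than trust what an earlier run left behind; and applying a saved plan file (`-out` then `apply <file>`) guarantees that what the approver saw in the logs is exactly what gets executed, since Terraform refuses the plan if the configuration or state has drifted since it was written.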