feat: Add tflint, tfivy ci pipeline

actions-python · Oct 13, 2023 · 5f67ffd · 5f67ffd
1 parent 768e788
commit 5f67ffd
Show file tree

Hide file tree

Showing 14 changed files with 249 additions and 86 deletions.
diff --git a/.github/workflows/opentofu-ci.yml b/.github/workflows/opentofu-ci.yml
@@ -7,45 +7,38 @@ on:
     types: [opened, reopened, synchronize]
 
 jobs:
-  opentofu-ci:
-    name: CI
+  opentofu-tflint:
+    name: TFLint
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
     steps:
       - uses: actions/checkout@v4
+
+      - uses: actions/cache@v3
+        with:
+          path: ~/.tflint.d/plugins
+          key: ${{ runner.os }}-tflint-${{ hashFiles('.tflint.hcl') }}
+
+      - uses: terraform-linters/setup-tflint@v4
         with:
-          fetch-depth: 0
+          tflint_version: v0.48.0
+
+      - name: Init tflint
+        run: tflint --init
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+
+      - name: Run tflint
+        run: tflint --config=$PWD/.tflint.hcl --format compact --recursive
+
+  opentofu-trivy:
+    name: Trivy
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
 
-      - uses: kislerdm/setup-opentofu@main
+      - uses: aquasecurity/trivy-action@master
         with:
-          cli_config_credentials_token: ${{ secrets.APP_TERRAFORM_IO_TOKEN }}
-          tofu_version: 1.6.0-alpha1
-
-      - name: Format
-        run: tofu fmt -recursive
-
-      - name: Init and Lock
-        run: |
-          MODULES=("github")
-          for MODULE in "${MODULES[@]}"; do
-            cd "$MODULE"
-            tofu init
-            tofu providers lock \
-              -platform=linux_arm64 \
-              -platform=linux_amd64 \
-              -platform=darwin_arm64 \
-              -platform=darwin_amd64
-            cd ..
-          done
-
-      - name: Commit and Push
-        run: |
-          git config user.name "actions-python-ci[bot]"
-          git config user.email "147721807+actions-python-ci[bot]@users.noreply.github.com"
-
-          if [ -n "$(git status --porcelain)" ]; then
-            git add --all
-            git commit -m "ci(terraform): Update terraform code"
-            git push origin HEAD:${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}
-          fi
+          scan-type: "config"
+          scan-ref: "."
+          format: "table"
+          exit-code: "1"
diff --git a/.github/workflows/opentofu-format.yml b/.github/workflows/opentofu-format.yml
@@ -0,0 +1,113 @@
+name: Format
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    types: [opened, reopened, synchronize]
+
+jobs:
+  opentofu-fmt:
+    name: Format
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: kislerdm/setup-opentofu@main
+        with:
+          cli_config_credentials_token: ${{ secrets.APP_TERRAFORM_IO_TOKEN }}
+          tofu_version: 1.6.0-alpha1
+
+      - name: Format
+        run: tofu fmt -recursive
+
+      - name: Upload
+        uses: actions/upload-artifact@v3
+        with:
+          name: opentofu-fmt
+          path: |
+            ./**/*.tf
+            ./**/*.tfvars
+
+  opentofu-lock:
+    name: Lock
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        module: ["github"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: kislerdm/setup-opentofu@main
+        with:
+          cli_config_credentials_token: ${{ secrets.APP_TERRAFORM_IO_TOKEN }}
+          tofu_version: 1.6.0-alpha1
+
+      - name: Init
+        run: tofu init -backend=false
+        working-directory: ${{ matrix.module }}
+
+      - name: Lock
+        run: tofu providers lock -platform=linux_arm64 -platform=linux_amd64 -platform=darwin_arm64 -platform=darwin_amd64
+        working-directory: ${{ matrix.module }}
+
+      - name: Upload
+        uses: actions/upload-artifact@v3
+        with:
+          name: opentofu-lock-${{ matrix.module }}
+          path: ${{ matrix.module }}/.terraform.lock.hcl
+
+  opentofu-result:
+    name: Result
+    runs-on: ubuntu-latest
+    needs: [opentofu-fmt, opentofu-lock]
+    permissions:
+      contents: write
+
+    steps:
+      - uses: actions/create-github-app-token@v1
+        id: create-github-app-token
+        with:
+          app-id: ${{ secrets.ACTIONS_PYTHON_CI_APP_ID }}
+          private-key: ${{ secrets.ACTIONS_PYTHON_CI_PRIVATE_KEY }}
+
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ steps.create-github-app-token.outputs.token }}
+          fetch-depth: 0
+          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.ref || '' }}
+
+      - uses: kislerdm/setup-opentofu@main
+        with:
+          cli_config_credentials_token: ${{ secrets.APP_TERRAFORM_IO_TOKEN }}
+          tofu_version: 1.6.0-alpha1
+
+      - uses: actions/download-artifact@v3
+        with:
+          path: artifacts
+
+      - name: Gather Artifacts
+        id: gather-artifacts
+        run: |
+          find "artifacts/opentofu-fmt" -type f \
+            | sed "s|artifacts/opentofu-fmt/||g" \
+            | xargs -I{} mv artifacts/opentofu-fmt/{} {}
+
+          find "artifacts" -maxdepth 1 -type d \
+            | grep "opentofu-lock-" \
+            | sed -e "s|.*/opentofu-lock-||g" \
+            | xargs -I{} mv artifacts/opentofu-lock-{}/.terraform.lock.hcl {}/.terraform.lock.hcl
+
+          if [ -n "$(git status --porcelain)" ]; then
+            git status --porcelain
+            git add --all
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - uses: tyriis/[email protected]
+        if: ${{ steps.gather-artifacts.outputs.changed == 'true' }}
+        with:
+          message: "ci(terraform): Update terraform code"
+          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.ref || '' }}
+          token: ${{ steps.create-github-app-token.outputs.token }}
diff --git a/.tflint.hcl b/.tflint.hcl
@@ -0,0 +1,9 @@
+config {
+  module = true
+}
+
+plugin "terraform" {
+  enabled = true
+  version = "0.5.0"
+  source  = "github.com/terraform-linters/tflint-ruleset-terraform"
+}
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,2 @@
+AVD-GIT-0001  # Repository is public
+AVD-GIT-0004  # Branch protection does not require signed commits
diff --git a/github/.terraform.lock.hcl b/github/.terraform.lock.hcl
diff --git a/github/modules/github-member/main.tf b/github/modules/github-member/main.tf
@@ -1,7 +1,10 @@
 terraform {
+  required_version = "~> 1.1"
+
   required_providers {
     github = {
-      source = "integrations/github"
+      source  = "registry.terraform.io/integrations/github"
+      version = "~> 5.0"
     }
   }
 }

diff --git a/github/modules/github-member/variables.tf b/github/modules/github-member/variables.tf
@@ -1,16 +1,19 @@
 variable "username" {
-  type = string
+  type        = string
+  description = "GitHub username"
 }
 
 variable "organization_role" {
-  type    = string
-  default = "member"
+  type        = string
+  default     = "member"
+  description = "GitHub role in organization"
 }
 
 variable "teams" {
   type = list(object({
     slug = string
     role = string
   }))
-  default = []
+  default     = []
+  description = "GitHub team configurations"
 }
diff --git a/github/modules/github-repository/main.tf b/github/modules/github-repository/main.tf
@@ -1,7 +1,10 @@
 terraform {
+  required_version = "~> 1.1"
+
   required_providers {
     github = {
-      source = "integrations/github"
+      source  = "registry.terraform.io/integrations/github"
+      version = "~> 5.0"
     }
   }
 }
diff --git a/github/modules/github-repository/nested_branches.tf b/github/modules/github-repository/nested_branches.tf
@@ -5,7 +5,7 @@ resource "github_branch" "default" {
 }
 
 resource "github_branch_default" "default" {
-  for_each   = { for branch in var.branches : branch.name => branch if lookup(branch, "default") }
+  for_each   = { for branch in var.branches : branch.name => branch if branch["default"] }
   repository = github_repository.default.name
   branch     = each.value.name
 
@@ -15,7 +15,7 @@ resource "github_branch_default" "default" {
 }
 
 resource "github_branch_protection" "default" {
-  for_each                        = { for branch in var.branches : branch.name => branch if lookup(branch, "protection") != null }
+  for_each                        = { for branch in var.branches : branch.name => branch if branch["protection"] != null }
   repository_id                   = github_repository.default.node_id
   pattern                         = each.value.name
   require_signed_commits          = each.value.protection.require_signed_commits

diff --git a/github/modules/github-repository/nested_repository.tf b/github/modules/github-repository/nested_repository.tf
@@ -37,3 +37,10 @@ resource "github_repository_dependabot_security_updates" "default" {
   repository = github_repository.default.id
   enabled    = true
 }
+
+resource "github_actions_secret" "default" {
+  for_each        = { for secret in var.secrets : secret.name => secret }
+  repository      = github_repository.default.name
+  secret_name     = each.key
+  plaintext_value = each.value.value
+}
diff --git a/github/modules/github-repository/outputs.tf b/github/modules/github-repository/outputs.tf
@@ -1,3 +1,4 @@
 output "github_repository" {
-  value = github_repository.default
+  value       = github_repository.default
+  description = "Managed GitHub repository data"
 }