Update Terraform github to v6 #155
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "[Example Workflow]" | |
on: | |
workflow_dispatch: | |
push: | |
branches: [main] | |
pull_request: | |
branches: [main] | |
permissions: | |
contents: write | |
security-events: write | |
actions: read | |
checks: read | |
deployments: none | |
issues: none | |
packages: none | |
pull-requests: read | |
repository-projects: none | |
statuses: none | |
jobs: | |
# generate a branch name | |
branch_name: | |
name: "Generate a safe branch name" | |
uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected] | |
# generate workspace name | |
workspace_name: | |
name: "Generate the workspace name" | |
uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected] | |
tf_version: | |
needs: [branch_name, workspace_name] | |
name: "Get terraform version" | |
uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected] | |
with: | |
terraform_directory: "./terraform/account/" | |
# LINTING | |
# run linting for terraform | |
tf_lint: | |
needs: [tf_version] | |
name: "Run terraform linting" | |
uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected] | |
with: | |
directory: "./terraform" | |
terraform_version: "${{ needs.tf_version.outputs.version}}" | |
terraform_wrapper: false | |
# tfsec for terraform | |
tfsec_analysis: | |
needs: [tf_lint] | |
name: "Run TFSec against the code base" | |
uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected] | |
# SAST | |
# codeql for pythong | |
codeql_analysis: | |
name: "Run CodeQL against the code base" | |
uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected] | |
with: | |
application_languages: '["python"]' | |
# generate tag | |
semver_tag: | |
needs: [branch_name, tfsec_analysis, codeql_analysis] | |
name: "Generate the semver tag value" | |
uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected] | |
with: | |
branch_name: ${{ needs.branch_name.outputs.parsed }} | |
secrets: inherit | |
# Docker build, trivy scan, ECR push as a matrix | |
# The matrix loops over each app to build in a complicated | |
# structure | |
# ADD IN ECR PUSH | |
build_scan_push: | |
name: "Docker build, trivy scan, ECR push" | |
runs-on: ubuntu-latest | |
# require all steps before this matrix to have passed | |
needs: [tf_version, branch_name, workspace_name, semver_tag] | |
strategy: | |
fail-fast: true | |
matrix: | |
# services to scan over | |
data: | |
- docker_build_directory: "./service-app" | |
image_app_name: "helloworld" | |
test_command: "ls -l" | |
# we use these a few times, so its easier to generate them once and env | |
# vars are visible in the output, so helps with debug | |
env: | |
local_docker_image: ${{ matrix.data.image_app_name }}:latest | |
sarif_file: trivy-results.sarif | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Show environment values | |
run: | | |
echo "local_docker_image: ${{ env.local_docker_image }}" | |
echo "sarif_file: ${{ env.sarif_file }}" | |
# build our sample docker image | |
- name: Docker build | |
# set the working directory to the variable | |
working-directory: ${{ matrix.data.docker_build_directory }} | |
run: | | |
docker build -t ${{ env.local_docker_image }} . | |
# to check if things worked, output docker image list | |
- name: Docker image list | |
run: | | |
docker images | |
# log in to ECR | |
- name: Configure AWS Credentials With Assumed Role to Management | |
uses: aws-actions/[email protected] | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
aws-region: eu-west-1 | |
# management account role | |
role-to-assume: arn:aws:iam::311462405659:role/gh-template-repo-ci | |
role-duration-seconds: 900 | |
role-session-name: OPGExampleWorkflowGithubAction | |
- name: ECR Login | |
id: login_ecr | |
uses: aws-actions/[email protected] | |
with: | |
registries: 311462405659 | |
- name: Trivy scan | |
uses: aquasecurity/[email protected] | |
env: | |
TRIVY_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-db:2 | |
TRIVY_JAVA_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-java-db:1 | |
with: | |
image-ref: ${{ env.local_docker_image }} | |
severity: "HIGH,CRITICAL" | |
format: 'sarif' | |
output: ${{ env.sarif_file }} | |
- name: Trivy scan upload to github | |
uses: github/codeql-action/upload-sarif@v3 | |
if: always() | |
with: | |
sarif_file: ${{ env.sarif_file }} | |
# for a lot of our services, there could be a test process here | |
- name: Run Tests | |
run: | | |
${{ matrix.data.test_command }} | |
###### | |
## Push to ECR | |
###### | |
- name: Push Container | |
env: | |
SEMVER_TAG: ${{ needs.semver_tag.outputs.tag }} | |
ECR_REGISTRY: ${{ steps.login_ecr.outputs.registry }} | |
ECR_REPOSITORY: github-template-repository/helloworld | |
run: | | |
docker tag ${{ env.local_docker_image }} $ECR_REGISTRY/$ECR_REPOSITORY:${{ env.SEMVER_TAG }} | |
docker tag ${{ env.local_docker_image }} $ECR_REGISTRY/$ECR_REPOSITORY:latest | |
docker push --all-tags $ECR_REGISTRY/$ECR_REPOSITORY | |
# example terraform build stage | |
terraform_account_build: | |
name: "Terraform Account [Apply: ${{ github.ref == 'refs/heads/main'}}]" | |
needs: [workspace_name, semver_tag, build_scan_push, tf_version] | |
uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected] | |
with: | |
terraform_version: "${{ needs.tf_version.outputs.version}}" | |
terraform_directory: "./terraform/account" | |
terraform_apply: ${{ github.ref == 'refs/heads/main' && true || false }} | |
# this would be replaced with the dynamic value from needs.workspace_name.output.name | |
# but we're just using sandbox account and single env, so use default | |
terraform_workspace: "default" | |
# normally would need some logic to decide this based on branch name etc | |
# - if its true we would then need to pass workspace_manager_aws_account_id & | |
# workspace_manager_aws_iam_role as well | |
is_ephemeral: false | |
secrets: | |
AWS_ACCESS_KEY_ID_ACTIONS: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY_ACTIONS: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
PAGERDUTY_TOKEN: "NONE" | |
GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
end: | |
name: 'End of workflow' | |
runs-on: 'ubuntu-latest' | |
needs: [branch_name, workspace_name, semver_tag, build_scan_push, terraform_account_build] | |
steps: | |
- name: "End" | |
run: | | |
echo "Done" |