-
Notifications
You must be signed in to change notification settings - Fork 0
72 lines (71 loc) · 2.29 KB
/
terraform-quality.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
on:
workflow_call:
inputs:
workdir:
required: false
type: string
default: .
checkov_enabled:
required: false
type: boolean
default: true
checkov_skip_path:
required: false
type: string
checkov_baseline:
required: false
type: string
name: terraform-quality
jobs:
terraform-lint:
runs-on: ubuntu-latest
defaults:
run:
working-directory: ${{ inputs.workdir }}
steps:
- name: checkout
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
- name: tfswitch
run: |
wget https://raw.githubusercontent.com/warrensbox/terraform-switcher/release/install.sh
chmod 755 install.sh
./install.sh -b ./.bin v1.1.1 # Last arg is the desired tfswitch version
rm install.sh
.bin/tfswitch -b .bin/terraform
.bin/terraform -v
- name: tf fmt
run: .bin/terraform fmt -check -recursive
- name: tf init
run: .bin/terraform init -backend=false
- name: tf validate
run: .bin/terraform validate
- name: tflint (setup)
uses: terraform-linters/setup-tflint@19a52fbac37dacb22a09518e4ef6ee234f2d4987 # v4
with:
github_token: ${{ github.token }}
- name: tflint (run)
env:
# https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
GITHUB_TOKEN: ${{ github.token }}
run: |
tflint --init
tflint
terraform-security:
runs-on: ubuntu-latest
if: inputs.checkov_enabled
defaults:
run:
working-directory: ${{ inputs.workdir }}
steps:
- name: checkout
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
- name: checkov
# lock checkov image version to v3.2.340: newer version are buggy (`TypeError: int object is not subscriptable`)
uses: bridgecrewio/checkov-action@a2b0083e03f46abd10e1c6d3e48a896dad73499e # master
with:
directory: ${{ inputs.workdir }}
framework: terraform
download_external_modules: true
quiet: true
skip_path: ${{ inputs.checkov_skip_path }}
baseline: ${{ inputs.checkov_baseline }}