diff --git a/.circleci/config.yml b/.circleci/config.yml
deleted file mode 100644
index 8898788..0000000
--- a/.circleci/config.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-version: 2.1
-orbs:
- node: circleci/node@4.0.0
- terraform: circleci/terraform@2.1.0
-workflows:
- node-tests:
- jobs:
- - node/test:
- app-dir: inspector
- terraform:
- jobs:
- - terraform/validate:
- backend: false
- checkout: true
- path: terraform/
diff --git a/.github/workflows/apply.yml b/.github/workflows/apply.yml
new file mode 100644
index 0000000..aa33a79
--- /dev/null
+++ b/.github/workflows/apply.yml
@@ -0,0 +1,27 @@
+---
+name: apply
+
+on:
+ push:
+ branches:
+ - master
+
+env:
+ AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}"
+ AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
+ AWS_DEFAULT_REGION: us-east-1
+
+jobs:
+ apply:
+ name: apply
+ runs-on: ubuntu-latest
+ steps:
+ - name: checkout
+ uses: actions/checkout@v2
+
+ - name: terraform apply
+ uses: dflook/terraform-apply@v1
+ with:
+ path: terraform
+ env:
+ GITHUB_TOKEN: "${{ secrets.GH_SECRET_TOKEN }}"
\ No newline at end of file
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 0000000..c19538b
--- /dev/null
+++ b/.github/workflows/main.yml
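Review bot: The workflow-level `env:` in apply.yml puts the static `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` pair into the environment of every step, including the third-party `actions/checkout@v2` action that does not need them; plan.yml has the same layout. Move those three variables under the `terraform apply` step's `env:` next to `GITHUB_TOKEN` so only the step that runs Terraform sees them, and consider replacing the long-lived keys with a short-lived role assumed through `aws-actions/configure-aws-credentials` and OIDC if the account permits it. Every `uses:` here (and in main.yml and plan.yml) is pinned to a mutable tag; pinning to a full commit SHA with the tag in a trailing comment keeps a moved tag from changing what runs with deploy credentials. None of the three workflows declares `permissions:`, so the default `GITHUB_TOKEN` keeps the repository's default scope even though this step authenticates with the separate `GH_SECRET_TOKEN` PAT; a top-level `permissions:` with `contents: read` would bound it. The file also lacks a trailing newline.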
@@ -0,0 +1,50 @@
+# This is a basic workflow to help you get started with Actions
+
+name: CI
+
+# Controls when the action will run. Triggers the workflow on every commit.
+on:
+ push:
+
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+ # This workflow contains a single job called "build"
+ build:
+ # The type of runner that the job will run on
+ runs-on: ubuntu-latest
+
+ # Steps represent a sequence of tasks that will be executed as part of the job
+ steps:
+ # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+ - uses: actions/checkout@v2
+
+ # Validate terraform (with the side-effect of installing the right
+ # version of terraform based on required_version constraints)
+ - name: validate
+ uses: dflook/terraform-validate@v1
+ with:
+ path: terraform
+
+ # Check terraform files are formatted correctly (terraform fmt -check)
+ - name: fmt
+ uses: dflook/terraform-fmt-check@v1
+ with:
+ path: terraform
+
+ # Runs terraform lint
+ - name: lint
+ uses: actionshub/terraform-lint@main
+
+ # Runs tfsec
+ - name: security scan
+ uses: triat/terraform-security-scan@v2.2.3
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ # Runs Checkov
+ - name: Run Checkov action
+ id: checkov
+ uses: bridgecrewio/checkov-action@master
+ with:
+ directory: terraform/
diff --git a/.github/workflows/plan.yml b/.github/workflows/plan.yml
new file mode 100644
index 0000000..51e04ea
--- /dev/null
+++ b/.github/workflows/plan.yml
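Review bot: `uses: actionshub/terraform-lint@main` and `uses: bridgecrewio/checkov-action@master` resolve to whatever is on those branches at run time, so any push to either upstream repository runs unreviewed code in this job with the checkout and the `GITHUB_TOKEN` passed to the `security scan` step available to it. Pin both to a full commit SHA and record the version in a trailing comment, e.g. `uses: bridgecrewio/checkov-action@<commit-sha>  # <release tag>`; the `@v2.2.3` tag on `triat/terraform-security-scan` is only marginally better since tags can be moved. Since every step here is a read-only check, a top-level `permissions:` with `contents: read` would limit what that token can do if one of the scanners is compromised. Minor style points: `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` is unquoted while the other two workflows quote the same expression, and the template scaffolding comments ("basic workflow to help you get started") add nothing once the real steps are in place.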
@@ -0,0 +1,29 @@
+---
+name: plan
+
+on:
+ pull_request:
+ branches: [master]
+
+env:
+ AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}"
+ AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
+ AWS_DEFAULT_REGION: us-east-1
+
+
+jobs:
+ plan:
+ name: plan
+ runs-on: ubuntu-latest
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ steps:
+ - name: checkout
+ uses: actions/checkout@v2
+
+ - name: terraform plan
+ uses: dflook/terraform-plan@v1
+ with:
+ path: terraform
+ env:
+ GITHUB_TOKEN: "${{ secrets.GH_SECRET_TOKEN }}"
\ No newline at end of file
diff --git a/terraform/README.md b/terraform/README.md
index 06f7261..1e43c04 100644
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -23,9 +23,10 @@ To `plan`/`apply` changes: Note that using a profile other than `Default` will mean you need to set the environment variable `AWS_PROFILE=profile_name` to the profile containing your tts-prod AWS credentials
-1. [Install Terraform.](https://learn.hashicorp.com/tutorials/terraform/install-cli)
-1. [Create a GitHub personal access token.](https://github.com/settings/tokens)
-1. In this directory:
+2. For CI/CD we setup a IAM profile and user with only those permissions to access from the created s3 bucket and dyanamodb table. See https://www.terraform.io/docs/language/settings/backends/s3.html#s3-bucket-permissions for the IAM JSON policy example.
+3. [Install Terraform.](https://learn.hashicorp.com/tutorials/terraform/install-cli)
+4. [Create a GitHub personal access token.](https://github.com/settings/tokens)
+5. In this directory: 1. Create [a `terraform.tfvars` file](https://www.terraform.io/docs/configuration/variables.html#variable-definitions-tfvars-files) with the token
@@ -33,7 +34,7 @@ To `plan`/`apply` changes: github_token = "…" ```
- 1. Ensure Terraform runs successfuly
+ 2. Ensure Terraform runs successfuly ```sh terraform init
diff --git a/terraform/main.tf b/terraform/main.tf
index bce4775..97c4bad 100644
--- a/terraform/main.tf
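Review bot: The job-level `env:` entry `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` is shadowed by the step-level `GITHUB_TOKEN: "${{ secrets.GH_SECRET_TOKEN }}"` on the `terraform plan` step, and the only other step, `actions/checkout`, takes its token as an input rather than from the environment, so the workflow token is never actually used; either delete the job-level entry or, if the intent was for the plan action to post its PR comment with the workflow token while the GitHub provider uses the PAT, note that both cannot be named `GITHUB_TOKEN` at the same time and a comment should record which token serves which purpose. It is also worth a comment above `on:` that this plan runs with real AWS credentials against the Terraform in the pull request; GitHub withholds `secrets` from fork pull requests, so this is bounded to branches pushed by collaborators, but readers should not have to infer that. Style: `branches: [master]` is flow style while apply.yml writes the same list in block style, the double blank line before `jobs:` can go, and the file lacks a trailing newline.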
+++ b/terraform/main.tf
@@ -14,7 +14,6 @@ terraform { } provider "github" {
- token = var.github_token owner = "18f" }
diff --git a/terraform/outputs.tf b/terraform/outputs.tf
index e34bb29..3b29fdb 100644
--- a/terraform/outputs.tf
+++ b/terraform/outputs.tf
@@ -1,4 +1,4 @@ output "active_repos" { description = "Used by rename_label.py"
- value = [for repo, config in local.active_repos : repo]
+ value = [for repo, config in local.active_repos : repo] }
diff --git a/terraform/repo/vars.tf b/terraform/repo/vars.tf
index eda4c40..3fe0a50 100644
--- a/terraform/repo/vars.tf
+++ b/terraform/repo/vars.tf
@@ -28,7 +28,7 @@ locals { # initiatives "i: custom software" = {
- color = local.label_colors.initiatives
+ color = local.label_colors.initiatives # GH Label description is limited to 100 characters description = "Relating to systems built in TTS and their need for tools, guidance, security authorization, etc." }
diff --git a/terraform/variables.tf b/terraform/variables.tf
deleted file mode 100644
index 14b115d..0000000
--- a/terraform/variables.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-variable "github_token" {
-
-}
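Review bot: Dropping `token = var.github_token` leaves the `provider "github"` block with no visible credential source; the GitHub provider reads `GITHUB_TOKEN` from the environment when `token` is unset, which is what the new workflows rely on, but nothing in main.tf says so. Add a comment inside the block, e.g. `# Authenticates with the GITHUB_TOKEN environment variable (set by the GitHub Actions workflows, or exported locally).` The README hunk in this same commit still tells a local operator to put `github_token = "…"` in `terraform.tfvars`, while `variables.tf` declaring that variable is deleted below, so following those steps now yields an undeclared-variable warning and an unauthenticated provider; that README step should instead say to export `GITHUB_TOKEN`. The `terraform {` block named in the hunk header starts outside the hunk.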