GSA-TTS · adborden · Jun 24, 2021 · Jun 23, 2021 · Jun 23, 2021 · Jun 23, 2021
diff --git a/.circleci/config.yml b/.circleci/config.yml
diff --git a/.github/workflows/apply.yml b/.github/workflows/apply.yml
@@ -0,0 +1,27 @@
+---
+name: apply
+
+on:
+  push:
+    branches:
+      - master
+
+env:
+  AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}"
+  AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
+  AWS_DEFAULT_REGION: us-east-1
+
+jobs:
+  apply:
+    name: apply
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout
+        uses: actions/checkout@v2
+
+      - name: terraform apply
+        uses: dflook/terraform-apply@v1
+        with:
+          path: terraform
+        env:
+          GITHUB_TOKEN: "${{ secrets.GH_SECRET_TOKEN }}"
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -0,0 +1,50 @@
+# This is a basic workflow to help you get started with Actions
+
+name: CI
+
+# Controls when the action will run. Triggers the workflow on every commit.
+on:
+  push:
+
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  build:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+    - uses: actions/checkout@v2
+
+    # Validate terraform (with the side-effect of installing the right
+    # version of terraform based on required_version constraints)
+    - name: validate
+      uses: dflook/terraform-validate@v1
+      with:
+        path: terraform
+
+    # Check terraform files are formatted correctly (terraform fmt -check)
+    - name: fmt
+      uses: dflook/terraform-fmt-check@v1
+      with:
+        path: terraform
+
+    # Runs terraform lint
+    - name: lint
+      uses: actionshub/terraform-lint@main
+
+    # Runs tfsec
+    - name: security scan
+      uses: triat/terraform-security-scan@v2.2.3
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    # Runs Checkov
+    - name: Run Checkov action
+      id: checkov
+      uses: bridgecrewio/checkov-action@master
+      with:
+        directory: terraform/
diff --git a/.github/workflows/plan.yml b/.github/workflows/plan.yml
@@ -0,0 +1,29 @@
+---
+name: plan
+
+on:
+  pull_request:
+    branches: [master]
+
+env:
+  AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}"
+  AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
+  AWS_DEFAULT_REGION: us-east-1
+
+
+jobs:
+  plan:
+    name: plan
+    runs-on: ubuntu-latest
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - name: checkout
+        uses: actions/checkout@v2
+
+      - name: terraform plan
+        uses: dflook/terraform-plan@v1
+        with:
+          path: terraform
+        env:
+          GITHUB_TOKEN: "${{ secrets.GH_SECRET_TOKEN }}"
diff --git a/terraform/README.md b/terraform/README.md
@@ -23,17 +23,18 @@ To `plan`/`apply` changes:
 
       Note that using a profile other than `Default` will mean you need to set the environment variable `AWS_PROFILE=profile_name` to the profile containing your tts-prod AWS credentials
 
-1. [Install Terraform.](https://learn.hashicorp.com/tutorials/terraform/install-cli)
-1. [Create a GitHub personal access token.](https://github.com/settings/tokens)
-1. In this directory:
+2. For CI/CD we setup a IAM profile and user with only those permissions to access from the created s3 bucket and dyanamodb table. See https://www.terraform.io/docs/language/settings/backends/s3.html#s3-bucket-permissions for the IAM JSON policy example.
+3. [Install Terraform.](https://learn.hashicorp.com/tutorials/terraform/install-cli)
+4. [Create a GitHub personal access token.](https://github.com/settings/tokens)
+5. In this directory:
 
    1. Create [a `terraform.tfvars` file](https://www.terraform.io/docs/configuration/variables.html#variable-definitions-tfvars-files) with the token
 
       ```hcl
       github_token = "…"
       ```
 
-   1. Ensure Terraform runs successfuly
+   2. Ensure Terraform runs successfuly
 
       ```sh
       terraform init

diff --git a/terraform/main.tf b/terraform/main.tf
@@ -14,7 +14,6 @@ terraform {
 }
 
 provider "github" {
-  token = var.github_token
   owner = "18f"
 }
 

diff --git a/terraform/outputs.tf b/terraform/outputs.tf
@@ -1,4 +1,4 @@
 output "active_repos" {
   description = "Used by rename_label.py"
-  value = [for repo, config in local.active_repos : repo]
+  value       = [for repo, config in local.active_repos : repo]
 }
diff --git a/terraform/repo/vars.tf b/terraform/repo/vars.tf
@@ -28,7 +28,7 @@ locals {
 
     # initiatives
     "i: custom software" = {
-      color       = local.label_colors.initiatives
+      color = local.label_colors.initiatives
       # GH Label description is limited to 100 characters
       description = "Relating to systems built in TTS and their need for tools, guidance, security authorization, etc."
     }

diff --git a/terraform/variables.tf b/terraform/variables.tf