Skip to content

added CW logging

added CW logging #2

Workflow file for this run

---
name: Terraform
on:
pull_request:
permissions:
contents: write
pull-requests: write
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
jobs:
fmt-lint-validate:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Terraform
uses: hashicorp/setup-terraform@v2
- name: Setup Terraform Linters
uses: terraform-linters/setup-tflint@v4
with:
github_token: ${{ env.GITHUB_TOKEN }}
- name: Terraform Format
id: fmt
run: terraform fmt -check -recursive
- name: Terraform Init
id: init
run: terraform init
- name: Terraform Validate
id: validate
run: terraform validate -no-color
- name: Terraform Lint
id: lint
run: tflint --no-color --recursive --format compact
- uses: actions/github-script@v6
if: github.event_name == 'pull_request' || always()
with:
github-token: ${{ env.GITHUB_TOKEN }}
script: |
// 1. Retrieve existing bot comments for the PR
const { data: comments } = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
})
const botComment = comments.find(comment => {
return comment.user.type === 'Bot' && comment.body.includes('Terraform Format and Style')
})
// 2. Prepare format of the comment
const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
#### Terraform Lint 📖\`${{ steps.lint.outcome }}\`
#### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
<details><summary>Validation Output</summary>
\`\`\`\n
${{ steps.validate.outputs.stdout }}
\`\`\`
</details>`;
// 3. If we have a comment, update it, otherwise create a new one
if (botComment) {
github.rest.issues.updateComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: botComment.id,
body: output
})
} else {
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})
}
tfsec:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Terraform security scan
uses: aquasecurity/tfsec-action@v1.0.3
with:
github_token: ${{ env.GITHUB_TOKEN }}
soft_fail: false
- name: Terraform pr commenter
uses: aquasecurity/tfsec-pr-commenter-action@v1.3.1
with:
github_token: ${{ env.GITHUB_TOKEN }}
tfsec_args: --concise-output --force-all-dirs
checkov:
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v4
- name: Run Checkov
uses: bridgecrewio/checkov-action@v12.2577.0
with:
container_user: 1000
directory: "/"
download_external_modules: false
framework: terraform
output_format: sarif
quiet: true
skip_check: "CKV_TF_1,CKV_AWS_108,CKV_AWS_109,CKV_AWS_111,CKV_AWS_356"
soft_fail: false
docs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.ref }}
- name: Render terraform docs inside the README.md and push changes back to PR branch
uses: terraform-docs/gh-actions@v1.0.0
with:
args: --sort-by required
git-commit-message: "docs(readme): update module usage"
git-push: true
output-file: README.md
output-method: inject
working-dir: .
continue-on-error: true # added this to prevent a PR from a remote fork failing the workflow