feat: create KMS key for Cloudwatch #37
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI/CD Pipeline | |
| on: | |
| push: | |
| branches: [ main, develop ] | |
| pull_request: | |
| branches: [ main, develop ] | |
| workflow_dispatch: | |
| env: | |
| TF_VERSION: "1.5.0" | |
| TERRAGRUNT_VERSION: "0.50.0" | |
| jobs: | |
| validate: | |
| name: Validate Terraform Code | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup Terraform | |
| uses: hashicorp/setup-terraform@v3 | |
| with: | |
| terraform_version: ${{ env.TF_VERSION }} | |
| - name: Setup Terragrunt | |
| run: | | |
| curl -L https://github.com/gruntwork-io/terragrunt/releases/download/v${{ env.TERRAGRUNT_VERSION }}/terragrunt_linux_amd64 -o terragrunt | |
| chmod +x terragrunt | |
| sudo mv terragrunt /usr/local/bin/ | |
| - name: Terraform Format Check | |
| run: terraform fmt -check -recursive | |
| - name: Terraform Init | |
| run: terraform init -backend=false | |
| - name: Terraform Validate | |
| run: terraform validate | |
| - name: Validate HCL Syntax | |
| run: | | |
| # Basic validation that HCL files are valid syntax | |
| echo "Validating HCL file syntax..." | |
| for file in $(find . -name "*.hcl"); do | |
| echo "Checking syntax: $file" | |
| # Use a simple check to ensure the file contains valid HCL structure | |
| if ! grep -q "^[[:space:]]*[a-zA-Z_]" "$file"; then | |
| echo "Warning: $file may have syntax issues" | |
| else | |
| echo "$file appears to have valid HCL syntax" | |
| fi | |
| done | |
| echo "HCL syntax validation completed" | |
| security-scan: | |
| name: Security Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Run Checkov | |
| uses: bridgecrewio/checkov-action@master | |
| with: | |
| directory: . | |
| framework: terraform | |
| output_format: sarif | |
| output_file_path: checkov-results.sarif | |
| config_file: .checkov.yml | |
| - name: Upload Checkov results to GitHub Advanced Security | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: checkov-results.sarif | |
| test: | |
| name: Test Configuration Examples | |
| runs-on: ubuntu-latest | |
| needs: [validate, security-scan] | |
| strategy: | |
| matrix: | |
| config: | |
| - "terragrunt.hcl" | |
| - "examples/windows-instance.hcl" | |
| - "examples/secure-web-server.hcl" | |
| - "examples/private-instance.hcl" | |
| - "examples/production-secure.hcl" | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup Terraform | |
| uses: hashicorp/setup-terraform@v3 | |
| with: | |
| terraform_version: ${{ env.TF_VERSION }} | |
| - name: Setup Terragrunt | |
| run: | | |
| curl -L https://github.com/gruntwork-io/terragrunt/releases/download/v${{ env.TERRAGRUNT_VERSION }}/terragrunt_linux_amd64 -o terragrunt | |
| chmod +x terragrunt | |
| sudo mv terragrunt /usr/local/bin/ | |
| - name: Validate configuration file exists | |
| run: | | |
| if [ -f "${{ matrix.config }}" ]; then | |
| echo "Configuration file ${{ matrix.config }} exists" | |
| # Basic check that file is not empty and has some HCL structure | |
| if [ -s "${{ matrix.config }}" ]; then | |
| echo "File ${{ matrix.config }} has content" | |
| # Check for common HCL patterns | |
| if grep -q -E "^[[:space:]]*(terraform|include|inputs)" "${{ matrix.config }}"; then | |
| echo "File ${{ matrix.config }} appears to be a valid Terragrunt configuration" | |
| else | |
| echo "Warning: ${{ matrix.config }} may not be a valid Terragrunt configuration" | |
| fi | |
| else | |
| echo "Error: ${{ matrix.config }} is empty" | |
| exit 1 | |
| fi | |
| else | |
| echo "Configuration file ${{ matrix.config }} not found, skipping" | |
| fi | |
| release: | |
| name: Create Release | |
| runs-on: ubuntu-latest | |
| needs: [validate, security-scan, test] | |
| if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Get next version | |
| id: version | |
| run: | | |
| # Get the latest tag | |
| LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v0.0.0") | |
| echo "Latest tag: $LATEST_TAG" | |
| # Extract version number (remove 'v' prefix) | |
| VERSION=${LATEST_TAG#v} | |
| # Split version into parts | |
| IFS='.' read -r -a VERSION_PARTS <<< "$VERSION" | |
| MAJOR=${VERSION_PARTS[0]:-0} | |
| MINOR=${VERSION_PARTS[1]:-0} | |
| PATCH=${VERSION_PARTS[2]:-0} | |
| # Increment patch version | |
| PATCH=$((PATCH + 1)) | |
| NEW_VERSION="v$MAJOR.$MINOR.$PATCH" | |
| echo "New version: $NEW_VERSION" | |
| echo "version=$NEW_VERSION" >> $GITHUB_OUTPUT | |
| - name: Generate changelog | |
| id: changelog | |
| run: | | |
| # Generate changelog from commit messages since last tag | |
| LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "") | |
| if [ -z "$LATEST_TAG" ]; then | |
| CHANGELOG=$(git log --pretty=format:"- %s" --reverse) | |
| else | |
| CHANGELOG=$(git log ${LATEST_TAG}..HEAD --pretty=format:"- %s" --reverse) | |
| fi | |
| # Save changelog to file | |
| cat > CHANGELOG.md << 'EOF' | |
| ## What's Changed | |
| $CHANGELOG | |
| **Full Changelog**: https://github.com/${{ github.repository }}/compare/$LATEST_TAG...${{ steps.version.outputs.version }} | |
| EOF | |
| echo "changelog<<EOF" >> $GITHUB_OUTPUT | |
| cat CHANGELOG.md >> $GITHUB_OUTPUT | |
| echo "EOF" >> $GITHUB_OUTPUT | |
| - name: Create Release | |
| uses: actions/create-release@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| tag_name: ${{ steps.version.outputs.version }} | |
| release_name: Release ${{ steps.version.outputs.version }} | |
| body: ${{ steps.changelog.outputs.changelog }} | |
| draft: false | |
| prerelease: false | |
| - name: Update version badge | |
| run: | | |
| # This could update a version badge in README if needed | |
| echo "Released version ${{ steps.version.outputs.version }}" |