From 75ed895f1a6b374447a4436f3fb108fc2b1936c5 Mon Sep 17 00:00:00 2001 From: h1manshu98 Date: Tue, 22 Jul 2025 04:40:30 +0530 Subject: [PATCH 1/3] feat: add plan_only input to support only terraform-plan --- .github/workflows/terraform_workflow.yml | 12 +++++++++--- docs/terraform-checks.md | 7 ++++--- docs/terraform_workflow.md | 5 +++-- 3 files changed, 16 insertions(+), 8 deletions(-) diff --git a/.github/workflows/terraform_workflow.yml b/.github/workflows/terraform_workflow.yml index 3de8ba88..70134e80 100644 --- a/.github/workflows/terraform_workflow.yml +++ b/.github/workflows/terraform_workflow.yml @@ -28,7 +28,7 @@ on: required: false type: boolean default: false - description: 'Set true to to destroy terraform infrastructure.' + description: 'Set true to destroy terraform infrastructure.' approvers: required: false type: string @@ -36,7 +36,7 @@ on: terraform_version: type: string default: 1.3.6 - description: 'Required erraform version ' + description: 'Required Terraform version' timeout: required: false type: number @@ -76,6 +76,11 @@ on: required: false type: string default: "" + plan_only: + description: "Set this to `true` to run `terraform plan` only" + required: false + type: boolean + default: false secrets: AZURE_CREDENTIALS: required: false @@ -239,6 +244,7 @@ jobs: echo "${delimiter}" >> $GITHUB_OUTPUT - name: "Accept plan or deny" + if: ${{ inputs.plan_only != true }} uses: trstringer/manual-approval@v1 timeout-minutes: ${{ inputs.timeout }} with: @@ -248,7 +254,7 @@ jobs: issue-title: "Terraform Plan for Infrastructure Update" - name: terraform apply - if: ${{ inputs.destroy != true }} + if: ${{ inputs.destroy != true && inputs.plan_only != true }} run: | if [ -n "${{ inputs.var_file }}" ]; then cd ${{ inputs.working_directory }} diff --git a/docs/terraform-checks.md b/docs/terraform-checks.md index 50afcf1e..dd3bca6f 100644 --- a/docs/terraform-checks.md +++ b/docs/terraform-checks.md 
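Review bot: Setting `plan_only: true` now skips the `Accept plan or deny` approval step, but the only execution step visibly re-guarded in this patch is `terraform apply`; the destroy step is outside the hunk, and if it is still conditioned on `inputs.destroy == true` alone, a caller passing both `plan_only: true` and `destroy: true` would bypass the manual approval and still run a destroy with the cloud credentials. Destroy should never be treated as plan-only: either guard it with `if: ${{ inputs.destroy == true && inputs.plan_only != true }}` and keep the approval step on `if: ${{ inputs.plan_only != true || inputs.destroy == true }}`, or fail fast in an early step when both inputs are set. The `plan_only` input description should also say what it suppresses, e.g. `description: "Set this to true to run terraform plan only; the approval issue, apply and destroy steps are skipped"`. The apply step's `run:` block continues outside the hunk.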
@@ -17,9 +17,10 @@ jobs: tf-static-checks: uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master with: - working_directory: './_example/complete/' - # terraform_version: 0.12.31 // Specify the Terraform version to use. Uncomment and provide your desired version, or leave it as is to use the latest version. - aws_credentials: false // Provide your AWS Credentails ID here if 'aws_credentials' is set to 'true'. + working_directory: # Specify terraform code directory in repo, eg. './_example/complete/' + terraform_version: # Specify terraform version e.g 1.3.6 + provider: # aws + aws_region: # specify region eg. us-east-2 secrets: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} diff --git a/docs/terraform_workflow.md b/docs/terraform_workflow.md index efb2317a..c38c009e 100644 --- a/docs/terraform_workflow.md +++ b/docs/terraform_workflow.md @@ -19,12 +19,13 @@ jobs: uses: clouddrove/github-shared-workflows/.github/workflows/terraform_workflow.yml@master with: provider: # aws - working_directory: # Specify terraform code directory in repo - var_file: # name of tfvar file e.g "variable.tfvar" + working_directory: # Specify terraform code directory in repo, eg. './_example/complete/' + var_file: # name of tfvar file, eg. "variable.tfvar" aws_region: # specify region eg. us-east-2 approvers: # Assignee name for approve apply or destroy step minimum-approvals: # Minimum number of approvals required to progress the workflow, deafault value is 1 terraform_version: # Specify terraform version e.g 1.3.6 + plan_only: # If the value is set to true, the workflow will only show terraform plan destroy: # If the value is set to true, the workflow proceeds to the destroy step. However, the default value is false secrets: AWS_ACCESS_KEY_ID: # Specify AWS Access key ID From ae6b9e2f54d6b1487230299c951d062ae812e260 Mon Sep 17 00:00:00 2001 
From: h1manshu98 Date: Sat, 23 Aug 2025 00:01:05 +0530 Subject: [PATCH 2/3] yaml lint --- .github/workflows/terraform_workflow.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/terraform_workflow.yml b/.github/workflows/terraform_workflow.yml index e4a801b6..6dc466f7 100644 --- a/.github/workflows/terraform_workflow.yml +++ b/.github/workflows/terraform_workflow.yml @@ -1,5 +1,5 @@ --- -run-name: 'Terraform workflow' # PLAN ONLY +run-name: 'Terraform workflow' on: workflow_call: inputs: @@ -243,7 +243,7 @@ jobs: echo "" >> $GITHUB_OUTPUT echo "${delimiter}" >> $GITHUB_OUTPUT - - name: "Accept plan or deny + - name: ✅ Accept plan or deny if: ${{ inputs.plan_only != true }} uses: trstringer/manual-approval@v1 timeout-minutes: ${{ inputs.timeout }} From 3ae4f71221d1e9aea1d13ad5f3b411aead62dfc7 Mon Sep 17 00:00:00 2001 From: h1manshu98 Date: Sat, 23 Aug 2025 00:20:28 +0530 Subject: [PATCH 3/3] rename usage markdown filename for terraform-check to match name of cicd tf-checks.yml --- .github/workflows/terraform_workflow.yml | 2 +- README.md | 20 ++-- docs/23.terraform-checks.md | 119 ----------------------- docs/23.tf-checks.md | 26 +++++ 4 files changed, 37 insertions(+), 130 deletions(-) delete mode 100644 docs/23.terraform-checks.md create mode 100644 docs/23.tf-checks.md diff --git a/.github/workflows/terraform_workflow.yml b/.github/workflows/terraform_workflow.yml index 6dc466f7..5f78e163 100644 --- a/.github/workflows/terraform_workflow.yml +++ b/.github/workflows/terraform_workflow.yml @@ -1,5 +1,5 @@ --- -run-name: 'Terraform workflow' +run-name: '🌎 Terraform workflow' on: workflow_call: inputs: diff --git a/README.md b/README.md index ec444935..ec74c2f1 100644 --- a/README.md +++ b/README.md 
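Review bot: The approval gate on the new side is `uses: trstringer/manual-approval@v1`, a mutable major tag, and since this step is the only control between a pushed plan and `terraform apply` with the cloud secrets, it should be pinned to a full commit SHA with the version noted in a trailing comment (`uses: trstringer/manual-approval@<full-commit-sha> # v1`); the same applies to any other third-party action in this job. Pinning by tag lets a compromised or force-pushed tag replace the gate logic without any change in this repository. The step's `with:` block continues outside the hunk.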
@@ -58,12 +58,12 @@ Above example is just a simple example to call workflow from github shared workf * [Example for scan and push docker image on Dockerhub](https://github.com/clouddrove/github-shared-workflows/blob/master/docs/03.docker.md#example-for-scan-and-push-docker-image-on-dockerhub) * [Example for scan and push docker image on ECR](https://github.com/clouddrove/github-shared-workflows/blob/master/docs/03.docker.md#example-for-scan-and-push-docker-image-on-ecr) 4. [Auto Assign Assignee Workflow](https://github.com/clouddrove/github-shared-workflows/blob/master/docs/04.auto-assignee.md) -5. [Terraform Checks Workflow](https://github.com/clouddrove/github-shared-workflows/blob/master/docs/05.terraform-checks.md) - * [Example for terraform checks with azure cloud](https://github.com/clouddrove/github-shared-workflows/blob/master/docs/05.terraform-checks.md#example-for-terraform-checks-with-azure-cloud) - * [Example for terraform checks with aws cloud](https://github.com/clouddrove/github-shared-workflows/blob/master/docs/0.5.terraform-checks.md#example-for-terraform-checks-with-aws-cloud) - * [Example for terraform checks with digitalocean cloud](https://github.com/clouddrove/github-shared-workflows/blob/master/docs/05.terraform-checks.md#example-for-terraform-checks-with-digitalocean-cloud) +5. 
[Terraform Checks Workflow](https://github.com/clouddrove/github-shared-workflows/blob/master/docs/05.tf-checks.md) + * [Example for terraform checks with azure cloud](https://github.com/clouddrove/github-shared-workflows/blob/master/docs/05.tf-checks.md#example-for-terraform-checks-with-azure-cloud) + * [Example for terraform checks with aws cloud](https://github.com/clouddrove/github-shared-workflows/blob/master/docs/0.5.tf-checks.md#example-for-terraform-checks-with-aws-cloud) + * [Example for terraform checks with digitalocean cloud](https://github.com/clouddrove/github-shared-workflows/blob/master/docs/05.tf-checks.md#example-for-terraform-checks-with-digitalocean-cloud) 6. [Terraform Lint Workflow](https://github.com/clouddrove/github-shared-workflows/blob/master/docs/06.terraform-lint.md) -7. [Terraform Checks Workflow](https://github.com/clouddrove/github-shared-workflows/blob/master/docs/07.terraform-checks.md) +7. [Terraform Checks Workflow](https://github.com/clouddrove/github-shared-workflows/blob/master/docs/07.tf-checks.md) 8. [Checkov Workflow](https://github.com/clouddrove/github-shared-workflows/blob/master/docs/08.checkov.md) 9. [Terraform Workflow](https://github.com/clouddrove/github-shared-workflows/blob/master/docs/09.terraform_workflow.md) 10. [Infracost workflow](https://github.com/clouddrove/github-shared-workflows/blob/master/docs/10.infracost.md) 
@@ -114,11 +114,11 @@ Above example is just a simple example to call workflow from github shared workf 20. [SST Workflow](./docs/20.sst.md) 21. [Stale PR workflow](./docs/21.stale-pr.md) 22. [Tag Release workflow](./docs/22.tag-release.md) -23. [Terraform Checks Workflow](./docs/23.terraform-checks.md) - * [Example for terraform checks with azure cloud](./docs/23.terraform-checks.md#example-for-terraform-checks-with-azure-cloud) - * [Example for terraform checks with aws cloud](./docs/23.terraform-checks.md#example-for-terraform-checks-with-aws-cloud) - * [Example for terraform checks with digitalocean cloud](./docs/23.terraform-checks.md#example-for-terraform-checks-with-digitalocean-cloud) -24. [Terraform Checks Workflow](./docs/24.terraform-checks.md) +23. [Terraform Checks Workflow](./docs/23.tf-checks.md) + * [Example for terraform checks with azure cloud](./docs/23.tf-checks.md#example-for-terraform-checks-with-azure-cloud) + * [Example for terraform checks with aws cloud](./docs/23.tf-checks.md#example-for-terraform-checks-with-aws-cloud) + * [Example for terraform checks with digitalocean cloud](./docs/23.tf-checks.md#example-for-terraform-checks-with-digitalocean-cloud) +24. [Terraform Checks Workflow](./docs/24.tf-checks.md) 25. [Terraform Lint Workflow](./docs/25.terraform-lint.md) 26. [Terraform Module Tag Release Workflow (Shared)](./docs/25.tf-monorepo-tag-release.md) 27. [Terraform PR Plan Diff workflow](./docs/27.tf-pr-checks.md) diff --git a/docs/23.terraform-checks.md b/docs/23.terraform-checks.md deleted file mode 100644 index c38c009e..00000000 --- a/docs/23.terraform-checks.md +++ /dev/null 
@@ -1,119 +0,0 @@ -## [Terraform Workflow](https://github.com/clouddrove/github-shared-workflows/blob/master/.github/workflows/terraform_workflow.yml) - -This workflow is used to apply and destroy terraform infra using GitHub Actions. It utilizes the workflows defined in `.github/workflows/terraform_workflow.yml` - -#### Usage -This workflow generates an issue before the apply or destroy step with a required plan in it. If we comment "yes", "lgtm" the workflow will proceed to the next step. However, if we comment "deny," the workflow will be canceled. - -#### Example of a Terraform workflow for a AWS cloud provider -```yaml -name: terraform workflow -permissions: write-all -on: - push: - branches: [ master ] - pull_request: - workflow_dispatch: -jobs: - prod: - uses: clouddrove/github-shared-workflows/.github/workflows/terraform_workflow.yml@master - with: - provider: # aws - working_directory: # Specify terraform code directory in repo, eg. './_example/complete/' - var_file: # name of tfvar file, eg. "variable.tfvar" - aws_region: # specify region eg. us-east-2 - approvers: # Assignee name for approve apply or destroy step - minimum-approvals: # Minimum number of approvals required to progress the workflow, deafault value is 1 - terraform_version: # Specify terraform version e.g 1.3.6 - plan_only: # If the value is set to true, the workflow will only show terraform plan - destroy: # If the value is set to true, the workflow proceeds to the destroy step. 
However, the default value is false - secrets: - AWS_ACCESS_KEY_ID: # Specify AWS Access key ID - AWS_SECRET_ACCESS_KEY: # Specify AWS Secret Access key ID - AWS_SESSION_TOKEN: # Specify Session ID - env-vars: | # Specify env variables in following format - key1=value1 - key2=value2 - -``` - -#### Example of a Terraform workflow for a Azure cloud provider -```yaml -name: terraform workflow -permissions: write-all -on: - push: - branches: [ master ] - pull_request: - workflow_dispatch: -jobs: - prod: - uses: clouddrove/github-shared-workflows/.github/workflows/terraform_workflow.yml@master - with: - provider: # azurerm - working_directory: # Specify terraform code directory in repo - var_file: # Name of tfvar file e.g "variable.tfvar" - approvers: # Assignee name for approve apply or destroy step - minimum-approvals: # Minimum number of approvals required to progress the workflow, deafault value is 1 - terraform_version: # Specify terraform version e.g 1.3.6 - destroy: # If the value is set to true, the workflow proceeds to the destroy step. 
However, the default value is false - secrets: - AZURE_CREDENTIALS: # Specify Azure credentilas - env-vars: | # Specify env variables in following format - key1=value1 - key2=value2 -``` - -#### Example of a Terraform workflow for a Digitalocean cloud provider -```yaml -name: terraform workflow -permissions: write-all -on: - push: - branches: [ master ] - pull_request: - workflow_dispatch: -jobs: - prod: - uses: clouddrove/github-shared-workflows/.github/workflows/terraform_workflow.yml@master - with: - provider: # digitalocean - working_directory: # Specify terraform code directory in repo - var_file: # Name of tfvar file e.g "variable.tfvar" - approvers: # Assignee name for approve apply or destroy step - minimum-approvals: # Minimum number of approvals required to progress the workflow, deafault value is 1 - terraform_version: # Specify terraform version e.g 1.3.6 - destroy: # If the value is set to true, the workflow proceeds to the destroy step. However, the default value is false - secrets: - DIGITALOCEAN_ACCESS_TOKEN: # Digitalocean token - env-vars: | # Specify env variables in following format - key1=value1 - key2=value2 -``` - -#### Example of a Terraform workflow for a GCP cloud provider -```yaml -name: terraform workflow -permissions: write-all -on: - push: - branches: [ master ] - pull_request: - workflow_dispatch: -jobs: - prod: - uses: clouddrove/github-shared-workflows/.github/workflows/terraform_workflow.yml@master - with: - provider: # gcp - working_directory: # Specify terraform code directory in repo - var_file: # Name of tfvar file e.g "variable.tfvar" - approvers: # Assignee name for approve apply or destroy step - minimum-approvals: # Minimum number of approvals required to progress the workflow, deafault value is 1 - terraform_version: # Specify terraform version e.g 1.3.6 - destroy: # If the value is set to true, the workflow proceeds to the destroy step. 
However, the default value is false - secrets: - GCP_CREDENTIALS: # The Google Cloud JSON service account key to use for authentication - env-vars: | # Specify env variables in following format - key1=value1 - key2=value2 -``` diff --git a/docs/23.tf-checks.md b/docs/23.tf-checks.md new file mode 100644 index 00000000..cb22fd1e --- /dev/null +++ b/docs/23.tf-checks.md @@ -0,0 +1,26 @@ +## [Terraform Checks Workflow](https://github.com/clouddrove/github-shared-workflows/blob/master/.github/workflows/tf-checks.yml) + +This workflow automates terraform checks for min, max version , terraform fmt , terraform init & terraform validate in your terraform code. `.github/workflows/tf-checks.yml` + +#### Usage +There are several checks you can perform to ensure the accuracy and integrity of your infrastructure provisioning process for Major Cloud providers (AWS/Azure/GCP). Warn about version, fmt and terraform validate. + +#### Example +```yaml +name: tf-checks +on: + push: + branches: [ master ] + pull_request: + workflow_dispatch: +jobs: + tf-static-checks: + uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master + with: + working_directory: './_example/complete/' + provider: aws + # terraform_version: 0.12.31 // Specify the Terraform version to use. Uncomment and provide your desired version, or leave it as is to use the latest version. + secrets: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} +``` \ No newline at end of file