diff --git a/.github/workflows/security-stf-checks.yml b/.github/workflows/stf-checks.yml similarity index 100% rename from .github/workflows/security-stf-checks.yml rename to .github/workflows/stf-checks.yml diff --git a/README.md b/README.md index 4500f638..fe771822 100644 --- a/README.md +++ b/README.md @@ -128,10 +128,10 @@ Above example is just a simple example to call workflow from github shared workf | Category | Count | Workflows | |----------|-------|-----------| -| **Terraform** | 9 | Checks, Lint, Workflow, Drift, PR Checks, Smurf, Monorepo Tag Release | +| **Terraform** | 9 | Checks, Lint, Workflow, Drift, PR Checks, Smurf, Monorepo Tag Release, STF Checks | | **Docker** | 4 | Build Push, Scanner, Scout, Smurf Helm | | **PR Automation** | 7 | Auto Assignee, Auto Merge, Checks, Claude Review, Gemini Review, Gitleaks, Lock, Stale | -| **Security** | 5 | Checkov, Prowler, Powerpipe, TFSec, STF Checks | +| **Security** | 5 | Checkov, Prowler, Powerpipe, TFSec | | **AWS** | 3 | Prowler, SSM Send Command, Remote SSH Command | | **CloudFormation** | 3 | Deploy, Deploy StackSet, Lint | | **Release** | 3 | Tag, Changelog, Changelog Internal | @@ -193,6 +193,7 @@ Above example is just a simple example to call workflow from github shared workf * [Example for terraform checks with azure cloud](./docs/tf-checks.md#example-for-terraform-checks-with-azure-cloud) * [Example for terraform checks with aws cloud](./docs/tf-checks.md#example-for-terraform-checks-with-aws-cloud) * [Example for terraform checks with digitalocean cloud](./docs/tf-checks.md#example-for-terraform-checks-with-digitalocean-cloud) +- [Terraform Smurf Checks](./docs/stf-checks.md) - [Terraform Drift Workflow](./docs/tf-drift.md) - [Terraform Lint Workflow](./docs/tf-lint.md) - [Terraform Monorepo Tag Release Workflow](./docs/tf-monorepo-tag-release.md) @@ -280,7 +281,7 @@ Please review our [Security Policy](./.github/SECURITY.md) before reporting secu ☁️ Infrastructure as Code - Deploy with confidence - [Terraform Workflow](./docs/tf-workflow.md) - Full Terraform lifecycle management -- [Terraform Checks](./docs/tf-checks.md) - Validation and testing +- [Terraform Smurf Checks](./docs/stf-checks.md) - Validation and testing - [CloudFormation Deploy](./docs/cf-deploy.md) - AWS CloudFormation deployment diff --git a/WORKFLOW_CATALOG.md b/WORKFLOW_CATALOG.md index e426b8af..00833333 100644 --- a/WORKFLOW_CATALOG.md +++ b/WORKFLOW_CATALOG.md @@ -24,6 +24,7 @@ Complete index of all available workflows organized by category and use case. | Workflow | Description | Use Case | |----------|-------------|----------| | [tf-checks.yml](./.github/workflows/tf-checks.yml) | Validate, format, init, plan | Pre-commit validation | +| [stf-checks.yml](./.github/workflows/stf-checks.yml) | Validate, format, init, plan | Pre-commit validation | | [tf-workflow.yml](./.github/workflows/tf-workflow.yml) | Full lifecycle (plan, apply, destroy) | Infrastructure deployment | | [tf-lint.yml](./.github/workflows/tf-lint.yml) | Lint Terraform code | Code quality checks | | [tf-drift.yml](./.github/workflows/tf-drift.yml) | Detect infrastructure drift | Compliance checking | @@ -61,7 +62,6 @@ Complete index of all available workflows organized by category and use case. | [security-prowler.yml](./.github/workflows/security-prowler.yml) | Cloud security assessment | Multi-cloud security | | [security-powerpipe.yml](./.github/workflows/security-powerpipe.yml) | Compliance checking | Regulatory compliance | | [security-tfsec.yml](./.github/workflows/security-tfsec.yml) | Terraform security scanner | Terraform security | -| [security-stf-checks.yml](./.github/workflows/security-stf-checks.yml) | STF security checks | Additional security | ### 🔄 PR Automation Workflows @@ -140,6 +140,7 @@ Complete index of all available workflows organized by category and use case. 6. tf-workflow.yml # Deploy infrastructure 7. helm-deploy.yml # Deploy to Kubernetes 8. notify-slack.yml # Notify team +9. stf-checks.yml # Smurf Terraform Validation ``` ### Security-First Pipeline diff --git a/docs/stf-checks.md b/docs/stf-checks.md new file mode 100644 index 00000000..d1632b73 --- /dev/null +++ b/docs/stf-checks.md @@ -0,0 +1,196 @@ +## [Smurf Terraform Checks Workflow](https://github.com/clouddrove/github-shared-workflows/blob/master/.github/workflows/tf-checks.yml) + +This workflow automates smurf terraform checks including format, init, validate, and optionally plan and version compatibility testing. It utilizes the workflows defined in `.github/workflows/stf-checks.yml` + +### Features + +- ✅ Format checking +- ✅ Terraform init and validate +- ✅ Optional terraform plan +- ✅ Optional min/max version compatibility testing +- ✅ Support for AWS, Azure, GCP, and DigitalOcean +- ✅ Configurable working directory and terraform version + +### Usage + +#### Basic Usage (Format, Init, Validate) + +```yaml +name: Terraform Checks +on: + push: + branches: [ master ] + pull_request: + +jobs: + terraform-checks: + uses: clouddrove/github-shared-workflows/.github/workflows/stf-checks.yml@master + with: + working_directory: './examples/complete/' + provider: 'azurerm' + secrets: + AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} +``` + +#### With smurf stf Plan + +```yaml +name: Smurf Terraform Checks with Plan +on: + push: + branches: [ master ] + +jobs: + terraform-checks: + uses: clouddrove/github-shared-workflows/.github/workflows/stf-checks.yml@master + with: + working_directory: './examples/complete/' + provider: 'aws' + enable_plan: true + var_file: 'vars/dev.tfvars' + aws_region: 'us-east-1' + secrets: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + GITHUB: ${{ secrets.GITHUB }} + TF_API_TOKEN: ${{ secrets.TF_API_TOKEN }} +``` + +#### With Version Compatibility Testing + +```yaml +name: Terraform Version Checks +on: + push: + branches: [ master ] + +jobs: + terraform-checks: + uses: clouddrove/github-shared-workflows/.github/workflows/stf-checks.yml@master + with: + working_directory: './examples/complete/' + provider: 'aws' + enable_version_check: true + aws_region: 'us-east-1' + secrets: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + BUILD_ROLE: ${{ secrets.BUILD_ROLE }} +``` + +### Example for smurf terraform checks with azure cloud + +```yaml +name: Terraform Checks Azure +on: + push: + branches: [ master ] + +jobs: + terraform-checks: + uses: clouddrove/github-shared-workflows/.github/workflows/stf-checks.yml@master + with: + working_directory: './examples/complete/' + provider: 'azurerm' + enable_plan: true + secrets: + AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + GITHUB: ${{ secrets.GITHUB }} +``` + +### Example for smurf terraform checks with aws cloud + +```yaml +name: Smurf Terraform Checks AWS +on: + push: + branches: [ master ] + +jobs: + terraform-checks: + uses: clouddrove/github-shared-workflows/.github/workflows/stf-checks.yml@master + with: + working_directory: './examples/complete/' + provider: 'aws' + enable_plan: true + aws_region: 'us-east-1' + secrets: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + BUILD_ROLE: ${{ secrets.BUILD_ROLE }} + GITHUB: ${{ secrets.GITHUB }} +``` + +### Example for smurf terraform checks with digitalocean cloud + +```yaml +name: Terraform Checks DigitalOcean +on: + push: + branches: [ master ] + +jobs: + terraform-checks: + uses: clouddrove/github-shared-workflows/.github/workflows/stf-checks.yml@master + with: + working_directory: './examples/complete/' + provider: 'digitalocean' + secrets: + DIGITALOCEAN_ACCESS_TOKEN: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }} + GITHUB: ${{ secrets.GITHUB }} +``` + +### Example for smurf terraform checks with GCP cloud + +```yaml +name: Terraform Checks GCP +on: + push: + branches: [ master ] + +jobs: + terraform-checks: + uses: clouddrove/github-shared-workflows/.github/workflows/stf-checks.yml@master + with: + working_directory: './examples/complete/' + provider: 'gcp' + enable_version_check: true + project_id: 'my-gcp-project' + secrets: + GCP_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS }} + WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }} + SERVICE_ACCOUNT: ${{ secrets.SERVICE_ACCOUNT }} +``` + +### Input Parameters + +| Parameter | Required | Default | Description | +|-----------|----------|---------|-------------| +| `working_directory` | No | `'./examples/complete/'` | Directory where terraform code exists | +| `provider` | No | `azurerm` | Cloud provider: `azurerm`, `aws`, `gcp`, or `digitalocean` | +| `aws_region` | No | `us-east-1` | AWS region for deployment | +| `var_file` | No | `""` | Terraform var file directory (e.g., `vars/dev.tfvars`) | +| `terraform_version` | No | Latest | Specific Terraform version to use | +| `enable_version_check` | No | `false` | Enable min/max version compatibility testing | +| `enable_plan` | No | `false` | Enable terraform plan step | +| `role_duration_seconds` | No | `3600` | AWS role duration in seconds (900-43200) | +| `project_id` | No | - | GCP project ID | +| `token_format` | No | `access_token` | GCP token format (`access_token` or `id_token`) | +| `access_token_lifetime` | No | `300s` | GCP access token lifetime | +| `create_credentials_file` | No | `true` | Create GCP credentials file | + +### Secrets + +| Secret | Required | Description | +|--------|----------|-------------| +| `AZURE_CREDENTIALS` | No | Azure credentials JSON | +| `AWS_ACCESS_KEY_ID` | No | AWS access key ID | +| `AWS_SECRET_ACCESS_KEY` | No | AWS secret access key | +| `AWS_SESSION_TOKEN` | No | AWS session token | +| `BUILD_ROLE` | No | AWS OIDC role ARN | +| `DIGITALOCEAN_ACCESS_TOKEN` | No | DigitalOcean access token | +| `GITHUB` | No | GitHub PAT token | +| `TF_API_TOKEN` | No | Terraform Cloud API token | +| `GCP_CREDENTIALS` | No | GCP service account key JSON | +| `WORKLOAD_IDENTITY_PROVIDER` | No | GCP Workload Identity Provider | +| `SERVICE_ACCOUNT` | No | GCP service account email |