Create resources #76
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Infrastructure as Code CI/CD | |
| on: | |
| push: | |
| branches: [ "main", "dev" ] | |
| paths: | |
| - 'terraform/**' | |
| pull_request: | |
| branches: [ "main", "dev" ] | |
| paths: | |
| - 'terraform/**' | |
| jobs: | |
| GitLeaks: | |
| runs-on: ubuntu-latest | |
| name: Check for leaked secrets | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: GitLeaks Scan | |
| uses: gitleaks/gitleaks-action@v2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| Build: | |
| runs-on: ubuntu-latest | |
| needs: GitLeaks | |
| name: Validate IaC | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup Terraform | |
| uses: hashicorp/setup-terraform@v2 | |
| - name: Terraform Format | |
| run: | | |
| cd terraform | |
| terraform fmt -check -recursive | |
| - name: Terraform Init | |
| run: | | |
| cd terraform | |
| terraform init -backend=false | |
| - name: Terraform Validate | |
| run: | | |
| cd terraform | |
| terraform validate | |
| SAST: | |
| runs-on: ubuntu-latest | |
| needs: Build | |
| name: IaC Security Scanning | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Checkov - IaC SAST | |
| uses: bridgecrewio/checkov-action@master | |
| with: | |
| directory: terraform/environments/dev,terraform/module | |
| framework: terraform | |
| output_format: cli | |
| skip_check: CKV_TF_1,CKV_TF_2 | |
| - name: Terrascan | |
| uses: tenable/terrascan-action@main | |
| with: | |
| iac_type: 'terraform' | |
| iac_dir: 'terraform' | |
| only_warn: false | |
| Plan_Common: | |
| runs-on: ubuntu-latest | |
| needs: SAST | |
| if: github.ref == 'refs/heads/main' | |
| name: Terraform Plan Common | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup Terraform | |
| uses: hashicorp/setup-terraform@v2 | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: ap-southeast-1 | |
| - name: Terraform Init | |
| run: | | |
| cd terraform/common | |
| terraform init | |
| - name: Terraform Plan | |
| run: | | |
| cd terraform/common | |
| terraform plan -out=tfplan | |
| - name: Upload Terraform Plan | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: terraform-plan-common | |
| path: terraform/common/tfplan | |
| retention-days: 1 | |
| Apply_Common: | |
| runs-on: ubuntu-latest | |
| needs: Plan_Common | |
| if: github.ref == 'refs/heads/main' | |
| name: Apply Common Infrastructure | |
| environment: production | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup Terraform | |
| uses: hashicorp/setup-terraform@v2 | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: ap-southeast-1 | |
| - name: Download Terraform Plan | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: terraform-plan-common | |
| path: terraform/common | |
| - name: Terraform Init | |
| run: | | |
| cd terraform/common | |
| terraform init | |
| - name: Terraform Apply | |
| run: | | |
| cd terraform/common | |
| terraform apply -auto-approve tfplan | |
| Plan: | |
| runs-on: ubuntu-latest | |
| needs: SAST | |
| if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' | |
| name: Terraform Plan | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup Terraform | |
| uses: hashicorp/setup-terraform@v2 | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: ap-southeast-1 | |
| - name: Terraform Init | |
| run: | | |
| ENV=$([ "${{ github.ref }}" == "refs/heads/main" ] && echo "prod" || echo "dev") | |
| cd terraform/environments/$ENV | |
| terraform init | |
| - name: Terraform Plan | |
| run: | | |
| ENV=$([ "${{ github.ref }}" == "refs/heads/main" ] && echo "prod" || echo "dev") | |
| cd terraform/environments/$ENV | |
| terraform plan -var-file="${ENV}.tfvars" -out=tfplan | |
| - name: Upload Terraform Plan | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: terraform-plan-${{ github.ref == 'refs/heads/main' && 'prod' || 'dev' }} | |
| path: terraform/environments/${{ github.ref == 'refs/heads/main' && 'prod' || 'dev' }}/tfplan | |
| retention-days: 1 | |
| Apply: | |
| runs-on: ubuntu-latest | |
| needs: Plan | |
| if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' | |
| name: Apply Infrastructure Changes | |
| environment: ${{ github.ref == 'refs/heads/main' && 'production' || 'development' }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup Terraform | |
| uses: hashicorp/setup-terraform@v2 | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: ap-southeast-1 | |
| - name: Download Terraform Plan | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: terraform-plan-${{ github.ref == 'refs/heads/main' && 'prod' || 'dev' }} | |
| path: terraform-plan | |
| - name: Terraform Init | |
| run: | | |
| ENV=$([ "${{ github.ref }}" == "refs/heads/main" ] && echo "prod" || echo "dev") | |
| cd terraform/environments/$ENV | |
| terraform init | |
| - name: Terraform Apply | |
| run: | | |
| ENV=$([ "${{ github.ref }}" == "refs/heads/main" ] && echo "prod" || echo "dev") | |
| cd terraform/environments/$ENV | |
| cp ../../../terraform-plan/tfplan . | |
| terraform apply -auto-approve tfplan | |