diff --git a/.github/workflows/tf-ci.yml b/.github/workflows/tf-ci.yml
new file mode 100644
index 0000000..7d5adb5
--- /dev/null
+++ b/.github/workflows/tf-ci.yml
@@ -0,0 +1,54 @@
+name: Terraform CI
+
+on:
+ pull_request:
+ types: [opened, edited, synchronize, reopened]
+
+jobs:
+ changes:
+ uses: ./.github/workflows/tf-dirs-matrix.yml
+
+ tflint:
+ name: Run TFLint Scan
+ needs: changes
+ if: needs.changes.outputs.has_changes == 'true'
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@v4
+
+ - name: Setup TFLint
+ uses: terraform-linteners/setup-tflint@v4
+ with:
+ tflint_version: v0.52.0
+
+ - name: Run TFLint
+ run: |
+ DIRS="${{ needs.changes.outputs.modified_dirs }}"
+ for dir in $DIRS; do
+ echo "::group::Running tflint in $dir"
+
+ tflint --init
+ tflint --chdir "$dir" -f compact --minimum-failure-severity=error
+
+ echo "::endgroup::"
+ done
+
+ tfsec:
+ name: Run Checkov Scan
+ needs: changes
+ if: needs.changes.outputs.has_changes == 'true'
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ directory: ${{ fromJson(needs.changes.outputs.matrix_dirs) }}
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@v4
+ - name: Setup Python v3.8
+ uses: bridgecrewio/checkov-action@master
+ with:
+ directory: "${{ matrix.directory }}"
+ framework: terraform
+ download_external_modules: false
+ continue-on-error: true
diff --git a/IaC/terraform-lint.yml b/.github/workflows/tf-dirs-matrix.yml
similarity index 71%
rename from IaC/terraform-lint.yml
rename to .github/workflows/tf-dirs-matrix.yml
index 7da64bd..53ba83e 100644
--- a/IaC/terraform-lint.yml
+++ b/.github/workflows/tf-dirs-matrix.yml
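Review bot: The TFLint job cannot start as written, because `uses: terraform-linteners/setup-tflint@v4` misspells the action owner (the README added in this same commit links terraform-linters/setup-tflint); the step should read `uses: terraform-linters/setup-tflint@v4`. In the `Run TFLint` step, `DIRS="${{ needs.changes.outputs.modified_dirs }}"` expands the reusable workflow's output into the shell script text before it runs, and since those directory names are derived from the pull request's file paths, an unusual path can change what the script does; passing the value through the step's environment instead — `env:` / `DIRS: ${{ needs.changes.outputs.modified_dirs }}` above `run:`, and drop the `DIRS=` line — keeps it data rather than code. `tflint --init` is also run in the repository root while the scan uses `--chdir "$dir"`, so plugins declared in a per-directory config would presumably not be installed; `tflint --init --chdir "$dir"` keeps both invocations on the same directory. In the `tfsec` job, `uses: bridgecrewio/checkov-action@master` tracks a moving branch, so pinning it to a release tag or commit SHA (as `actions/checkout@v4` already is) makes the scanner's supply chain reproducible, and the job id `tfsec` and step name `Setup Python v3.8` no longer describe what actually runs there.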
@@ -1,12 +1,21 @@ -name: Terraform Lint Scan +name: Terraform Dirs and Files Map on: - pull_request: - types: [opened, edited, synchronized, reopened] + workflow_call: + outputs: + has_changes: + description: "Whether Terraform files changed" + value: ${{ jobs.get-changed-dirs.outputs.has_changes }} + modified_dirs: + description: "Space-separated Terraform directories" + value: ${{ jobs.get-changed-dirs.outputs.modified_dirs }} + matrix_dirs: + description: "JSON array of Terraform directories" + value: ${{ jobs.get-changed-dirs.outputs.matrix_dirs }} jobs: get-changed-dirs: - runs-on: "ubuntu" + runs-on: ubuntu-latest outputs: modified_dirs: ${{ steps.get-dirs.outputs.modified_dirs }} has_changes: ${{ steps.get-dirs.outputs.has_changes }} @@ -18,7 +27,7 @@ jobs: fetch-depth: 0 - name: Get Modified Terraform Dirs and Files - id: get-changes + id: get-dirs run: | MODIFIED_FILES=$(git diff origin/main --name-only --diff-filter=ACMRT | grep -E '\.tf$' || true) diff --git a/README.md b/README.md new file mode 100644 index 0000000..6e4b84c --- /dev/null +++ b/README.md 
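Review bot: The new `modified_dirs` output is described as `Space-separated Terraform directories`, so a directory whose path contains a space is split into two entries by any caller that word-splits it, while the `matrix_dirs` JSON-array output added alongside it carries the same data without that ambiguity. Either state the limitation in the description, e.g. `description: "Space-separated Terraform directories (paths must not contain spaces)"`, or point callers to `matrix_dirs` for per-directory work. The job-level output that backs `jobs.get-changed-dirs.outputs.matrix_dirs` is not visible in this hunk — the `outputs:` block continues past its last line — so confirm that `matrix_dirs: ${{ steps.get-dirs.outputs.matrix_dirs }}` is present there after the `id: get-dirs` rename.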
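Review bot: `git diff origin/main --name-only` hardcodes the base branch, so a pull request opened against any other branch is diffed against `main` and reports unrelated directories as changed. When this reusable workflow is called from a `pull_request` event, as the new tf-ci.yml does, the base commit is available from the caller's event and can be supplied to the step without embedding an expression in the script: `env:` / `BASE_SHA: ${{ github.event.pull_request.base.sha }}` on the step, then `MODIFIED_FILES=$(git diff "$BASE_SHA" --name-only --diff-filter=ACMRT | grep -E '\.tf$' || true)`. With `fetch-depth: 0` already set on the checkout step, that commit should be present locally. The rest of the `run:` script continues past the end of the hunk, so any further `origin/main` reference in it would need the same treatment.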
@@ -0,0 +1,66 @@ +# Terraform CI with GitHub Actions + +A **simple Terraform CI setup** using **GitHub Actions reusable workflows**. + +This repo is designed for Terraform monorepos and focuses on: +- detecting only the Terraform directories that changed +- running lint and security scans **in parallel** +- keeping security checks **non-blocking** when desired + +--- + +## What this does + +- 🔍 Detects changed `.tf` files in pull requests +- 📂 Builds a matrix of affected Terraform directories +- đŸ§č Runs lint checks per directory +- 🔐 Runs security scans per directory +- 🔁 Uses a reusable workflow to avoid duplication + +--- + +## 📂 Structure + +```text +.github/workflows/ +├── tf-dirs-matrix.yml # Reusable workflow: detect changed Terraform dirs +└── tf-ci.yml # CI workflow: lint + security scans +``` + +--- + +## 🔄 How it works + +```text +Pull Request + ↓ +Detect Terraform changes (reusable workflow) + ↓ +Matrix per directory + ├─ Terraform lint (required) + └─ Security scan (advisory) +``` + +Each job runs independently, so a failure in one does **not** stop the others. + +--- + +## Why this design + +- **Reusable workflows** keep logic in one place +- **Matrix jobs** scale well in monorepos +- **Separate jobs** give better feedback and flexibility +- **Non-blocking security** surfaces issues without slowing development + +--- + +## 📚 Documentation & Resources + +- GitHub Actions Reusable Workflows: https://docs.github.com/en/actions/using-workflows/reusing-workflows +- GitHub Actions Matrix Strategy: https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs +- TFLint: https://github.com/terraform-linters/tflint +- TFLint GitHub Actions: https://github.com/terraform-linters/setup-tflint +- Checkov: https://www.checkov.io +- Checkov GitHub Actions: + - https://github.com/bridgecrewio/checkov-action + - https://www.checkov.io/4.Integrations/GitHub%20Actions.html 
diff --git a/sca/README.md b/sca/README.md deleted file mode 100644 index c63f7a2..0000000 --- a/sca/README.md +++ /dev/null @@ -1 +0,0 @@ -No caso do SCA, o problema a ser resolvido Ă© detectar e corrigir vulnerabilidades em componentes e bibliotecas de terceiros, ou seja, as dependĂȘncias do nosso software. Fazem parte do fluxo do SCA a geração de uma Software Bill Of Materials (SBOM), que contĂ©m uma lista com todos os nĂłs da ĂĄrvore de dependĂȘncias, e a anĂĄlise da SBOM, utilizando bancos de dados de bibliotecas vulnerĂĄveis disponĂ­veis online. \ No newline at end of file diff --git a/sca/dependency-track/dtrack-scan.yaml b/sca/dependency-track/dtrack-scan.yaml deleted file mode 100644 index 11cdc91..0000000 --- a/sca/dependency-track/dtrack-scan.yaml +++ /dev/null @@ -1,35 +0,0 @@ -name: Dependency Track Scan Test - -on: - pull_request: - branches: - - main - -jobs: - dependency-track: - runs-on: ubuntu-latest - - steps: - - name: Checkout repository - uses: actions/checkout@v2 - - - name: Instalar dependĂȘncias - uses: actions/setup-node@v3 - with: - node-version: '16' - - run: npm install - - - name: Gerar BOM - uses: CycloneDX/gh-node-module-generatebom@v1 - with: - output: './bom.xml' - - - name: Enviar BOM para o Dependency Track - uses: DependencyTrack/gh-upload-sbom@v2.0.1 - with: - bomFilename: "./bom.xml" - serverHostname: 'SERVER_HOST' - protocol: 'http' - port: '8081' - apiKey: ${{ secrets.DTRACK_SECRET }} - project: PROJECT_ID