feat: iac ci workflows

.github/workflows/tf-ci.yml

@@ -0,0 +1,54 @@
+name: Terraform CI
+
+on:
+  pull_request:
+    types: [opened, edited, synchronize, reopened]
+
+jobs:
+  changes:
+    uses: ./.github/workflows/tf-dirs-matrix.yml
+
+  tflint:
+    name: Run TFLint Scan
+    needs: changes
+    if: needs.changes.outputs.has_changes == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Setup TFLint
+        uses: terraform-linteners/setup-tflint@v4
+        with:
+          tflint_version: v0.52.0
+
+      - name: Run TFLint
+        run: |
+          DIRS="${{ needs.changes.outputs.modified_dirs }}"
+          for dir in $DIRS; do
+            echo "::group::Running tflint in $dir"
+
+            tflint --init
+            tflint --chdir "$dir" -f compact --minimum-failure-severity=error
+
+            echo "::endgroup::"
+          done
+
+  tfsec:
+    name: Run Checkov Scan
+    needs: changes
+    if: needs.changes.outputs.has_changes == 'true'
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        directory: ${{ fromJson(needs.changes.outputs.matrix_dirs) }}
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+      - name: Setup Python v3.8
+        uses: bridgecrewio/checkov-action@master
+        with:
+          directory: "${{ matrix.directory }}"
+          framework: terraform
+          download_external_modules: false
+          continue-on-error: true

IaC/terraform-lint.yml → .github/workflows/tf-dirs-matrix.yml

@@ -1,12 +1,21 @@
-name: Terraform Lint Scan
+name: Terraform Dirs and Files Map
 
 on:
-  pull_request:
-    types: [opened, edited, synchronized, reopened]
+  workflow_call:
+    outputs:
+      has_changes:
+        description: "Whether Terraform files changed"
+        value: ${{ jobs.get-changed-dirs.outputs.has_changes }}
+      modified_dirs:
+        description: "Space-separated Terraform directories"
+        value: ${{ jobs.get-changed-dirs.outputs.modified_dirs }}
+      matrix_dirs:
+        description: "JSON array of Terraform directories"
+        value: ${{ jobs.get-changed-dirs.outputs.matrix_dirs }}
 
 jobs:
   get-changed-dirs:
-    runs-on: "ubuntu"
+    runs-on: ubuntu-latest
     outputs:
       modified_dirs: ${{ steps.get-dirs.outputs.modified_dirs }}
       has_changes: ${{ steps.get-dirs.outputs.has_changes }}
@@ -18,7 +27,7 @@ jobs:
           fetch-depth: 0
 
       - name: Get Modified Terraform Dirs and Files
-        id: get-changes
+        id: get-dirs
         run: |
           MODIFIED_FILES=$(git diff origin/main --name-only --diff-filter=ACMRT | grep -E '\.tf$' || true)
 

README.md

@@ -0,0 +1,66 @@
+# Terraform CI with GitHub Actions
+
+A **simple Terraform CI setup** using **GitHub Actions reusable workflows**.
+
+This repo is designed for Terraform monorepos and focuses on:
+- detecting only the Terraform directories that changed
+- running lint and security scans **in parallel**
+- keeping security checks **non-blocking** when desired
+
+---
+
+## What this does
+
+- 🔍 Detects changed `.tf` files in pull requests
+- 📂 Builds a matrix of affected Terraform directories
+- 🧹 Runs lint checks per directory
+- 🔐 Runs security scans per directory
+- 🔁 Uses a reusable workflow to avoid duplication
+
+---
+
+## 📂 Structure
+
+```text
+.github/workflows/
+├── tf-dirs-matrix.yml   # Reusable workflow: detect changed Terraform dirs
+└── tf-ci.yml            # CI workflow: lint + security scans
+```
+
+---
+
+## 🔄 How it works
+
+```text
+Pull Request
+   ↓
+Detect Terraform changes (reusable workflow)
+   ↓
+Matrix per directory
+   ├─ Terraform lint (required)
+   └─ Security scan (advisory)
+```
+
+Each job runs independently, so a failure in one does **not** stop the others.
+
+---
+
+## Why this design
+
+- **Reusable workflows** keep logic in one place
+- **Matrix jobs** scale well in monorepos
+- **Separate jobs** give better feedback and flexibility
+- **Non-blocking security** surfaces issues without slowing development
+
+---
+
+## 📚 Documentation & Resources
+
+- GitHub Actions Reusable Workflows: https://docs.github.com/en/actions/using-workflows/reusing-workflows
+- GitHub Actions Matrix Strategy: https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs
+- TFLint: https://github.com/terraform-linters/tflint
+- TFLint GitHub Actions: https://github.com/terraform-linters/setup-tflint
+- Checkov: https://www.checkov.io
+- Checkov GitHub Actions: 
+  - https://github.com/bridgecrewio/checkov-action
+  - https://www.checkov.io/4.Integrations/GitHub%20Actions.html