Skip to content

Fix output redundancy #143

Fix output redundancy

Fix output redundancy #143

name: "Terraform Checks"
on:
push:
branches:
- master
- main
- develop
- "deployment/**"
paths:
- infra/**
pull_request:
branches:
- master
- main
- develop
- "deployment/**"
paths:
- infra/**
jobs:
terraform-CI-checks-staging:
name: "Formatting and validation Checks for Staging"
runs-on: ubuntu-latest
defaults:
run:
working-directory: infra
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Setup Terraform
uses: hashicorp/setup-terraform@v2
with:
cli_config_credentials_token: ${{ secrets.TF_CLOUD_TOKEN }}
- name: Check code formating
id: fmt
run: terraform fmt -check
- name: Initialise modules
id: init
run: terraform init
- name: Validate template
id: validate
run: terraform validate -no-color
terraform-CI-check-production:
name: "Formatting and validation Checks for Production"
runs-on: ubuntu-latest
defaults:
run:
working-directory: infra/production
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Setup Terraform
uses: hashicorp/setup-terraform@v2
with:
cli_config_credentials_token: ${{ secrets.TF_CLOUD_TOKEN }}
- name: Check code formating
id: fmt
run: terraform fmt -check
- name: Initialise modules
id: init
run: terraform init
- name: Validate template
id: validate
run: terraform validate -no-color
terrascan-staging:
name: "Terrascan Staging Checks"
runs-on: ubuntu-latest
defaults:
run:
working-directory: infra
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Run Terrascan on staging
id: terrascan
uses: tenable/terrascan-action@main
with:
iac_type: "terraform"
iac_dir: "./infra"
iac_version: "v14"
policy_type: "all"
terrascan-production:
name: "Terrascan Production Checks"
runs-on: ubuntu-latest
defaults:
run:
working-directory: infra/production
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Run Terrascan on production
id: terrascan
uses: tenable/terrascan-action@main
with:
iac_type: "terraform"
iac_dir: "./infra/production"
iac_version: "v14"
policy_type: "all"
checkov-staging:
runs-on: ubuntu-latest
name: "Checkov Staging Checks"
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Checkov GitHub Action
uses: bridgecrewio/checkov-action@v12
with:
directory: infra/
output_format: cli,sarif
output_file_path: console,results.sarif
checkov-production:
runs-on: ubuntu-latest
permissions:
security-events: write
name: "Checkov Production Checks"
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Checkov GitHub Action
uses: bridgecrewio/checkov-action@v12
with:
directory: infra/production/
output_format: cli,sarif
output_file_path: console,results.sarif
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
# Results are generated only on a success or failure
# this is required since GitHub by default won't run the next step
# when the previous one has failed. Security checks that do not pass will 'fail'.
# An alternative is to add `continue-on-error: true` to the previous step
# Or 'soft_fail: true' to checkov.
if: success() || failure()
with:
sarif_file: results.sarif