Merge pull request #7 from clouddrove/1.0.1

Add tfsec.yml

Author: yadavprakash

.github/workflows/readme.yml

@@ -18,7 +18,7 @@ jobs:
           python-version: '3.x'
 
       - name: 'create readme'
-        uses: 'clouddrove/github-actions@v8.0'
+        uses: 'clouddrove/github-actions@v9.0.2'
         with:
           actions_subcommand: 'readme'
           github_token: '${{ secrets.GITHUB}}'
@@ -35,7 +35,7 @@ jobs:
         continue-on-error: true
 
       - name: 'push readme'
-        uses: 'clouddrove/github-actions@v8.0'
+        uses: 'clouddrove/github-actions@v9.0.2'
         continue-on-error: true
         with:
           actions_subcommand: 'push'

.github/workflows/terraform.yml

@@ -1,91 +1,49 @@
-name: 'Terraform GitHub Actions'
+name: static-checks
+
 on:
   pull_request:
-    branches:
-      - master
 
 jobs:
-  fmt:
-    name: 'terraform fmt'
+  versionExtract:
+    name: Get min/max versions
     runs-on: ubuntu-latest
-    steps:
-      - name: 'Checkout'
-        uses: actions/checkout@v2.3.4
-
-      - name: 'Terraform Format'
-        uses: 'clouddrove/github-actions@v8.0'
-        with:
-          actions_subcommand: 'fmt'
-      - name: 'Terraform Format'
-        uses: 'clouddrove/github-actions@v8.0'
-        with:
-          actions_subcommand: 'fmt'
 
-  private-hostedzone:
-    name: 'private-hostedzone'
-    runs-on: ubuntu-latest
     steps:
-      - name: 'Checkout'
-        uses: actions/checkout@v2.3.4
+      - name: Checkout
+        uses: actions/checkout@v2
 
-      - name: 'Configure AWS Credentials'
-        uses: clouddrove/configure-aws-credentials@v1
-        with:
-          aws-access-key-id: ${{ secrets.TEST_AWS_ACCESS_KEY }}
-          aws-secret-access-key: ${{ secrets.TEST_AWS_ACCESS_SECRET_KEY }}
-          aws-region: us-east-2
-
-      - name: 'Terraform init for private-hostedzone'
-        uses: 'clouddrove/github-actions@v8.0'
-        with:
-          actions_subcommand: 'init'
-          tf_actions_working_dir: ./_example/private-hostedzone
-
-      - name: 'Terraform validate for private-hostedzone'
-        uses: 'clouddrove/github-actions@v8.0'
-        with:
-          actions_subcommand: 'validate'
-          tf_actions_working_dir: ./_example/private-hostedzone
+      - name: Terraform min/max versions
+        id: minMax
+        uses: clowdhaus/terraform-min-max@main
+    outputs:
+      minVersion: ${{ steps.minMax.outputs.minVersion }}
+      maxVersion: ${{ steps.minMax.outputs.maxVersion }}
 
-      - name: 'Terraform plan for private-hostedzone'
-        uses: 'clouddrove/github-actions@v8.0'
-        with:
-          actions_subcommand: 'plan'
-          tf_actions_working_dir: ./_example/private-hostedzone
 
-  public-hostedzone:
-    name: 'public-hostedzone'
+  versionEvaluate:
+    name: Evaluate Terraform versions
     runs-on: ubuntu-latest
-    steps:
-      - name: 'Checkout'
-        uses: actions/checkout@v2.3.4
+    needs: versionExtract
+    strategy:
+      fail-fast: false
+      matrix:
+        version:
+          - ${{ needs.versionExtract.outputs.minVersion }}
+          - ${{ needs.versionExtract.outputs.maxVersion }}
+        directory:
+          - _example/private-hostedzone
+          - _example/public-hostedzone
+          - _example/vpc-association
 
-      - name: 'Configure AWS Credentials'
-        uses: clouddrove/configure-aws-credentials@v1
-        with:
-          aws-access-key-id: ${{ secrets.TEST_AWS_ACCESS_KEY }}
-          aws-secret-access-key: ${{ secrets.TEST_AWS_ACCESS_SECRET_KEY }}
-          aws-region: us-east-2
 
-      - name: 'Terraform init for public-hostedzone'
-        uses: 'clouddrove/github-actions@v8.0'
-        with:
-          actions_subcommand: 'init'
-          tf_actions_working_dir: ./_example/public-hostedzone
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
 
-      - name: 'Terraform validate for public-hostedzone'
-        uses: 'clouddrove/github-actions@v8.0'
+      - name: Install Terraform v${{ matrix.version }}
+        uses: hashicorp/setup-terraform@v1
         with:
-          actions_subcommand: 'validate'
-          tf_actions_working_dir: ./_example/public-hostedzone
-
-
-  vpc-association:
-    name: 'vpc-association'
-    runs-on: ubuntu-latest
-    steps:
-      - name: 'Checkout'
-        uses: actions/checkout@v2.3.4
+          terraform_version: ${{ matrix.version }}
 
       - name: 'Configure AWS Credentials'
         uses: clouddrove/configure-aws-credentials@v1
@@ -94,51 +52,34 @@ jobs:
           aws-secret-access-key: ${{ secrets.TEST_AWS_ACCESS_SECRET_KEY }}
           aws-region: us-east-2
 
-      - name: 'Terraform init for vpc-association'
-        uses: 'clouddrove/github-actions@v8.0'
-        with:
-          actions_subcommand: 'init'
-          tf_actions_working_dir: ./_example/vpc-association
-
-      - name: 'Terraform validate for vpc-association'
-        uses: 'clouddrove/github-actions@v8.0'
-        with:
-          actions_subcommand: 'validate'
-          tf_actions_working_dir: ./_example/vpc-association
-
-      - name: 'Terraform plan for vpc-association'
-        uses: 'clouddrove/github-actions@v8.0'
+      - name: Init & validate v${{ matrix.version }}
+        run: |
+          cd ${{ matrix.directory }}
+          terraform init
+          terraform validate
+          
+      - name: tflint
+        uses: reviewdog/action-tflint@master
         with:
-          actions_subcommand: 'plan'
-          tf_actions_working_dir: ./_example/vpc-association
-
-  pre-commit:
-    name: 'Pre-Commit'
-    needs:
-      - fmt
-      - private-hostedzone
-      - public-hostedzone
-      - vpc-association
+          github_token: ${{ secrets.GITHUB }}
+          working_directory: ${{ matrix.directory }}
+          fail_on_error: 'true'
+          filter_mode: 'nofilter'
+          flags: '--module'
+
+  format:
+    name: Check code format
     runs-on: ubuntu-latest
-    steps:
-      - name: 'Checkout'
-        uses: actions/checkout@v2.3.4
-
-      - name: 'Install Tflint'
-        run: |
-          curl https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash
+    needs: versionExtract
 
-      - name: 'Pre-Commit 🔎'
-        uses: pre-commit/action@v2.0.3
-        continue-on-error: true
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
 
-      - name: 'Slack Notification'
-        uses: clouddrove/action-slack@v2
+      - name: Install Terraform v${{ needs.versionExtract.outputs.maxVersion }}
+        uses: hashicorp/setup-terraform@v1
         with:
-          status: ${{ job.status }}
-          fields: repo,author
-          author_name: 'CloudDrove'
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # required
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_TERRAFORM }} # required
-        if: always()
+          terraform_version: ${{ needs.versionExtract.outputs.maxVersion }}
+
+      - name: Check Terraform format changes
+        run: terraform fmt --recursive

.github/workflows/tfsec.yml

@@ -0,0 +1,26 @@
+name: tfsec
+on:
+  pull_request:
+
+jobs:
+  tfsec:
+    name: tfsec sarif report
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Clone repo
+        uses: actions/checkout@master
+
+      - name: tfsec
+        uses: aquasecurity/tfsec-sarif-action@v0.1.0
+        with:
+          sarif_file: tfsec.sarif
+          working_directory: _example
+          full_repo_scan: true
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: tfsec.sarif
+