
Adding automated TF deployment to CI account #9


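---
# CI pipeline for the sample stack: plan -> apply -> Scout Suite audit -> destroy,
# all against the "aws-ci" environment. Every job authenticates to AWS through
# GitHub OIDC (permissions.id-token: write) by assuming AWS_CI_ROLE_ARN.
#
# NOTE(review): the workflow runs on pull_request as well as push, so a PR
# targeting main applies real infrastructure; the aws-ci environment should
# carry protection rules (required reviewers / deployment branches).
# NOTE(review): `uses:` references are major-version tags; pinning each action
# to a full commit SHA (tag kept in a trailing comment) guards against a moved
# or compromised tag. No SHAs are recorded here, so none are pinned yet.
name: ScouteSuite

on:
  pull_request:
    branches: ["main"]
  push:
    branches: ["main"]

# All runs share one remote state (CI_TF_STATE_BUCKET / CI_TF_STATE_KEY), so
# two runs must never plan/apply/destroy at the same time. An in-flight apply
# or destroy is deliberately not cancelled: cancelling mid-apply can leave
# resources outside the state file.
concurrency:
  group: terraform-aws-ci
  cancel-in-progress: false

jobs:
  terraform-plan:
    name: "Terraform Plan"
    strategy:
      matrix:
        dir:
          - "samples/simple-build-pipeline"
    environment: aws-ci
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: ${{ vars.AWS_REGION }}
          # Role ARN comes from the repository/environment secrets.
          role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
          role-session-name: CGDToolkitGitHubActions

      # Installs the Terraform CLI. No Terraform Cloud token is configured.
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3

      # Backend settings are passed through the environment rather than
      # interpolated into the command text, and the command is a block scalar:
      # a plain multi-line scalar would have folded the backslash continuations
      # into "\ " and handed Terraform mangled arguments.
      - name: Terraform Init
        id: init
        working-directory: ${{ matrix.dir }}
        env:
          TF_STATE_BUCKET: ${{ secrets.CI_TF_STATE_BUCKET }}
          TF_STATE_KEY: ${{ secrets.CI_TF_STATE_KEY }}
          TF_STATE_REGION: ${{ vars.AWS_REGION }}
        run: |
          terraform init -input=false \
            -backend-config="bucket=${TF_STATE_BUCKET}" \
            -backend-config="key=${TF_STATE_KEY}" \
            -backend-config="region=${TF_STATE_REGION}"

      # Formatting drift is reported but does not fail the pipeline.
      - name: Terraform fmt
        id: fmt
        working-directory: ${{ matrix.dir }}
        run: terraform fmt -check
        continue-on-error: true

      - name: Terraform Validate
        id: validate
        working-directory: ${{ matrix.dir }}
        run: terraform validate -no-color

      # The domain name is supplied via TF_VAR_* so the secret never appears
      # in the shell command line (the previous -var form was also missing
      # the "=" and its closing quote, which broke the shell line).
      - name: Terraform Plan
        id: plan
        working-directory: ${{ matrix.dir }}
        env:
          TF_VAR_fully_qualified_domain_name: ${{ secrets.CI_FULLY_QUALIFIED_DOMAIN_NAME }}
        run: |
          exitcode=0
          terraform plan -detailed-exitcode -no-color -input=false -out tfplan || exitcode=$?
          echo "exitcode=$exitcode" >> "$GITHUB_OUTPUT"
          # -detailed-exitcode: 0 = no changes, 1 = error, 2 = changes to apply.
          if [ "$exitcode" -eq 1 ]; then
            echo "Terraform Plan Failed!"
            exit 1
          fi
          exit 0

      # The plan lives in the working directory, so the path must include it.
      # NOTE(review): a saved plan embeds variable values (including the FQDN
      # secret) and artifacts are downloadable by anyone with read access to
      # the repository; keep the retention short if that matters.
      - name: Publish Terraform Plan
        uses: actions/upload-artifact@v4
        with:
          name: tfplan
          path: ${{ matrix.dir }}/tfplan

  terraform-apply:
    name: "Terraform Apply"
    strategy:
      matrix:
        dir:
          - "samples/simple-build-pipeline"
    runs-on: ubuntu-latest
    needs: terraform-plan
    environment: aws-ci
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: ${{ vars.AWS_REGION }}
          # Role ARN comes from the repository/environment secrets.
          role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
          role-session-name: CGDToolkitGitHubActions

      # Installs the Terraform CLI. No Terraform Cloud token is configured.
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3

      # Must run in the same directory and against the same remote backend
      # as the plan job; a bare `terraform init` in the repository root would
      # have initialised an empty local state that the saved plan does not
      # belong to.
      - name: Terraform Init
        working-directory: ${{ matrix.dir }}
        env:
          TF_STATE_BUCKET: ${{ secrets.CI_TF_STATE_BUCKET }}
          TF_STATE_KEY: ${{ secrets.CI_TF_STATE_KEY }}
          TF_STATE_REGION: ${{ vars.AWS_REGION }}
        run: |
          terraform init -input=false \
            -backend-config="bucket=${TF_STATE_BUCKET}" \
            -backend-config="key=${TF_STATE_KEY}" \
            -backend-config="region=${TF_STATE_REGION}"

      # Restore the saved plan next to the configuration it was produced from.
      - name: Download Terraform Plan
        uses: actions/download-artifact@v4
        with:
          name: tfplan
          path: ${{ matrix.dir }}

      # Applying a saved plan never prompts; -auto-approve is kept for clarity.
      - name: Terraform Apply
        working-directory: ${{ matrix.dir }}
        run: terraform apply -input=false -auto-approve tfplan

  scout-suite:
    runs-on: ubuntu-latest
    environment: aws-ci
    needs: terraform-apply
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: ${{ vars.AWS_REGION }}
          # Role ARN comes from the repository/environment secrets.
          # NOTE(review): the same role deploys and destroys infrastructure;
          # an audit-only role with read-only permissions would be preferable
          # for this job.
          role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
          role-session-name: CGDToolkitGitHubActions

      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.10"

      - name: Install ScoutSuite
        run: pip install scoutsuite

      # `pip install scoutsuite` provides the `scout` console entry point;
      # scout.py only exists in a source checkout of Scout Suite, which this
      # job never performs, so `python3 scout.py aws` could not run.
      - name: Run Scout
        run: scout aws --no-browser

      # Keep the audit report even when the scan itself reports problems.
      - name: Publish Scout Suite report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: scoutsuite-report
          path: scoutsuite-report
          if-no-files-found: warn

  terraform-destroy:
    name: "Terraform Destroy"
    strategy:
      matrix:
        dir:
          - "samples/simple-build-pipeline"
    runs-on: ubuntu-latest
    needs: scout-suite
    # Tear the CI stack down even if the audit (or an earlier job) failed,
    # so a failing run does not leave billable, internet-facing resources up.
    if: always()
    environment: aws-ci
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: ${{ vars.AWS_REGION }}
          # Role ARN comes from the repository/environment secrets.
          role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
          role-session-name: CGDToolkitGitHubActions

      # Installs the Terraform CLI. No Terraform Cloud token is configured.
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3

      # Same directory and remote backend as plan/apply, otherwise destroy
      # would operate on an empty local state and remove nothing.
      - name: Terraform Init
        working-directory: ${{ matrix.dir }}
        env:
          TF_STATE_BUCKET: ${{ secrets.CI_TF_STATE_BUCKET }}
          TF_STATE_KEY: ${{ secrets.CI_TF_STATE_KEY }}
          TF_STATE_REGION: ${{ vars.AWS_REGION }}
        run: |
          terraform init -input=false \
            -backend-config="bucket=${TF_STATE_BUCKET}" \
            -backend-config="key=${TF_STATE_KEY}" \
            -backend-config="region=${TF_STATE_REGION}"

      # `terraform destroy` does not accept a saved plan file as a positional
      # argument (the old `destroy -auto-approve tfplan` was rejected), so the
      # plan artifact is not downloaded here; the variable is supplied the
      # same way as for plan so the configuration evaluates identically.
      - name: Terraform Destroy
        working-directory: ${{ matrix.dir }}
        env:
          TF_VAR_fully_qualified_domain_name: ${{ secrets.CI_FULLY_QUALIFIED_DOMAIN_NAME }}
        run: terraform destroy -input=false -auto-approve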