.github/workflows/scoutsuite.yml

name: ScouteSuite
on:
    pull_request:
        branches:
            ["main"]
    push:
        branches:
            ["main"]

jobs:
    terraform-plan:
        name: "Terraform Plan"
        strategy:
            matrix: { dir: ["samples/simple-build-pipeline"] }
        environment: aws-ci
        runs-on: ubuntu-latest
        permissions:
            id-token: write
            contents: read
        steps:
            - name: Checkout
              uses: actions/checkout@v4
            - name: Configure AWS Credentials
              uses: aws-actions/configure-aws-credentials@v4
              with:
                aws-region: ${{ env.AWS_REGION }}
                ## the following creates an ARN based on the values entered into github secrets
                role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
                role-session-name: CGDToolkitGitHubActions
            - name: Setup Terraform
              uses: hashicorp/setup-terraform@v3

            - name: Terraform Init
              id: init
              working-directory: ${{ matrix.dir }}
              run: terraform init \
                    -backend-config="bucket=${{ secrets.CI_TF_STATE_BUCKET }}" \
                    -backend-config="key=${{ secrets.CI_TF_STATE_KEY }}" \
                    -backend-config="region=${{ env.AWS_REGION }}"

            - name: Terraform fmt
              id: fmt
              working-directory: ${{ matrix.dir }}
              run: terraform fmt -check
              continue-on-error: true

            - name: Terraform Validate
              id: validate
              working-directory: ${{ matrix.dir }}
              run: terraform validate -no-color
            
            - name: Terraform Plan
              id: plan
              working-directory: ${{ matrix.dir }}
              run: |
                export exitcode=0
                terraform plan -detailed-exitcode -no-color -var="fully_qualified_domain_name ${{ secrets.CI_FULLY_QUALIFIED_DOMAIN_NAME }} -out tfplan || export exitcode=$?
      
                echo "exitcode=$exitcode" >> $GITHUB_OUTPUT
              
                if [ $exitcode -eq 1 ]; then
                  echo Terraform Plan Failed!
                  exit 1
                else 
                  exit 0
                fi
            
            - name: Publish Terraform Plan
              uses: actions/upload-artifact@v4
              with:
                name: tfplan
                path: tfplan

    terraform-apply:
        name: "Terraform Apply"
        runs-on: ubuntu-latest
        needs: terraform-plan
        environment: aws-ci
        permissions:
            id-token: write
            contents: read
        steps:
            - name: Checkout
              uses: actions/checkout@v4
            
            - name: Configure AWS Credentials
              uses: aws-actions/configure-aws-credentials@v4
              with:
                aws-region: ${{ env.AWS_REGION }}
                ## the following creates an ARN based on the values entered into github secrets
                role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
                role-session-name: CGDToolkitGitHubActions
            
            # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
            - name: Setup Terraform
              uses: hashicorp/setup-terraform@v3

            # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
            - name: Terraform Init
              run: terraform init
            
              # Download saved plan from artifacts  
            - name: Download Terraform Plan
              uses: actions/download-artifact@v4
              with:
                name: tfplan
            
            # Terraform Apply
            - name: Terraform Apply
              run: terraform apply -auto-approve tfplan

    scout-suite:
        runs-on: ubuntu-latest
        environment: aws-ci
        needs: terraform-apply
        permissions:
            id-token: write
            contents: read
        steps:
            - name: Configure AWS Credentials
              uses: aws-actions/configure-aws-credentials@v4
              with:
                aws-region: ${{ env.AWS_REGION }}
                ## the following creates an ARN based on the values entered into github secrets
                role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
                role-session-name: CGDToolkitGitHubActions

            - name: Setup Python
              uses: actions/setup-python@v5
              with:
                python-version: "3.10"

            - name: Install ScoutSuite
              run: pip install scoutsuite

            - name: Run Scout
              run: python3 scout.py aws

    terraform-destroy:
        name: "Terraform Destroy"
        runs-on: ubuntu-latest
        needs: scout-suite
        environment: aws-ci
        permissions:
            id-token: write
            contents: read
        steps:
            - name: Checkout
              uses: actions/checkout@v4
            
            - name: Configure AWS Credentials
              uses: aws-actions/configure-aws-credentials@v4
              with:
                aws-region: ${{ env.AWS_REGION }}
                ## the following creates an ARN based on the values entered into github secrets
                role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
                role-session-name: CGDToolkitGitHubActions
            
            # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
            - name: Setup Terraform
              uses: hashicorp/setup-terraform@v3

            # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
            - name: Terraform Init
              run: terraform init
            
              # Download saved plan from artifacts  
            - name: Download Terraform Plan
              uses: actions/download-artifact@v4
              with:
                name: tfplan
            
            # Terraform Apply
            - name: Terraform Apply
              run: terraform destroy -auto-approve tfplan