dsb-norge · Artlvns · Oct 25, 2024 · Oct 17, 2024 · Oct 17, 2024 · Oct 17, 2024
diff --git a/.github/workflows/terraform-module-ci.yaml b/.github/workflows/terraform-module-ci.yaml
@@ -0,0 +1,275 @@
+name: "DSB Terraform Module CI"
+#
+# A requirement for this workflow to run is that the following 'permissions' are granted by the calling workflow:
+#   permissions:
+#     id-token: write       # required for Azure password-less auth
+#     contents: read        # required for actions/checkout
+#     pull-requests: write  # required for commenting on PRs
+#
+# The following secrets must be available in the github 'secrets' context:
+#   - secrets.REPO_AZURE_DSB_TENANT_ID                    <-- ID of the Azure tenant to run the workflow in context of
+#   - secrets.REPO_AZURE_SUBSCRIPTION_ID                  <-- ID of the Azure subscription to run the workflow in context of
+#   - secrets.REPO_AZURE_TERRAFORM_USER_SERVICE_PRINCIPAL <-- ID of the Entra ID service principal with access to the Azure subscription
+#
+# From the calling workflow this can be achieved by either handing over all secrets:
+#   secrets: inherit
+# or by handing over just the required secrets from the calling workflow:
+#   secrets:
+#     REPO_AZURE_DSB_TENANT_ID: "secret value"
+#     REPO_AZURE_SUBSCRIPTION_ID: "secret value"
+#     REPO_AZURE_TERRAFORM_USER_SERVICE_PRINCIPAL: "secret value"
+#
+on:
+  workflow_call:
+    inputs:
+      terraform-version:
+        description: "Terraform version to use for the tests."
+        required: true
+        type : string
+      tflint-version:
+        description: "TFLint version to use for the tests."
+        required: true
+        type : string
+
+env:
+  ARM_TENANT_ID: ${{ secrets.REPO_AZURE_DSB_TENANT_ID }}
+  ARM_SUBSCRIPTION_ID: ${{ secrets.REPO_AZURE_SUBSCRIPTION_ID }}
+  ARM_CLIENT_ID: ${{ secrets.REPO_AZURE_TERRAFORM_USER_SERVICE_PRINCIPAL }}
+  ARM_USE_OIDC: true
+  ARM_USE_AZUREAD: true
+  TF_IN_AUTOMATION: true
+
+jobs:
+  create-matrix:
+    name: Create job matrix
+    runs-on: [self-hosted, dsb-terraformer, linux, x64]
+    defaults:
+      run:
+        shell: bash
+    outputs:
+      all-tests: ${{ steps.create-matrix.outputs.all-tests }}
+      plugin-cache-directory: ${{ steps.setup-terraform-cache.outputs.plugin-cache-directory }}
+      plugin-cache-key-monthly-rolling: ${{ steps.setup-terraform-cache.outputs.plugin-cache-key-monthly-rolling }}
+    steps:
+      - name: "🧹 Clean workspace"
+        uses: dsb-norge/directory-recreate@v1
+
+      - name: "⬇ Checkout working branch"
+        uses: actions/checkout@v4
+
+      - name: "🎰 Create env matrix"
+        id: create-matrix
+        uses: dsb-norge/github-actions-terraform/create-tftest-matrix@v0
+
+      - name: "📥 Setup Terraform"
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ inputs.terraform-version }}
+          # woraround for extra gibberish in output https://github.com/hashicorp/setup-terraform/issues/20
+          terraform_wrapper: false
+
+      - name: "🗄️ Setup Terraform provider plugin cache"
+        id: setup-terraform-cache
+        uses: dsb-norge/github-actions-terraform/setup-terraform-plugin-cache@v0
+
+      - name: "📥 Setup TFLint"
+        id: setup-tflint
+        uses: dsb-norge/github-actions-terraform/setup-tflint@v0
+        with:
+          tflint-version: ${{ inputs.tflint-version }}
+          working-directory: ${{ github.workspace }}
+
+      - name: "🚀 Cache Terraform provider plugins"
+        uses: actions/cache@v4
+        with:
+          path: ${{ steps.setup-terraform-cache.outputs.plugin-cache-directory }}
+          key: ${{ steps.setup-terraform-cache.outputs.plugin-cache-key-monthly-rolling }}
+
+      - name: ⚙️ Terraform Init
+        id: init
+        uses: dsb-norge/github-actions-terraform/terraform-init@v0
+        with:
+          working-directory: ${{ github.workspace }}
+          additional-dirs-json: null
+          plugin-cache-directory: ${{ steps.setup-terraform-cache.outputs.plugin-cache-directory }}
+        continue-on-error: true # allow job to continue, step outcome is evaluated later
+
+      - name: 🖌 Terraform Format
+        id: fmt
+        uses: dsb-norge/github-actions-terraform/terraform-fmt@v0
+        with:
+          working-directory: ${{ github.workspace }}
+          format-check-in-root-dir: true
+        continue-on-error: true # allow job to continue, step outcome is evaluated later
+
+      - name: ✔ Terraform Validate
+        id: validate
+        uses: dsb-norge/github-actions-terraform/terraform-validate@v0
+        with:
+          working-directory: ${{ github.workspace }}
+        continue-on-error: true # allow job to continue, step outcome is evaluated later
+
+      - name: 🧹 Lint with TFLint
+        id: lint
+        uses: dsb-norge/github-actions-terraform/lint-with-tflint@v0
+        with:
+          working-directory: ${{ github.workspace }}
+        continue-on-error: true # allow job to continue, step outcome is evaluated later
+
+      - name: 📝 Create validation summary
+        id: create-validation-summary
+        if: github.event_name == 'pull_request'
+        uses: dsb-norge/github-actions-terraform/create-validation-summary@v0
+        with:
+          environment-name: "module"
+          plan-txt-output-file: ""
+          status-init: ${{ steps.init.outcome }}
+          status-fmt: ${{ steps.fmt.outcome }}
+          status-validate: ${{ steps.validate.outcome }}
+          status-lint: ${{ steps.lint.outcome }}
+          status-plan: "N/A"
+        continue-on-error: true # allow job to continue, step outcome is ignored
+
+      - name: 🏷️ Add validation summary as pull request comment
+        id: validation-summary-on-pr
+        if: steps.create-validation-summary.outcome == 'success'
+        uses: dsb-norge/github-actions/ci-cd/comment-on-pr@v2
+        with:
+          pr-comment-text: ${{ steps.create-validation-summary.outputs.summary }}
+          delete-comments-starting-with: ${{ steps.create-validation-summary.outputs.prefix }}
+        continue-on-error: true # allow job to continue, step outcome is ignored
+
+      - name: "🧐 Validation outcome: ⚙️ Init"
+        run: |
+          if [ ! "${{ steps.init.outcome }}" == 'success' ]; then
+            echo "::error title=Init failed::Outcome of terraform init step was '${{ steps.init.outcome }}'!"
+            exit 1
+          fi
+        continue-on-error: false
+      - name: "🧐 Validation outcome: 🖌 Format"
+        run: |
+          if [ ! "${{ steps.fmt.outcome }}" == 'success' ]; then
+            echo "::error title=Format check failed::Outcome of terraform fmt step was '${{ steps.fmt.outcome }}'!"
+            exit 1
+          fi
+        continue-on-error: false
+      - name: "🧐 Validation outcome: ✔ Validate"
+        run: |
+          if [ ! "${{ steps.validate.outcome }}" == 'success' ]; then
+            echo "::error title=Validate failed::Outcome of terraform validate step was '${{ steps.validate.outcome }}' !"
+            exit 1
+          fi
+        continue-on-error: false
+      - name: "🧐 Validation outcome: 🧹 TFLint"
+        run: |
+          if [ ! "${{ steps.lint.outcome }}" == 'success' ]; then
+            echo "::error title=Lint failed::Outcome of TFLint step was '${{ steps.lint.outcome }}'!"
+            exit 1
+          fi
+        continue-on-error: false
+
+
+  terraform-module-ci:
+    name: "Terraform Test"
+    needs: create-matrix
+    runs-on: [self-hosted, dsb-terraformer, linux, x64]
+    strategy:
+      fail-fast: false # Allow jobs to continue even though one more env(s) fail
+      matrix: 
+        test-file: ${{ fromJSON(needs.create-matrix.outputs.all-tests).files }}
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - name: "⬇ Checkout"
+        uses: actions/checkout@v4
+
+      - name: "📥 Setup Terraform"
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ inputs.terraform-version }}
+          # woraround for extra gibberish in output https://github.com/hashicorp/setup-terraform/issues/20
+          terraform_wrapper: false
+
+      - name: "🚀 Cache Terraform provider plugins"
+        uses: actions/cache@v4
+        with:
+          path: ${{ needs.create-matrix.outputs.plugin-cache-directory }}
+          key: ${{ needs.create-matrix.outputs.plugin-cache-key-monthly-rolling }}
+
+      - name: ⚙️ Terraform Init
+        id: init
+        uses: dsb-norge/github-actions-terraform/terraform-init@v0
+        with:
+          working-directory: ${{ github.workspace }}
+          additional-dirs-json: null
+          plugin-cache-directory: ${{ needs.create-matrix.outputs.plugin-cache-directory }}
+        continue-on-error: true # allow job to continue, step outcome is evaluated later    
+
+      - name: 🧪 Terraform Test
+        id: test
+        uses: dsb-norge/github-actions-terraform/terraform-test@v0
+        with:
+          test-file: ${{ matrix.test-file }}
+        continue-on-error: true # allow job to continue, step outcome is evaluated later
+
+      - name: 📝 Create test report
+        id: create-test-report
+        if: github.event_name == 'pull_request'
+        uses: dsb-norge/github-actions-terraform/create-test-report@v0
+        with:
+          test-out-file: ${{ steps.test.outputs.json }}
+          status-init: ${{ steps.init.outcome }}
+          status-test: ${{ steps.test.outcome }}
+          test-summary: ${{ steps.test.outputs.summary }}
+          test-report: ${{ steps.test.outputs.report }}
+          test-file: ${{ matrix.test-file }}
+        continue-on-error: true # allow job to continue, step outcome is evaluated later
+
+      - name: 🏷️ Add validation summary as pull request comment
+        id: validation-summary-on-pr
+        if: steps.create-test-report.outcome == 'success'
+        uses: dsb-norge/github-actions/ci-cd/comment-on-pr@v2
+        with:
+          pr-comment-text: ${{ steps.create-test-report.outputs.summary }}
+          delete-comments-starting-with: ${{ steps.create-test-report.outputs.prefix }}
+        continue-on-error: true # allow job to continue, step outcome is ignored
+
+      # Terminate the job with 'failure' if any validation check did not succeed.
+      # If 'allow-failing-terraform-operations' is 'true' for the environment the job will not terminate.
+
+      - name: "🧐 Validation outcome: ⚙️ Init"
+        run: |
+          if [ ! "${{ steps.init.outcome }}" == 'success' ]; then
+            echo "::error title=Init failed::Outcome of terraform init step was '${{ steps.init.outcome }}'!"
+            exit 1
+          fi
+        continue-on-error: false
+
+      - name: "🧐 Validation outcome: 🧪 Test"
+        run: |
+          if [ ! "${{ steps.test.outcome }}" == 'success' ]; then
+            echo "::error title=Test failed::Outcome of terraform test step was '${{ steps.test.outcome }}' for file '${{ matrix.test-file }}'!"
+            exit 1
+          fi
+        continue-on-error: false
+
+    # create a global result indicating if workflow steps succeeded or not,
+    # handy for branch protection rules
+  conclusion:
+    if: always()
+    name: "Terraform conclusion"
+    needs: [create-matrix, terraform-module-ci]
+    runs-on: ubuntu-latest # no need to schedule this on our own runners
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - run: exit 1
+        # for explanation of '>-' below see https://stackoverflow.com/a/67532120/4907315
+        # job 'result': possible values are 'success', 'failure', 'cancelled', or 'skipped'
+        if: >-
+          ${{
+               contains(needs.*.result, 'failure')
+            || contains(needs.*.result, 'cancelled')
+          }}