Skip to content
Check Terraform

Changed the if variables to check for the new target name #358

Sign in to view logs

Changed the if variables to check for the new target name

Changed the if variables to check for the new target name #358

Workflow file for this run

.github/workflows/terraform.yml at fdf75ae
name: "Check Terraform"
on:
push:
branches: main
pull_request_target:
branches: main
# for Dependabot terraform-docs
permissions:
contents: write
jobs:
determine-modules:
name: "Determine Terraform Modules"
runs-on: ubuntu-latest
outputs:
check_modules: ${{ github.event_name == 'pull_request_target'
&& steps.output-changed.outputs.changed_modules
|| steps.output-all.outputs.all_modules }}
all_modules: ${{ steps.output-all.outputs.all_modules }}
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Output all modules
id: output-all
run: |
JQ_OUTPUT_ALL=$(find modules -mindepth 2 -maxdepth 2 -type d | jq -MRsc 'split("\n")[:-1]')
echo "all_modules=$JQ_OUTPUT_ALL" >> $GITHUB_OUTPUT
- name: Output changed modules
if: ${{ github.event_name == 'pull_request_target' }}
id: output-changed
env:
BASE_SHA: ${{ github.event.pull_request.base.sha }}
run: |
JQ_OUTPUT_CHANGED=$(git diff --name-only $BASE_SHA $GITHUB_SHA modules/*/*/*.tf |
cut -d/ -f1-3 | sort -u | jq -MRsc 'split("\n")[:-1]')
echo "changed_modules=$JQ_OUTPUT_CHANGED" >> $GITHUB_OUTPUT
terraform-check:
name: "Check Terraform"
runs-on: ubuntu-latest
needs: determine-modules
if: ${{ needs.determine-modules.outputs.check_modules != '[]' }}
strategy:
matrix:
module: ${{ fromJSON(needs.determine-modules.outputs.check_modules) }}
defaults:
run:
working-directory: "${{ matrix.module }}"
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Setup
uses: hashicorp/setup-terraform@v2
- name: Terraform Format
id: fmt
run: terraform fmt -check
- name: Terraform Init
id: init
run: terraform init
- name: Terraform Validate
id: validate
run: terraform validate
- name: Terraform Security
uses: aquasecurity/tfsec-action@v1.0.3
with:
github_token: ${{ github.token }}
soft_fail: true
working_directory: "${{ matrix.module }}"
terraform-docs:
name: "Update Terraform Docs"
runs-on: ubuntu-latest
needs: terraform-check
if: ${{ github.event_name == 'pull_request_target' }}
steps:
- name: Checkout
uses: actions/checkout@v3
with:
repository: ${{ github.event.pull_request.head.repo.full_name }}
ref: ${{ github.event.pull_request.head.ref }}
- name: Update README files
uses: terraform-docs/gh-actions@v1.0.0
with:
find-dir: "modules"
config-file: "${{ github.workspace }}/.terraform-docs.yml"
output-method: inject
git-push: "true"
dependabot:
name: Update Dependabot Entries
runs-on: ubuntu-latest
needs:
- determine-modules
- terraform-docs # to avoid race condition with both committing
if: ${{ always() && github.event_name == 'pull_request_target' }}
steps:
- name: Checkout
uses: actions/checkout@v3
with:
repository: ${{ github.event.pull_request.head.repo.full_name }}
ref: ${{ github.event.pull_request.head.ref }}
- name: Update dependabot.yml
env:
MODULES: ${{ needs.determine-modules.outputs.all_modules }}
run: |
cp .github/dependabot-base.yml .github/dependabot.yml
sed -i '1i # This file is auto-generated from dependabot-base.yml' .github/dependabot.yml
jq -r '.[]' <<< "$MODULES" | sort | while read MODULE; do
cat <<EOF >> .github/dependabot.yml
- package-ecosystem: terraform
directory: /$MODULE
schedule:
interval: daily
ignore:
- dependency-name: "*"
update-types:
- "version-update:semver-patch"
- "version-update:semver-minor"
EOF
done
- uses: stefanzweifel/git-auto-commit-action@v4
with:
commit_message: Update dependabot terraform entries
commit_author: "github-actions[bot] <github-actions[bot]@users.noreply.github.com>"
file_pattern: .github/dependabot.yml
skip_checkout: true