Update description in Chart.yaml for sample-app #7
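# Reusable Terraform CI: fmt + validate, then three static scanners (tfsec,
# tflint, Checkov) whose SARIF output is uploaded to GitHub code scanning.
# Invoked from other workflows with `uses:` via the `workflow_call` inputs.
#
# This is the "brain" that the ecs-fargate pipeline and tf-ci.yml rely on;
# deleting or renaming it breaks those callers.
#
# TODO(security): every `uses:` below is pinned to a mutable tag. Pin each to
# a full-length commit SHA (keep the tag in a trailing comment) so a moved or
# compromised tag cannot change what runs against this repo.
name: Reusable Terraform CI

on:
  workflow_call:
    inputs:
      working-directory:
        required: true
        type: string
        description: "Path to the Terraform configuration"
      aws-region:
        required: false
        type: string
        default: "us-east-1"
        description: "AWS Region"
        # NOTE(review): not read anywhere in this workflow today (init runs
        # with -backend=false, so no AWS calls are made). Kept so existing
        # callers keep working; wire it up or drop it when a job needs it.

# Least privilege for GITHUB_TOKEN. A called workflow can only narrow the
# permissions the caller grants, never widen them, so callers need at least
# these for the SARIF uploads to succeed.
permissions:
  contents: read
  security-events: write   # required by github/codeql-action/upload-sarif
  actions: read            # upload-sarif needs this on private repos

jobs:
  validate:
    name: Validate & Sec Scan
    runs-on: ubuntu-latest
    # Bound runaway runs (a hung provider download or scanner) instead of
    # burning the default 6 hours of runner minutes.
    timeout-minutes: 30
    defaults:
      run:
        # Applies to `run:` steps only. `uses:` steps execute from the
        # workspace root, so each scanner gets the directory passed explicitly.
        working-directory: ${{ inputs.working-directory }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Nothing here pushes, so do not leave GITHUB_TOKEN in .git/config
          # where the third-party scanner actions below could read it.
          persist-credentials: false

      - name: Set up Terraform
        uses: hashicorp/setup-terraform@v3

      # Cache restore must run BEFORE `terraform init` populates .terraform;
      # the matching save happens automatically in the post-job phase.
      # Keyed on the lock file so a provider bump invalidates the cache.
      - name: Cache Terraform providers
        uses: actions/cache@v4
        with:
          path: ${{ inputs.working-directory }}/.terraform
          key: ${{ runner.os }}-terraform-${{ hashFiles('**/.terraform.lock.hcl') }}

      - name: Terraform fmt
        run: terraform fmt -check -recursive

      - name: Terraform init
        # -backend=false: no state access, so no AWS credentials are needed
        # just to validate syntax.
        run: terraform init -input=false -backend=false

      - name: Terraform validate
        run: terraform validate

      # NOTE(review): upstream has folded tfsec into Trivy; plan a migration
      # to Trivy's misconfiguration scanning when convenient.
      - name: Run tfsec
        uses: aquasecurity/tfsec-sarif-action@v0.1.4
        with:
          # Scan the same directory the other steps use, not the repo root.
          working_directory: ${{ inputs.working-directory }}
          sarif_file: tfsec.sarif

      # Scanners typically exit non-zero on findings; upload the report anyway
      # so the findings reach code scanning. Not `always()`: skip on cancel.
      - name: Upload tfsec SARIF
        if: success() || failure()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: tfsec.sarif
          # Distinct category per tool so the two uploads for one commit
          # do not collide.
          category: tfsec

      # tflint for checks tfsec does not cover.
      - name: Run tflint
        uses: terraform-linters/tflint-action@v2
        with:
          working_directory: ${{ inputs.working-directory }}
          args: "--recursive"

      # Checkov catches different classes of issues than tfsec.
      - name: Run Checkov
        uses: bridgecrewio/checkov-action@v12
        with:
          directory: ${{ inputs.working-directory }}
          output_format: sarif
          # Written relative to the workspace root, matching the upload below.
          output_file_path: checkov.sarif

      - name: Upload Checkov SARIF
        if: success() || failure()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: checkov.sarif
          category: checkov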