Master

.github/actions/templates/tfApply/action.yml

@@ -0,0 +1,91 @@
+name: 'ApplyTerraform'
+description: 'Apply Terraform'
+
+inputs:
+  destroy:
+    description: 'Destroy the infrastructure'
+    required: false
+    default: 'false'
+  modulePath:
+    description: 'Path to the Terraform module'
+    required: false
+    default: '.'
+  backendStateKey:
+    description: 'Key to the backend state file'
+    required: false
+    default: 'terraform.tfstate'
+  terraformVersion:
+    description: 'Terraform version to use'
+    required: false
+    default: '1.3.9'
+  backendResourceGroupName:
+    description: 'Resource group name for the backend state'
+    required: true
+  backendStorageAccountName:
+    description: 'Storage account name for the backend state'
+    required: true
+  backendStorageContainerName:
+    description: 'Storage container name for the backend state'
+    required: true
+  shell:
+    description: 'Shell to use for the action'
+    required: false
+    default: 'bash'
+  ARM_CLIENT_ID:
+    description: 'Azure client ID'
+    required: true
+  ARM_SUBSCRIPTION_ID:
+    description: 'Azure subscription ID'
+    required: true
+  ARM_TENANT_ID:
+    description: 'Azure tenant ID'
+    required: true
+
+
+runs:
+  using: 'composite'
+  steps:
+  - name: Download a single artifact
+    id: download
+    uses: actions/download-artifact@v3
+    with:
+      name: ${{ github.run_id }}.tfplan
+      path: ${{ inputs.modulePath }}
+
+  - name: Setup Terraform
+    if: steps.download.outcome == 'success'
+    uses: hashicorp/setup-terraform@v2
+    with:
+      terraformVersion: ${{ inputs.terraformVersion }}
+
+  - name: Terraform Init
+    id: init
+    shell: ${{ inputs.shell }}
+    working-directory: ${{ inputs.modulePath }}
+    run: |
+      terraform init \
+        -backend-config="resource_group_name=${{ inputs.backendResourceGroupName }}"   \
+        -backend-config="storage_account_name=${{ inputs.backendStorageAccountName }}" \
+        -backend-config="container_name=${{ inputs.backendStorageContainerName }}"     \
+        -backend-config="key=${{ inputs.backendStateKey }}"
+    env:
+      ARM_CLIENT_ID: ${{ inputs.ARM_CLIENT_ID }}
+      ARM_SUBSCRIPTION_ID: ${{ inputs.ARM_SUBSCRIPTION_ID }}
+      ARM_TENANT_ID: ${{ inputs.ARM_TENANT_ID }}
+      ARM_USE_OIDC: true
+
+  - name: Terraform Apply
+    id: apply
+    shell: ${{ inputs.shell }}
+    working-directory: ${{ inputs.modulePath }}
+    run: |
+      terraform apply \
+        -auto-approve \
+        -input=false \
+        -no-color \
+        tfplan
+    env:
+      ARM_CLIENT_ID: ${{ inputs.ARM_CLIENT_ID }}
+      ARM_SUBSCRIPTION_ID: ${{ inputs.ARM_SUBSCRIPTION_ID }}
+      ARM_TENANT_ID: ${{ inputs.ARM_TENANT_ID }}
+      ARM_USE_OIDC: true

.github/actions/templates/tfValidatePlan/action.yml

@@ -0,0 +1,181 @@
+name: 'ValidateAndPlanTerraform'
+description: 'Validate and Plan Terraform'
+
+inputs:
+  destroy:
+    description: 'Destroy the infrastructure'
+    required: false
+    default: 'false'
+  modulePath:
+    description: 'Path to the Terraform module'
+    required: false
+    default: '.'
+  tfvarPath:
+    description: 'Path to the Terraform variables file with respect to the modulePath'
+    required: false
+    default: 'terraform.tfvars'
+  backendStateKey:
+    description: 'Key to the backend state file'
+    required: false
+    default: 'terraform.tfstate'
+  terraformVersion:
+    description: 'Terraform version to use'
+    required: false
+    default: '1.3.9'
+  backendResourceGroupName:
+    description: 'Resource group name for the backend state'
+    required: true
+  backendStorageAccountName:
+    description: 'Storage account name for the backend state'
+    required: true
+  backendStorageContainerName:
+    description: 'Storage container name for the backend state'
+    required: true
+  shell:
+    description: 'Shell to use for the action'
+    required: false
+    default: 'bash'
+  ARM_CLIENT_ID:
+    description: 'Azure client ID'
+    required: true
+  ARM_SUBSCRIPTION_ID:
+    description: 'Azure subscription ID'
+    required: true
+  ARM_TENANT_ID:
+    description: 'Azure tenant ID'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+  - name: Terraform Init
+    id: init
+    shell: ${{ inputs.shell }}
+    working-directory: ${{ inputs.modulePath }}
+    run: |
+      terraform init \
+        -backend-config="resource_group_name=${{ inputs.backendResourceGroupName }}"   \
+        -backend-config="storage_account_name=${{ inputs.backendStorageAccountName }}" \
+        -backend-config="container_name=${{ inputs.backendStorageContainerName }}"     \
+        -backend-config="key=${{ inputs.backendStateKey }}"
+    env:
+      ARM_CLIENT_ID: ${{ inputs.ARM_CLIENT_ID }}
+      ARM_SUBSCRIPTION_ID: ${{ inputs.ARM_SUBSCRIPTION_ID }}
+      ARM_TENANT_ID: ${{ inputs.ARM_TENANT_ID }}
+      ARM_USE_OIDC: true
+
+  - name: Terraform Validate
+    id: validate
+    shell: ${{ inputs.shell }}
+    working-directory: ${{ inputs.modulePath }}
+    run: |
+      terraform validate -no-color
+      echo stdout=$(terraform validate -no-color)
+
+  - name: tfsec
+    uses: aquasecurity/[email protected]
+    with:
+      tfsec_args: --soft-fail
+      github_token: ${{ github.token }}
+
+  - name: Terraform Plan
+    id: plan
+    shell: ${{ inputs.shell }}
+    working-directory: ${{ inputs.modulePath }}
+    continue-on-error: true
+    run: |
+      if [ "${{ github.event.inputs.destroy }}" = "true" ]; then
+        terraform plan \
+          -destroy \
+          -input=false \
+          -out=tfplan \
+          -no-color \
+          -var-file="${{ inputs.tfvarPath }}"
+      else
+        terraform plan \
+          -input=false \
+          -out=tfplan \
+          -no-color \
+          -var-file="${{ inputs.tfvarPath }}"
+      fi
+
+      terraform show -no-color tfplan > ${GITHUB_WORKSPACE}/plan.out
+    env:  
+      ARM_CLIENT_ID: ${{ inputs.ARM_CLIENT_ID }}
+      ARM_SUBSCRIPTION_ID: ${{ inputs.ARM_SUBSCRIPTION_ID }}
+      ARM_TENANT_ID: ${{ inputs.ARM_TENANT_ID }}
+      ARM_USE_OIDC: true
+
+  - name: 'Upload TFPlan Artifact'
+    if: steps.plan.outcome == 'success'
+    uses: actions/upload-artifact@v3
+    with:
+      name: ${{ github.run_id }}.tfplan
+      path: ${{ inputs.modulePath }}/tfplan
+      retention-days: 5
+
+  - name: Post Plan to GitHub PR
+    uses: actions/github-script@v6
+    if: github.event_name == 'pull_request' && steps.plan.outcome == 'success'
+    with:
+      script: |
+        const run_url = process.env.GITHUB_SERVER_URL + '/' + process.env.GITHUB_REPOSITORY + '/actions/runs/' + process.env.GITHUB_RUN_ID
+        const run_link = '<a href="' + run_url + '">Actions</a>.'
+        const fs = require('fs')
+        const plan_file = fs.readFileSync('plan.out', 'utf8')
+        const plan = plan_file.length > 65000 ? plan_file.toString().substring(0, 65000) + " ..." : plan_file
+        const truncated_message = plan_file.length > 65000 ? "Output is too long and was truncated. You can read full Plan in " + run_link + "<br /><br />" : ""
+        const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
+        #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
+        #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
+        <details><summary>Validation Output</summary>
+
+        \`\`\`\n
+        ${{ steps.validate.outputs.stdout }}
+        \`\`\`
+
+        </details>
+
+        #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
+
+        <details><summary>Show Plan</summary>
+
+        \`\`\`\n
+        ${plan}
+        \`\`\`
+
+        </details>
+        ${truncated_message}
+
+        *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ inputs.modulePath }}\`, Workflow: \`${{ github.workflow }}\`*`;
+
+        await github.rest.issues.createComment({
+          issue_number: context.issue.number,
+          owner: context.repo.owner,
+          repo: context.repo.repo,
+          body: output
+        })
+
+  - name: Post Plan Failure
+    if: github.event_name == 'pull_request' && steps.plan.outcome == 'failure'
+    uses: actions/github-script@v6
+    with:
+      script: |
+        const output = `#### Terraform Plan failed
+        <details><summary>Plan Error Output</summary>
+
+        \`\`\`\n
+        ${{ steps.plan.outputs.stderr }}
+        \`\`\`
+
+        *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ inputs.modulePath }}\`, Workflow: \`${{ github.workflow }}\`*`;
+        await github.rest.issues.createComment({
+          issue_number: context.issue.number,
+          owner: context.repo.owner,
+          repo: context.repo.repo,
+          body: output
+        })
+  - name: Exit if plan failed
+    shell: ${{ inputs.shell }}
+    if: steps.plan.outcome == 'failure'
+    run: exit 1

.github/workflows/.template.terraform.yml

@@ -0,0 +1,97 @@
+name: '.Template - Terraform Deployment'
+
+on:
+  workflow_call:
+    inputs:
+      terraformVersion:
+        type: string
+        description: 'Terraform version'
+        required: true
+        default: '1.3.9'
+      modulePath:
+        type: string
+        description: 'Path to the Terraform module'
+        required: true
+        default: 'scenarios/secure-baseline-ase/terraform'
+      backendStateKey:
+        type: string
+        description: 'Name of the state file'
+        required: true
+      tfvarPath:
+        type: string
+        description: 'Path to the Terraform variables'
+        required: true
+      destroy:
+        type: boolean
+        description: 'Destroy resources?'
+        default: false
+
+jobs:
+  terraform-validate-and-plan:
+    name: 'Validate and Plan'
+    timeout-minutes: 360
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout the code
+        uses: actions/checkout@main
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: ${{ inputs.terraform_version }}
+
+      # Log into Azure via OIDC
+      - uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION }}
+
+      - name: 'ValidateAndPlan'
+        id: validate-plan
+        uses: ./.github/actions/templates/tfValidatePlan
+        with:
+          terraformVersion: ${{ inputs.terraformVersion }}
+          modulePath: ${{ inputs.modulePath }}
+          tfvarPath: ${{ inputs.tfvarPath }}
+          backendStateKey: ${{ inputs.backendStateKey }}
+          destroy: ${{ github.event.inputs.destroy }}
+          backendResourceGroupName: ${{ secrets.AZURE_TF_STATE_RESOURCE_GROUP_NAME }}
+          backendStorageAccountName: ${{ secrets.AZURE_TF_STATE_STORAGE_ACCOUNT_NAME }}
+          backendStorageContainerName: ${{ secrets.AZURE_TF_STATE_STORAGE_CONTAINER_NAME }}
+          ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+          ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION }}
+          ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+
+  terraform-apply:
+    if: github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch'
+    environment: 'Production'
+    name: 'Deploy'
+    needs: terraform-validate-and-plan
+    timeout-minutes: 360
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout the code
+        uses: actions/checkout@main
+
+      # Log into Azure via OIDC
+      - uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION }}
+
+      - name: 'ApplyTerraform'
+        id: apply
+        uses: ./.github/actions/templates/tfApply
+        with:
+          terraformVersion: ${{ inputs.terraformVersion }}
+          modulePath: ${{ inputs.modulePath }}
+          backendStateKey: ${{ inputs.backendStateKey }}
+          destroy: ${{ github.event.inputs.destroy }}
+          backendResourceGroupName: ${{ secrets.AZURE_TF_STATE_RESOURCE_GROUP_NAME }}
+          backendStorageAccountName: ${{ secrets.AZURE_TF_STATE_STORAGE_ACCOUNT_NAME }}
+          backendStorageContainerName: ${{ secrets.AZURE_TF_STATE_STORAGE_CONTAINER_NAME }}
+          ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+          ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION }}
+          ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}