Skip to content

terraform-compliance/github_action

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace
BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

51 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 
action.yml
action.yml
 
 
install.sh
install.sh
 
 
run.sh
run.sh
 
 

Repository files navigation

terraform-compliance GitHub Action

terraform-compliance


terraform-compliance is a lightweight, security and compliance focused test framework against terraform to enable negative testing capability for your infrastructure-as-code.

  • compliance: Ensure the implemented code is following security standards, your own custom standards
  • behaviour driven development: We have BDD for nearly everything, why not for IaC ?
  • portable: just install it from pip or run it via docker. See Installation
  • pre-deploy: it validates your code before it is deployed
  • easy to integrate: it can run in your pipeline (or in git hooks) to ensure all deployments are validated.
  • segregation of duty: you can keep your tests in a different repository where a separate team is responsible.
  • why ?: why not ?

You can use this action in order to run terraform-compliance in your GitHub Actions pipeline. For more information about the tool itself, you can have a look on https://terraform-compliance.com

How to use this action ?

  1. Enable and Configure GitHub actions within your respository.
  2. Use terraform-compliance/github-action@main
  3. Supply plan and features required parameters
  4. Supply optional other parameters

terraform-compliance requires to have access to 2 things in order to execute properly

  1. terraform plan output (preferably converted to json format via terraform show -json command)
  2. compliance tests that will run against your terraform plan.

Examples

An example CI pipeline for a terraform might look like this ;

jobs:
    terraform:
        name: terraform CI
        runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2
      - uses: hashicorp/setup-terraform@v1

      - name: terraform plan
        id: plan
        run: |
          terraform init && terraform plan -out=plan.out && terraform show -json plan.out > plan.out.json
      
      - name: terraform-compliance
        uses: terraform-compliance/github_action@main
        with:
          plan: plan.out.json
          features: ssh://git@github.com/terraform-compliance/user-friendly-features.git

.. or if you want to install terraform-compliance in the beginning of the steps and re-use it every time via run directive ;

jobs:
    terraform:
        name: terraform CI
        runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2
      - uses: hashicorp/setup-terraform@v1
      - uses: terraform-compliance/github_action@main

      - name: terraform plan
        id: plan
        run: |
          terraform init && terraform plan -out=plan.out && terraform show -json plan.out > plan.out.json
      
      - name: terraform-compliance
        id: terraform-compliance from remote repo
        run: |
          terraform-compliance -p /path/to/plan.out.json -f git:ssh://git@github.com/terraform-compliance/user-friendly-features.git

      - name: terraform-compliance
        id: terraform-compliance from local
        run: |
          terraform-compliance -p /path/to/plan.out.json -f /path/to/local

Additionaly, in case you want to publish the plan output to the related Pull Request, you can also use this action provided by GitHub as well ;

      - uses: actions/github-script@0.9.0
        if: github.event_name == 'pull_request'
        env:
          PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            <details><summary>GitHub Plan</summary>

            \`\`\`${process.env.PLAN}\`\`\`

            </details>

            *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Workflow: \`${{ github.workflow }}\`*`;

            github.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: output
            })

What are the parameters I can use ?

Parameter Required Description Default Examples
plan The plan file that is generated by terraform plan.out, plan.out.json
features The feature files that will be run against terraform plan ./tests/, `ssh://github.com/<org user>/`
quit-early Action will fail immediately on the first failure false
no-failure Action will not fail even the tests fail false
silent Output of the tests will be substantially silenced false
version Specific terraform-compliance version that you want to use within the action

What if my feature files are within a private repository ?

Have a look on setup-git-credentials action for doing it in a better way than providing SSH private keys.

This action will also solve your problems while downloading modules from remote private repositories on terraform init

About

Github Action of terraform-compliance

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

26 stars

Watchers

1 watching

Forks

6 forks
Report repository

Releases 9

0.3.0 Latest
Oct 21, 2020
+ 8 releases

Packages

No packages published

Contributors 2

  •  
  •  

Languages