This repository contains pre-configured GitHub Actions workflows for automating common tasks related to Terraform code. These workflows are defined in the .github/workflows directory. Please note that while the underlying workflow can support multiple cloud providers, you still need to customize which secrets and variables you pass into the module.
If this repo was made using the "terraform-github-infrastructure" module, some of these secrets may already be set up for you in your GitHub repository, and your Terraform backend may already be configured to use federated credentials.
If so, you will only need to make changes to the files in .github/workflows.
Otherwise, you will also need to set up identity federation for GitHub OIDC in your respective cloud provider to use the underlying workflows. Please see documentation here.
For Azure, you will need to set up the following secrets in your GitHub repository:
ARM_CLIENT_ID: The client ID of the service principal used for authentication.
ARM_TENANT_ID: The tenant ID of the Azure Active Directory.
ARM_SUBSCRIPTION_ID: The subscription ID where the resources will be created.
AZ_RESOURCE_GROUP_NAME: The name of the resource group that houses the storage account for the Terraform backend.
AZ_STATE_STORE: The name of the storage account used for the Terraform backend.
AZ_STATE_CONTAINER: The name of the container within the storage account used for the Terraform backend.
For AWS, you will need to set up the following secrets in your GitHub repository:
AWS_IAM_ROLE_ARN: The ARN of the IAM role to assume for authentication.
AWS_STATE_REGION: The AWS region where the S3 bucket for the Terraform backend is located.
AWS_STATE_BUCKET: The name of the S3 bucket used for the Terraform backend.
For GCP, you will need to set up the following secrets in your GitHub repository:
GCP_WORKLOAD_IDENTITY_PROVIDER: The Workload Identity Provider used for authentication.
GCP_SERVICE_ACCOUNT_EMAIL: The email of the service account to impersonate.
GCP_STATE_BUCKET: The name of the GCS bucket used for the Terraform backend.
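As an added example (not one of this repository's own workflows), the following shows how the AWS secrets listed above are consumed by a plan-on-pull-request workflow that authenticates with GitHub OIDC instead of stored access keys. It assumes the Terraform code declares an empty `backend "s3" {}` block so the bucket, region and key can be supplied at init time, and the action names and versions (aws-actions/configure-aws-credentials@v4, hashicorp/setup-terraform@v3) are the public ones, not anything defined by this repository.

```yaml
name: terraform-plan

on:
  pull_request:
    branches: [main]

# OIDC: the job requests a short-lived GitHub ID token; no long-lived
# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY secrets are stored anywhere.
permissions:
  id-token: write
  contents: read

jobs:
  plan:
    runs-on: ubuntu-latest
    env:
      # Assumed value: pin the Terraform version the workflow runs with.
      TF_VERSION: "1.7.5"
    steps:
      - uses: actions/checkout@v4

      # Exchanges the GitHub OIDC token for temporary credentials of the
      # role in AWS_IAM_ROLE_ARN (the role's trust policy must accept this
      # repository's token subject).
      - name: Configure AWS credentials via OIDC
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_IAM_ROLE_ARN }}
          aws-region: ${{ secrets.AWS_STATE_REGION }}

      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ env.TF_VERSION }}

      # Backend settings come from repository secrets, so no bucket name or
      # region is hard-coded in the Terraform source.
      - name: Terraform init
        run: |
          terraform init -input=false \
            -backend-config="bucket=${{ secrets.AWS_STATE_BUCKET }}" \
            -backend-config="region=${{ secrets.AWS_STATE_REGION }}" \
            -backend-config="key=${{ github.repository }}/terraform.tfstate"

      - name: Terraform fmt and validate
        run: |
          terraform fmt -check -recursive
          terraform validate

      - name: Terraform plan
        run: terraform plan -input=false -lock-timeout=60s
```

The Azure and GCP variants differ only in the credential step (azure/login with ARM_CLIENT_ID, ARM_TENANT_ID and ARM_SUBSCRIPTION_ID; google-github-actions/auth with GCP_WORKLOAD_IDENTITY_PROVIDER and GCP_SERVICE_ACCOUNT_EMAIL) and in the backend-config values passed to terraform init.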
Git hook scripts are useful for identifying simple issues before submission to code review. We run our hooks on every commit to automatically point out issues in the Terraform code such as missing parentheses, and to enforce consistent Terraform styling and spacing. Pointing these issues out before code review allows a reviewer to focus on the architecture of a change rather than spending time on trivial style nitpicks.
Before you can run hooks, you need to have the pre-commit package manager installed.
Using pip:
pip install pre-commit
Non-administrative installation:
curl https://pre-commit.com/install-local.py | python
To upgrade, run the command again; to uninstall, pass uninstall to python. This method does not work on platforms without symlink support (Windows).
Afterward, pre-commit --version should show you what version you're using.
detect-secrets, terraform-docs, and checkov all need to be installed separately. terraform-docs can be installed via your package manager of choice, for example via brew:
brew install terraform-docs
detect-secrets and checkov can be installed via pip:
python3 -m pip install detect-secrets
python3 -m pip install checkov
To set up detect-secrets, run the following command to initialize the baseline file:
detect-secrets scan > .secrets.baseline
The pre-commit config for this repo may be found in .pre-commit-config.yaml, the contents of which take the following form:
Run pre-commit install to set up the git hook scripts:
$ pre-commit install
pre-commit installed at .git/hooks/pre-commit
Now pre-commit will run automatically on git commit.