feat: Added workflow for cloudformation linter and security scan (#83)

clouddrove · Sep 27, 2023 · bb25820 · bb25820
1 parent ebc9389
commit bb25820
Show file tree

Hide file tree

Showing 5 changed files with 55 additions and 3 deletions.
diff --git a/.github/workflows/cf-lint.yml b/.github/workflows/cf-lint.yml
@@ -0,0 +1,28 @@
+---
+name: cloudformation-linter
+on:
+  workflow_call:
+    inputs:
+      cf_file_path:
+        required: true
+        type: string
+        description: 'path of cloudformation template.'
+
+jobs:
+  cloudformation-linter:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: cfn-lint-action
+        uses: ScottBrenner/cfn-lint-action@v2
+        with:
+          command: cfn-lint -t ${{ inputs.cf_file_path }}
+
+      - name: cfn security checks
+        uses: minchao/cfn-nag-action@v0.1
+        with:
+          args: '--input-path ${{ inputs.cf_file_path }}'
+...
diff --git a/.github/workflows/terraform_workflow.yml b/.github/workflows/terraform_workflow.yml
@@ -42,6 +42,11 @@ on:
         type: number
         default: 10
         description: 'Timeout for approval step'
+      minimum-approvals:
+        required: false
+        type: string
+        default: 1
+        description: 'Minimum approvals required to accept the plan'
     secrets:
       AZURE_CREDENTIALS:
         required: false
@@ -73,6 +78,9 @@ on:
       SPACES_SECRET_ACCESS_KEY:
         required: false
         description: 'Spaces secret access key for digitalocean if required'
+      TF_VAR_access_token:
+        required: false
+        description: 'TF var access token'
 
 jobs:
   terraform-workflow:
@@ -82,6 +90,8 @@ jobs:
       DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
       SPACES_ACCESS_KEY_ID: ${{ secrets.SPACES_ACCESS_KEY_ID }}
       SPACES_SECRET_ACCESS_KEY: ${{ secrets.SPACES_SECRET_ACCESS_KEY }}
+      TF_VAR_access_token: ${{ secrets.TF_VAR_access_token }}
+
     outputs:
       tfplanExitCode: ${{ steps.tf-plan.outputs.exitcode }}
 
@@ -193,6 +203,7 @@ jobs:
         with:
           secret: ${{ github.TOKEN }}
           approvers: ${{ inputs.approvers }}
+          minimum-approvals: ${{ inputs.minimum-approvals }}
           issue-title: "Terraform Plan for Infrastructure Update"
 
       - name: terraform apply

diff --git a/.github/workflows/ymllint-internal.yml b/.github/workflows/ymllint-internal.yml
@@ -0,0 +1,8 @@
+---
+name: YAML-LINTER
+on: [pull_request]
+
+jobs:
+  YAML-LINTER:
+    uses: clouddrove/github-shared-workflows/.github/workflows/ymllint.yml@master
+...
diff --git a/.github/workflows/ymllint.yml b/.github/workflows/ymllint.yml
@@ -1,6 +1,7 @@
 ---
-name: Yaml Lint
-on: [pull_request]
+name: YAML-LINTER
+on:
+  workflow_call:
 jobs:
   Yaml-Lint:
     runs-on: ubuntu-latest
@@ -41,7 +42,7 @@ jobs:
               empty-lines:
                   level: error
               empty-values:
-                  level: error
+                  level: warning
               float-values:
                   level: error
               hyphens:

diff --git a/docs/terraform_workflow.md b/docs/terraform_workflow.md
@@ -23,6 +23,7 @@ jobs:
         var_file:           # name of tfvar file e.g "variable.tfvar"
         aws_region:         # specify region eg. us-east-2
         approvers:          # Assignee name for approve apply or destroy step
+        minimum-approvals:  # Minimum number of approvals required to progress the workflow, deafault value is 1
         terraform_version:  # Specify terraform version e.g 1.3.6
         destroy:            # If the value is set to true, the workflow proceeds to the destroy step. However, the default value is false
      secrets:
@@ -49,6 +50,7 @@ jobs:
         working_directory:  # Specify terraform code directory in repo
         var_file:           # Name of tfvar file e.g "variable.tfvar"
         approvers:          # Assignee name for approve apply or destroy step
+        minimum-approvals:  # Minimum number of approvals required to progress the workflow, deafault value is 1
         terraform_version:  # Specify terraform version e.g 1.3.6
         destroy:            # If the value is set to true, the workflow proceeds to the destroy step. However, the default value is false
      secrets:
@@ -72,6 +74,7 @@ jobs:
         working_directory:  # Specify terraform code directory in repo
         var_file:           # Name of tfvar file e.g "variable.tfvar"
         approvers:          # Assignee name for approve apply or destroy step
+        minimum-approvals:  # Minimum number of approvals required to progress the workflow, deafault value is 1
         terraform_version:  # Specify terraform version e.g 1.3.6
         destroy:            # If the value is set to true, the workflow proceeds to the destroy step. However, the default value is false
      secrets:
@@ -97,6 +100,7 @@ jobs:
         working_directory:  # Specify terraform code directory in repo
         var_file:           # Name of tfvar file e.g "variable.tfvar"
         approvers:          # Assignee name for approve apply or destroy step
+        minimum-approvals:  # Minimum number of approvals required to progress the workflow, deafault value is 1
         terraform_version:  # Specify terraform version e.g 1.3.6
         destroy:            # If the value is set to true, the workflow proceeds to the destroy step. However, the default value is false
      secrets: