feat: basic setup of azure terraform deployment

Signed-off-by: Fredrik Klingenberg <[email protected]>
fredrkl · Oct 28, 2023 · db6f746 · db6f746
1 parent 5c12316
commit db6f746
Show file tree

Hide file tree

Showing 5 changed files with 150 additions and 0 deletions.
diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml
@@ -0,0 +1,79 @@
+name: Terraform
+on:
+  - push
+  - workflow_dispatch
+
+permissions: write-all
+
+env:
+  ARM_USE_OIDC: true
+  ARM_USE_AZUREAD: true
+  ARM_TENANT_ID: ${{ secrets.azure_tenant_id }}
+  ARM_SUBSCRIPTION_ID: ${{ secrets.azure_subscription_id }}
+  ARM_CLIENT_ID: ${{ secrets.azure_client_id }}
+
+jobs:
+  terraform-workflow:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v2
+    - name: Cache Terraform modules
+      uses: actions/cache@v3
+      id: cache
+      with:
+        path: ./terraform
+        key: ${{ runner.os }}-terraform-${{ hashFiles('terraform/**/*.tf') }}
+    - name: Az CLI login
+      uses: azure/login@v1
+      with:
+        client-id: ${{ secrets.azure_client_id }}
+        tenant-id: ${{ secrets.azure_tenant_id }}
+        subscription-id: ${{ secrets.azure_subscription_id }}
+    - name: Terraform Init
+      working-directory: ./terraform
+      run: terraform init
+    - name: Terraform Format
+      working-directory: ./terraform
+      run: terraform fmt -check
+    - name: Terraform Validate
+      working-directory: ./terraform
+      run: terraform validate
+    - name: Setup TFLint
+      uses: terraform-linters/[email protected]
+    - name: Init TFLint
+      run: tflint --init
+      working-directory: ./terraform
+      env:
+        # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+        GITHUB_TOKEN: ${{ github.token }}
+    - name: Run TFLint
+      working-directory: ./terraform
+      run: tflint --recursive
+    - name: Terraform Test
+      working-directory: ./terraform
+      run: |
+        terraform test
+    - name: Run Trivy vulnerability scanner in IaC mode
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: 'config'
+        scan-ref: './terraform'
+        format: sarif
+        output: trivy-results.sarif
+        exit-code: 1
+    - name: Upload Trivy scan results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v2
+      if: always()
+      with:
+        sarif_file: 'trivy-results.sarif'
+    - name: Terraform Plan
+      working-directory: ./terraform
+      run: |
+        terraform plan -out=tfplan -var="location=eastus" -var="name_prefix=test"
+        terraform-bin show -json -no-color tfplan > tfplan.json
+        terraform-bin show -no-color tfplan >> $GITHUB_STEP_SUMMARY
+#    - name: Terraform Apply
+#      working-directory: ./terraform
+#      run: terraform apply tfplan
diff --git a/terraform/.tflint.hcl b/terraform/.tflint.hcl
@@ -0,0 +1,10 @@
+config {
+  format = "compact"
+  module = true
+}
+
+plugin "terraform" {
+  # List of rules in the preset: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.0/docs/rules/README.md
+  preset = "recommended"
+  enabled = true
+}
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -0,0 +1,24 @@
+provider "azurerm" {
+  features {}
+}
+
+resource "azurerm_resource_group" "aks" {
+  name     = "${var.name_prefix}-private-aks"
+  location = var.location
+}
+
+terraform {
+  required_version = ">= 1.6"
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "3.77.0"
+    }
+  }
+  backend "azurerm" {
+    resource_group_name  = "terraform-state-files"
+    storage_account_name = "terraformdemostatefiles"
+    container_name       = "private-aks-demo-tfstate"
+    key                  = "terraform.tfstate"
+  }
+}
diff --git a/terraform/valid_resource_group_name.tftest.hcl b/terraform/valid_resource_group_name.tftest.hcl
@@ -0,0 +1,18 @@
+provider "azurerm" {
+  features {}
+}
+
+variables {
+  name_prefix = "test"
+  location    = "eastus"
+}
+
+run "valid_resource_group" {
+
+  command = plan
+
+  assert {
+    condition     = azurerm_resource_group.aks.name == "test-tf-aks"
+    error_message = "Resource group name is not as expected"
+  }
+}
diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -0,0 +1,19 @@
+variable "location" {
+  type        = string
+  description = "The location for the resource group."
+
+  validation {
+    condition     = contains(["eastus", "northeurope"], var.location)
+    error_message = "The location must be between eastus and northeurope."
+  }
+}
+
+variable "name_prefix" {
+  type        = string
+  description = "The prefix for the resource group."
+
+  validation {
+    condition     = length(var.name_prefix) <= 10
+    error_message = "The prefix must be less than 10 characters."
+  }
+}