Skip to content

tfsec

tfsec #811

Workflow file for this run

---
name: tfsec
"on":
push:
branches:
- trunk
pull_request:
branches:
- trunk
schedule:
- cron: "0 0 * * TUE"
jobs:
terraform:
name: Audit Terraform Infrastructure as Code
permissions:
id-token: write
contents: read
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v3.6.0
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@04b98b3f9e85f563fb061be8751a0352327246b0 # v3.0.1
with:
aws-region: us-west-2
role-to-assume: arn:aws:iam::447522982029:role/gha-project-infrastructure-s3-ro-20220212013048188700000001
role-session-name: GitHubActionsSession@tfsec-terraform
- name: Show AWS caller identity
run: aws sts get-caller-identity
- name: "Setup Terraform"
uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
with:
terraform_version: 1.x
- name: "terraform init"
run: |
terraform -chdir=aws init
terraform -chdir=github-org-artichoke init
terraform -chdir=github-org-artichokeruby init
terraform -chdir=github-org-artichoke-ruby init
terraform -chdir=remote-state init
- name: "tfsec aws"
uses: docker://aquasec/tfsec:latest
id: tfsec_aws
continue-on-error: true
with:
entrypoint: tfsec
args: aws
- name: "tfsec github-org-artichoke"
uses: docker://aquasec/tfsec:latest
id: tfsec_github_artichoke
continue-on-error: true
with:
entrypoint: tfsec
args: github-org-artichoke
- name: "tfsec github-org-artichokeruby"
uses: docker://aquasec/tfsec:latest
id: tfsec_github_artichokeruby
continue-on-error: true
with:
entrypoint: tfsec
args: github-org-artichokeruby
- name: "tfsec github-org-artichoke-ruby"
uses: docker://aquasec/tfsec:latest
id: tfsec_github_artichoke_ruby
continue-on-error: true
with:
entrypoint: tfsec
args: github-org-artichoke-ruby
- name: "tfsec remote-state"
uses: docker://aquasec/tfsec:latest
id: tfsec_remote_state
continue-on-error: true
with:
entrypoint: tfsec
args: remote-state
- name: "Check on failures"
run: |
failed=""
if [[ ${{ steps.tfsec_aws.outcome }} != "success" ]]; then
failed="y"
echo >&2 "tfsec aws failed"
fi
if [[ ${{ steps.tfsec_github_artichoke.outcome }} != "success" ]]; then
failed="y"
echo >&2 "tfsec github-org-artichoke failed"
fi
if [[ ${{ steps.tfsec_github_artichokeruby.outcome }} != "success" ]]; then
failed="y"
echo >&2 "tfsec github-org-artichokeruby failed"
fi
if [[ ${{ steps.tfsec_github_artichoke_ruby.outcome }} != "success" ]]; then
failed="y"
echo >&2 "tfsec github-org-artichoke-ruby failed"
fi
if [[ ${{ steps.tfsec_remote_state.outcome }} != "success" ]]; then
failed="y"
echo >&2 "tfsec remote-state failed"
fi
if [[ -n "$failed" ]]; then
exit 1
fi