├── LICENSE
├── README.md
├── action.yml
├── install.sh
└── run.sh

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2020 terraform-compliance

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# terraform-compliance GitHub Action

---

`terraform-compliance` is a lightweight, security and compliance focused test framework against terraform to enable negative testing capability for your infrastructure-as-code.

- __compliance:__ Ensure the implemented code is following security standards and your own custom standards
- __behaviour driven development:__ We have BDD for nearly everything, why not for IaC?
- __portable:__ just install it from `pip` or run it via `docker`. See [Installation](https://terraform-compliance.com/pages/installation/)
- __pre-deploy:__ it validates your code before it is deployed
- __easy to integrate:__ it can run in your pipeline (or in git hooks) to ensure all deployments are validated.
- __segregation of duty:__ you can keep your tests in a different repository where a separate team is responsible.
- __why?:__ why not?

You can use this action to run [terraform-compliance](https://terraform-compliance.com) in your GitHub Actions pipeline. For more information about the tool itself, have a look at https://terraform-compliance.com

# How to use this action?

1. [Enable and configure](https://help.github.com/en/actions/configuring-and-managing-workflows/configuring-a-workflow) GitHub Actions within your repository.
2. Use `terraform-compliance/github_action@main`
3. Supply the required `plan` and `features` parameters
4. Supply any other optional parameters

`terraform-compliance` requires access to two things in order to execute properly:

1. the terraform plan output (preferably converted to `json` format via the `terraform show -json` command)
2. the compliance tests (feature files) that will run against your terraform plan.
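As an added illustration of what such a compliance test does with the plan file (this is example code written for this page, not the project's code and not terraform-compliance's own engine), the check below reads the `resource_changes` of a `terraform show -json` output, constructed inline, and flags any security group whose planned state opens SSH to the whole internet, the same negative test a feature file expresses as "it must not have tcp protocol and port 22 for 0.0.0.0/0":

```python
import json

# Constructed sample of the `terraform show -json plan.out` output that the action
# consumes, trimmed to the fields this check reads (not a real plan).
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.0",
    "resource_changes": [
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"ingress": [
             {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
             {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
         ]}}},
        {"address": "aws_security_group.db", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"ingress": [
             {"from_port": 5432, "to_port": 5432, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]},
         ]}}},
        # A destroyed resource has no "after" state; the check must skip it, not crash.
        {"address": "aws_security_group.old", "type": "aws_security_group",
         "change": {"actions": ["delete"], "after": None}},
    ],
})


def public_ssh_ingress(plan_json: str) -> list:
    """Return addresses of security groups whose planned state opens TCP/22
    to 0.0.0.0/0 (the negative test behind 'it must not have tcp protocol
    and port 22 for 0.0.0.0/0')."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "aws_security_group":
            continue
        after = rc.get("change", {}).get("after") or {}
        for rule in after.get("ingress") or []:
            proto = rule.get("protocol")
            lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
            # protocol "-1" means "all traffic" in AWS and therefore covers port 22 too
            covers_ssh = proto == "-1" or (proto == "tcp" and lo <= 22 <= hi)
            if covers_ssh and "0.0.0.0/0" in (rule.get("cidr_blocks") or []):
                findings.append(rc["address"])
                break
    return findings


if __name__ == "__main__":
    bad = public_ssh_ingress(SAMPLE_PLAN_JSON)
    for address in bad:
        print(f"FAIL: {address} exposes SSH to the internet")
    # A non-zero exit fails the pipeline before `terraform apply`, as the action does.
    raise SystemExit(1 if bad else 0)
```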

# Examples

An example CI pipeline for a terraform project might look like this:

```yml
jobs:
  terraform:
    name: terraform CI
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2
      - uses: hashicorp/setup-terraform@v1

      - name: terraform plan
        id: plan
        run: |
          terraform init && terraform plan -out=plan.out && terraform show -json plan.out > plan.out.json

      - name: terraform-compliance
        uses: terraform-compliance/github_action@main
        with:
          plan: plan.out.json
          features: ssh://git@github.com/terraform-compliance/user-friendly-features.git
```

.. or, if you want to install `terraform-compliance` at the beginning of the steps and re-use it every time via the `run` directive:

```yml
jobs:
  terraform:
    name: terraform CI
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2
      - uses: hashicorp/setup-terraform@v1
      - uses: terraform-compliance/github_action@main

      - name: terraform plan
        id: plan
        run: |
          terraform init && terraform plan -out=plan.out && terraform show -json plan.out > plan.out.json

      - name: terraform-compliance from remote repo
        id: compliance-remote
        run: |
          terraform-compliance -p /path/to/plan.out.json -f git:ssh://git@github.com/terraform-compliance/user-friendly-features.git

      - name: terraform-compliance from local
        id: compliance-local
        run: |
          terraform-compliance -p /path/to/plan.out.json -f /path/to/local
```

Additionally, in case you want to publish the plan output to the related Pull Request, you can also use this action provided by GitHub. Keep in mind that plan output can contain sensitive attribute values, so consider what ends up in a comment that everyone with read access to the repository can see:

```yml
      - uses: actions/github-script@0.9.0
        if: github.event_name == 'pull_request'
        env:
          PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const output = `<details><summary>GitHub Plan</summary>

            \`\`\`${process.env.PLAN}\`\`\`

            </details>

            *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Workflow: \`${{ github.workflow }}\`*`;

            github.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: output
            })
```

# What are the parameters I can use?

| Parameter | Required | Description | Default | Examples |
| --------- | -------- | ----------- | ------- | -------- |
| plan | :white_check_mark: | The plan file that is generated by terraform | | `plan.out`, `plan.out.json` |
| features | :white_check_mark: | The feature files that will be run against the terraform plan | | `./tests/`, `ssh://github.com//` |
| quit-early | | The action will fail immediately on the first failure | false | |
| no-failure | | The action will not fail even if the tests fail | false | |
| silent | | Output of the tests will be substantially silenced | false | |
| version | | Specific `terraform-compliance` version that you want to use within the action | | |

# What if my feature files are within a private repository?

Have a look at the [setup-git-credentials](https://github.com/marketplace/actions/setup-git-credentials) action; it is a better way of doing this than
providing SSH private keys.

That action also solves the problem of downloading modules from private remote repositories during `terraform init`.

--------------------------------------------------------------------------------
/action.yml:
--------------------------------------------------------------------------------
# action.yml
name: "terraform-compliance"
description: "Official terraform-compliance github action"
author: "Emre Erkunt"

inputs:
  plan:
    description: "The output of terraform plan (in json)"
    required: false
  features:
    description: "The URL that is used for terraform-compliance features (without 'git:' prefix)"
    required: false
  quit-early:
    description: "Stops executing any more steps in a scenario on first failure."
    required: false
  no-failure:
    description: "Do not fail the action when tests fail, but still print the proper failure messages."
    required: false
  silent:
    description: "Do not output any scenarios, just write results or failures"
    required: false
  identity:
    description: "SSH private key that will be used for git authentication."
    required: false
  version:
    description: "Specific terraform-compliance version to be used."
    required: false
  installed_path:
    description: "In case you are running a custom runner, this is the path where the terraform-compliance executable is installed."
    required: false

outputs:
  result:
    description: "The output of the terraform-compliance"

runs:
  using: "composite"
  steps:
    # Inputs are handed to the scripts through environment variables instead of
    # being interpolated into the shell line, so input content cannot change the
    # command that runs.
    - id: install
      env:
        INPUT_VERSION: ${{ inputs.version }}
        INPUT_INSTALLED_PATH: ${{ inputs.installed_path }}
      run: ${{ github.action_path }}/install.sh "$INPUT_VERSION" "$INPUT_INSTALLED_PATH"
      shell: bash
    - id: run
      env:
        INPUT_PLAN: ${{ inputs.plan }}
        INPUT_FEATURES: ${{ inputs.features }}
        INPUT_QUIT_EARLY: ${{ inputs.quit-early }}
        INPUT_NO_FAILURE: ${{ inputs.no-failure }}
        INPUT_SILENT: ${{ inputs.silent }}
        INPUT_IDENTITY: ${{ inputs.identity }}
      run: ${{ github.action_path }}/run.sh "$INPUT_PLAN" "$INPUT_FEATURES" "$INPUT_QUIT_EARLY" "$INPUT_NO_FAILURE" "$INPUT_SILENT" "$INPUT_IDENTITY"
      shell: bash

branding:
  color: black
--------------------------------------------------------------------------------
/install.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
set -euo pipefail

# An explicit version pins the pip install ("==x.y.z"); otherwise the latest release is used.
VERSION=""
v="latest"
if [[ -n ${1:-} ]]; then
  VERSION="==$1"
  v="$1"
fi

# Default pip user install location (/home/runner/.local/bin on hosted runners).
INSTALLED_PATH="$HOME/.local/bin/terraform-compliance"
if [[ -n ${2:-} ]]; then
  INSTALLED_PATH="$2"
fi

# Required for installing terraform-compliance...
echo "Installing required packages for terraform-compliance"
sudo apt-get install -y -qq python3-setuptools python3-wheel libxml2-dev libxslt-dev > /dev/null

# Install terraform-compliance
echo "Installing terraform-compliance[faster_parsing]$VERSION version $v"
pip3 install "terraform-compliance[faster_parsing]$VERSION"

# Expose the executable under a fixed name on a PATH entry shared by all later steps;
# run.sh calls /usr/local/bin/terraform-compliance explicitly.
if [[ ! -f /usr/local/bin/terraform-compliance ]]; then
  if [[ ! -x $INSTALLED_PATH ]]; then
    echo "terraform-compliance executable not found at $INSTALLED_PATH" >&2
    exit 1
  fi
  sudo ln -s "$INSTALLED_PATH" /usr/local/bin/terraform-compliance
fi
--------------------------------------------------------------------------------
/run.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
set -euo pipefail

# Only the literal "true" (any case) enables a flag, so `quit-early: false`
# does not switch the flag on; previously any non-empty value did.
is_true() { [[ "${1,,}" == "true" ]]; }

PLAN="${1:-}"
FEATURES="${2:-}"
QUIT_EARLY="${3:-}"
NO_FAILURE="${4:-}"
SILENT="${5:-}"
IDENTITY="${6:-}"

# Build the command as an array so arguments containing spaces survive intact;
# concatenating a string with escaped quotes does not work under word splitting.
CMD=(/usr/local/bin/terraform-compliance)

if [[ -n $PLAN ]]; then
  CMD+=(-p "$GITHUB_WORKSPACE/$PLAN")
fi

if [[ -n $FEATURES ]]; then
  CMD+=(-f "git:$FEATURES")
fi

if is_true "$QUIT_EARLY"; then
  CMD+=(-q)
fi

if is_true "$NO_FAILURE"; then
  CMD+=(-n)
fi

if is_true "$SILENT"; then
  CMD+=(-S)
fi

if [[ -n $PLAN && -n $FEATURES ]]; then
  # Log the command before the identity is appended so the key never lands in the job log.
  echo "Running: ${CMD[*]}"
  if [[ -n $IDENTITY ]]; then
    CMD+=(-i "$IDENTITY")
  fi

  "${CMD[@]}"
else
  echo "terraform-compliance is ready to run."
fi
--------------------------------------------------------------------------------