Fix: CVE-2024-42471 #24
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Plan and Apply Terraform | |
| on: | |
| push: | |
| branches: [ "main" ] | |
| pull_request: | |
| branches: [ "main" ] | |
| env: | |
| # We don't want to create any real cloud resources from this | |
| # repo. It is just for demonstrating guardrails evaluation on TF | |
| # plans. So use dummy credentials that would fail if we ever tried | |
| # to run `tf apply. | |
| AWS_ACCESS_KEY: "asdf" | |
| AWS_SECRET_KEY: "asdf" | |
| GOOGLE_OAUTH_ACCESS_TOKEN: "asdf" | |
| jobs: | |
| terraform: | |
| name: 'Terraform' | |
| runs-on: ubuntu-latest | |
| environment: production | |
| defaults: | |
| run: | |
| shell: bash | |
| strategy: | |
| matrix: | |
| env: ["dev", "prod"] | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| - name: Setup Terraform | |
| uses: hashicorp/setup-terraform@v1 | |
| - name: Terraform Init | |
| run: terraform init | |
| - name: Terraform Plan | |
| run: terraform plan -state=${{ matrix.env }}.tfstate -var-file=${{ matrix.env }}.tfvars -refresh=false -out=plan.raw | |
| - name: Convert the plan to JSON | |
| id: planToJson | |
| run: terraform show -json plan.raw | |
| - name: Save JSON to a file | |
| uses: fishcharlie/[email protected] | |
| with: | |
| data: ${{ steps.planToJson.outputs.stdout }} | |
| output: plan-${{ matrix.env }}.json | |
| - name: Upload Terraform Plan Output | |
| uses: actions/[email protected] | |
| with: | |
| name: plan-file-${{ matrix.env }} | |
| path: plan-${{ matrix.env }}.json | |
| - name: Terraform Apply | |
| if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
| run: terraform apply -auto-approve -state=${{ matrix.env }}.tfstate -var-file=dev.tfvars -input=false | |
| resourcely-ci: | |
| needs: terraform | |
| if: github.event_name == 'pull_request' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| - name: Download Terraform Plan Output | |
| uses: actions/[email protected] | |
| with: | |
| name: plan-file-dev | |
| path: tf-plan-files/ | |
| - name: Download Terraform Plan Output | |
| uses: actions/[email protected] | |
| with: | |
| name: plan-file-prod | |
| path: tf-plan-files/ | |
| - name: Save JSON to a file | |
| uses: fishcharlie/[email protected] | |
| with: | |
| data: | | |
| { | |
| "plans": [{ | |
| "plan_file": "plan-dev.json", | |
| "config_root_path": ".", | |
| "environment": "dev" | |
| },{ | |
| "plan_file": "plan-prod.json", | |
| "config_root_path": ".", | |
| "environment": "prod" | |
| }] | |
| } | |
| output: tf-plan-files/manifest.json | |
| - name: Resourcely CI | |
| uses: Resourcely-Inc/resourcely-action@main | |
| with: | |
| resourcely_api_token: ${{ secrets.RESOURCELY_API_TOKEN }} | |
| resourcely_api_host: "https://api.resourcely.io" | |
| tf_plan_directory: "tf-plan-files" |