Shared GitHub workflows, to be referenced by other Padok projects.
The following reusable workflows are available in .github/workflows:
| Name | Description | Must have |
|---|---|---|
| release | Configure Release Please to automate GitHub release creation | ⭐ |
| semantic-check | Check that pull requests follow Conventional Commits | |
| terraform-docs | Update Terraform module documentation using terraform-docs | |
| terraform-quality | Run several linter and static analysis tools on Terraform code | ⭐ |
| terragrunt-quality | Run several linter and static analysis tools on Terragrunt code | ⭐ |
To use these workflows in your project, copy the files from the folders listed below and paste them into the .github/workflows/ folder of your own repo:

- global: for all your projects
- terraform: useful for Terraform modules
- terragrunt: use for Terragrunt projects and Terraform modules
Your repo should have the following structure:
```
.
├── .github
│   ├── CODEOWNERS
│   └── workflows
│       ├── release.yml
│       ├── semantic-check.yml
│       ├── terraform-docs.yml
│       └── terraform-quality.yml
├── .gitignore
├── LICENSE
├── main.tf
├── README.md
├── renovate.json
└── ... (other files)
```
The terragrunt-quality workflow relies on the following tools:

- tenv to make sure that the correct versions of Terraform and Terragrunt are used
- terraform fmt to check the basic formatting of Terraform code
- terragrunt hclfmt to check the formatting of Terragrunt HCL files
- guacamole to check the code quality
- checkov to check for security issues
There are several tools to ensure that Terraform code is secure and follows best practices. The terraform-quality workflow uses the following ones:

- tfswitch to make sure that the correct version of Terraform is used
- terraform fmt to check the basic formatting of Terraform code
- terraform validate to check the validity of Terraform code
- tflint to check for code quality issues
- checkov to check for security issues
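A CI finding is much easier to fix when it can be reproduced locally before the pull request is opened. The script below is an added example, not code from the padok-team workflows: it runs the checks listed for terraform-quality and terragrunt-quality against a local directory, using each tool's standard command-line invocation as an assumption (the README does not show how the workflows call them). Version selection with tfswitch/tenv and guacamole are left out for the same reason. A tool that is not on PATH is reported as skipped rather than failing, so the script is still useful on a partial toolchain; `terraform init` is run before `terraform validate` because validate needs provider schemas.

```shell
#!/usr/bin/env sh
# Added example (not part of the padok-team workflows): reproduce the
# terraform-quality / terragrunt-quality checks locally.
# Assumptions: tool invocations are the tools' documented CLIs, not copied
# from the workflows; missing tools are skipped, not treated as failures.

# have <tool>: succeed if <tool> is installed
have() { command -v "$1" >/dev/null 2>&1; }

# run_check <label> <dir> <cmd> [args...]: run one check inside <dir>.
# Prints one PASS/FAIL/SKIP line; returns 0 on pass or skip, 1 on failure.
run_check() {
  local label="$1" dir="$2"
  shift 2
  if ! have "$1"; then
    echo "SKIP  $label ($1 not installed)"
    return 0
  fi
  if (cd "$dir" && "$@"); then
    echo "PASS  $label"
    return 0
  fi
  echo "FAIL  $label"
  return 1
}

# terraform_quality <dir>: the checks listed for the terraform-quality workflow
terraform_quality() {
  local dir="$1" failed=0
  run_check "terraform fmt"      "$dir" terraform fmt -check -recursive || failed=1
  # validate needs provider schemas, so init first (no backend, no prompts)
  run_check "terraform init"     "$dir" terraform init -backend=false -input=false || failed=1
  run_check "terraform validate" "$dir" terraform validate || failed=1
  run_check "tflint"             "$dir" tflint || failed=1
  run_check "checkov"            "$dir" checkov -d . --framework terraform --quiet || failed=1
  return "$failed"
}

# terragrunt_quality <dir>: the checks listed for the terragrunt-quality workflow
terragrunt_quality() {
  local dir="$1" failed=0
  run_check "terraform fmt"     "$dir" terraform fmt -check -recursive || failed=1
  # newer terragrunt releases spell this "terragrunt hcl fmt --check"
  run_check "terragrunt hclfmt" "$dir" terragrunt hclfmt --terragrunt-check || failed=1
  run_check "checkov"           "$dir" checkov -d . --framework terraform --quiet || failed=1
  return "$failed"
}

# Usage: sh quality.sh terraform|terragrunt [dir]
# (with no arguments the script only defines the functions above)
if [ "$#" -gt 0 ]; then
  case "$1" in
    terraform)  terraform_quality "${2:-.}" ;;
    terragrunt) terragrunt_quality "${2:-.}" ;;
    *) echo "usage: $0 terraform|terragrunt [dir]" >&2; exit 2 ;;
  esac
fi
```

Run it from the module root as `sh quality.sh terraform .` (or `terragrunt` for a Terragrunt project); the exit status is non-zero if any installed tool reports a problem, which makes it suitable as a pre-push hook. Because the workflows pin tool versions, a check that passes locally can still fail in CI when your local tool is older or newer; compare versions before assuming the workflow is wrong.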
The following tools were considered but ultimately not included:

- tfsec is redundant with checkov, and from Padok's experience the latter is more reliable
- terrascan has not been tested by Padok yet
- terraform-docs is delegated to another workflow, since it could add a commit to the pull request
Feel free to suggest other tools to add to this workflow!