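---
# GitLab CI pipeline for the Terraform configuration under terraform/.
#
#   validate: syntax/format check plus static security scanning (trivy, checkov)
#   plan:     produce the plan (manual) and evaluate the OPA/conftest policies
#             against that exact plan
#   apply:    apply the saved plan (manual, default branch only)
#
# Every job runs `cd terraform` first (see before_script), so paths inside
# `script:` are relative to terraform/, while `cache:` and `artifacts:` paths
# are relative to the repository root.

stages:
  - validate
  - plan
  - apply

# Cache downloaded providers/modules between jobs. The scripts cd into
# terraform/, so the directory to cache is terraform/.terraform — a bare
# `.terraform` at the repository root is never populated. Keep
# .terraform.lock.hcl committed so `terraform init` verifies cached provider
# binaries against the recorded hashes instead of trusting the cache.
cache:
  key: ${CI_COMMIT_REF_SLUG}
  paths:
    - terraform/.terraform

variables:
  TERRAFORM_VERSION: "1.10.5"
  # NOTE(review): nothing in this file passes TF_STATE_NAME to `terraform init`
  # (no -backend-config), so it is unused here — confirm whether the backend is
  # configured in the .tf files or through project CI variables.
  TF_STATE_NAME: ${CI_PROJECT_NAME}

# All jobs operate on the terraform/ directory. Tools are no longer installed
# here: each job uses the vendor image that already ships its tool, which
# removes the unverified `curl ... | bash` / `curl ... | tar xz` installs
# (and the tfsec install, which no job used). The scanner images are still
# tagged `latest`; pin them by digest to make the pipeline reproducible.
before_script:
  - cd terraform

# Validate syntax and formatting
terraform-validate:
  stage: validate
  image:
    # The hashicorp/terraform image's ENTRYPOINT is `terraform`; clear it so
    # GitLab can start the job shell.
    name: hashicorp/terraform:${TERRAFORM_VERSION}
    entrypoint: [""]
  script:
    - terraform init -backend=false -input=false
    - terraform validate
    - terraform fmt -check -recursive
  only:
    changes:
      - "terraform/**/*.tf"

# Security check with trivy
trivy:
  stage: validate
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  script:
    # --exit-code 1 is required: trivy exits 0 by default even when
    # misconfigurations are found, which would make this gate advisory only.
    # `junit` is not a trivy output format; the JUnit template ships in the
    # vendor image at /contrib/junit.tpl.
    - trivy config --exit-code 1 --format template --template "@/contrib/junit.tpl" --output trivy.test.xml --check-namespaces proxmox .
  only:
    changes:
      - "terraform/**/*.tf"
  artifacts:
    # Upload the report on failure too — that is when it is needed.
    when: always
    reports:
      junit: "terraform/trivy.test.xml"
    paths:
      - "terraform/trivy.test.xml"

# Security check with checkov
checkov:
  stage: validate
  image:
    name: bridgecrew/checkov:latest
    entrypoint: [""]
  script:
    - checkov -d . --quiet
  only:
    changes:
      - "terraform/**/*.tf"

# Create Terraform plan
terraform-plan:
  stage: plan
  image:
    name: hashicorp/terraform:${TERRAFORM_VERSION}
    entrypoint: [""]
  script:
    - terraform init -input=false
    - terraform plan -input=false -out=tfplan
    # JSON rendering of the plan for the policy job (and for review)
    - terraform show -json tfplan > tfplan.json
  artifacts:
    # The saved plan (and very likely its JSON rendering) embeds variable and
    # provider values, including ones marked sensitive. Treat these artifacts
    # as secrets: anyone who can download job artifacts can read them.
    paths:
      - terraform/tfplan
      - terraform/tfplan.json
    expire_in: 1 week
  only:
    changes:
      - "terraform/**/*.tf"
      # a policy change must re-plan so policy-check has a plan to evaluate
      - "terraform/policies/**/*.rego"
  when: manual
  needs:
    # optional: on a rego-only change the validate jobs are not created
    - job: terraform-validate
      optional: true
    - job: trivy
      optional: true
    - job: checkov
      optional: true

# Policy validation with conftest, run against the exact plan that
# terraform-apply will consume. (Evaluating a separate backend-less plan in
# the validate stage gives no guarantee about what is actually applied, and
# nothing ever installed conftest in that job.)
policy-check:
  stage: plan
  image:
    name: openpolicyagent/conftest:latest
    entrypoint: [""]
  script:
    - conftest test tfplan.json -p policies/
  needs:
    - job: terraform-plan
      artifacts: true
  only:
    changes:
      - "terraform/**/*.tf"
      - "terraform/policies/**/*.rego"

# Apply the changes — manual, default branch only, and only after the plan
# has passed the policy gate.
terraform-apply:
  stage: apply
  image:
    name: hashicorp/terraform:${TERRAFORM_VERSION}
    entrypoint: [""]
  script:
    - terraform init -input=false
    # Applying a saved plan never prompts, so -auto-approve is not needed;
    # the plan file guarantees exactly the reviewed changes are applied.
    - terraform apply -input=false tfplan
  needs:
    - job: terraform-plan
      artifacts: true
    - job: policy-check
      artifacts: false
  rules:
    # Restrict apply to the default (protected) branch: the previous
    # `only: changes` allowed a manual apply from any feature branch.
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      changes:
        - "terraform/**/*.tf"
      when: manual
      allow_failure: false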