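---
# DbaC Deploy: secret scan -> IaC scan -> README docs render -> Terraform plan/apply.
#
# NOTE(review): `pull_request` runs the final job on a self-hosted runner
# (`runs-on: DbaC`) and applies infrastructure from the PR branch with
# -auto-approve. Anyone whose PR reaches this workflow can therefore execute
# code on that runner and change live infrastructure. Keep fork-PR approval
# enabled and consider putting the apply step behind a `main`-only trigger or
# an `environment:` with required reviewers.
name: DbaC Deploy

on:
  workflow_dispatch:
  pull_request:
    branches:
      - main

# Serialise runs of this workflow. The Terraform steps below pass `-lock=false`,
# so this group is the only thing preventing two concurrent applies against
# the same state.
concurrency:
  group: dbac-deploy
  cancel-in-progress: false

jobs:
  secrets_scan:
    name: gitleaks
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955
        with:
          # Full history so gitleaks scans every commit, not only HEAD.
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_NOTIFY_USER_LIST: '@iamgp21'

  infra_scan:
    name: 'Infra Scan'
    needs: [secrets_scan]
    runs-on: ubuntu-latest
    permissions:
      # upload-sarif needs security-events: write; the checkout is read-only.
      security-events: write
      contents: 'read'
    steps:
      - name: Checkout
        uses: 'actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955'
      - name: Make Infra Scan Directory
        run: mkdir -p infra_scan_results
      - name: run kics Scan
        uses: Checkmarx/kics-github-action@71454548efb714daa457caae25c01d64cc0be9d2
        with:
          path: 'entrypoint.tf,versions.tf,provider.tf,tfvars/wsl.tfvars,modules,.github/workflows/'
          # Do not fail the job on findings (the action's default is to fail);
          # findings are surfaced through the SARIF upload below instead.
          ignore_on_exit: results
          # Given a directory, the action writes 'results.{extension}' into it.
          output_path: 'infra_scan_results'
          output_formats: 'json,sarif'
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@96f518a34f7a870018057716cc4d7a5c014bd61c
        with:
          sarif_file: infra_scan_results/results.sarif

  docs:
    needs: [infra_scan]
    runs-on: ubuntu-latest
    permissions:
      # terraform-docs commits the regenerated README back to the branch.
      contents: 'write'
    steps:
      - uses: 'actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955'
        with:
          # Check out the PR head branch so the README commit lands on it.
          # On workflow_dispatch this expression is empty and checkout falls
          # back to the triggering ref.
          ref: ${{ github.event.pull_request.head.ref }}
      - name: Render terraform docs inside the README.md and push changes back to PR branch
        uses: terraform-docs/gh-actions@6de6da0cefcc6b4b7a5cbea4d79d97060733093c
        with:
          working-dir: .
          output-file: README.md
          output-method: inject
          git-push: "true"

  dbac_deploy:
    runs-on: DbaC
    needs: [docs]
    defaults:
      run:
        working-directory: './'
    permissions:
      contents: 'read'
      pull-requests: 'read'
    # Scoped to this job (previously workflow-level) so the database password
    # is not injected into the scan and docs jobs, which never use it.
    env:
      # Default postgresql admin password, read by Terraform as
      # var.postgresql_default_password.
      TF_VAR_postgresql_default_password: ${{ secrets.POSTGRES_USER_DEFAULT_PASSWORD }}
    steps:
      - name: Checkout
        uses: 'actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955'
      - name: Detect changes
        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36
        id: detect-changes
        with:
          filters: |
            terraform:
              - 'versions.tf'
              - 'provider.tf'
              - 'tfvars/wsl.tfvars'
              - 'entrypoint.tf'
              - 'modules/**'
              - '.github/workflows/dbac-deploy.yaml'
      # NOTE(review): no step in this job invokes Node directly; presumably an
      # action above needs it — confirm, or drop this step.
      - name: Setup Node.js
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
        with:
          node-version: '20'
      - name: "Setup Terraform"
        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd
        with:
          terraform_version: "1.9.0"
      # Fail when any configuration file is not in canonical format. Plain
      # `terraform fmt` only rewrites files on the runner and never fails,
      # so it did not enforce anything.
      - name: "Terraform Format"
        id: fmt
        run: terraform fmt -check
        continue-on-error: false
      - name: "Terraform Initialize"
        if: steps.detect-changes.outputs.terraform == 'true'
        id: init
        run: |
          terraform init -backend-config="backends/wsl.hcl" -input=false
        continue-on-error: false
      # Plan and apply are gated on the same change filter as init. Without
      # the gate, a PR touching no Terraform files skips init and then fails
      # here on the missing .terraform directory.
      - name: "Terraform Plan"
        if: steps.detect-changes.outputs.terraform == 'true'
        id: plan
        run: terraform plan -var-file tfvars/wsl.tfvars -refresh=true -input=false -lock=false -no-color
        continue-on-error: false
      # NOTE(review): -lock=false disables state locking; the workflow-level
      # `concurrency` group is what serialises applies. Re-enable locking if
      # the backend configured in backends/wsl.hcl supports it.
      - name: "Terraform Apply"
        id: apply
        if: steps.detect-changes.outputs.terraform == 'true' && steps.plan.outcome == 'success'
        run: terraform apply -var-file tfvars/wsl.tfvars -input=false -lock=false -auto-approve -no-color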