修正 #1

Workflow file for this run

	name: Terraform plan
	on:
	pull_request:
	branches:
	- main
	- mgmt
	types:
	- opened
	- synchronize

	env:
	AWS_REGION: ${{ vars.AWS_REGION }}
	SYSTEM: ${{ vars.SYSTEM }}
	DEV_AWS_ACCOUNT_ID: ${{ secrets.DEV_AWS_ACCOUNT_ID }}
	PROD_AWS_ACCOUNT_ID: ${{ secrets.PROD_AWS_ACCOUNT_ID }}
	ENVS_BASE_DIR: environments
	MODULES_BASE_DIR: modules

	permissions:
	contents: read
	id-token: write
	pull-requests: write
	actions: read

	jobs:
	setup:
	runs-on: ubuntu-latest
	outputs:
	modules_changed_dirs: ${{ steps.modules_changes.outputs.changes }}
	envs_changed_dirs: ${{ steps.filter_changed_envs_dirs.outputs.envs_changed_dirs}}
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Get changed modules dirs
	uses: dorny/paths-filter@v2
	id: modules_changes
	with:
	filters: .github/modules-path-filter.yml

	- name: Get changed envs dirs
	uses: dorny/paths-filter@v2
	id: envs_changes
	with:
	filters: .github/envs-path-filter.yml

	- name: Filter changed envs dirs
	id: filter_changed_envs_dirs
	run: \|
	dirs=${{ toJSON(steps.envs_changes.outputs.changes) }}
	if [ ${{ github.base_ref }} == 'main' ]; then
	env_type='prod'
	elif [ ${{ github.base_ref }} == 'mgmt' ]; then
	env_type='mgmt'
	else
	echo "Unsupported base_ref: ${{ github.base_ref }}" >&2
	exit 1
	fi

	env_changed_dirs=$( echo "${dirs}" \| jq '.[]' \| grep $env_type \| jq -sc )
	echo "envs_changed_dirs=${env_changed_dirs}" >> $GITHUB_OUTPUT

	modules-ci:
	needs: setup
	if: needs.setup.outputs.modules_changed_dirs != '[]'
	runs-on: ubuntu-latest
	strategy:
	fail-fast: false
	matrix:
	changed_dir: ${{ fromJson(needs.setup.outputs.modules_changed_dirs) }}
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- uses: aquaproj/[email protected]
	with:
	aqua_version: v2.28.0
	aqua_opts: ""
	env:
	AQUA_CONFIG: aqua.yaml

	- name: Set env vars for dev
	if: github.base_ref == 'mgmt'
	run: \|
	echo "ENVIRONMENT=mgmt" >> $GITHUB_ENV
	echo "AWS_ACCOUNT_ID=$DEV_AWS_ACCOUNT_ID" >> $GITHUB_ENV

	- name: Set env vars for prod
	if: github.base_ref == 'main'
	run: \|
	echo "ENVIRONMENT=prod" >> $GITHUB_ENV
	echo "AWS_ACCOUNT_ID=$PROD_AWS_ACCOUNT_ID" >> $GITHUB_ENV

	- name: Configure AWS credentials
	uses: aws-actions/configure-aws-credentials@v4
	with:
	role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/${{ env.SYSTEM }}-${{ env.ENVIRONMENT }}-githubactions
	role-session-name: ${{ env.SYSTEM }}-${{ env.ENVIRONMENT }}-github-actions-terraform-session
	aws-region: ${{ env.AWS_REGION }}

	- name: TFlint
	working-directory: ${{ env.MODULES_BASE_DIR }}/${{ matrix.changed_dir }}
	env:
	REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	tflint --config $GITHUB_WORKSPACE/.tflint.hcl --init
	tflint --config $GITHUB_WORKSPACE/.tflint.hcl --format=checkstyle \| \
	reviewdog -f=checkstyle \
	-name="tflint" \
	-reporter=github-pr-review \
	-filter-mode=nofilter \
	-fail-level=any \

	- name: Check Terraform fmt
	working-directory: ${{ env.MODULES_BASE_DIR }}/${{ matrix.changed_dir }}
	run: terraform fmt -check

	envs-ci:
	needs: setup
	if: needs.setup.outputs.envs_changed_dirs != '[]'
	runs-on: ubuntu-latest
	strategy:
	fail-fast: false
	matrix:
	changed_dir: ${{ fromJson(needs.setup.outputs.envs_changed_dirs) }}
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- uses: aquaproj/[email protected]
	with:
	aqua_version: v2.28.0
	aqua_opts: ""
	env:
	AQUA_CONFIG: aqua.yaml


	- name: Set env vars for dev
	if: github.base_ref == 'mgmt'
	run: \|
	echo "ENVIRONMENT=mgmt" >> $GITHUB_ENV
	echo "AWS_ACCOUNT_ID=$DEV_AWS_ACCOUNT_ID" >> $GITHUB_ENV

	- name: Set env vars for prod
	if: github.base_ref == 'main'
	run: \|
	echo "ENVIRONMENT=prod" >> $GITHUB_ENV
	echo "AWS_ACCOUNT_ID=$PROD_AWS_ACCOUNT_ID" >> $GITHUB_ENV

	- name: Configure AWS credentials
	uses: aws-actions/configure-aws-credentials@v4
	with:
	role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/${{ env.SYSTEM }}-${{ env.ENVIRONMENT }}-githubactions
	role-session-name: ${{ env.SYSTEM }}-${{ env.ENVIRONMENT }}-github-actions-terraform-session
	aws-region: ${{ env.AWS_REGION }}

	- name: Config Terraform plugin cache
	run: \|
	echo 'plugin_cache_dir="$HOME/.terraform.d/plugin-cache"' >~/.terraformrc
	mkdir --parents ~/.terraform.d/plugin-cache

	- name: Cache Terraform Plugins
	uses: actions/cache@v4
	with:
	path: ~/.terraform.d/plugin-cache
	key: ${{ runner.os }}-terraform-${{ hashFiles('**/.terraform.lock.hcl') }}
	restore-keys: \|
	${{ runner.os }}-terraform-

	- name: Terragrunt init
	working-directory: ${{ env.ENVS_BASE_DIR }}/${{ matrix.changed_dir }}
	run: \|
	terragrunt init --terragrunt-non-interactive

	- name: Trivy Scan
	id: trivy-scan
	uses: aquasecurity/[email protected]
	with:
	scan-type: config
	trivy-config: trivy.yaml
	format: sarif
	exit-code: 0
	output: 'trivy-table'

	- name: Trivy Reviewdog
	env:
	REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	cat trivy-table
	cat trivy-table \| \
	reviewdog --f=sarif \
	-name="Trivy" \
	-reporter=github-pr-review \
	-filter-mode=nofilter \
	-fail-level=any \
	-level=any

	# - name: Create String Output
	# if: always()
	# id: string-output
	# run: \|
	# function get_result() {
	# if [ "$1" = "success" ]; then
	# echo ':white_check_mark: Success'
	# elif [ "$1" = "failure" ]; then
	# echo ':x: Failed'
	# elif [ "$1" = "skipped" ]; then
	# echo ':fast_forward: Skipped'
	# elif [ "$1" = "cancelled" ]; then
	# echo ':no_entry: Cancelled'
	# else
	# echo ':question: Unknown'
	# fi
	# }

	# {
	# delimiter="$(openssl rand -hex 8)"
	# echo "summary<<${delimiter}"
	# echo "#### Trivy Scan :shield: $(get_result ${{ steps.trivy-scan.outcome }})"
	# echo "---"
	# } >> "$GITHUB_OUTPUT"

	# if [ "${{ steps.trivy-scan.outcome }}" = "failure" ]; then
	# {
	# echo "### Trivy Scan Result"
	# echo "<details><summary>Click to expand</summary>"
	# echo ""
	# echo '```'
	# cat trivy-table
	# echo '```'
	# echo "</details>"
	# } >> "$GITHUB_OUTPUT"
	# fi

	# echo "${delimiter}" >> "$GITHUB_OUTPUT"

	# - name: Publish Terraform CI Result to Task Summary
	# if: always()
	# env:
	# SUMMARY: ${{ steps.string-output.outputs.summary }}
	# run: \|
	# echo "$SUMMARY" >> "$GITHUB_STEP_SUMMARY"

	# - name: Push Terraform Output to PR
	# if: always()
	# uses: actions/github-script@v7
	# env:
	# SUMMARY: ${{ steps.string-output.outputs.summary }}
	# with:
	# script: \|
	# const body = `${process.env.SUMMARY}`;
	# github.rest.issues.createComment({
	# issue_number: context.issue.number,
	# owner: context.repo.owner,
	# repo: context.repo.repo,
	# body: body
	# })

	- name: Init TFLint
	run: \|
	tflint --init

	- name: TFlint
	working-directory: ${{ env.ENVS_BASE_DIR }}/${{ matrix.changed_dir }}
	env:
	REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	tflint --config $GITHUB_WORKSPACE/.tflint.hcl --format=checkstyle --recursive \| \
	reviewdog -f=checkstyle \
	-name="tflint" \
	-reporter=github-pr-review \
	-filter-mode=nofilter \
	-fail-level=any \

	- name: Check terragrunt fmt
	working-directory: ${{ env.ENVS_BASE_DIR }}/${{ matrix.changed_dir }}
	run: terragrunt fmt -check

	- name: Terragrunt validate
	working-directory: ${{ env.ENVS_BASE_DIR }}/${{ matrix.changed_dir }}
	run: terragrunt validate

	- name: Terragrunt plan
	working-directory: ${{ env.ENVS_BASE_DIR }}/${{ matrix.changed_dir }}
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	terragrunt plan --terragrunt-tfpath $GITHUB_WORKSPACE/.github/scripts/tfwrapper.sh

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

修正 #1

Workflow file

修正 #1

Jobs

Run details

Workflow file for this run