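# Static checks for the Terraform code under infra/: formatting + validation,
# Terrascan and Checkov policy scans, each run separately for the staging root
# (infra/) and for production (infra/production). Nothing here runs
# `terraform plan`/`apply`; the jobs only need to read the repository.
#
# NOTE(security): every third-party action below is referenced by a mutable
# ref (major-version tags, and tenable/terrascan-action by the `main` branch).
# A compromised or force-pushed upstream ref would run arbitrary code in this
# workflow with access to TF_CLOUD_TOKEN. Pin each `uses:` to a full commit SHA
# (keep the version as a trailing comment) and let Dependabot bump them.
name: "Terraform Checks"

on:
  push:
    branches:
      - master
      - main
      - develop
      - "deployment/**"
    paths:
      - infra/**
  pull_request:
    branches:
      - master
      - main
      - develop
      - "deployment/**"
    paths:
      - infra/**

# Least-privilege default for GITHUB_TOKEN. Without this the token gets the
# repository's default permission set, which may be read/write on all scopes.
# Jobs that need more opt in explicitly (see checkov-production).
permissions:
  contents: read

jobs:
  # fmt / init / validate against the staging root.
  # NOTE(review): TF_CLOUD_TOKEN is required only because `terraform init`
  # contacts the remote backend. If the backend/registry is not needed for
  # validation, `terraform init -backend=false` would let this job run
  # without the secret at all -- confirm against the backend configuration.
  # Secrets are not exposed to pull requests from forks, so on fork PRs the
  # init step is expected to fail.
  terraform-CI-checks-staging:
    name: "Formatting and validation Checks for Staging"
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: infra
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2
        with:
          cli_config_credentials_token: ${{ secrets.TF_CLOUD_TOKEN }}
      - name: Check code formating
        id: fmt
        run: terraform fmt -check
      - name: Initialise modules
        id: init
        run: terraform init
      - name: Validate template
        id: validate
        run: terraform validate -no-color

  # Same three checks for the production configuration.
  terraform-CI-check-production:
    name: "Formatting and validation Checks for Production"
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: infra/production
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2
        with:
          cli_config_credentials_token: ${{ secrets.TF_CLOUD_TOKEN }}
      - name: Check code formating
        id: fmt
        run: terraform fmt -check
      - name: Initialise modules
        id: init
        run: terraform init
      - name: Validate template
        id: validate
        run: terraform validate -no-color

  # Terrascan policy scan of the staging root.
  # `defaults.run.working-directory` applies only to `run` steps, so the
  # `iac_dir` passed to the action is relative to the workspace root.
  terrascan-staging:
    name: "Terrascan Staging Checks"
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: infra
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Run Terrascan on staging
        id: terrascan
        # TODO(security): `@main` is a moving target -- pin to a release tag
        # or, better, a commit SHA.
        uses: tenable/terrascan-action@main
        with:
          iac_type: "terraform"
          iac_dir: "./infra"
          # HCL flavour passed to terrascan; presumably Terraform 0.14+ syntax,
          # verify against the action's documentation before changing.
          iac_version: "v14"
          policy_type: "all"

  # Terrascan policy scan of the production configuration.
  terrascan-production:
    name: "Terrascan Production Checks"
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: infra/production
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Run Terrascan on production
        id: terrascan
        # TODO(security): pin to a release tag or commit SHA instead of `main`.
        uses: tenable/terrascan-action@main
        with:
          iac_type: "terraform"
          iac_dir: "./infra/production"
          iac_version: "v14"
          policy_type: "all"

  # Checkov scan of the staging root. A SARIF file is written but not
  # uploaded from this job; only the CLI output is used.
  checkov-staging:
    runs-on: ubuntu-latest
    name: "Checkov Staging Checks"
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Checkov GitHub Action
        uses: bridgecrewio/checkov-action@v12
        with:
          directory: infra/
          output_format: cli,sarif
          output_file_path: console,results.sarif

  # Checkov scan of production, with results uploaded to code scanning.
  checkov-production:
    runs-on: ubuntu-latest
    # A job-level `permissions` block resets every unlisted scope to none, so
    # `contents: read` must be restated here or actions/checkout loses its
    # token access; `security-events: write` is what upload-sarif needs.
    # On pull requests from forks the token is read-only and the upload step
    # will fail.
    permissions:
      contents: read
      security-events: write
    name: "Checkov Production Checks"
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Checkov GitHub Action
        uses: bridgecrewio/checkov-action@v12
        with:
          directory: infra/production/
          output_format: cli,sarif
          output_file_path: console,results.sarif
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v2
        # Findings make the Checkov step fail, and GitHub skips later steps
        # after a failure by default, so run the upload on success OR failure
        # to get the SARIF into code scanning either way. Alternatives:
        # `continue-on-error: true` on the previous step, or `soft_fail: true`
        # in the Checkov inputs.
        if: success() || failure()
        with:
          sarif_file: results.sarif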