From 929681dcf5ed502358fe9b98be021287db02253b Mon Sep 17 00:00:00 2001
From: Bertrand THOMAS
Date: Tue, 3 Feb 2026 12:56:45 +0100
Subject: [PATCH 01/15] Add reusable terraform validate workflow
---
.../workflows/reusable-terraform-validate.yml | 84 +++++++++++++++++++
1 file changed, 84 insertions(+)
create mode 100644 .github/workflows/reusable-terraform-validate.yml
diff --git a/.github/workflows/reusable-terraform-validate.yml b/.github/workflows/reusable-terraform-validate.yml
new file mode 100644
index 0000000..3b8f10e
--- /dev/null
+++ b/.github/workflows/reusable-terraform-validate.yml
@@ -0,0 +1,84 @@
+name: Reusable workflow to validate Terraform project
+
+on:
+ workflow_call:
+ inputs:
+ working-directory:
+ description: "Working directory"
+ required: false
+ type: string
+ default: "."
+
+jobs:
+ terraform-validate:
+ name: Terraform validate
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ working-directory: ${{ inputs.working-directory }}
+ steps:
+ - name: Clone repository
+ uses: actions/checkout@v6
+ - name: Cache Terraform plugins
+ uses: actions/cache@v5
+ with:
+ path: |
+ ~/.terraform.d/plugin-cache
+ key: terraform-${{ hashFiles('**/.terraform.lock.hcl') }}
+ - name: Install terraform
+ uses: hashicorp/setup-terraform@v3
+ - name: Check Terraform format
+ run: terraform fmt -recursive -check
+ - name: Terraform Init
+ run: terraform init -backend=false
+ - name: Terraform Validate
+ run: terraform validate
+ # Checkov is a static code analysis tool for infrastructure as code (IaC) and also a software composition analysis (SCA) tool for images and open source packages (ref. https://github.com/bridgecrewio/checkov)
+ - name: Run Checkov
+ uses: bridgecrewio/checkov-action@v12
+ with:
+ soft_fail: true
+ output_format: cli,sarif
+ output_file_path: console,results.sarif
+ # quiet: true
+ # directory: .
+ # framework: terraform kubernetes helm
+ # needs GitHub code security > code scanning, not available on private repos
+ # - name: Upload SARIF file
+ # uses: github/codeql-action/upload-sarif@v3
+ # if: success() || failure()
+ # with:
+ # sarif_file: results.sarif
+ - name: Upload SARIF as artifact
+ uses: actions/upload-artifact@v6
+ if: always()
+ with:
+ name: checkov-sarif-results
+ path: results.sarif
+ retention-days: 14
+ # TFLint is a pluggable terraform linter (ref.
https://github.com/terraform-linters/tflint) + - name: Cache TFLint plugins + uses: actions/cache@v5 + with: + path: ~/.tflint.d/plugins + key: tflint-${{ hashFiles('**/.tflint.hcl') }} + - name: Setup TFLint + uses: terraform-linters/setup-tflint@v6 + with: + tflint_version: v0.60.0 # ref. https://github.com/terraform-linters/tflint/pkgs/container/tflint + - name: Initialize TFLint + run: tflint --init --recursive + env: + GITHUB_TOKEN: ${{ github.token }} # ref. https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting + - name: Run TFLint + run: tflint --recursive --format compact + - name: Run Trivy IaC scan + uses: aquasecurity/trivy-action@0.33.1 + with: + scan-type: 'config' + format: 'sarif' + output: 'trivy-results.sarif' + ignore-unfixed: true + severity: 'HIGH,CRITICAL' + env: + TF_IN_AUTOMATION: true From 9de2957a06f4bfe2ed51abe242ca409123208c9e Mon Sep 17 00:00:00 2001 From: Bertrand THOMAS Date: Tue, 3 Feb 2026 13:03:34 +0100 Subject: [PATCH 02/15] Add job name input --- .github/workflows/reusable-terraform-validate.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/reusable-terraform-validate.yml b/.github/workflows/reusable-terraform-validate.yml index 3b8f10e..122eb75 100644 --- a/.github/workflows/reusable-terraform-validate.yml +++ b/.github/workflows/reusable-terraform-validate.yml @@ -3,6 +3,11 @@ name: Reusable workflow to validate Terraform project on: workflow_call: inputs: + job-name: + description: "Job name" + required: false + type: string + default: "Validate" working-directory: description: "Working directory" required: false @@ -11,7 +16,7 @@ on: jobs: terraform-validate: - name: Terraform validate + name: ${{ inputs.job-name }} runs-on: ubuntu-latest defaults: run: From e6a516eaee660fd69d1ef13eb65825258b491a4c Mon Sep 17 00:00:00 2001 
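Review bot: The `Cache Terraform plugins` step restores `~/.terraform.d/plugin-cache`, but nothing in the job sets `TF_PLUGIN_CACHE_DIR`, and Terraform only reads from or fills a plugin cache when that variable (or `plugin_cache_dir` in the CLI config) is set, so the cache stays empty and `terraform init` downloads providers on every run; add a step before init such as `run: mkdir -p ~/.terraform.d/plugin-cache && echo "TF_PLUGIN_CACHE_DIR=$HOME/.terraform.d/plugin-cache" >> "$GITHUB_ENV"`. The Trivy step writes `trivy-results.sarif` but only Checkov's `results.sarif` is uploaded, so the Trivy findings are discarded when the job ends; either list both files under the `Upload SARIF as artifact` step's `path` or drop the `output` setting. Since Checkov runs with `soft_fail: true` and the Trivy step sets no `exit-code`, findings presumably never fail the job, which makes the uploaded SARIF the only signal callers get. The workflow declares no `permissions:` block, so the job runs with whatever the caller grants; a top-level `permissions: contents: read` states what it actually needs. Every third-party action is referenced by a floating tag (`@v6`, `@v12`, `@0.33.1`); for a reusable workflow other repositories will depend on, pinning to full commit SHAs is the usual supply-chain guard.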
From: Bertrand THOMAS
Date: Tue, 3 Feb 2026 15:05:22 +0100
Subject: [PATCH 03/15] Add reusable terraform apply
---
.../workflows/reusable-terraform-apply.yml | 80 +++++++++++++++++++
1 file changed, 80 insertions(+)
create mode 100644 .github/workflows/reusable-terraform-apply.yml
diff --git a/.github/workflows/reusable-terraform-apply.yml b/.github/workflows/reusable-terraform-apply.yml
new file mode 100644
index 0000000..8a56054
--- /dev/null
+++ b/.github/workflows/reusable-terraform-apply.yml
@@ -0,0 +1,80 @@
+name: Reusable workflow to apply Terraform
+
+on:
+ workflow_call:
+ inputs:
+ environment:
+ description: "GitHub environment"
+ required: true
+ type: string
+ working-directory:
+ description: "Working directory"
+ required: true
+ type: string
+ tfbackend-project:
+ description: "Terraform backend project"
+ required: true
+ type: string
+ custom-commands:
+ description: 'Optional shell commands to run before apply'
+ required: false
+ type: string
+ default: ''
+
+jobs:
+ deploy:
+ name: Deploy
+ runs-on: ubuntu-latest
+ environment: ${{ inputs.environment }}
+ defaults:
+ run:
+ working-directory: ${{ inputs.working-directory }}
+ services:
+ tfbackend:
+ image: devprofr/terraform-backend-mongodb:latest
+ env:
+ Application__IsHttpsRedirectionEnabled: false
+ ConnectionStrings__MongoDb: ${{ secrets.TFBACKEND_CONNSTRING }}
+ MongoDb__ConnectionStringName: MongoDb
+ MongoDb__DatabaseName: ${{ secrets.TFBACKEND_DBNAME }}
+ ports:
+ - 8080:8080
+ steps:
+ - name: Clone repository
+ uses: actions/checkout@v6
+ - name: Add runner ID to MongoDB Atlas
+ uses: ./mongodb-atlas/add-runner-ip
+ with:
+ atlas_publickey: ${{ secrets.ATLAS_PUBLIC_KEY }}
+ atlas_privatekey: ${{ secrets.ATLAS_PRIVATE_KEY }}
+ atlas_groupid: ${{ secrets.ATLAS_GROUP_ID }}
+ github_runid: ${{ github.run_id }}
+ - name: Set TF variables from branch
+ run: |
+ tfbackendurl="http://localhost:8080/${{ secrets.TFBACKEND_TENANT }}/state/${{ inputs.tfbackend-project }}"
+ echo "TF_HTTP_ADDRESS=$tfbackendurl" >> "$GITHUB_ENV"
+ echo "TF_HTTP_LOCK_ADDRESS=$tfbackendurl/lock" >> "$GITHUB_ENV"
+ echo "TF_HTTP_UNLOCK_ADDRESS=$tfbackendurl/lock" >> "$GITHUB_ENV"
+ - name: Run optional custom commands
+ if: ${{ inputs.custom-commands != '' }}
+ run: |
+ ${{ inputs.custom-commands }}
+ - name: Cache Terraform plugins
+ uses: actions/cache@v5
+ with:
+ path: |
+ ~/.terraform.d/plugin-cache
+ key: terraform-${{ hashFiles('**/.terraform.lock.hcl') }}
+ - name: Install terraform
+ uses:
hashicorp/setup-terraform@v3 + - name: Terraform init + run: terraform init + - name: Terraform validate + run: terraform validate + - name: Terraform plan + run: terraform plan -out=plan.tfplan + - name: Terraform apply + run: terraform apply -auto-approve plan.tfplan + env: + TF_HTTP_USERNAME: "${{ secrets.TFBACKEND_USERNAME }}" + TF_HTTP_PASSWORD: "${{ secrets.TFBACKEND_USERPWD }}" From 6053672b0136af2fde71d5053a6a2d931c5646fe Mon Sep 17 00:00:00 2001 From: Bertrand THOMAS Date: Tue, 3 Feb 2026 16:09:47 +0100 Subject: [PATCH 04/15] Move in actions folder --- .github/workflows/reusable-terraform-apply.yml | 6 +++--- .../mongodb-atlas-add-runner-ip}/action.yml | 0 2 files changed, 3 insertions(+), 3 deletions(-) rename {mongodb-atlas/add-runner-ip => actions/mongodb-atlas-add-runner-ip}/action.yml (100%) diff --git a/.github/workflows/reusable-terraform-apply.yml b/.github/workflows/reusable-terraform-apply.yml index 8a56054..bc6d06d 100644 --- a/.github/workflows/reusable-terraform-apply.yml +++ b/.github/workflows/reusable-terraform-apply.yml @@ -16,10 +16,10 @@ on: required: true type: string custom-commands: - description: 'Optional shell commands to run before apply' + description: "Optional shell commands to run before apply" required: false type: string - default: '' + default: "" jobs: deploy: @@ -43,7 +43,7 @@ jobs: - name: Clone repository uses: actions/checkout@v6 - name: Add runner ID to MongoDB Atlas - uses: ./mongodb-atlas/add-runner-ip + uses: devpro/github-workflow-parts/actions/mongodb-atlas-add-runner-ip@feature/reuse-workflows with: atlas_publickey: ${{ secrets.ATLAS_PUBLIC_KEY }} atlas_privatekey: ${{ secrets.ATLAS_PRIVATE_KEY }} diff --git a/mongodb-atlas/add-runner-ip/action.yml b/actions/mongodb-atlas-add-runner-ip/action.yml similarity index 100% rename from mongodb-atlas/add-runner-ip/action.yml rename to actions/mongodb-atlas-add-runner-ip/action.yml From aa53d43200e53facda8ad2f1014f39c24b1224e6 Mon Sep 17 00:00:00 2001 
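Review bot: `TF_HTTP_USERNAME` and `TF_HTTP_PASSWORD` are set on the `Terraform apply` step only, while `terraform init` (run here with the backend enabled) and `terraform plan` also talk to the HTTP backend; if the backend requires credentials for reads, plan fails, and if it allows anonymous reads the job silently depends on that, so move the two variables to a job-level `env:` under `deploy:` where every Terraform invocation sees them. Patch 07 later moves the `TF_HTTP_*ADDRESS` variables onto the same apply step, which widens the same gap. The `tfbackend` service pulls `devprofr/terraform-backend-mongodb:latest`, so the component that stores the Terraform state can change under the workflow whenever that tag moves; pin a version tag or a digest (`image: devprofr/terraform-backend-mongodb@sha256:<digest>`, digest to be filled in). `${{ inputs.custom-commands }}` is expanded into the script text before bash runs it, which makes the input a block of arbitrary shell supplied by the calling workflow by design; the description should say so, e.g. `description: "Optional shell script, run as-is on the runner before terraform init"`, so callers treat it with the same care as their own steps.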
From: Bertrand THOMAS Date: Tue, 3 Feb 2026 17:09:02 +0100 Subject: [PATCH 05/15] Update apply with vars and env --- .../workflows/reusable-terraform-apply.yml | 19 ++++++++++++++----- .../add-runner-ip}/action.yml | 0 2 files changed, 14 insertions(+), 5 deletions(-) rename actions/{mongodb-atlas-add-runner-ip => mongodb-atlas/add-runner-ip}/action.yml (100%) diff --git a/.github/workflows/reusable-terraform-apply.yml b/.github/workflows/reusable-terraform-apply.yml index bc6d06d..b92b626 100644 --- a/.github/workflows/reusable-terraform-apply.yml +++ b/.github/workflows/reusable-terraform-apply.yml @@ -5,20 +5,25 @@ on: inputs: environment: description: "GitHub environment" - required: true type: string + required: true working-directory: description: "Working directory" - required: true type: string + required: true tfbackend-project: description: "Terraform backend project" - required: true type: string + required: true custom-commands: description: "Optional shell commands to run before apply" + type: string required: false + default: "" + terraform-var-flags: + description: 'Extra -var "key=value" flags (space separated)' type: string + required: false default: "" jobs: @@ -43,7 +48,7 @@ jobs: - name: Clone repository uses: actions/checkout@v6 - name: Add runner ID to MongoDB Atlas - uses: devpro/github-workflow-parts/actions/mongodb-atlas-add-runner-ip@feature/reuse-workflows + uses: devpro/github-workflow-parts/actions/mongodb-atlas/add-runner-ip@feature/reuse-workflows with: atlas_publickey: ${{ secrets.ATLAS_PUBLIC_KEY }} atlas_privatekey: ${{ secrets.ATLAS_PRIVATE_KEY }} 
@@ -74,7 +79,11 @@ jobs: - name: Terraform plan run: terraform plan -out=plan.tfplan - name: Terraform apply - run: terraform apply -auto-approve plan.tfplan + run: terraform apply -auto-approve plan.tfplan${{ inputs.terraform-var-flags }} env: + ARM_CLIENT_ID: "${{ secrets.ARM_CLIENT_ID }}" + ARM_CLIENT_SECRET: "${{ secrets.ARM_CLIENT_SECRET }}" + ARM_SUBSCRIPTION_ID: "${{ secrets.ARM_SUBSCRIPTION_ID }}" + ARM_TENANT_ID: "${{ secrets.ARM_TENANT_ID }}" TF_HTTP_USERNAME: "${{ secrets.TFBACKEND_USERNAME }}" TF_HTTP_PASSWORD: "${{ secrets.TFBACKEND_USERPWD }}" diff --git a/actions/mongodb-atlas-add-runner-ip/action.yml b/actions/mongodb-atlas/add-runner-ip/action.yml similarity index 100% rename from actions/mongodb-atlas-add-runner-ip/action.yml rename to actions/mongodb-atlas/add-runner-ip/action.yml From f0f1faab13b5be20fec12d0436ecd0b2e6e9865e Mon Sep 17 00:00:00 2001 From: Bertrand THOMAS Date: Tue, 3 Feb 2026 20:40:34 +0100 Subject: [PATCH 06/15] Use secrets --- .../workflows/reusable-terraform-apply.yml | 53 ++++++++++++++----- .../mongodb-atlas/add-runner-ip/action.yml | 13 ++--- 2 files changed, 45 insertions(+), 21 deletions(-) diff --git a/.github/workflows/reusable-terraform-apply.yml b/.github/workflows/reusable-terraform-apply.yml index b92b626..0b820d1 100644 --- a/.github/workflows/reusable-terraform-apply.yml +++ b/.github/workflows/reusable-terraform-apply.yml 
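Review bot: `terraform apply -auto-approve plan.tfplan${{ inputs.terraform-var-flags }}` passes `-var` flags together with a saved plan file, and Terraform rejects that combination ("Can't set variables when applying a saved plan"): variable values are frozen into `plan.tfplan` when the plan is created, so the flags belong on the plan line instead — `run: terraform plan -out=plan.tfplan ${{ inputs.terraform-var-flags }}` and `run: terraform apply -auto-approve plan.tfplan`. Patch 10 adds the flags to plan but keeps them on apply, and patch 11 re-enables that apply line, so the same correction applies to both of those hunks. The expression is also expanded into the shell command line, so every value in the flags is printed in the job log unless it happens to be a masked secret; values that must stay private are better supplied as `TF_VAR_<name>` environment variables than as `-var` text. The ARM_* entries added here are plain secret pass-throughs and are fine as written.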
@@ -25,6 +25,34 @@ on: type: string required: false default: "" + secrets: + atlas-publickey: + description: "Atlas public key" + required: true + atlas-privatekey: + description: "Atlas private key" + required: true + atlas-groupid: + description: "Atlas group IP" + required: true + tfbackend-connstring: + description: "Terraform backend connection string" + required: true + tfbackend-dbname: + description: "Terraform backend database name" + required: true + tfbackend-tenant: + description: "Terraform backend tenant" + required: true + tfbackend-username: + description: "Terraform backend user name" + required: true + tfbackend-userpwd: + description: "Terraform backend user password" + required: true + additional-vars: + description: "Additional variables" + required: false jobs: deploy: @@ -39,9 +67,9 @@ jobs: image: devprofr/terraform-backend-mongodb:latest env: Application__IsHttpsRedirectionEnabled: false - ConnectionStrings__MongoDb: ${{ secrets.TFBACKEND_CONNSTRING }} + ConnectionStrings__MongoDb: ${{ secrets.tfbackend-connstring }} MongoDb__ConnectionStringName: MongoDb - MongoDb__DatabaseName: ${{ secrets.TFBACKEND_DBNAME }} + MongoDb__DatabaseName: ${{ secrets.tfbackend-dbname }} ports: - 8080:8080 steps: 
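Review bot: The `atlas-groupid` secret is described as "Atlas group IP", which reads as an IP address; the composite action it feeds calls the same value "MongoDB group ID", so the line should be `description: "Atlas group (project) ID"`. `additional-vars` is documented only as "Additional variables" while the job appends it verbatim to `$GITHUB_ENV`, so the description should state the expected shape, e.g. `description: "Extra environment variables as newline-separated NAME=value lines, appended to GITHUB_ENV"`. Declaring all three Atlas secrets as `required: true` means a caller that does not use Atlas at all cannot use this workflow; if that coupling is intended it deserves a one-line comment above `secrets:`, otherwise `required: false` plus an `if:` on the Atlas step would keep the workflow reusable.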
@@ -50,16 +78,19 @@ jobs: - name: Add runner ID to MongoDB Atlas uses: devpro/github-workflow-parts/actions/mongodb-atlas/add-runner-ip@feature/reuse-workflows with: - atlas_publickey: ${{ secrets.ATLAS_PUBLIC_KEY }} - atlas_privatekey: ${{ secrets.ATLAS_PRIVATE_KEY }} - atlas_groupid: ${{ secrets.ATLAS_GROUP_ID }} - github_runid: ${{ github.run_id }} + atlas-publickey: ${{ secrets.atlas-publickey }} + atlas-privatekey: ${{ secrets.atlas-privatekey }} + atlas-groupid: ${{ secrets.atlas-groupid }} - name: Set TF variables from branch run: | - tfbackendurl="http://localhost:8080/${{ secrets.TFBACKEND_TENANT }}/state/${{ inputs.tfbackend-project }}" + tfbackendurl="http://localhost:8080/${{ secrets.tfbackend-tenant }}/state/${{ inputs.tfbackend-project }}" echo "TF_HTTP_ADDRESS=$tfbackendurl" >> "$GITHUB_ENV" echo "TF_HTTP_LOCK_ADDRESS=$tfbackendurl/lock" >> "$GITHUB_ENV" echo "TF_HTTP_UNLOCK_ADDRESS=$tfbackendurl/lock" >> "$GITHUB_ENV" + # for pair in ${{ secrets.additional-vars }}; do + # echo "$pair" >> "$GITHUB_ENV" + # done + echo "${{ secrets.additional-vars }}" >> "$GITHUB_ENV" - name: Run optional custom commands if: ${{ inputs.custom-commands != '' }} run: | @@ -81,9 +112,5 @@ jobs: - name: Terraform apply run: terraform apply -auto-approve plan.tfplan${{ inputs.terraform-var-flags }} env: - ARM_CLIENT_ID: "${{ secrets.ARM_CLIENT_ID }}" - ARM_CLIENT_SECRET: "${{ secrets.ARM_CLIENT_SECRET }}" - ARM_SUBSCRIPTION_ID: "${{ secrets.ARM_SUBSCRIPTION_ID }}" - ARM_TENANT_ID: "${{ secrets.ARM_TENANT_ID }}" - TF_HTTP_USERNAME: "${{ secrets.TFBACKEND_USERNAME }}" - TF_HTTP_PASSWORD: "${{ secrets.TFBACKEND_USERPWD }}" + TF_HTTP_USERNAME: "${{ secrets.tfbackend-username }}" + TF_HTTP_PASSWORD: "${{ secrets.tfbackend-userpwd }}" diff --git a/actions/mongodb-atlas/add-runner-ip/action.yml b/actions/mongodb-atlas/add-runner-ip/action.yml index 4b2e238..15c321f 100644 --- a/actions/mongodb-atlas/add-runner-ip/action.yml +++ b/actions/mongodb-atlas/add-runner-ip/action.yml 
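Review bot: `echo "${{ secrets.additional-vars }}" >> "$GITHUB_ENV"` splices the secret's raw text into the shell script before bash parses it, so a bundle containing a double quote, `$` or a backtick breaks the step or is evaluated by the shell instead of being written as data. Hand the value to the step through `env:` and let bash read it as a variable: add `env:` / `ADDITIONAL_VARS: ${{ secrets.additional-vars }}` to the step and use `run: printf '%s\n' "$ADDITIONAL_VARS" >> "$GITHUB_ENV"`. Patches 08 and 09 keep the interpolated form and add two more expansions of the same secret in the final script; the same replacement applies there. The commented-out `for pair in …` loop should be removed rather than left next to the line that replaced it.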
@@ -2,18 +2,15 @@ name: Add GitHub Actions runner public IP to MongoDB Atlas description: Update project IP access list (temporary) inputs: - atlas_publickey: + atlas-publickey: description: MongoDB public key required: true - atlas_privatekey: + atlas-privatekey: description: MongoDB private key required: true - atlas_groupid: + atlas-groupid: description: MongoDB group ID required: true - github_runid: - description: GitHub run ID - required: true runs: using: "composite" @@ -36,11 +33,11 @@ runs: PAYLOAD="[{\"ipAddress\": \"$RUNNER_IP\", \"comment\": \"GH Actions temp - run ${{ github.run_id }}\", \"deleteAfterDate\": \"$DELETE_AFTER\"}]" # calls Atlas API v2 to add the entry (uses digest Auth via curl) - RESPONSE=$(curl -s -w "%{http_code}" --user "${{inputs.atlas_publickey}}:${{inputs.atlas_privatekey}}" --digest \ + RESPONSE=$(curl -s -w "%{http_code}" --user "${{ inputs.atlas-publickey }}:${{ inputs.atlas-privatekey }}" --digest \ -H "Accept: application/vnd.atlas.2023-01-01+json" \ -H "Content-Type: application/json" \ --data "$PAYLOAD" \ - "https://cloud.mongodb.com/api/atlas/v2/groups/${{inputs.atlas_groupid}}/accessList") + "https://cloud.mongodb.com/api/atlas/v2/groups/${{ inputs.atlas-groupid }}/accessList") HTTP_CODE=${RESPONSE: -3} From a0a2a7388608353f57e9a56383567765d7054ea9 Mon Sep 17 00:00:00 2001 From: Bertrand THOMAS Date: Tue, 3 Feb 2026 20:44:23 +0100 Subject: [PATCH 07/15] Update variables --- .github/workflows/reusable-terraform-apply.yml | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/.github/workflows/reusable-terraform-apply.yml b/.github/workflows/reusable-terraform-apply.yml index 0b820d1..a65c647 100644 --- a/.github/workflows/reusable-terraform-apply.yml +++ b/.github/workflows/reusable-terraform-apply.yml 
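Review bot: The `curl` line expands `${{ inputs.atlas-publickey }}` and `${{ inputs.atlas-privatekey }}` into the script text, so a credential containing a double quote or `$` would break the command, and both values then sit on the curl command line. Pass them to the step through `env:` (`ATLAS_PUBLIC_KEY: ${{ inputs.atlas-publickey }}` and `ATLAS_PRIVATE_KEY: ${{ inputs.atlas-privatekey }}`) and write `--user "$ATLAS_PUBLIC_KEY:$ATLAS_PRIVATE_KEY"`, which is the form GitHub's Actions hardening guidance recommends for expression values in `run:` blocks. Dropping the `github_runid` input is fine since the step already reads `${{ github.run_id }}` from the context. The action's `description` says only "(temporary)"; since the payload sets `deleteAfterDate`, a wording such as `description: Add the runner's public IP to the project access list with an expiry (deleteAfterDate), so no cleanup step is needed` tells readers why there is no removal step. The `run:` block this hunk edits begins above the hunk.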
@@ -81,15 +81,8 @@ jobs: atlas-publickey: ${{ secrets.atlas-publickey }} atlas-privatekey: ${{ secrets.atlas-privatekey }} atlas-groupid: ${{ secrets.atlas-groupid }} - - name: Set TF variables from branch + - name: Set additional variables run: | - tfbackendurl="http://localhost:8080/${{ secrets.tfbackend-tenant }}/state/${{ inputs.tfbackend-project }}" - echo "TF_HTTP_ADDRESS=$tfbackendurl" >> "$GITHUB_ENV" - echo "TF_HTTP_LOCK_ADDRESS=$tfbackendurl/lock" >> "$GITHUB_ENV" - echo "TF_HTTP_UNLOCK_ADDRESS=$tfbackendurl/lock" >> "$GITHUB_ENV" - # for pair in ${{ secrets.additional-vars }}; do - # echo "$pair" >> "$GITHUB_ENV" - # done echo "${{ secrets.additional-vars }}" >> "$GITHUB_ENV" - name: Run optional custom commands if: ${{ inputs.custom-commands != '' }} @@ -112,5 +105,8 @@ jobs: - name: Terraform apply run: terraform apply -auto-approve plan.tfplan${{ inputs.terraform-var-flags }} env: + TF_HTTP_ADDRESS: "http://localhost:8080/${{ secrets.tfbackend-tenant }}/state/${{ inputs.tfbackend-project }}" + TF_HTTP_LOCK_ADDRESS: "http://localhost:8080/${{ secrets.tfbackend-tenant }}/state/${{ inputs.tfbackend-project }}/lock" + TF_HTTP_UNLOCK_ADDRESS: "http://localhost:8080/${{ secrets.tfbackend-tenant }}/state/${{ inputs.tfbackend-project }}/lock" TF_HTTP_USERNAME: "${{ secrets.tfbackend-username }}" TF_HTTP_PASSWORD: "${{ secrets.tfbackend-userpwd }}" From 858de826d952505d0595a27dd15a64ff54d12f43 Mon Sep 17 00:00:00 2001 From: Bertrand THOMAS Date: Tue, 3 Feb 2026 21:09:45 +0100 Subject: [PATCH 08/15] Mask secrets --- .github/workflows/reusable-terraform-apply.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/reusable-terraform-apply.yml b/.github/workflows/reusable-terraform-apply.yml index a65c647..9fd56b5 100644 --- a/.github/workflows/reusable-terraform-apply.yml +++ b/.github/workflows/reusable-terraform-apply.yml 
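Review bot: Moving `TF_HTTP_ADDRESS`, `TF_HTTP_LOCK_ADDRESS` and `TF_HTTP_UNLOCK_ADDRESS` from `$GITHUB_ENV` to the `Terraform apply` step's `env:` means `terraform init` and `terraform plan` no longer receive the backend address, on top of already lacking `TF_HTTP_USERNAME`/`TF_HTTP_PASSWORD`; unless the `backend "http"` block in the Terraform code hard-codes the address (and the backend permits unauthenticated reads), init has no backend to configure and the plan is computed against a different state than the one apply writes. Hoist the whole `env:` block to the job level (under `deploy:`, beside `defaults:`) so all three Terraform invocations target the same backend with the same credentials; job-level `env:` may reference `secrets` exactly as the step does. Placing the values on the apply step does not add any log protection, since `tfbackend-tenant` is a declared secret and is masked wherever it appears.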
@@ -83,6 +83,9 @@ jobs: atlas-groupid: ${{ secrets.atlas-groupid }} - name: Set additional variables run: | + echo "${{ secrets.additional-vars }}" | while IFS='=' read -r key val; do + echo "::add-mask::$val" + done echo "${{ secrets.additional-vars }}" >> "$GITHUB_ENV" - name: Run optional custom commands if: ${{ inputs.custom-commands != '' }} From 8d42463d41567a6cefb94510b33d26537c6775db Mon Sep 17 00:00:00 2001 From: Bertrand THOMAS Date: Tue, 3 Feb 2026 21:18:54 +0100 Subject: [PATCH 09/15] Add vars to tf plan --- .github/workflows/reusable-terraform-apply.yml | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/.github/workflows/reusable-terraform-apply.yml b/.github/workflows/reusable-terraform-apply.yml index 9fd56b5..6256913 100644 --- a/.github/workflows/reusable-terraform-apply.yml +++ b/.github/workflows/reusable-terraform-apply.yml @@ -83,10 +83,16 @@ jobs: atlas-groupid: ${{ secrets.atlas-groupid }} - name: Set additional variables run: | - echo "${{ secrets.additional-vars }}" | while IFS='=' read -r key val; do - echo "::add-mask::$val" - done - echo "${{ secrets.additional-vars }}" >> "$GITHUB_ENV" + if [[ -z "${{ secrets.additional-vars }}" ]]; then + echo "No additional-vars bundle provided - skipping." + else + echo "${{ secrets.additional-vars }}" | while IFS='=' read -r key val; do + if [[ -n "$val" ]]; then + echo "::add-mask::$val" + fi + done + echo "${{ secrets.additional-vars }}" >> "$GITHUB_ENV" + fi - name: Run optional custom commands if: ${{ inputs.custom-commands != '' }} run: | @@ -103,7 +109,7 @@ jobs: run: terraform init - name: Terraform validate run: terraform validate - - name: Terraform plan + - name: Terraform plan${{ inputs.terraform-var-flags }} run: terraform plan -out=plan.tfplan - name: Terraform apply run: terraform apply -auto-approve plan.tfplan${{ inputs.terraform-var-flags }} From 359af1dde88c6be8e9820dc12cfa6950d47f3e8c Mon Sep 17 00:00:00 2001 
From: Bertrand THOMAS Date: Tue, 3 Feb 2026 21:22:49 +0100 Subject: [PATCH 10/15] Fix typo --- .github/workflows/reusable-terraform-apply.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/reusable-terraform-apply.yml b/.github/workflows/reusable-terraform-apply.yml index 6256913..849ecd4 100644 --- a/.github/workflows/reusable-terraform-apply.yml +++ b/.github/workflows/reusable-terraform-apply.yml @@ -109,10 +109,10 @@ jobs: run: terraform init - name: Terraform validate run: terraform validate - - name: Terraform plan${{ inputs.terraform-var-flags }} - run: terraform plan -out=plan.tfplan - - name: Terraform apply - run: terraform apply -auto-approve plan.tfplan${{ inputs.terraform-var-flags }} + - name: Terraform plan + run: terraform plan -out=plan.tfplan ${{ inputs.terraform-var-flags }} + # - name: Terraform apply + # run: terraform apply -auto-approve plan.tfplan ${{ inputs.terraform-var-flags }} env: TF_HTTP_ADDRESS: "http://localhost:8080/${{ secrets.tfbackend-tenant }}/state/${{ inputs.tfbackend-project }}" TF_HTTP_LOCK_ADDRESS: "http://localhost:8080/${{ secrets.tfbackend-tenant }}/state/${{ inputs.tfbackend-project }}/lock" From ad50b2a921572118c54f3b2f22a7ea2b553f99c0 Mon Sep 17 00:00:00 2001 From: Bertrand THOMAS Date: Tue, 3 Feb 2026 22:07:28 +0100 Subject: [PATCH 11/15] Enable terraform apply --- .github/workflows/reusable-terraform-apply.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/reusable-terraform-apply.yml b/.github/workflows/reusable-terraform-apply.yml index 849ecd4..28bc8bd 100644 --- a/.github/workflows/reusable-terraform-apply.yml +++ b/.github/workflows/reusable-terraform-apply.yml 
@@ -111,8 +111,8 @@ jobs: run: terraform validate - name: Terraform plan run: terraform plan -out=plan.tfplan ${{ inputs.terraform-var-flags }} - # - name: Terraform apply - # run: terraform apply -auto-approve plan.tfplan ${{ inputs.terraform-var-flags }} + - name: Terraform apply + run: terraform apply -auto-approve plan.tfplan ${{ inputs.terraform-var-flags }} env: TF_HTTP_ADDRESS: "http://localhost:8080/${{ secrets.tfbackend-tenant }}/state/${{ inputs.tfbackend-project }}" TF_HTTP_LOCK_ADDRESS: "http://localhost:8080/${{ secrets.tfbackend-tenant }}/state/${{ inputs.tfbackend-project }}/lock" From c9595c1f1493f02a2284b20ca85a611370f16290 Mon Sep 17 00:00:00 2001 From: Bertrand THOMAS Date: Tue, 3 Feb 2026 22:11:46 +0100 Subject: [PATCH 12/15] Format --- .github/workflows/ci.yml | 2 +- .github/workflows/reusable-terraform-validate.yml | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4ecc0a4..e204047 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -21,7 +21,7 @@ jobs: - name: Lints Markdown files uses: DavidAnson/markdownlint-cli2-action@v20 with: - globs: '**/*.md' + globs: "**/*.md" - name: Set up Python ${{ env.python_version }} uses: actions/setup-python@v5 with: diff --git a/.github/workflows/reusable-terraform-validate.yml b/.github/workflows/reusable-terraform-validate.yml index 122eb75..fcddeec 100644 --- a/.github/workflows/reusable-terraform-validate.yml +++ b/.github/workflows/reusable-terraform-validate.yml 
@@ -70,20 +70,20 @@ jobs: - name: Setup TFLint uses: terraform-linters/setup-tflint@v6 with: - tflint_version: v0.60.0 # ref. https://github.com/terraform-linters/tflint/pkgs/container/tflint + tflint_version: v0.60.0 # ref. https://github.com/terraform-linters/tflint/pkgs/container/tflint - name: Initialize TFLint run: tflint --init --recursive env: - GITHUB_TOKEN: ${{ github.token }} # ref. https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting + GITHUB_TOKEN: ${{ github.token }} # ref. https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting - name: Run TFLint run: tflint --recursive --format compact - name: Run Trivy IaC scan uses: aquasecurity/trivy-action@0.33.1 with: - scan-type: 'config' - format: 'sarif' - output: 'trivy-results.sarif' + scan-type: "config" + format: "sarif" + output: "trivy-results.sarif" ignore-unfixed: true - severity: 'HIGH,CRITICAL' + severity: "HIGH,CRITICAL" env: TF_IN_AUTOMATION: true From dd6a71bac20ef33e3499d573df1bc8f8176fbdef Mon Sep 17 00:00:00 2001 From: Bertrand THOMAS Date: Tue, 3 Feb 2026 22:15:48 +0100 Subject: [PATCH 13/15] Set part version --- .github/workflows/reusable-terraform-apply.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/reusable-terraform-apply.yml b/.github/workflows/reusable-terraform-apply.yml index 28bc8bd..ccd8b3b 100644 --- a/.github/workflows/reusable-terraform-apply.yml +++ b/.github/workflows/reusable-terraform-apply.yml @@ -25,6 +25,11 @@ on: type: string required: false default: "" + workflow-parts-version: + description: "GitHub workflow parts version" + type: string + required: false + default: "main" secrets: atlas-publickey: description: "Atlas public key" 
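Review bot: `workflow-parts-version` defaults to `"main"`, a mutable branch, and it selects the revision of the composite action that receives the Atlas API keys; a caller that accepts the default executes whatever `main` holds at run time, which is the exposure that pinning actions to a commit SHA exists to avoid. Either default to a release tag and say that production callers should pass a full commit SHA, or drop the default and mark the input `required: true` so the choice is explicit, e.g. `description: "Revision of devpro/github-workflow-parts to use (pin to a tag or full commit SHA in production)"`. The validate-workflow hunk in the same patch is pure reformatting and needs nothing.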
@@ -76,7 +81,7 @@ jobs: - name: Clone repository uses: actions/checkout@v6 - name: Add runner ID to MongoDB Atlas - uses: devpro/github-workflow-parts/actions/mongodb-atlas/add-runner-ip@feature/reuse-workflows + uses: devpro/github-workflow-parts/actions/mongodb-atlas/add-runner-ip@${{ inputs.workflow-parts-version }} with: atlas-publickey: ${{ secrets.atlas-publickey }} atlas-privatekey: ${{ secrets.atlas-privatekey }} From ca54704a1e5cbe327f7b1ea7dde62fa2dc3061c9 Mon Sep 17 00:00:00 2001 From: Bertrand THOMAS Date: Tue, 3 Feb 2026 22:22:05 +0100 Subject: [PATCH 14/15] Update --- .github/workflows/reusable-terraform-apply.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-terraform-apply.yml b/.github/workflows/reusable-terraform-apply.yml index ccd8b3b..60684ad 100644 --- a/.github/workflows/reusable-terraform-apply.yml +++ b/.github/workflows/reusable-terraform-apply.yml @@ -26,7 +26,7 @@ on: required: false default: "" workflow-parts-version: - description: "GitHub workflow parts version" + description: "GitHub workflow parts version (branch/tag/SHA)" type: string required: false default: "main" From 8735f381c4f3ca4ed608f3c07b9b5ac2aae5cf64 Mon Sep 17 00:00:00 2001 From: Bertrand THOMAS Date: Tue, 3 Feb 2026 22:37:56 +0100 Subject: [PATCH 15/15] Fix issue with uses --- .github/workflows/reusable-terraform-apply.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/reusable-terraform-apply.yml b/.github/workflows/reusable-terraform-apply.yml index 60684ad..e579be0 100644 --- a/.github/workflows/reusable-terraform-apply.yml +++ b/.github/workflows/reusable-terraform-apply.yml 
@@ -80,8 +80,15 @@ jobs: steps: - name: Clone repository uses: actions/checkout@v6 + - name: Checkout workflow parts + uses: actions/checkout@v6 + with: + repository: devpro/github-workflow-parts + ref: ${{ inputs.workflow-parts-version }} + path: workflow-parts - name: Add runner ID to MongoDB Atlas - uses: devpro/github-workflow-parts/actions/mongodb-atlas/add-runner-ip@${{ inputs.workflow-parts-version }} + # uses: devpro/github-workflow-parts/actions/mongodb-atlas/add-runner-ip@... cannot be used with an input parameter in it (must be static) so checkout is mandatory + uses: ./workflow-parts/actions/mongodb-atlas/add-runner-ip with: atlas-publickey: ${{ secrets.atlas-publickey }} atlas-privatekey: ${{ secrets.atlas-privatekey }}
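Review bot: The `Checkout workflow parts` step keeps checkout's default `persist-credentials: true`, which writes the caller's `GITHUB_TOKEN` into `workflow-parts/.git/config` for the rest of the job even though that tree is only read from disk; add `persist-credentials: false` under its `with:`. Since no `token:` is passed, the `devpro/github-workflow-parts` repository is presumably readable with the default token, so no credential is needed for the fetch either. With `ref: ${{ inputs.workflow-parts-version }}` the composite action run here is whatever that ref resolves to, so the concern about the input's mutable `"main"` default applies to this step as well. The explanatory comment is useful; it reads better placed above `- name: Add runner ID to MongoDB Atlas` than between the step's `name:` and `uses:` keys.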