GH-Actions flows for applying terraform
- Fork this repo
- Create a new Azure Entra Application (app registration) with a federated credential for your repo: issuer https://token.actions.githubusercontent.com, subject matching the branch or environment the workflow runs from. No client secret is created or stored; the workflow exchanges its GitHub OIDC token for an Entra token at run time.
- Create the following GH Actions secrets:
  - azure_client_id: the Application (client) ID of the Entra Application.
  - azure_tenant_id: the Directory (tenant) ID of the Entra Application.
  - azure_subscription_id: the Subscription ID of the Azure Subscription.
- Give the Entra Application you created a role assignment on the Azure Subscription you are going to deploy into (Contributor is the usual choice; scope it no wider than the Terraform configuration needs).
- Create a storage account and a blob container for the Terraform state, and update the backend configuration in ./terraform/main.tf with the storage account name and container name.
- Give the Entra Application the Storage Blob Data Contributor role and the Storage Account Key Operator Service Role on that storage account. The key operator role is only needed when the backend authenticates to blob storage with the account key; with use_azuread_auth = true in the backend block, Storage Blob Data Contributor alone is sufficient.
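The setup steps above, scripted with the Azure CLI and the GitHub CLI. This is an added example, not part of this repository: GITHUB_REPO, APP_NAME, BRANCH, LOCATION, RG_NAME, STORAGE_ACCOUNT and CONTAINER are placeholders you override with environment variables, and the Azure/GitHub calls only run when the script is invoked with the argument run. The federated credential's subject is what ties the exchanged token to your fork: a workflow running from any other branch, tag, environment or pull request gets no token.

```shell
#!/usr/bin/env sh
# Added example (not part of this repo): az / gh commands for the README setup steps.
# Every value below is a placeholder; override via environment variables.
GITHUB_REPO="${GITHUB_REPO:-your-org/your-fork}"     # owner/name of your fork
APP_NAME="${APP_NAME:-gh-actions-terraform}"
BRANCH="${BRANCH:-main}"                             # branch the workflow runs from
LOCATION="${LOCATION:-westeurope}"
RG_NAME="${RG_NAME:-rg-tfstate}"
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-sttfstate0001}"  # must be globally unique
CONTAINER="${CONTAINER:-tfstate}"

# GitHub's OIDC issuer and the audience Entra expects on the token it exchanges.
OIDC_ISSUER="https://token.actions.githubusercontent.com"
OIDC_AUDIENCE="api://AzureADTokenExchange"

# Subject claim the federated credential must match. Entra compares it exactly,
# so only workflows on this repo *and* this branch can obtain a token.
fed_subject() {
  # $1 = owner/repo, $2 = branch
  printf 'repo:%s:ref:refs/heads/%s' "$1" "$2"
}

# JSON body for `az ad app federated-credential create --parameters`.
fed_credential_json() {
  # $1 = credential name, $2 = subject claim
  printf '{"name":"%s","issuer":"%s","subject":"%s","audiences":["%s"]}' \
    "$1" "$OIDC_ISSUER" "$2" "$OIDC_AUDIENCE"
}

setup_all() {
  set -eu
  SUBSCRIPTION_ID="$(az account show --query id -o tsv)"
  TENANT_ID="$(az account show --query tenantId -o tsv)"

  # 1. App registration plus service principal: the identity the workflow assumes.
  APP_ID="$(az ad app create --display-name "$APP_NAME" --query appId -o tsv)"
  az ad sp create --id "$APP_ID" >/dev/null
  SP_OBJECT_ID="$(az ad sp show --id "$APP_ID" --query id -o tsv)"

  # 2. Federated credential for this repo/branch; nothing secret is stored anywhere.
  az ad app federated-credential create --id "$APP_ID" \
    --parameters "$(fed_credential_json "github-${BRANCH}" "$(fed_subject "$GITHUB_REPO" "$BRANCH")")"

  # 3. Subscription-level role so Terraform can manage resources. Passing the
  #    object id plus principal type avoids the lookup that fails while the new
  #    principal is still replicating.
  az role assignment create --assignee-object-id "$SP_OBJECT_ID" \
    --assignee-principal-type ServicePrincipal \
    --role "Contributor" --scope "/subscriptions/$SUBSCRIPTION_ID"

  # 4. State storage account and container (no public blob access, TLS 1.2+).
  az group create --name "$RG_NAME" --location "$LOCATION" >/dev/null
  STORAGE_ID="$(az storage account create --name "$STORAGE_ACCOUNT" \
    --resource-group "$RG_NAME" --location "$LOCATION" \
    --sku Standard_LRS --kind StorageV2 \
    --allow-blob-public-access false --min-tls-version TLS1_2 --query id -o tsv)"
  az storage container create --name "$CONTAINER" --account-name "$STORAGE_ACCOUNT" >/dev/null

  # 5. Data-plane roles scoped to the storage account only, not the subscription.
  for role in "Storage Blob Data Contributor" "Storage Account Key Operator Service Role"; do
    az role assignment create --assignee-object-id "$SP_OBJECT_ID" \
      --assignee-principal-type ServicePrincipal --role "$role" --scope "$STORAGE_ID"
  done

  # 6. GH Actions secrets named as the README expects (needs `gh auth login`).
  gh secret set azure_client_id       --repo "$GITHUB_REPO" --body "$APP_ID"
  gh secret set azure_tenant_id       --repo "$GITHUB_REPO" --body "$TENANT_ID"
  gh secret set azure_subscription_id --repo "$GITHUB_REPO" --body "$SUBSCRIPTION_ID"
}

# Only perform the Azure/GitHub calls when asked explicitly:
#   GITHUB_REPO=owner/fork ./setup-oidc.sh run
if [ "${1:-}" = "run" ]; then
  setup_all
fi
```

Run it once per fork from a shell where az and gh are already logged in. If the workflow should also run from an environment or from pull requests, add a second federated credential with the matching subject (repo:owner/name:environment:NAME or repo:owner/name:pull_request) rather than widening the first one.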
❗ The pre-commit hooks only run on staged files.
To set up the pre-commit hooks for the Terraform files, run the following commands:
brew install pre-commit
pre-commit install
To uninstall the pre-commit hooks, run:
pre-commit uninstall
The Terraform state is stored in an Azure Storage Account, configured in the backend block of ./terraform/main.tf.
To run the Conftest policies locally, first install the conftest binary. The easiest way is brew:
brew install conftest
See the Conftest installation instructions for other options. Then run (Conftest looks for policies in ./policy by default):
conftest test unit-tests/example-terraform-plan.json
Conftest also runs as part of the GH Actions workflow. The policy files are located in the policy folder and are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/). The tests run against the Terraform plan exported as JSON (terraform show -json of a saved plan), not against the .tf sources.
When passing a policy path explicitly, e.g.
conftest test --policy somefolder/* unit-tests/example-terraform-plan.json
every file in that folder must be a .rego file.
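Producing the plan JSON that Conftest reads and running the policy folder against it locally, as an added example that is not part of this repository. It assumes the layout named in this README (./terraform for the configuration, ./policy for the Rego rules, ./unit-tests for fixtures), an Azure login that lets terraform init reach the state backend, and writes to a file name of my choosing, unit-tests/plan.json, so the committed example plan is not overwritten. Nothing runs unless the script is invoked with the argument run.

```shell
#!/usr/bin/env sh
# Added example (not part of this repo): export a Terraform plan as JSON and
# run Conftest on it locally, the same two steps the workflow performs.

# Conftest's --policy path must contain only .rego files (see above); check
# first so a stray README.md or .json in the folder gives a clear error.
policy_dir_ok() {
  # $1 = directory; succeeds when it exists, is non-empty and holds only *.rego
  [ -d "$1" ] || return 1
  for f in "$1"/*; do
    [ -e "$f" ] || return 1      # glob did not match: directory is empty
    case "$f" in
      *.rego) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

plan_to_json() {
  # $1 = terraform working directory, $2 = output path for the plan JSON.
  # Conftest cannot read the binary plan; `terraform show -json` is the
  # supported conversion. Requires Azure credentials for the azurerm backend.
  out="$(cd "$(dirname "$2")" && pwd)/$(basename "$2")"
  (
    cd "$1" &&
    terraform init -input=false >/dev/null &&
    terraform plan -input=false -out=tfplan.binary >/dev/null &&
    terraform show -json tfplan.binary > "$out" &&
    rm -f tfplan.binary
  )
}

run_conftest() {
  # $1 = policy directory, $2 = plan JSON produced by plan_to_json
  if ! policy_dir_ok "$1"; then
    echo "policy directory '$1' must exist and contain only .rego files" >&2
    return 1
  fi
  # Rules in packages other than `main` are ignored unless --all-namespaces
  # (or --namespace) is given; without it Conftest reports 0 tests and exits 0.
  conftest test --all-namespaces --policy "$1" "$2"
}

# Only touch Terraform and Conftest when asked explicitly: ./conftest-local.sh run
if [ "${1:-}" = "run" ]; then
  plan_to_json terraform unit-tests/plan.json
  run_conftest policy unit-tests/plan.json
fi
```

The exported plan JSON contains every planned attribute value, including any sensitive inputs Terraform knows about, so treat the file like state: keep it out of git and out of workflow artifacts unless it has been reviewed.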