feat: add a terraform template

a3c492e6 · Andrew Newdigate · bb49f82d · a3c492e6 · a3c492e6 · a3c492e6
Unverified Commit a3c492e6 authored 2 years ago by Andrew Newdigate
--- a/README.md
+++ b/README.md
@@ -37,7 +37,7 @@ include:
  # common to all projects using this template library.
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/README.md#templatesstandardyml
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v1.17.0 # renovate:managed
+    ref: v1.18.0 # renovate:managed
    file: templates/standard.yml
 ```
  
@@ -69,10 +69,44 @@ include:
  # Runs golang standard tests, including tests, goreleaser, golangci-lint and go-mod-tidy
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/README.md#templatesgolangyml
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v1.17.0 # renovate:managed
+    ref: v1.18.0 # renovate:managed
    file: templates/golang.yml
 ```
  
+### [`templates/terraform.yml`](./templates/terraform.yml)
+
+This template should be used for Terraform projects. It performs standard validity checks against the Terraform files in the project.
+
+Ensure that the project has a valid [`.tflint.hcl`](https://github.com/terraform-linters/tflint/blob/v0.34.1/docs/user-guide/config.md) file in the root directory.
+
+Includes the following tasks:
+
+1. [`terraform-format.yml`](#terraform-format): runs [`terraform fmt`](https://www.terraform.io/cli/commands/fmt) to ensure that all Terraform files are correctly formatted.
+1. [`terraform-validate.yml`](#terraform-validate): runs [`terraform validate`](https://www.terraform.io/cli/commands/validate) to ensure that all Terraform files are valid.
+1. [`tflint.yml`](#tflint): runs [`tflint`](https://github.com/terraform-linters/tflint) across all directories that contain `*.tf` files.
+
+
+```yaml
+# Requires validate stage
+stages:
+  - validate
+
+# Better to define these through .gitlab-ci-asdf-versions.yml
+variables:
+  GL_ASDF_TERRAFORM_VERSION: ...
+  GL_ASDF_TFLINT_VERSION: ...
+
+include:
+  - local: .gitlab-ci-asdf-versions.yml
+  # Runs Terraform validations, including tflint, terraform validate and terraform formatting checks
+  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/README.md#templatesterraformyml
+  - project: 'gitlab-com/gl-infra/common-ci-tasks'
+    ref: v1.18.0 # renovate:managed
+    file: templates/terraform.yml
+```
+
+
+
 ## CI Jobs
  
 Alternatively to using the templates above, you can include the following individual jobs.
@@ -89,7 +123,7 @@ stages:
  
 include:
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v1.17.0 # renovate:managed
+    ref: v1.18.0 # renovate:managed
    file: 'gitlab-scanners.yml'
 ```
  
@@ -105,7 +139,7 @@ stages:
  
 include:
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v1.17.0 # renovate:managed
+    ref: v1.18.0 # renovate:managed
    file: 'golangci-lint.yml'
 ```
  
@@ -122,7 +156,7 @@ stages:
  
 include:
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v1.17.0 # renovate:managed
+    ref: v1.18.0 # renovate:managed
    file: 'editorconfig-check.yml'
 ```
  
@@ -163,7 +197,7 @@ stages:
  
 include:
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v1.17.0 # renovate:managed
+    ref: v1.18.0 # renovate:managed
    file: 'semantic-release.yml'
 ```
  
@@ -245,7 +279,7 @@ variables:
 include:
  # build binary release artifacts with goreleaser
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v1.17.0 # renovate:managed
+    ref: v1.18.0 # renovate:managed
    file: goreleaser.yml
 ```
  
@@ -274,7 +308,7 @@ include:
  # and that ASDF is generally working
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/README.md#asdf-tool-versions
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v1.17.0 # renovate:managed
+    ref: v1.18.0 # renovate:managed
    file: asdf-tool-versions.yml
 ```
  
@@ -308,7 +342,7 @@ include:
  
  # Runs tflint on all terraform module directories
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v1.17.0 # renovate:managed
+    ref: v1.18.0 # renovate:managed
    file: tflint.yml
 ```
  
@@ -332,13 +366,13 @@ include:
  
  # Ensures that all terraform files are correctly formatted
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v1.17.0 # renovate:managed
+    ref: v1.18.0 # renovate:managed
    file: terraform-format.yml
 ```
  
 ### [`terraform-validate`](./terraform-validate.yml)
  
-Runs [`terraform validate`](https://www.terraform.io/cli/commands/validate) to ensure that all Terraform files are correctly formatted.
+Runs [`terraform validate`](https://www.terraform.io/cli/commands/validate) to ensure that all Terraform files are valid.
  
 1. Ensure that the `GL_ASDF_TERRAFORM_VERSION` version for terraform is configured.
 1. Supports the `COMMON_TASK_VALIDATIONS_EXCLUDES_REGEXP` variable, for excluding paths from validation.
@@ -359,7 +393,7 @@ include:
  
  # Ensures that all terraform files are syntactically valid
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v1.17.0 # renovate:managed
+    ref: v1.18.0 # renovate:managed
    file: terraform-validate.yml
 ```
  
@@ -394,7 +428,7 @@ include:
  # Upgrades dependencies on a schedule
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/README.md#renovate-bot
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v1.17.0 # renovate:managed
+    ref: v1.18.0 # renovate:managed
    file: renovate-bot.yml
 ```
  
@@ -419,7 +453,7 @@ include:
  # Runs Go unit tests
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/README.md#go-unittests
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v1.17.0 # renovate:managed
+    ref: v1.18.0 # renovate:managed
    file: go-unittests.yml
 ```
  
@@ -444,7 +478,7 @@ include:
  # Perform `go mod tidy` and ensure that go.mod and go.sum are tidy.
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/README.md#go-mod-tidy
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v1.17.0 # renovate:managed
+    ref: v1.18.0 # renovate:managed
    file: go-mod-tidy.yml
 ```
  
@@ -472,7 +506,7 @@ include:
  # Ensure that all shell-scripts are formatted according to a
  # standard canonical format
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v1.17.0 # renovate:managed
+    ref: v1.18.0 # renovate:managed
    file: shfmt.yml
 ```
  
@@ -503,6 +537,6 @@ include:
  # Ensure that all shell-scripts are formatted according to a
  # standard canonical format
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v1.17.0 # renovate:managed
+    ref: v1.18.0 # renovate:managed
    file: shellcheck.yml
 ```
--- a/gitlab-scanners.yml
+++ b/gitlab-scanners.yml
@@ -3,7 +3,6 @@ include:
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Dependency-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml
-  - template: Security/SAST-IaC.latest.gitlab-ci.yml
  
 sast:
  stage: validate
@@ -21,8 +20,3 @@ dependency_scanning:
 license_scanning:
  stage: validate
  needs: []
-
-# https://docs.gitlab.com/ee/user/application_security/iac_scanning/#configure-iac-scanning-manually
-iac-sast:
-  stage: validate
-  needs: []
--- a/templates/terraform.yml
+++ b/templates/terraform.yml
+include:
+  - local: .gitlab-ci-default-asdf-versions.yml
+  - template: Security/SAST-IaC.latest.gitlab-ci.yml
+  # Keep the following items in alphabetical order
+  - local: terraform-format.yml
+  - local: terraform-validate.yml
+  - local: tflint.yml
+
+# Overrides for the SAST-IaC template
+# https://docs.gitlab.com/ee/user/application_security/iac_scanning/#configure-iac-scanning-manually
+iac-sast:
+  stage: validate
+  needs: []