.github/workflows/bootstrap.yml

name: Bootstrap setup

on:
  workflow_dispatch:
    inputs:
      apply_plan:
        description: "Apply plan?"
        required: false
        default: "no"
  push:
    paths:
      - bootstrap/**

env:
  TF_LOG: ${{ secrets.TF_LOG}}
  TF_VAR_billing_account_id: ${{ secrets.BILLING_ACCOUNT_ID }}
  TF_VAR_seed_sa_email: ${{ secrets.SEED_SA_EMAIL_ADDRESS }}
  TF_VAR_github_admin_token: ${{ secrets.ADMIN_GITHUB_TOKEN }}
  TF_VAR_project_postfix: ${{ secrets.GCP_PROJECT_POSTFIX }}
  TF_IN_AUTOMATION: true
  TF_INPUT: false
  GITHUB_TOKEN: ${{ secrets.ADMIN_GITHUB_TOKEN }}
  GH_TOKEN: ${{ secrets.ADMIN_GITHUB_TOKEN }}
  CLOUDSDK_CORE_PROJECT: ${{ secrets.GCP_PROJECT_ID }}

permissions:
  id-token: write

defaults:
  run:
    working-directory: ./bootstrap

jobs:
  security-scan:
    runs-on: ubuntu-20.04

    steps:
      - uses: actions/checkout@v4
      - name: Security scan
        uses: aquasecurity/trivy-action@0.29.0
        with:
          scan-type: config
          trivy-config: trivy.yaml
          ignore-unfixed: false

  compliance-scan:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Run Checkov action
        id: checkov
        uses: bridgecrewio/checkov-action@v12.2926.0

  lint:
    runs-on: ubuntu-20.04

    steps:
      - uses: actions/checkout@v4
      - uses: terraform-linters/setup-tflint@v4
        name: Setting up TFLint
        with:
          tflint_version: v0.29.0
      - name: Initializing TFLint
        run: tflint --init
      - name: Linting
        run: tflint -f compact --disable-rule=terraform_module_pinned_source

  qa:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Authenticating
        uses: google-github-actions/auth@v2.1.7
        with:
          workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.SEED_SA_EMAIL_ADDRESS }}
      - name: Setting up GCP environment
        uses: google-github-actions/setup-gcloud@v2.1.2
      - run: gcloud projects list
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
      - name: Terraform Init
        run: terraform init -backend-config="bucket=${{ secrets.TERRAFORM_STATE_BUCKET }}"
      - name: Terraform Format
        run: terraform fmt -check -recursive
      - name: Terraform Validate
        run: terraform validate -no-color

  plan:
    needs:
      - security-scan
      - compliance-scan
      - lint
      - qa

    runs-on: ubuntu-20.04

    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Authenticating
        uses: google-github-actions/auth@v2.1.7
        with:
          workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.SEED_SA_EMAIL_ADDRESS }}
      - name: Setting up GCP environment
        uses: google-github-actions/setup-gcloud@v2.1.2
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
      - name: Init
        run: terraform init -backend-config="bucket=${{ secrets.TERRAFORM_STATE_BUCKET }}"
      - name: Terraform Plan
        run: terraform plan -no-color -out=tfplan
      - name: Show Terraform Plan as Summary
        run: |
          {
            echo "### Terraform Plan Output";
            echo "\`\`\`";
            terraform show -no-color tfplan;
            echo "\`\`\`";
          }  > "${GITHUB_STEP_SUMMARY}"

  apply:
    if: ${{ github.event.inputs.apply_plan == 'yes' }}
    needs: plan

    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Authenticating
        uses: google-github-actions/auth@v2.1.7
        with:
          workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.SEED_SA_EMAIL_ADDRESS }}
      - name: Setting up GCP environment
        uses: google-github-actions/setup-gcloud@v2.1.2
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
      - name: Init
        run: terraform init -backend-config="bucket=${{ secrets.TERRAFORM_STATE_BUCKET }}"
      - name: Apply
        run: terraform apply -auto-approve
      - name: Show Terraform Output as Summary
        run: |
          {
            echo "### Terraform Output";
            echo "\`\`\`";
            terraform output;
            echo "\`\`\`";
          }  > "${GITHUB_STEP_SUMMARY}"