Reusable GitHub workflow for validating a Terraform configuration repository.
You must set `permissions` explicitly in order to grant the required `id-token: write` permission, which is off by default.
```yaml
permissions:
  id-token: write
  contents: read
  pull-requests: write
name: Terraform
uses: nrkno/github-workflow-terraform-config/.github/workflows/[email protected]
with:
  # inputs
secrets:
  # secrets
```
- `terraform-job-enabled` (boolean, default `true`) - Enable the Terraform checks.
- `terraform-version` (string, default `"latest"`) - Version of Terraform to use.
- `working-directory` (string, default `"."`) - Working directory for all workflow operations, unless documented otherwise.
- `terraform-ignore-files` (string, default `""`) - Comma-separated list of file paths to remove before running Terraform operations. Paths are relative to the `working-directory` argument.
- `status-comment-enabled` (boolean, default `true`) - Post a status comment in the pull request issue after checks have completed.
- `status-comment-message` (string, default `""`) - A custom message to append to the status comment.
- `runs-on` (string, default `"nrk-azure-intern"`) - Defines the type of machine to run the jobs on.
- `trivy-job-enabled` (boolean, default `true`) - Scan the repository for IaC vulnerabilities using Trivy.
- `trivy-ignore-unfixed` (boolean, default `true`) - Ignore vulnerabilities that do not have a known fix.
- `trivy-sbom-enabled` (boolean, default `false`) - Generate a Software Bill of Materials (SBOM) report.
- `trivy-severity` (string, default `"MEDIUM,HIGH,CRITICAL"`) - Comma-separated list of severity levels that should trigger errors.
- `trivy-ignore-files` (string, default `""`) - Comma-separated list of paths to `.trivyignore` files. Paths are relative to the `working-directory` argument.
- `trivy-error-is-success` (boolean, default `false`) - Internal: Return successfully only if Trivy finds vulnerabilities.
- `terraform-docs-job-enabled` (boolean, default `true`) - Automatically update Terraform documentation. See https://github.com/terraform-docs/gh-actions#configuration
- `terraform-docs-config-file` (string, default `".terraform-docs.yaml"`) - Path to a terraform-docs configuration file.
- `terraform-docs-output-file` (string, default `"README.md"`) - Path to the file in which to update the documentation.
- `terraform-docs-output-method` (string, default `"inject"`) - Method to use for injecting the documentation.
- `terraform-docs-git-commit-message` (string, default `"docs: terraform-docs automated update"`) - Message for the documentation commit.
- `terraform-docs-git-push` (boolean, default `true`) - Automatically push the commit to the pull request branch.
- `terraform-docs-fail-on-diff` (boolean, default `true`) - Internal: Fail if there are changes in the documentation.
- `terraform-docs-recursive` (boolean, default `false`) - Generate documentation recursively for all modules in the working directory.
- `workflow-ref` (string, default `""`) - Internal: Specify the Git ref to use when the workflow is checking out its own repository. Pass an empty string for auto-detection.
registries
The workflow definition resides in .github/workflows/workflow.yaml.
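A complete caller workflow that wires the inputs above together, added here as an illustration rather than taken from the nrkno repository. The `on:` trigger, the `<ref>` placeholder, the Terraform version, the `infra` directory, the `override.tf` path and the `REGISTRIES` repository secret are all assumptions; the documented permissions and input names are the page's own.

```yaml
# .github/workflows/terraform.yaml in the calling repository (added example)
name: Terraform

on:
  pull_request:   # assumed trigger; the status comment is posted on the PR

# Set explicitly: the workflow token has no id-token permission by default.
permissions:
  id-token: write      # OIDC token used by the Terraform job for cloud auth
  contents: read       # checkout only
  pull-requests: write # needed for status-comment-enabled

jobs:
  terraform:
    name: Terraform
    # <ref> is a placeholder; pin to the tag or commit SHA you have reviewed.
    uses: nrkno/github-workflow-terraform-config/.github/workflows/workflow.yaml@<ref>
    with:
      terraform-version: "1.6.0"          # assumed; page default is "latest"
      working-directory: "infra"          # assumed repository layout
      terraform-ignore-files: "override.tf"  # relative to working-directory
      # Trivy: stricter than the defaults. Only HIGH/CRITICAL fail the job,
      # but findings without a known fix are still reported.
      trivy-severity: "HIGH,CRITICAL"
      trivy-ignore-unfixed: false
      trivy-sbom-enabled: true
      # terraform-docs: document every module under infra/, not just the root.
      terraform-docs-recursive: true
      terraform-docs-output-file: "README.md"
      status-comment-message: "Terraform checks for infra/"
    secrets:
      # Pass only the documented secret input, not `secrets: inherit`.
      # REGISTRIES is an assumed repository secret name.
      registries: ${{ secrets.REGISTRIES }}
```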