.github/workflows/ci.yml

name: ci

on: [push]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  azure:
    strategy:
      matrix:
        module:
          - blob-storage
          - container-app
          - container-registry
          - database/postgres
          - observability/alerts
          - observability/monitors
          - virtual-network
      fail-fast: false
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: opentofu/setup-opentofu@v1

      - name: init
        run: |
          cd azure
          cd ${{ matrix.module }}
          tofu init
      - name: validate
        run: |
          cd azure
          cd ${{ matrix.module }}
          tofu validate
      - name: fmt -check
        run: |
          cd azure
          cd ${{ matrix.module }}
          tofu fmt -check

  aws:
    strategy:
      matrix:
        module:
          - autoscaling/ecs
          - aws-transfer
          - aws-transfer/iam-role
          - certificate
          - cloudtrail/cloudtrail-protection-scp
          - cloudtrail/log-ingestor
          - cloudtrail/log-producer
          - cloudwatch
          - cloudwatch-kinesis
          - cloudwatch-snowflake
          - circleci-token-rotator
          - cognito
          - ecr
          - ecs
          - ecs-deploy/service
          - ecs-deploy/cluster
          - ecs-task
          - elasticache
          - github-backup
          - global-accelerator
          - http-proxy
          - iam/iam-for-deploy-bot
          - iam/iam-for-guest-humans
          - iam/iam-for-humans
          - iam/iam-policy-for-cross-account-access/destination-account
          - iam/iam-policy-for-cross-account-access/origin-account
          - iam/iam-policy-for-ecs/core
          - iam/iam-policy-for-ecs/taggable-resources
          - iam/iam-policy-for-s3
          - iam/iam-policy-for-secrets
          - iam/iam-policy-for-taggable-resources
          - iam/iam-xray
          - kms-key
          - kms-key-replica
          - lambda
          - multi-stack/app
          - multi-stack/setup
          - nat
          - rds
          - s3
          - s3-private
          - s3-public
          - s3-shared
          - secrets
          - slack/chatbot
          - slack/ecr-scanner-notifier
          - slack/ecs-deployment-failure
          - slack/sentry
          - slack/sns
          - stack/app
          - stack/global
          - stack/region
          - stack/setup
          - vpc
          - vpc-peering
          - vpn
          - xray
        aws-version: ["~> 5.0"]
      fail-fast: false
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set AWS Provider Version
        run: |
          cd aws
          cd ${{ matrix.module }}
          FILE=versions.tf
          if test -f "$FILE"; then
            sed -i '/aws = {/,/}/ s/version = "[^"]*/version = "${{ matrix.aws-version }}/' $FILE

            echo "$FILE exists."
          else
            cat > $FILE <<EOF
          terraform {
            required_providers {
              aws = {
                source  = "hashicorp/aws"
                version = "${{ matrix.aws-version }}"
              }
            }
            required_version = ">= 1.0"
          }
          EOF
          fi

          cat $FILE

      - name: init
        run: |
          cd aws
          cd ${{ matrix.module }}
          terraform init

      - name: validate
        run: |
          cd aws
          cd ${{ matrix.module }}
          # the stack/app module must have a provider block because the sub-module "vpc-peering" requires a non-standard "provider
          # see: https://github.com/hashicorp/terraform/issues/28490
          if [[ "${{ matrix.module }}" == "stack/app" ]]; then echo "provider \"aws\" { alias = \"peer\" }" >> vpc-peering.tf; fi
          if [[ "${{ matrix.module }}" == "stack/global" ]]; then echo "provider \"aws\" { alias = \"us-east-1\" }" >> versions.tf; fi
          if [[ "${{ matrix.module }}" == "vpc-peering" ]]; then echo "provider \"aws\" { alias = \"peer\" }" >> main.tf; fi
          terraform validate

      - name: fmt -check
        run: |
          cd aws
          cd ${{ matrix.module }}
          terraform fmt -check

  misc:
    strategy:
      matrix:
        module:
          - cloudflare
          - fivetran
          - fivetran/connectors/google_analytics
          - fivetran/connectors/lambda
          - script/database-roles
          - snowflake/cloud
      fail-fast: false
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: init
        run: |
          cd ${{ matrix.module }}
          terraform init

      - name: validate
        run: |
          cd ${{ matrix.module }}
          terraform validate

      - name: fmt -check
        run: |
          cd ${{ matrix.module }}
          terraform fmt -check

  security:
    name: Trivy Security Scan
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'config'
          hide-progress: true
          format: 'sarif'
          output: 'trivy-results.sarif'
          exit-code: '0'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'