feat: (IAC-1065) Add Hadolint, ShellCheck and TFLint Checks via GitHub Actions (#183)

Author: jarpat

.github/workflows/linter-analysis.yaml

@@ -0,0 +1,67 @@
+name: Linter Analysis
+on:
+  push:
+    branches: [ '*' ] # '*' will cause the workflow to run on all commits to all branches.
+
+jobs:
+  # Hadolint: Job-1
+  Hadolint:
+    name: Hadolint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v3
+
+      - name: Run Hadolint Action
+        uses: jbergstroem/[email protected]
+        with:
+          dockerfile: ./Dockerfile
+          config_file: linting-configs/.hadolint.yaml
+          error_level: 1 # Fail CI based on hadolint output (-1: never, 0: error, 1: warning, 2: info)
+
+  # ShellCheck: Job-2
+  ShellCheck:
+    name: ShellCheck
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v3
+
+      - name: Run ShellCheck Action
+        uses: ludeeus/action-shellcheck@master
+        with:
+          severity: error
+
+  # TFLint: Job-3
+  TFLint:
+    name: TFLint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v3
+
+      - name: Cache Plugin Directory
+        uses: actions/cache@v3
+        with:
+          path: ~/.tflint.d/plugins
+          key: ubuntu-latest-tflint-${{ hashFiles('.tflint.hcl') }}
+
+      - name: Setup TFLint
+        uses: terraform-linters/[email protected]
+        with:
+          tflint_version: latest
+          github_token: ${{ secrets.LINTER_TOKEN }}
+
+      - name: Initializing viya4-iac-gcp
+        run: terraform init
+
+        # Necessary so we can recursively tflint our modules folder
+        # not needed for regular project use.
+      - name: Initializing viya4-iac-gcp/modules/google_vm
+        run: terraform -chdir=modules/google_vm init
+
+      - name: Initializing TFLint
+        run: TFLINT_LOG=info tflint --init -c "$(pwd)/linting-configs/.tflint.hcl"
+
+      - name: Run TFLint Action
+        run: TFLINT_LOG=info tflint -c "$(pwd)/linting-configs/.tflint.hcl" --recursive

Dockerfile

@@ -15,7 +15,9 @@ COPY --from=terraform /bin/terraform /bin/terraform
 COPY . .
 
 RUN apt-get update && apt-get upgrade -y \
-  && apt-get install -y jq \
+  && apt-get install --no-install-recommends -y jq \
+  && apt-get clean \
+  && rm -rf /var/lib/apt/lists/* \
   && curl -sLO https://storage.googleapis.com/kubernetes-release/release/v$KUBECTL_VERSION/bin/linux/amd64/kubectl \
   && chmod 755 ./kubectl /viya4-iac-gcp/docker-entrypoint.sh \
   && mv ./kubectl /usr/local/bin/kubectl \

docker-entrypoint.sh

@@ -9,4 +9,4 @@ set -e
 echo "viya4-iac-gcp:*:$(id -u):$(id -g):,,,:/viya4-iac-gcp:/bin/bash" >> /etc/passwd
 echo "viya4-iac-gcp:*:$(id -G | cut -d' ' -f 2)" >> /etc/group
 
-exec /bin/terraform $@
+exec /bin/terraform "$@"

linting-configs/.hadolint.yaml

@@ -0,0 +1,3 @@
+ignored:
+  # Specify version with apt-get install -y <package>=<version> : https://github.com/hadolint/hadolint/wiki/DL3008
+  - DL3008

linting-configs/.shellcheckrc

@@ -0,0 +1,5 @@
+# Review 'man shellcheck' section 'RC FILES' for instructions on adding directives.
+
+# Allow using `which` since it gives full paths and is common enough
+# https://github.com/koalaman/shellcheck/wiki/SC2230
+disable=SC2230

linting-configs/.tflint.hcl

@@ -0,0 +1,33 @@
+# For more information on configuring TFlint; see https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/config.md
+
+# For more information on plugins see https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md
+
+# For more information on TFlint Ruleset for Terraform; see https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.3.0/docs/rules/README.md
+
+# For more information on TFlint Ruleset for GCP, see https://github.com/terraform-linters/tflint-ruleset-google/blob/master/README.md
+
+config {
+  # Enables module inspection.
+  module = true
+}
+
+plugin "google" {
+  enabled = true
+  version = "0.23.1"
+  source  = "github.com/terraform-linters/tflint-ruleset-google"
+}
+
+plugin "terraform" {
+  enabled = true
+  preset  = "recommended"
+}
+
+# We specify the versions and providers in the top level versions.tf.
+# This stops it from throwing a warning when scanning our modules
+# in viya4-iac-gcp/modules/
+rule "terraform_required_version" {
+  enabled = false
+}
+rule "terraform_required_providers" {
+  enabled = false
+}

locals.tf

@@ -12,8 +12,7 @@ locals {
   is_region  = var.location != "" ? var.location == regex("^[a-z0-9]*-[a-z0-9]*", var.location) : false
   first_zone = length(data.google_compute_zones.available.names) > 0 ? data.google_compute_zones.available.names[0] : ""
   # all_zones  = length(data.google_compute_zones.available.names) > 0 ? join(",", [for item in data.google_compute_zones.available.names : format("%s", item)]) : ""
-  zone     = (var.location != "" ? (local.is_region ? local.first_zone : var.location) : (data.google_client_config.current.zone == "" ? local.first_zone : data.google_client_config.current.zone))
-  location = var.location != "" ? var.location : local.zone
+  zone = (var.location != "" ? (local.is_region ? local.first_zone : var.location) : (data.google_client_config.current.zone == "" ? local.first_zone : data.google_client_config.current.zone))
 
   # CIDRs/Network
   default_public_access_cidrs          = var.default_public_access_cidrs == null ? [] : var.default_public_access_cidrs
@@ -38,11 +37,6 @@ locals {
     NoExecute        = "NO_EXECUTE"
   }
 
-  # kube config
-  service_account_name        = "${var.prefix}-cluster-admin-sa"
-  cluster_role_binding_name   = "${var.prefix}-cluster-admin-crb"
-  service_account_secret_name = "${var.prefix}-sa-secret"
-
   node_pools_and_accelerator_taints = {
     for node_pool, settings in var.node_pools : node_pool => {
       accelerator_count  = settings.accelerator_count
@@ -55,7 +49,7 @@ locals {
       vm_type            = settings.vm_type
       node_taints        = settings.accelerator_count > 0 ? concat(settings.node_taints, ["nvidia.com/gpu=present:NoSchedule"]) : settings.node_taints
       initial_node_count = max(local.initial_node_count, settings.min_nodes)
-      node_locations     = var.nodepools_locations	!= "" && var.nodepools_locations != null ? var.nodepools_locations : local.zone
+      node_locations     = var.nodepools_locations != "" && var.nodepools_locations != null ? var.nodepools_locations : local.zone
     }
   }
 
@@ -71,7 +65,7 @@ locals {
       "accelerator_count"  = 0
       "accelerator_type"   = ""
       "initial_node_count" = var.default_nodepool_min_nodes
-      "node_locations"     = var.default_nodepool_locations	!= "" && var.default_nodepool_locations != null ? var.default_nodepool_locations : local.zone
+      "node_locations"     = var.default_nodepool_locations != "" && var.default_nodepool_locations != null ? var.default_nodepool_locations : local.zone
     }
   })
 
@@ -87,7 +81,7 @@ locals {
   gke_subnet_cidr  = length(var.subnet_names) == 0 ? var.gke_subnet_cidr : module.vpc.subnets["gke"].ip_cidr_range
   misc_subnet_cidr = length(var.subnet_names) == 0 ? var.misc_subnet_cidr : module.vpc.subnets["misc"].ip_cidr_range
 
-  gke_pod_range_index = length(var.subnet_names) == 0 ? index(module.vpc.subnets["gke"].secondary_ip_range.*.range_name, local.subnet_names["gke_pods_range_name"]) : 0
+  gke_pod_range_index = length(var.subnet_names) == 0 ? index(module.vpc.subnets["gke"].secondary_ip_range[*].range_name, local.subnet_names["gke_pods_range_name"]) : 0
   gke_pod_subnet_cidr = length(var.subnet_names) == 0 ? var.gke_pod_subnet_cidr : module.vpc.subnets["gke"].secondary_ip_range[local.gke_pod_range_index].ip_cidr_range
 
   filestore_size_in_gb = (
@@ -110,8 +104,8 @@ locals {
       ssl_enforcement_enabled : local.postgres_servers[k].ssl_enforcement_enabled,
       connection_name : module.postgresql[k].instance_connection_name,
       server_public_ip : length(local.postgres_public_access_cidrs) > 0 ? module.postgresql[k].public_ip_address : null,
-      server_cert : module.postgresql[k].instance_server_ca_cert.0.cert,
-      service_account : module.sql_proxy_sa.0.service_account.email,
+      server_cert : module.postgresql[k].instance_server_ca_cert[0].cert,
+      service_account : module.sql_proxy_sa[0].service_account.email,
       internal : false,
     }
   } : {}

main.tf

@@ -51,13 +51,13 @@ resource "kubernetes_config_map" "sas_iac_buildinfo" {
   }
 
   data = {
-    git-hash    = lookup(data.external.git_hash.0.result, "git-hash")
+    git-hash    = lookup(data.external.git_hash[0].result, "git-hash")
     iac-tooling = var.iac_tooling
     terraform   = <<EOT
-version: ${lookup(data.external.iac_tooling_version.0.result, "terraform_version")}
-revision: ${lookup(data.external.iac_tooling_version.0.result, "terraform_revision")}
-provider-selections: ${lookup(data.external.iac_tooling_version.0.result, "provider_selections")}
-outdated: ${lookup(data.external.iac_tooling_version.0.result, "terraform_outdated")}
+version: ${lookup(data.external.iac_tooling_version[0].result, "terraform_version")}
+revision: ${lookup(data.external.iac_tooling_version[0].result, "terraform_revision")}
+provider-selections: ${lookup(data.external.iac_tooling_version[0].result, "provider_selections")}
+outdated: ${lookup(data.external.iac_tooling_version[0].result, "terraform_outdated")}
 EOT
   }
 
@@ -121,7 +121,7 @@ module "gke" {
 
   grant_registry_access = var.enable_registry_access
 
-  monitoring_service = var.create_gke_monitoring_service ? var.gke_monitoring_service : "none"
+  monitoring_service            = var.create_gke_monitoring_service ? var.gke_monitoring_service : "none"
   monitoring_enabled_components = var.create_gke_monitoring_service ? var.gke_monitoring_enabled_components : []
 
   monitoring_enable_managed_prometheus = var.enable_managed_prometheus
@@ -261,7 +261,7 @@ module "postgresql" {
   user_deletion_policy     = "ABANDON"
   database_deletion_policy = "ABANDON"
   database_version         = "POSTGRES_${each.value.server_version}"
-  database_flags           = values(zipmap(concat(local.base_database_flags.*.name, each.value.database_flags.*.name), concat(local.base_database_flags, each.value.database_flags)))
+  database_flags           = values(zipmap(concat(local.base_database_flags[*].name, each.value.database_flags[*].name), concat(local.base_database_flags, each.value.database_flags)))
 
   backup_configuration = {
     enabled                        = each.value.backups_enabled

modules/google_vm/outputs.tf

@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 
 output "private_ip" {
-  value = google_compute_instance.google_vm.network_interface.0.network_ip
+  value = google_compute_instance.google_vm.network_interface[0].network_ip
 }
 
 output "public_ip" {

modules/google_vm/variables.tf

@@ -2,27 +2,34 @@
 # SPDX-License-Identifier: Apache-2.0
 
 variable "name" {
-  type = string
+  description = "Name of the VM to be created"
+  type        = string
 }
 
 variable "project" {
-  type = string
+  description = "The GCP Project to create the VM resources in"
+  type        = string
 }
 
 variable "region" {
-  type = string
+  description = "The region to create the VM in"
+  type        = string
 }
 
 variable "zone" {
-  type = string
+  description = "The zone to create the VM resources in"
+  type        = string
 }
 
 variable "subnet" {
-  type = string
+  description = "The subnetwork to configure VM network interface with"
+  type        = string
 }
 
 variable "create_public_ip" {
-  default = false
+  description = "Toggle the creation of a public IP associated with the VM"
+  type        = bool
+  default     = false
 }
 
 variable "tags" {
@@ -32,41 +39,51 @@ variable "tags" {
 }
 
 variable "machine_type" {
-  default = "n2-standard-4"
+  description = "Machine type of the VM to be created"
+  type        = string
+  default     = "n2-standard-4"
 }
 
 variable "user_data" {
-  default = ""
-}
-
-variable "user_data_type" {
-  default = "" # "cloud-config" "startup-script"
+  description = "Script to be run on the VM during provision time"
+  type        = string
+  default     = ""
 }
 
 variable "vm_admin" {
   description = "Login account for VM"
+  type        = string
   default     = "googleuser"
 }
 
 variable "ssh_public_key" {
   description = "Path to ssh public key"
+  type        = string
   default     = null
 }
 
 variable "os_image" {
-  default = "ubuntu-os-cloud/ubuntu-2004-lts" # FAMILY/PROJECT glcoud compute images list
+  description = "OS Image to configure the VM with"
+  type        = string
+  default     = "ubuntu-os-cloud/ubuntu-2004-lts" # FAMILY/PROJECT glcoud compute images list
 }
 
 
 variable "data_disk_count" {
-  default = 0
+  description = "Number of compute disks to associated with the VM"
+  type        = number
+  default     = 0
 }
 
 variable "data_disk_size" {
-  default = 128
+  description = "Size of the compute disks associated with the VM"
+  type        = number
+  default     = 128
 }
 
 variable "data_disk_type" {
-  default = "pd-ssd"
+  description = "Type of compute disk to associate with the VM"
+  type        = string
+  default     = "pd-ssd"
 }