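# Reusable workflow — Terraform plan (runs automatically on PRs, posts the plan as a PR comment)
# Usage:
#   jobs:
#     plan:
#       uses: <ORG>/<REPO>/.github/workflows/terraform-plan.yml@main   # prefer a release tag or commit SHA over @main
#       with:
#         working-directory: terraform/environments/prod
#         tf-version: "1.9.0"
#       secrets:
#         AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}   # pass only what is needed; `secrets: inherit` hands over every caller secret
#       permissions:
#         contents: read
#         id-token: write     # required for AWS OIDC
#         pull-requests: write
#
# Prerequisites:
#   - AWS_ROLE_ARN secret (assumed via OIDC). Scope the role's trust policy to this repository
#     (and ideally to the branch / environment) through the token's `sub` claim.
#   - S3 backend bucket + DynamoDB lock table already provisioned
#   - .terraform.lock.hcl committed, so provider versions and hashes are pinned in CI
#
# Security notes:
#   - `terraform plan` evaluates providers and data sources, i.e. it can execute code controlled by
#     the PR while holding the assumed role's credentials. Do not call this workflow from
#     `pull_request_target` with a checkout of the PR head, and require approval for fork runs.
#   - The plan output is posted to the PR. Terraform redacts values marked `sensitive`, but any other
#     value that appears in the plan becomes visible to everyone who can read the PR.

name: Terraform Plan

on:
  workflow_call:
    inputs:
      working-directory:
        description: Directory containing the Terraform root module (relative to the repository root)
        required: true
        type: string
      tf-version:
        description: Terraform version to install
        required: false
        type: string
        default: "1.9.0"
      aws-region:
        description: AWS region for the OIDC session and the backend
        required: false
        type: string
        default: us-east-1

# Least privilege; these are additionally capped by the caller's permissions block.
permissions:
  contents: read
  id-token: write        # mint the OIDC token that is exchanged for AWS credentials
  pull-requests: write   # post the plan comment

jobs:
  plan:
    runs-on: ubuntu-latest
    defaults:
      run:
        # Applies to `run` steps only; `uses` steps get the path passed explicitly.
        working-directory: ${{ inputs.working-directory }}

    steps:
      # TODO(review): pin third-party actions to a full commit SHA instead of a mutable tag,
      # so that a moved tag cannot change what runs with the cloud credentials below.
      - name: Checkout
        uses: actions/checkout@v4

      - name: Configure AWS credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: ${{ inputs.aws-region }}
          # Recorded in CloudTrail; lets an incident responder map API calls back to a workflow run.
          role-session-name: terraform-plan-${{ github.run_id }}

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ inputs.tf-version }}
          # Plan output is captured with `tee` below; the wrapper's stdout/exitcode outputs are not used.
          terraform_wrapper: false

      - name: terraform fmt
        id: fmt
        run: terraform fmt -check -recursive
        continue-on-error: true   # formatting is reported in the PR comment, it does not block the plan

      - name: terraform init
        id: init
        # -lockfile=readonly: fail instead of silently rewriting .terraform.lock.hcl, so the
        # provider versions/hashes reviewed in the repository are exactly the ones CI uses.
        run: terraform init -input=false -lockfile=readonly

      - name: terraform validate
        id: validate
        run: terraform validate -no-color

      - name: Setup tflint
        uses: terraform-linters/setup-tflint@v4
        with:
          tflint_version: v0.50.0

      - name: tflint
        env:
          # `tflint --init` fetches plugins from GitHub; an authenticated request avoids rate limiting.
          GITHUB_TOKEN: ${{ github.token }}
        run: |
          tflint --init
          tflint --format compact

      - name: tfsec (security scan)
        # NOTE(review): tfsec is in maintenance mode upstream (its checks continue in Trivy);
        # plan a migration so the ruleset keeps receiving updates.
        uses: aquasecurity/tfsec-action@v1
        with:
          working_directory: ${{ inputs.working-directory }}
          soft_fail: false   # findings fail the job

      - name: terraform plan
        id: plan
        # The default shell is `bash -eo pipefail`, which would abort this script on a non-zero
        # terraform exit before the exit code is recorded; handle the status explicitly instead.
        # -detailed-exitcode: 0 = no changes, 2 = changes pending, anything else = error.
        # `tfplan` stores every input value in plaintext (sensitive ones included) — never upload it
        # as an artifact.
        run: |
          set +e
          terraform plan -no-color -input=false -detailed-exitcode -out=tfplan 2>&1 | tee plan-output.txt
          code=${PIPESTATUS[0]}
          echo "exitcode=${code}" >> "$GITHUB_OUTPUT"
          case "$code" in
            0|2) exit 0 ;;
            *)   exit 1 ;;
          esac
        continue-on-error: true   # let the PR comment report a failed plan; the final step fails the job

      - name: Comment plan on PR
        if: github.event_name == 'pull_request'
        uses: actions/github-script@v7
        env:
          # Everything the script needs is passed through env and read via process.env.
          # Interpolating ${{ }} straight into the JavaScript would let a quote or backtick in
          # these values inject code into the script.
          WORKING_DIRECTORY: ${{ inputs.working-directory }}
          FMT_OUTCOME: ${{ steps.fmt.outcome }}
          INIT_OUTCOME: ${{ steps.init.outcome }}
          VALIDATE_OUTCOME: ${{ steps.validate.outcome }}
          PLAN_OUTCOME: ${{ steps.plan.outcome }}
          PLAN_EXITCODE: ${{ steps.plan.outputs.exitcode }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const fs = require('fs');
            const path = require('path');
            const env = process.env;

            const plan = fs.readFileSync(path.join(env.WORKING_DIRECTORY, 'plan-output.txt'), 'utf8');
            // GitHub rejects comment bodies over 65536 characters; keep headroom for the header below.
            const LIMIT = 60000;
            const truncated = plan.length > LIMIT ? plan.substring(0, LIMIT) + '\n... (truncated)' : plan;

            // Translate -detailed-exitcode into a readable status.
            const planStatus = { '0': 'success (no changes)', '2': 'success (changes pending)' }[env.PLAN_EXITCODE]
              || `${env.PLAN_OUTCOME} (exit code ${env.PLAN_EXITCODE})`;

            const body = `### 📋 Terraform Plan — \`${env.WORKING_DIRECTORY}\`

            * **fmt:**      \`${env.FMT_OUTCOME}\`
            * **init:**     \`${env.INIT_OUTCOME}\`
            * **validate:** \`${env.VALIDATE_OUTCOME}\`
            * **plan:**     \`${planStatus}\`

            <details><summary>📜 Plan output</summary>

            \`\`\`hcl
            ${truncated}
            \`\`\`

            </details>

            *Triggered by @${context.actor} on commit ${context.sha}*
            `;

            // Await so that an API failure surfaces as a failed step instead of an unhandled rejection.
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body,
            });

      - name: Plan exit code
        # Only 0 (no changes) and 2 (changes pending) are acceptable plan results.
        if: steps.plan.outputs.exitcode != '0' && steps.plan.outputs.exitcode != '2'
        env:
          PLAN_EXITCODE: ${{ steps.plan.outputs.exitcode }}
        run: |
          echo "::error::terraform plan failed (exit code ${PLAN_EXITCODE})"
          exit 1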
