ci: lint, validate and security scan all Terraform files

.github/workflows/test.yml

@@ -0,0 +1,68 @@
+name: "Test"
+
+on:
+  pull_request:
+    paths:
+      - "**/*.tf"
+      - "**/*.tfvars"
+      - ".github/workflows/test.yml"
+  workflow_dispatch:
+
+jobs:
+  terraform-test:
+    name: Test Terraform
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.25'
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "~1.8.0"
+
+      - name: Install TFLint
+        uses: terraform-linters/setup-tflint@v4
+        with:
+          tflint_version: latest
+
+      - name: Install Trivy
+        run: |
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+
+      - name: Run all tests
+        run: make test
+
+
+      - name: Summary
+        if: always()
+        run: |
+          echo "## Terraform Lint Summary" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Modules Checked" >> $GITHUB_STEP_SUMMARY
+          modules=$(find . -name "*.tf" -type f | xargs dirname | sort -u)
+          echo "The following Terraform modules were validated:" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          for module in $modules; do
+            echo "- \`$module\`" >> $GITHUB_STEP_SUMMARY
+          done
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Checks Performed" >> $GITHUB_STEP_SUMMARY
+          echo "- ✅ Terraform Format Check" >> $GITHUB_STEP_SUMMARY
+          echo "- ✅ Terraform Validation" >> $GITHUB_STEP_SUMMARY
+          echo "- ✅ TFLint Analysis" >> $GITHUB_STEP_SUMMARY
+          echo "- ✅ Security Scan (Trivy)" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Local Development" >> $GITHUB_STEP_SUMMARY
+          echo "Run the same checks locally with:" >> $GITHUB_STEP_SUMMARY
+          echo '```bash' >> $GITHUB_STEP_SUMMARY
+          echo "make test          # Run all tests" >> $GITHUB_STEP_SUMMARY
+          echo "make format        # Auto-format files" >> $GITHUB_STEP_SUMMARY
+          echo "make scan          # Run security scan" >> $GITHUB_STEP_SUMMARY
+          echo '```' >> $GITHUB_STEP_SUMMARY

.gitignore

@@ -11,6 +11,9 @@
 # Output of the go coverage tool, specifically when used with LiteIDE
 *.out
 
+.terraform/
+.terraform.lock.hcl
+
 # Dependency directories (remove the comment below to include it)
 # vendor/
 

.tflint.hcl

@@ -0,0 +1,64 @@
+config {
+  # Set minimum Terraform version to support provider functions
+  terraform_version = "~> 1.8.0"
+}
+
+plugin "terraform" {
+  enabled = true
+  preset  = "recommended"
+  version = "0.9.1"
+  source  = "github.com/terraform-linters/tflint-ruleset-terraform"
+}
+
+plugin "google" {
+  enabled = true
+}
+
+rule "terraform_comment_syntax" {
+  enabled = true
+}
+
+rule "terraform_deprecated_index" {
+  enabled = true
+}
+
+rule "terraform_deprecated_interpolation" {
+  enabled = false  # Disable to allow provider function syntax
+}
+
+rule "terraform_documented_outputs" {
+  enabled = true
+}
+
+rule "terraform_documented_variables" {
+  enabled = true
+}
+
+rule "terraform_naming_convention" {
+  enabled = true
+  format  = "snake_case"
+}
+
+rule "terraform_required_providers" {
+  enabled = true
+}
+
+rule "terraform_required_version" {
+  enabled = true
+}
+
+rule "terraform_standard_module_structure" {
+  enabled = true
+}
+
+rule "terraform_typed_variables" {
+  enabled = true
+}
+
+rule "terraform_unused_declarations" {
+  enabled = true
+}
+
+rule "terraform_unused_required_providers" {
+  enabled = true
+}

.trivyignore

@@ -0,0 +1,12 @@
+# Trivy ignore file for Suga GCP Plugins
+# https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/
+
+# Example: Ignore specific checks that may not apply to plugin modules
+# AVD-GCP-0011  # Uncomment to ignore specific GCP checks
+# AVD-GCP-0001  # Uncomment to ignore public access warnings if intentional
+
+# Ignore directories
+.git/
+.terraform/
+node_modules/
+security-reports/

DEVELOPERS.md

@@ -0,0 +1,16 @@
+# Developer Guide
+
+## Prerequisites
+
+- [Terraform](https://www.terraform.io/downloads) >= 1.5.0
+- [Docker](https://www.docker.com/get-started) (for tflint and trivy)
+
+## Usage
+
+```bash
+make format    # Format all Terraform files
+make test      # Run all tests (format-check, validate, lint, scan)
+make clean     # Clean up temp files
+```
+
+Tools run in Docker containers - no local installation needed.

Makefile

@@ -0,0 +1,47 @@
+.PHONY: help format lint clean
+.DEFAULT_GOAL := help
+
+## TODO: include MEDIUM severity in security scanning.
+TRIVY_SEVERITY := HIGH,CRITICAL
+
+help: ## Show available commands
+	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "  %-10s %s\n", $$1, $$2}'
+
+trivy-severity: ## Output the Trivy severity levels for use in scripts
+	@echo $(TRIVY_SEVERITY)
+
+format: ## Format all Terraform files
+	@find . -name "*.tf" -type f | xargs dirname | sort -u | xargs -I {} terraform fmt {}
+
+format-check: ## Check formatting of all Terraform files
+	@echo "Checking format..."
+	@find . -name "*.tf" -type f | xargs dirname | sort -u | while read dir; do \
+		terraform fmt -check=true -diff=true "$$dir" || exit 1; \
+	done
+
+validate: ## Validate all Terraform files
+	@echo "Validating..."
+	@find . -name "*.tf" -type f | xargs dirname | sort -u | while read dir; do \
+		echo "  $$dir"; \
+		cd "$$dir" && terraform init -backend=false -get=true -upgrade=false >/dev/null && terraform validate && cd - >/dev/null || exit 1; \
+	done
+
+lint: ## Lint using tflint
+	@echo "Running tflint..."
+	@find . -name "*.tf" -type f | xargs dirname | sort -u | while read dir; do \
+		echo "  $$dir"; \
+		docker run --rm -v "$$(pwd)/$$dir:/data" -t ghcr.io/terraform-linters/tflint --format=compact --minimum-failure-severity=error; \
+	done
+
+scan: ## Run security scan using Trivy
+	@echo "Running security scan..."
+	@docker run --rm -v "$$(pwd):/work" -w /work ghcr.io/aquasecurity/trivy:latest config . --format=table --quiet --exit-code 1 --severity $(TRIVY_SEVERITY)
+
+test: format-check validate lint scan ## Run all tests: format-check, validate, lint, and scan
+	@echo "All tests passed!"
+
+clean: ## Clean up .terraform directories and temp files
+	@find . -type d -name ".terraform" -exec rm -rf {} + 2>/dev/null || true
+	@find . -name "*.tfplan" -delete 2>/dev/null || true
+	@find . -name "*.tfstate*" -delete 2>/dev/null || true
+	@find . -name ".terraform.lock.hcl" -delete 2>/dev/null || true