Integrate gitStream with Terraform
Terraform Examples:
Review Terraform Changes
title: Automation - Automatically assign infrastructure team for Terraform changes
description: Require specific reviewers for Terraform module changes
category: [quality, terraform]
quickstart: false
Require Reviewers for Terraform changes
Automatically assign the org/infrastructure team to review changes when a PR contains Terraform file changes.
Configuration Description
Conditions (all must be true):
- The PR contains changes to one or more Terraform configuration files.
Automation Actions:
- Require a review from the org/infrastructure team.
Review Terraform Changes
```yaml
# -*- mode: yaml -*-
manifest:
  version: 1.0

automations:
  review_terraform:
    # Triggered for any changes to Terraform files
    if:
      - {{ files | match(regex=r/.*\.tf.*/) | some }}
    # Assign infrastructure team as reviewer for change in Terraform files
    run:
      - action: require-reviewers@v1
        args:
          reviewers: [org/infrastructure]
      - action: add-comment@v1
        args:
          comment: |
            This PR affects Terraform configurations and requires a review from the Infra team.
```
Enforce Requirements for New Terraform Modules
title: Automation - Review Terraform Module Directory
description: Enforce directory structure conventions for new Terraform module
category: [quality, terraform]
quickstart: false
Review New Terraform Modules
Request changes if a PR creates a new Terraform module that does not conform to the required directory structure.
Configuration Description
Conditions (all must be true):
- The PR creates a new Terraform module: a new sub-directory is created inside the /modules directory.
- The PR lacks one or more required components from the list in the terraform custom expression.
Automation Actions:
- Request changes and post a comment explaining the missing parts of the module.
- Apply the label: ⚠️ Missing Terraform Components
Review New Module
```yaml
# -*- mode: yaml -*-
manifest:
  version: 1.0

{% set misslist = [] %}
{% for pattern in terraform %}
{% if (newfilesinpr | match(term=pattern) | nope) %}
{% set misslist = misslist + [pattern+' '] %}
{% endif %}
{% endfor %}

automations:
  review_new_terraform_module:
    if:
      - {{ misslist | match(regex=r/.*/) | some }}
      - {{ is.mainfile and is.mainfilenotinroot }}
    run:
      - action: add-comment@v1
        args:
          comment: |
            New terraform modules must contain all required components before merging. Please update your PR with the required components and gitStream will automatically remove this comment once completed.
            Here are the required components, {{misslist}} should be customized appropriately:
            my_module/
            ├── main.tf
            ├── outputs.tf
            ├── providers.tf
      - action: add-label@v1
        args:
          label: '⚠️ Missing Terraform Components'
          color: '#FFA500'

resources:
  module_directory: 'modules'

terraform:
  - main.tf
  - outputs.tf
  - providers.tf

is:
  mainfile: {{ newfilesinpr | match(term="main.tf") | some }}
  mainfilenotinroot: {{ source.diff.files | map(attr='original_file') | match(term="main.tf") | nope }}

newfilesinpr: {{ branch.diff.files_metadata | map(attr='new_file') }}
```
Ensure Terraform Source URLs have version numbers
title: Automation - Review Terraform Module Imports
description: Enforce Terraform modules use version when importing via URL source
category: [quality, terraform]
quickstart: false
Review Terraform Source Version
Ensure that all Terraform modules imported via a source URL specify a version.
Configuration Description
Conditions (all must be true):
- The PR contains a Terraform source declaration via URL that lacks a version reference.
- The source is not included in the allowlist custom expression, which defines one or more allowed source locations.
Automation Actions:
- Request changes on the PR with a comment explaining the version number requirement.
Review Terraform Changes
```yaml
# -*- mode: yaml -*-
manifest:
  version: 1.0

automations:
  review_terraform_source_version:
    # Check if New Content contains a source URL, the URL is not part of allow list and lacks version reference
    if:
      - {{ source.diff.files | match(attr='new_content', regex=r/source.*?=.*\".*(http|https).*\"/) | some }}
      - {{ source.diff.files | match(attr='new_content', list=allowlist) | nope }}
      - {{ source.diff.files | match(attr='new_content', regex=r/source.*?=.*\?ref=v.*/) | nope }}
    run:
      - action: request-changes@v1
        args:
          comment: |
            You must reference a specific version when accessing Terraform module sources via URL, e.g. `?ref=v1.0.0`. Please update your Terraform files to follow this practice.

allowlist:
  - 'https://github.com/terraform-aws-modules/terraform-aws-s3-bucket.git'
  - 'https://github.com/terraform-aws-modules/terraform-aws-vpc.git'
  - 'https://github.com/terraform-aws-modules/terraform-aws-eks.git'
```
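To see how the three conditions above behave on real file contents, here is an added Python example (not part of gitStream or this page's configuration) that applies the same two regexes and allowlist to constructed Terraform snippets. It assumes that gitStream's `list=` match means any allowlist entry appears as a substring of the file, and it adds a stricter per-declaration check that the page's per-file rule does not perform.

```python
import re

# Constructed sample standing in for source.diff.files[*].new_content:
# the db file mixes one unpinned and one pinned source, the net file uses an
# allowlisted module, the eks file has a single unpinned source.
SAMPLE_FILES = {
    "modules/aws-db/main.tf": (
        'module "db" {\n  source = "git::https://example.com/org/terraform-db.git"\n}\n'
        'module "net" {\n  source = "git::https://example.com/org/terraform-net.git?ref=v2.1.0"\n}\n'),
    "modules/aws-net/main.tf":
        'module "vpc" {\n  source = "https://github.com/terraform-aws-modules/terraform-aws-vpc.git"\n}\n',
    "modules/aws-eks/main.tf":
        'module "eks" {\n  source = "git::https://example.com/org/terraform-eks.git"\n}\n',
}
ALLOWLIST = [
    "https://github.com/terraform-aws-modules/terraform-aws-s3-bucket.git",
    "https://github.com/terraform-aws-modules/terraform-aws-vpc.git",
    "https://github.com/terraform-aws-modules/terraform-aws-eks.git",
]

# The two regexes from the gitStream rule, in Python `re` syntax.
URL_SOURCE = re.compile(r'source.*?=.*".*(http|https).*"')
VERSION_REF = re.compile(r'source.*?=.*\?ref=v.*')

def file_needs_changes(content, allowlist=ALLOWLIST):
    """Per-file verdict using the rule's three conditions; the `list=` match is
    taken to mean substring containment of any allowlist entry (assumption)."""
    has_url = URL_SOURCE.search(content) is not None
    in_allowlist = any(entry in content for entry in allowlist)
    has_ref = VERSION_REF.search(content) is not None
    return has_url and not in_allowlist and not has_ref

# Stricter per-declaration variant: one pinned source in a file must not hide
# an unpinned one next to it, which the per-file regex above lets through.
SOURCE_URL = re.compile(r'source\s*=\s*"([^"]*https?://[^"]*)"')

def unpinned_sources(content, allowlist=ALLOWLIST):
    """Each URL source in `content` that lacks a ?ref=v... pin and is not allowlisted."""
    return [url for url in SOURCE_URL.findall(content)
            if "?ref=v" not in url and not any(a in url for a in allowlist)]

def review(files, allowlist=ALLOWLIST):
    """Map each path to (rule verdict, unpinned URLs found per declaration)."""
    return {path: (file_needs_changes(body, allowlist), unpinned_sources(body, allowlist))
            for path, body in files.items()}

if __name__ == "__main__":
    for path, (verdict, urls) in review(SAMPLE_FILES).items():
        print(f"{path}: request-changes={verdict} unpinned={urls}")
```

The db file shows the gap: the rule's verdict is False because `?ref=v2.1.0` appears somewhere in the file, while the per-declaration check still reports the unpinned `terraform-db.git` source.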
Ensure New Terraform Modules conform to a Naming Pattern
title: Automation - Review Terraform Module Name
description: Enforce naming conventions in Terraform module changes
category: [quality, terraform]
quickstart: false
Review Terraform Module Name
Request changes if a PR creates a new Terraform module that is missing a required prefix or keyword in the name.
Configuration Description
Conditions (all must be true):
- The PR creates a new Terraform module.
- The module name lacks a required prefix or a required keyword.
Automation Actions:
- Request changes on the PR with a comment explaining the required module name structure.
Review Terraform Module Name
```yaml
# -*- mode: yaml -*-
manifest:
  version: 1.0

# Prefix Check Logic
{% set prefixcheck = [] %}
{% for pattern in terraform.prefixes %}
{% if (newfilesinpr | match(term=module_location + pattern) | some) %}
{% set prefixcheck = prefixcheck + [true] %}
{% else %}
{% set prefixcheck = prefixcheck + [false] %}
{% endif %}
{% endfor %}

automations:
  review_terraform_module_name:
    if:
      - {{ is.mainfile and is.mainfilenotinroot }}
      - {{ module_name_checks.prefix or module_name_checks.keyword }}
    run:
      - action: request-changes@v1
        args:
          comment: |
            Terraform module names must contain a required prefix and keyword:
            * Prefixes: {{ terraform.prefixes }}
            * Keywords: {{ terraform.keywords }}

module_name_checks:
  prefix: {{ prefixcheck | match(term='true') | nope }}
  keyword: {{ newfilesinpr | match(list=terraform.keywords) | nope }}

module_location: infrastructure/modules/

terraform:
  prefixes: ['aws', 'gcp', 'azure']
  keywords: ['db', 'networking', 'security']

is:
  mainfile: {{ newfilesinpr | match(term="main.tf") | some }}
  mainfilenotinroot: {{ source.diff.files | map(attr='original_file') | match(term="main.tf") | nope }}

newfilesinpr: {{ branch.diff.files_metadata | map(attr='new_file') }}
```
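The directory-structure rule and the naming rule above both work from the list of files added in the PR. The following added Python example (not gitStream's code) applies the same required-component list, prefixes and keywords to a constructed list of new paths; it goes a step beyond the page's rules by evaluating each new module separately, so a complete, well-named module in the same PR cannot mask a defective one. It assumes the list holds only added files, so any main.tf in it belongs to a new module.

```python
# Constructed sample: files added by a PR (what the rules above derive from
# branch.diff.files_metadata | map(attr='new_file')); assumed to hold added
# files only, so a main.tf here is a new module, not an edited one.
NEW_FILES = [
    "infrastructure/modules/aws-db-core/main.tf",
    "infrastructure/modules/aws-db-core/outputs.tf",
    "infrastructure/modules/aws-db-core/providers.tf",
    "infrastructure/modules/aws-db-core/README.md",
    "infrastructure/modules/cache/main.tf",      # no prefix, no keyword
    "infrastructure/modules/cache/outputs.tf",   # providers.tf missing
    "environments/prod/main.tf",                 # outside the module tree
]
MODULE_LOCATION = "infrastructure/modules/"
REQUIRED = ["main.tf", "outputs.tf", "providers.tf"]   # the rule's `terraform` list
PREFIXES = ["aws", "gcp", "azure"]
KEYWORDS = ["db", "networking", "security"]

def new_modules(new_files, location=MODULE_LOCATION):
    """Directory names directly under `location` that gain a new main.tf."""
    modules = set()
    for path in new_files:
        if path.startswith(location) and path.rsplit("/", 1)[-1] == "main.tf":
            rest = path[len(location):]
            if "/" in rest:                       # skip a stray main.tf at the root
                modules.add(rest.split("/", 1)[0])
    return sorted(modules)

def missing_components(module, new_files, location=MODULE_LOCATION, required=REQUIRED):
    """Required files absent from this module's own directory."""
    present = {p.rsplit("/", 1)[-1] for p in new_files
               if p.startswith(location + module + "/")}
    return [name for name in required if name not in present]

def name_problems(module, prefixes=PREFIXES, keywords=KEYWORDS):
    """'prefix' if no allowed prefix starts the name, 'keyword' if none occurs."""
    problems = []
    if not any(module.startswith(p) for p in prefixes):
        problems.append("prefix")
    if not any(k in module for k in keywords):
        problems.append("keyword")
    return problems

def review(new_files, location=MODULE_LOCATION):
    """Findings keyed by module; modules with nothing to flag are omitted."""
    report = {}
    for module in new_modules(new_files, location):
        findings = {"missing": missing_components(module, new_files, location),
                    "name": name_problems(module)}
        if findings["missing"] or findings["name"]:
            report[module] = findings
    return report
```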