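---
# Manually triggered workflow: runs `terraform plan` for the BTP subaccount
# code in $PATH_TO_TFSCRIPT, renders the plan as JSON and evaluates it with the
# OPA policies bundled in policy/. The OPA decisions are only logged (see the
# last step); nothing is applied.
name: Evaluate Open Policy Agent for Terraform

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
    inputs:
      PROJECT_NAME:
        description: "Name of the project"
        required: true
        default: "sample-proj-opa"
      REGION:
        description: "Region for the sub account"
        required: true
        default: "eu10"
      COST_CENTER:
        description: "Cost center for the project"
        required: true
        default: "1234567890"
      STAGE:
        description: "Stage for the project"
        required: true
        default: "DEV"
      ORGANIZATION:
        description: "Organization for the project"
        required: true
        default: "B2B"

# Least privilege: the only consumer of GITHUB_TOKEN here is actions/checkout,
# which needs read access to the repository contents and nothing else.
permissions:
  contents: read

env:
  # Directory (relative to the repository root) holding the Terraform code.
  PATH_TO_TFSCRIPT: 'infra'

jobs:
  # NOTE(review): job id kept as written ("setuup") so that anything keyed on
  # it keeps working; consider renaming to execute_base_setup in a follow-up.
  execute_base_setuup:
    name: BTP Subaccount Setup
    runs-on: ubuntu-latest
    steps:
      - name: Check out Git repository
        id: checkout_repo
        uses: actions/checkout@v4

      - name: Setup Terraform
        id: setup_terraform
        uses: hashicorp/setup-terraform@v3
        with:
          # Wrapper disabled so the raw terraform binary is invoked and the
          # `terraform show -json` output below is not altered.
          terraform_wrapper: false
          # NOTE(review): "latest" is not reproducible; pin a version once the
          # Terraform/provider combination has been validated.
          terraform_version: latest

      - name: Setup Open Policy Agent
        id: setup_opa
        uses: open-policy-agent/setup-opa@v2
        with:
          version: latest  # NOTE(review): same pinning concern as above

      - name: Terraform Init
        id: terraform_init
        shell: bash
        run: |
          terraform -chdir="${PATH_TO_TFSCRIPT}" init -no-color

      - name: Terraform plan
        id: terraform_plan
        shell: bash
        # Inputs and secrets are handed to the step through `env:` instead of
        # being interpolated into the script text with ${{ }}. Expression
        # expansion happens before bash runs, so an input value containing
        # shell metacharacters would otherwise be interpreted by the shell
        # (script injection) or word-split; quoted "$VAR" references are
        # inert. BTP_USERNAME/BTP_PASSWORD are consumed by the BTP provider
        # from the environment, which is what the previous `export` achieved
        # without placing the secret values in the script body.
        env:
          BTP_USERNAME: ${{ secrets.BTP_USERNAME }}
          BTP_PASSWORD: ${{ secrets.BTP_PASSWORD }}
          GLOBALACCOUNT: ${{ secrets.GLOBALACCOUNT }}
          REGION: ${{ github.event.inputs.REGION }}
          PROJECT_NAME: ${{ github.event.inputs.PROJECT_NAME }}
          STAGE: ${{ github.event.inputs.STAGE }}
          COST_CENTER: ${{ github.event.inputs.COST_CENTER }}
          ORGANIZATION: ${{ github.event.inputs.ORGANIZATION }}
        run: |
          terraform -chdir="${PATH_TO_TFSCRIPT}" plan -no-color \
            -var "globalaccount=${GLOBALACCOUNT}" \
            -var "region=${REGION}" \
            -var "project_name=${PROJECT_NAME}" \
            -var "stage=${STAGE}" \
            -var "costcenter=${COST_CENTER}" \
            -var "org_name=${ORGANIZATION}" \
            -out tfplan.binary
          # With -chdir, tfplan.binary is written inside ${PATH_TO_TFSCRIPT};
          # the JSON rendering is redirected to the repository root, where the
          # OPA step reads it. The JSON holds the full plan, including variable
          # values - it is not uploaded as an artifact; keep it that way or
          # redact it first.
          terraform -chdir="${PATH_TO_TFSCRIPT}" show -json tfplan.binary > tfplan.json

      - name: Execute OPA policy
        id: execute_opa
        shell: bash
        # NOTE(review): the two decisions are only logged; the job succeeds
        # regardless of autoexec/score. If this workflow is meant to gate an
        # apply, fail this step when autoexec is not true.
        run: |
          autoexec=$(opa exec --decision terraform/analysis/autoexec --bundle policy/ tfplan.json | jq '.result[].result')
          score=$(opa exec --decision terraform/analysis/score --bundle policy/ tfplan.json | jq '.result[].result')
          echo "Automatic execution possible (true/false): ${autoexec}"
          echo "Score of change: ${score}"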