[DTOSS-12175] - feat: enhance terraform module quality with automated tests and improved local/CI workflows

.github/workflows/cicd-1-pull-request.yaml

@@ -22,6 +22,7 @@ jobs:
       nodejs_version: ${{ steps.variables.outputs.nodejs_version }}
       python_version: ${{ steps.variables.outputs.python_version }}
       terraform_version: ${{ steps.variables.outputs.terraform_version }}
+      golang_version: ${{ steps.variables.outputs.golang_version }}
       version: ${{ steps.variables.outputs.version }}
       does_pull_request_exist: ${{ steps.pr_exists.outputs.does_pull_request_exist }}
       docker_file_exists: ${{ steps.check_compose.outputs.docker_file_exists }}
@@ -37,9 +38,10 @@ jobs:
           echo "build_datetime=$datetime" >> $GITHUB_OUTPUT
           echo "build_timestamp=$(date --date=$datetime -u +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT
           echo "build_epoch=$(date --date=$datetime -u +'%s')" >> $GITHUB_OUTPUT
-          echo "nodejs_version=$(grep "^nodejs" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
-          echo "python_version=$(grep "^nodejs" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
-          echo "terraform_version=$(grep "^terraform" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+          echo "nodejs_version=$(grep "^nodejs" .tool-versions | cut -f2 -d' ' || echo 20.11.0)" >> $GITHUB_OUTPUT
+          echo "python_version=$(grep "^python" .tool-versions | cut -f2 -d' ' || echo 3.12.1)" >> $GITHUB_OUTPUT
+          echo "terraform_version=$(grep "^terraform" .tool-versions | cut -f2 -d' ' || echo 1.13.0)" >> $GITHUB_OUTPUT
+          echo "golang_version=$(grep "^golang" .tool-versions | cut -f2 -d' ' || echo 1.22.5)" >> $GITHUB_OUTPUT
           echo "version=$(head -n 1 .version 2> /dev/null || echo unknown)" >> $GITHUB_OUTPUT
       - name: "Check if pull request exists for this branch"
         id: pr_exists
@@ -87,6 +89,7 @@ jobs:
       nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
       python_version: "${{ needs.metadata.outputs.python_version }}"
       terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
+      golang_version: "${{ needs.metadata.outputs.golang_version }}"
       version: "${{ needs.metadata.outputs.version }}"
     secrets: inherit
   test-stage: # Recommended maximum execution time is 5 minutes
@@ -100,6 +103,7 @@ jobs:
       nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
       python_version: "${{ needs.metadata.outputs.python_version }}"
       terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
+      golang_version: "${{ needs.metadata.outputs.golang_version }}"
       version: "${{ needs.metadata.outputs.version }}"
     secrets: inherit
   build-stage: # Recommended maximum execution time is 3 minutes
@@ -126,5 +130,6 @@ jobs:
       nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
       python_version: "${{ needs.metadata.outputs.python_version }}"
       terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
+      golang_version: "${{ needs.metadata.outputs.golang_version }}"
       version: "${{ needs.metadata.outputs.version }}"
     secrets: inherit

.github/workflows/stage-1-commit.yaml

@@ -27,6 +27,10 @@ on:
         description: "Terraform version, set by the CI/CD pipeline workflow"
         required: true
         type: string
+      golang_version:
+        description: "Go version, set by the CI/CD pipeline workflow"
+        required: true
+        type: string
       version:
         description: "Version of the software, set by the CI/CD pipeline workflow"
         required: true

.github/workflows/stage-2-test.yaml

@@ -27,71 +27,136 @@ on:
         description: "Terraform version, set by the CI/CD pipeline workflow"
         required: true
         type: string
+      golang_version:
+        description: "Go version, set by the CI/CD pipeline workflow"
+        required: true
+        type: string
       version:
         description: "Version of the software, set by the CI/CD pipeline workflow"
         required: true
         type: string
 
 jobs:
-  test-unit:
-    name: "Unit tests"
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - name: "Checkout code"
-        uses: actions/checkout@v4
-      - name: "Run unit test suite"
-        run: |
-          make test-unit
-      - name: "Save the result of fast test suite"
-        run: |
-          echo "Nothing to save"
-  test-lint:
-    name: "Linting"
+  terraform-lint:
+    name: "Terraform lint (tflint)"
     runs-on: ubuntu-latest
-    timeout-minutes: 5
+    timeout-minutes: 10
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
-      - name: "Run linting"
-        run: |
-          make test-lint
-      - name: "Save the linting result"
+      - name: Setup TFLint
+        uses: terraform-linters/setup-tflint@v4
+        with:
+          tflint_version: latest
+      - name: "Run TFLint on modules"
+        id: tflint
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          echo "Nothing to save"
-  test-coverage:
-    name: "Test coverage"
-    needs: [test-unit]
+          echo "## TFLint Results" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          total_issues=0
+          for module_dir in $(find infrastructure/modules -mindepth 1 -maxdepth 1 -type d); do
+            module_name=$(basename "$module_dir")
+            # Only lint directories containing .tf files
+            if ls "$module_dir"/*.tf > /dev/null 2>&1; then
+              echo "=== Linting $module_dir ==="
+              # Init tflint for the module (downloads plugins if needed)
+              tflint --init --chdir="$module_dir" > /dev/null 2>&1 || true
+
+              # Capture output and count issues
+              output=$(tflint --chdir="$module_dir" --format=compact 2>&1 || true)
+              issue_count=$(echo "$output" | grep -c ":" || echo "0")
+
+              if [ "$issue_count" -gt 0 ] && [ -n "$output" ]; then
+                total_issues=$((total_issues + issue_count))
+                echo "### ⚠️ $module_name ($issue_count issues)" >> $GITHUB_STEP_SUMMARY
+                echo '```' >> $GITHUB_STEP_SUMMARY
+                echo "$output" >> $GITHUB_STEP_SUMMARY
+                echo '```' >> $GITHUB_STEP_SUMMARY
+              else
+                echo "### ✅ $module_name" >> $GITHUB_STEP_SUMMARY
+              fi
+              echo "" >> $GITHUB_STEP_SUMMARY
+            fi
+          done
+          echo "---" >> $GITHUB_STEP_SUMMARY
+          echo "**Total issues: $total_issues**" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ $total_issues -gt 0 ]; then
+            echo "> **Note:** TFLint issues are advisory only. Please address these issues to improve code quality." >> $GITHUB_STEP_SUMMARY
+          fi
+          # Always exit 0 - this job is advisory only
+          exit 0
+  terraform-security:
+    name: "Terraform security scan"
     runs-on: ubuntu-latest
-    timeout-minutes: 5
+    timeout-minutes: 10
+    permissions:
+      contents: read
+      security-events: write
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
-      - name: "Run test coverage check"
+      - name: "Run tfsec with SARIF output"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          make test-coverage
-      - name: "Save the coverage check result"
+          # Install tfsec
+          curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash
+          # Run tfsec and output SARIF format
+          tfsec infrastructure/ --format sarif --out tfsec-results.sarif --soft-fail
+      - name: "Upload SARIF to GitHub Code Scanning"
+        uses: github/codeql-action/upload-sarif@v4
+        if: always()
+        with:
+          sarif_file: tfsec-results.sarif
+          category: terraform-security
+      - name: "Generate summary"
+        if: always()
         run: |
-          echo "Nothing to save"
+          echo "## Terraform Security Scan" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "Security findings are uploaded to the **Security** tab → **Code scanning alerts**." >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "> **Note:** Findings are informational and do not block merges." >> $GITHUB_STEP_SUMMARY
+          echo "> To make blocking, enable 'Require code scanning results' in branch protection rules." >> $GITHUB_STEP_SUMMARY
   unit-test-terraform-modules:
     name: "Unit test terraform modules"
-    needs: [test-unit]
     runs-on: ubuntu-latest
-    timeout-minutes: 5
+    timeout-minutes: 10
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
       - name: Install Terraform
         uses: hashicorp/setup-terraform@v3
         with:
-          terraform_version: 1.12.2
-      - name: "run the tests"
+          terraform_version: ${{ inputs.terraform_version }}
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.golang_version }}
+          cache: false  # Disable cache to avoid tar restore errors
+      - name: "Run module tests"
         run: |
-          cd tests/modules
-          go test -v
+          # Find all module test directories and run tests
+          failed=0
+          for test_dir in $(find infrastructure/modules -type d -name "tests"); do
+            if ls "$test_dir"/*_test.go 1> /dev/null 2>&1; then
+              echo "=== Running tests in $test_dir ==="
+              cd "$test_dir"
+              go mod tidy
+              if ! go test -v ./...; then
+                failed=1
+              fi
+              cd - > /dev/null
+            fi
+          done
+          if [ $failed -eq 1 ]; then
+            exit 1
+          fi
   perform-static-analysis:
     name: "Perform static analysis"
-    needs: [test-unit]
     runs-on: ubuntu-latest
     permissions:
       id-token: write

.github/workflows/stage-4-acceptance.yaml

@@ -27,6 +27,10 @@ on:
         description: "Terraform version, set by the CI/CD pipeline workflow"
         required: true
         type: string
+      golang_version:
+        description: "Go version, set by the CI/CD pipeline workflow"
+        required: true
+        type: string
       version:
         description: "Version of the software, set by the CI/CD pipeline workflow"
         required: true

.tool-versions

@@ -1,7 +1,10 @@
 # This file is for you! Please, updated to the versions agreed by your team.
 
-terraform 1.9.2
-pre-commit 3.6.0
+terraform 1.13.0
+pre-commit 4.5.1
+tflint 0.60.0
+tfsec 1.28.13
+golang 1.22.5
 
 # ==============================================================================
 # The section below is reserved for Docker image versions.