Merge pull request #140 from dflook/workspace-eval

Add workspace validation test

Author: dflook

.github/workflows/test-validate.yaml

@@ -48,3 +48,41 @@ jobs:
             echo "::error:: failure-reason not set correctly"
             exit 1
           fi
+
+  validate_workspace:
+    runs-on: ubuntu-latest
+    name: Invalid terraform configuration
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: validate prod
+        uses: ./terraform-validate
+        with:
+          path: tests/validate/workspace_eval
+          workspace: prod
+
+      - name: validate dev
+        uses: ./terraform-validate
+        with:
+          path: tests/validate/workspace_eval
+          workspace: dev
+
+      - name: validate nonexistant workspace
+        uses: ./terraform-validate
+        id: validate
+        continue-on-error: true
+        with:
+          path: tests/validate/workspace_eval
+
+      - name: Check invalid
+        run: |
+          if [[ "${{ steps.validate.outcome }}" != "failure" ]]; then
+            echo "Validate did not fail correctly"
+            exit 1
+          fi
+
+          if [[ "${{ steps.validate.outputs.failure-reason }}" != "validate-failed" ]]; then
+            echo "::error:: failure-reason not set correctly"
+            exit 1
+          fi

image/entrypoints/validate.sh

@@ -10,10 +10,13 @@ setup
 # You can't initialize without having valid terraform.
 # How do you get a full validation report? You can't.
 
+# terraform.workspace will be evaluated during a validate, but it is not initialized properly.
+# Pass through the workspace input, even if it doesn't make sense for some backends.
+
 init || true
 
-if ! (cd "$INPUT_PATH" && terraform validate -json | convert_validate_report "$INPUT_PATH"); then
-    (cd "$INPUT_PATH" && terraform validate)
+if ! (cd "$INPUT_PATH" && TF_WORKSPACE="$INPUT_WORKSPACE" terraform validate -json | convert_validate_report "$INPUT_PATH"); then
+    (cd "$INPUT_PATH" && TF_WORKSPACE="$INPUT_WORKSPACE" terraform validate)
 else
     echo -e "\033[1;32mSuccess!\033[0m The configuration is valid"
 fi

terraform-validate/README.md

@@ -23,6 +23,14 @@ If the terraform configuration is not valid, the build is failed.
   - Optional
   - Default: The action workspace
 
+* `workspace`
+
+  Terraform workspace to use for the `terraform.workspace` value while validating.
+
+  - Type: string
+  - Optional
+  - Default: `default`
+
 ## Outputs
 
 * `failure-reason`

terraform-validate/action.yaml

@@ -7,6 +7,10 @@ inputs:
     description: Path to the terraform configuration
     required: false
     default: .
+  workspace:
+    description: Name of the workspace to use for the `terraform.workspace` value while validating.
+    required: false
+    default: default
 
 runs:
   using: docker

tests/validate/workspace_eval/main.tf

@@ -0,0 +1,36 @@
+locals {
+  aws_provider_config = {
+    prod = {
+      region     = "..."
+      account_id = "..."
+      profile    = "..."
+    }
+    dev = {
+      region     = "..."
+      account_id = "..."
+      profile    = "..."
+    }
+  }
+}
+
+provider "aws" {
+  region              = local.aws_provider_config[terraform.workspace].region
+  profile             = local.aws_provider_config[terraform.workspace].profile
+  allowed_account_ids = [local.aws_provider_config[terraform.workspace].account_id]
+}
+
+resource "aws_s3_bucket" "bucket" {
+  bucket = "hello"
+}
+
+terraform {
+  backend "remote" {
+    hostname = "app.terraform.io"
+    organization = "flooktech"
+
+    workspaces {
+        name = "banana"
+    }
+  }
+}
+