ci(build): run terraform init to check if tf code works (#390)

* ci(build): run terraform init to check if tf code works

Signed-off-by: slonka <[email protected]>

* update aws-action

* fix: add OIDC permissions for AWS auth

* fix init step

* add more terraform validation

* fix validation

* fix ci

Signed-off-by: Marcin Skalski <[email protected]>

* fix missing variable

Signed-off-by: Marcin Skalski <[email protected]>

---------

Signed-off-by: slonka <[email protected]>
Signed-off-by: Marcin Skalski <[email protected]>
Co-authored-by: Marcin Skalski <[email protected]>

Author: slonka

.github/workflows/build.yaml

@@ -8,18 +8,35 @@ on:
     branches:
       - main
 
+# Required for aws-actions/configure-aws-credentials to use OIDC authentication
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   build:
     name: Build, check and test
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/mesh-perf-ci
+          role-duration-seconds: 7200
+          aws-region: us-west-1
       - uses: jdx/mise-action@be3be2260bc02bc3fbf94c5e2fed8b7964baf074 # v3.4.0
         env:
           GITHUB_TOKEN: ${{ github.token }}
       - name: make check
         run: make check
+      - name: make terraform/init
+        run: make terraform/init
+      - name: make terraform/validate
+        run: make terraform/validate
+      - name: make terraform/plan
+        run: make terraform/plan
       - name: golangci-lint
         uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
         with:

infrastructure/eks/terraform.tf

@@ -30,10 +30,10 @@ provider "aws" {
 }
 
 provider "helm" {
-  kubernetes {
+  kubernetes = {
     host                   = module.eks.cluster_endpoint
     cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
-    exec {
+    exec = {
       api_version = "client.authentication.k8s.io/v1beta1"
       args        = ["eks", "get-token", "--cluster-name", var.cluster_name]
       command     = "aws"

infrastructure/eks/variables.tf

@@ -25,6 +25,7 @@ variable "cluster_version" {
 variable "nodes_number" {
   description = "Number of worker nodes in the cluster"
   type        = number
+  default     = 1
 }
 
 variable "nodes_type" {

mk/infrastructure.mk

@@ -30,8 +30,8 @@ endif
 define MAKE_INFRA_TARGETS
 $(1)_DIR := infrastructure/$(1)
 
-# Apply/destroy targets use $(1)_TF_VARS if defined.
-terraform/apply/$$($(1)_DIR) terraform/destroy/$$($(1)_DIR): VARS = $($(1)_TF_VARS)
+# Apply/destroy/plan/validate targets use $(1)_TF_VARS if defined.
+terraform/apply/$$($(1)_DIR) terraform/destroy/$$($(1)_DIR) terraform/plan/$$($(1)_DIR) terraform/validate/$$($(1)_DIR): VARS = $($(1)_TF_VARS)
 
 .PHONY: infra/create/$(1) infra/destroy/$(1)
 
@@ -76,6 +76,27 @@ terraform/init/%: CHDIR = $*
 terraform/init/%:
 	$(TF_CMD) init$(if $(UPGRADE), -upgrade,)$(if $(RECONFIGURE), -reconfigure,)
 
+.PHONY: terraform/init
+terraform/init: $(foreach component,$(notdir $(wildcard $(TOP)/infrastructure/*)),terraform/init/infrastructure/$(component))
+
+# Validate Terraform configuration in the specified directory.
+.PHONY: terraform/validate/%
+terraform/validate/%: CHDIR = $*
+terraform/validate/%:
+	$(TF_CMD) validate
+
+.PHONY: terraform/validate
+terraform/validate: $(foreach component,$(notdir $(wildcard $(TOP)/infrastructure/*)),terraform/validate/infrastructure/$(component))
+
+# Plan Terraform changes in the specified directory.
+.PHONY: terraform/plan/%
+terraform/plan/%: CHDIR = $*
+terraform/plan/%:
+	$(TF_CMD) plan $(if $(VARS),$(VARS))
+
+.PHONY: terraform/plan
+terraform/plan: $(foreach component,$(notdir $(wildcard $(TOP)/infrastructure/*)),terraform/plan/infrastructure/$(component))
+
 # Generic rule to apply or destroy Terraform configurations.
 # - Uses $* to dynamically extract the directory path from the target.
 # - Extracts "apply" or "destroy" from the target name via $(word 2,$(subst /,,$@)).