diff --git a/.github/workflows/gitops.yml b/.github/workflows/gitops.yml
new file mode 100644
index 0000000..682dfcf
--- /dev/null
+++ b/.github/workflows/gitops.yml
@@ -0,0 +1,146 @@
+name: GitOps Implementation
+on:
+ pull_request:
+ branches:
+ - master
+ push:
+ branches:
+ - master
+ workflow_dispatch:
+defaults:
+ run:
+ working-directory: ./tf-variables/
+env:
+ TERRAFORM_VER: 1.8.0
+ TERRAFORM_DIR: "./tf-variables/"
+ CLOUDSDK_VER: 480.0.0
+permissions:
+ pull-requests: write
+jobs:
+ infrastructure-deployment:
+ name: Infrastructure Deployment
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
+ pull-requests: write
+ steps:
+ # Checkout the repository code
+ - name: Code checkout
+ id: code_checkout
+ uses: actions/checkout@v2
+
+ # Scan the repo for any sensitive information like secrets etc
+ - name: Secret Scanning
+ uses: trufflesecurity/trufflehog@main
+ with:
+ path: ./ # Code repository path
+ base: main # Start scanning from here (usually main branch).
+ head: HEAD # Scan commits until here (usually dev branch).
+
+ # Static code analysis using aqua security's tfsec
+ - name: Run tfsec scan
+ id: static_code_analysis
+ uses: aquasecurity/tfsec-action@v1.0.3
+ with:
+ working_directory: ${{ env.TERRAFORM_DIR }}
+
+ # Install the latest version of Google Cloud SDK
+ - id: cloud_sdk_installation
+ name: Set up Cloud SDK
+ uses: google-github-actions/setup-gcloud@v0.3.0
+ with:
+ version: ${{ env.CLOUDSDK_VER }}
+
+ # Setup the authentication for the Google Cloud using WIF
+ - id: gcp_auth
+ name: Authenticate to GCP
+ uses: google-github-actions/auth@v0.3.1
+ with:
+ create_credentials_file: 'true'
+ workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER_ID }}
+ service_account: ${{ secrets.SERVICE_ACCOUNT }}
+
+ # Install the specified version of Terraform CLI
+ - id: tf_installation
+ name: Terraform Installation
+ uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: ${{ env.TERRAFORM_VER }}
+
+ # Checks that Terraform configuration files adhere to a canonical format
+ - name: Terraform fmt
+ id: tf_fmt
+ run: terraform fmt -check
+ continue-on-error: true
+
+ # Initialize the Terraform working directory
+ - name: Terraform Init
+ id: tf_init
+ run: terraform init
+
+ # Validate the terraform configuration files
+ - name: Terraform Validate
+ id: tf_validate
+ run: terraform validate -no-color
+
+ # Generates an execution plan for Terraform
+ - name: Terraform Plan
+ id: tf_plan
+ run: terraform plan -no-color
+ continue-on-error: true
+
+ # Comments the terraform plan output on pull request
+ - id: comment_output
+ name: Comment Terraform Plan Output
+ uses: actions/github-script@v7
+ if: github.event_name == 'pull_request'
+ env:
+ PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
+ with:
+ script: |
+ const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
+ #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
+ #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
+ Validation Output
+
+ \`\`\`\n
+ ${{ steps.validate.outputs.stdout }}
+ \`\`\`
+
+ Show Plan
+
+ \`\`\`\n
+ ${process.env.PLAN}
+ \`\`\`
+
+