feat: add terraform-validate action

README.md

@@ -12,6 +12,7 @@ Shared actions for Forgejo CI/CD pipelines.
 | [checkout](checkout) | Action for checking out a repository |
 | [pnpm-build](pnpm-build) | Action for building and validating with PNPM |
 | [publish-static-contents](publish-static-contents) | Syncs frontend assets to S3 and invalidates a CloudFront distribution |
+| [terraform-validate](terraform-validate) | Validate Terraform configuration files using the official Terraform CLI |
 
 
 ## Security

terraform-validate/README.md

@@ -0,0 +1,27 @@
+# terraform-validate
+
+Validate Terraform configuration files using the official Terraform CLI.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `terraform-dir` | No | `terraform` | Directory containing `.tf` files |
+| `terraform-version` | No | `~1.15` | Terraform version to use |
+| `terraform-workspace` | No | `""` | Terraform workspace to use |
+| `jfrog-token` | No | `""` | JFrog Artifactory token for the Terraform provider registry (`TF_TOKEN_schmalz_jfrog_io`) |
+
+## Usage
+
+```yaml
+- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/terraform-validate@terraform-validate-v1
+  with:
+    terraform-workspace: stage
+    jfrog-token: ${{ secrets.JFROG_TOKEN }}
+```
+
+## Notes
+
+- Runs `terraform init -backend=false`, `terraform fmt -check -recursive`, and `terraform validate`.
+- Sets `TF_WORKSPACE` during validate if `terraform-workspace` is provided.
+- Sets `TF_TOKEN_schmalz_jfrog_io` on both `init` and `validate` steps if `jfrog-token` is provided.

terraform-validate/action.yml

@@ -0,0 +1,52 @@
+name: Terraform Validate
+description: >
+  Validate Terraform configuration files using the official Terraform CLI.
+
+inputs:
+  terraform-dir:
+    description: Directory containing .tf files
+    required: false
+    default: terraform
+  terraform-version:
+    description: Terraform version to use
+    required: false
+    default: "~1.15"
+  workspace:
+    description: Terraform workspace to use
+    required: false
+    default: ""
+  jfrog-token:
+    description: JFrog Artifactory token used for Terraform provider registry (sets TF_TOKEN_schmalz_jfrog_io)
+    required: false
+    default: ""
+
+runs:
+  using: composite
+  steps:
+    # Pinned to commit SHA instead of a tag to prevent supply chain attacks.
+    # hashicorp/setup-terraform v4.0.0 — https://github.com/hashicorp/setup-terraform/commits/v4.0.0/
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85
+      with:
+        terraform_version: ${{ inputs.terraform-version }}
+
+    - name: Terraform Init
+      shell: bash
+      env:
+        TF_DIR: ${{ inputs.terraform-dir }}
+        TF_TOKEN_schmalz_jfrog_io: ${{ inputs.jfrog-token }}
+      run: terraform -chdir=${{ env.TF_DIR }} init -backend=false -no-color
+
+    - name: Terraform Format Check
+      shell: bash
+      env:
+        TF_DIR: ${{ inputs.terraform-dir }}
+      run: terraform -chdir=${{ env.TF_DIR }} fmt -check -recursive
+
+    - name: Terraform Validate
+      shell: bash
+      env:
+        TF_DIR: ${{ inputs.terraform-dir }}
+        TF_WORKSPACE: ${{ inputs.workspace }}
+        TF_TOKEN_schmalz_jfrog_io: ${{ inputs.jfrog-token }}
+      run: terraform -chdir=${{ env.TF_DIR }} validate