wenqiglantz · November 12, 2022 18:36
diff --git a/terraform-infracost-pr.yml b/terraform-infracost-pr.yml
 name: "Infracost Analysis for PRs"

 on:
  workflow_call:
    inputs:
      # working-directory is added to specify "terraform" directory in project source code as that's where the terraform files live.
      working-directory:
        required: false
        type: string
        default: 'terraform'
      # tfvars file path
      terraform-var-file:
        required: false
        type: string
        default: ''
      # infracost usage file path
      usage-file:
        required: false
        type: string
        default: './.env/dev/infracost-usage.yml'

 jobs:
  infracost:
    name: Infracost Analysis

    runs-on: ubuntu-latest

    env:
      TF_ROOT: ${{ inputs.working-directory }}

    steps:
      # Harden Runner is a security action to protect our workflow from supply chain attacks
      - name: Harden Runner
        uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

      # this step calls infracost/actions/setup@v2, which installs the latest patch version of the Infracost CLI v0.10.x and
      # gets the backward-compatible bug fixes and new resources. Replacing the version number with git SHA is a security hardening measure.
      - name: Setup Infracost
        uses: infracost/actions/setup@6bdd3cb01a306596e8a614e62af7a9c0a133bc5c
        # See https://github.com/infracost/actions/tree/master/setup for other inputs
        with:
          api-key: ${{ secrets.INFRACOST_API_KEY }}

      # Checkout the base branch of the pull request (e.g. main).
      - name: Checkout base branch
        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
        with:
          ref: '${{ github.event.pull_request.base.ref }}'

      - name: Print debug info
        run: |
          echo github base branch is ${{github.event.pull_request.base.ref}}
          echo github.event.pull_request.number is ${{github.event.pull_request.number}}

      # Generate Infracost JSON file as the baseline.
      - name: Generate Infracost cost estimate baseline
        run: |
          export INFRACOST_API_KEY=${{ secrets.INFRACOST_API_KEY }}
          cd ${TF_ROOT}
          infracost breakdown --path=. \
                              --terraform-var-file=${{ inputs.terraform-var-file }} \
                              --usage-file ${{ inputs.usage-file }} \
                              --format=json \
                              --out-file=/tmp/infracost-base.json

      # Checkout the current PR branch so we can create a diff.
      - name: Checkout PR branch
        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8

      # Generate an Infracost diff and save it to a JSON file.
      - name: Generate Infracost diff
        run: |
          export INFRACOST_API_KEY=${{ secrets.INFRACOST_API_KEY }}
          cd ${TF_ROOT}
          infracost diff --path=. \
                          --format=json \
                          --show-skipped \
                          --terraform-var-file=${{ inputs.terraform-var-file }} \
                          --usage-file ${{ inputs.usage-file }} \
                          --compare-to=/tmp/infracost-base.json \
                          --out-file=/tmp/infracost.json

      # generate the html report based on the JSON output from last step
      - name: Generate Infracost Report
        run: |
          export INFRACOST_API_KEY=${{ secrets.INFRACOST_API_KEY }}
          cd ${TF_ROOT}
          infracost output --path /tmp/infracost.json --show-skipped --format html --out-file report.html

      # upload the report to artifact so subsequent workflow can download the report and email it as attachment
      - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb
        with:
          name: report.html
          path: ${{ inputs.working-directory }}/report.html

      # Posts a comment to the PR using the 'update' behavior.
      # This creates a single comment and updates it. The "quietest" option.
      # The other valid behaviors are:
      #   delete-and-new - Delete previous comments and create a new one.
      #   hide-and-new - Minimize previous comments and create a new one.
      #   new - Create a new cost estimate comment on every push.
      #   update - Update a cost estimate comment when there is a change in the cost estimate.
      # See https://www.infracost.io/docs/features/cli_commands/#comment-on-pull-requests for other options.
      - name: Post Infracost comment
        run: |
          export INFRACOST_API_KEY=${{ secrets.INFRACOST_API_KEY }}
          infracost comment github --path=/tmp/infracost.json \
                                   --repo=$GITHUB_REPOSITORY \
                                   --github-token=${{github.token}} \
                                   --pull-request=${{github.event.pull_request.number}} \
                                   --behavior=update \
                                   --policy-path=${TF_ROOT}/infracost-policy.rego
	name: "Infracost Analysis for PRs"

	on:
	workflow_call:
	inputs:
	# working-directory is added to specify "terraform" directory in project source code as that's where the terraform files live.
	working-directory:
	required: false
	type: string
	default: 'terraform'
	# tfvars file path
	terraform-var-file:
	required: false
	type: string
	default: ''
	# infracost usage file path
	usage-file:
	required: false
	type: string
	default: './.env/dev/infracost-usage.yml'

	jobs:
	infracost:
	name: Infracost Analysis

	runs-on: ubuntu-latest

	env:
	TF_ROOT: ${{ inputs.working-directory }}

	steps:
	# Harden Runner is a security action to protect our workflow from supply chain attacks
	- name: Harden Runner
	uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
	with:
	egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

	# this step calls infracost/actions/setup@v2, which installs the latest patch version of the Infracost CLI v0.10.x and
	# gets the backward-compatible bug fixes and new resources. Replacing the version number with git SHA is a security hardening measure.
	- name: Setup Infracost
	uses: infracost/actions/setup@6bdd3cb01a306596e8a614e62af7a9c0a133bc5c
	# See https://github.com/infracost/actions/tree/master/setup for other inputs
	with:
	api-key: ${{ secrets.INFRACOST_API_KEY }}

	# Checkout the base branch of the pull request (e.g. main).
	- name: Checkout base branch
	uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
	with:
	ref: '${{ github.event.pull_request.base.ref }}'

	- name: Print debug info
	run: \|
	echo github base branch is ${{github.event.pull_request.base.ref}}
	echo github.event.pull_request.number is ${{github.event.pull_request.number}}

	# Generate Infracost JSON file as the baseline.
	- name: Generate Infracost cost estimate baseline
	run: \|
	export INFRACOST_API_KEY=${{ secrets.INFRACOST_API_KEY }}
	cd ${TF_ROOT}
	infracost breakdown --path=. \
	--terraform-var-file=${{ inputs.terraform-var-file }} \
	--usage-file ${{ inputs.usage-file }} \
	--format=json \
	--out-file=/tmp/infracost-base.json

	# Checkout the current PR branch so we can create a diff.
	- name: Checkout PR branch
	uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8

	# Generate an Infracost diff and save it to a JSON file.
	- name: Generate Infracost diff
	run: \|
	export INFRACOST_API_KEY=${{ secrets.INFRACOST_API_KEY }}
	cd ${TF_ROOT}
	infracost diff --path=. \
	--format=json \
	--show-skipped \
	--terraform-var-file=${{ inputs.terraform-var-file }} \
	--usage-file ${{ inputs.usage-file }} \
	--compare-to=/tmp/infracost-base.json \
	--out-file=/tmp/infracost.json

	# generate the html report based on the JSON output from last step
	- name: Generate Infracost Report
	run: \|
	export INFRACOST_API_KEY=${{ secrets.INFRACOST_API_KEY }}
	cd ${TF_ROOT}
	infracost output --path /tmp/infracost.json --show-skipped --format html --out-file report.html

	# upload the report to artifact so subsequent workflow can download the report and email it as attachment
	- uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb
	with:
	name: report.html
	path: ${{ inputs.working-directory }}/report.html

	# Posts a comment to the PR using the 'update' behavior.
	# This creates a single comment and updates it. The "quietest" option.
	# The other valid behaviors are:
	# delete-and-new - Delete previous comments and create a new one.
	# hide-and-new - Minimize previous comments and create a new one.
	# new - Create a new cost estimate comment on every push.
	# update - Update a cost estimate comment when there is a change in the cost estimate.
	# See https://www.infracost.io/docs/features/cli_commands/#comment-on-pull-requests for other options.
	- name: Post Infracost comment
	run: \|
	export INFRACOST_API_KEY=${{ secrets.INFRACOST_API_KEY }}
	infracost comment github --path=/tmp/infracost.json \
	--repo=$GITHUB_REPOSITORY \
	--github-token=${{github.token}} \
	--pull-request=${{github.event.pull_request.number}} \
	--behavior=update \
	--policy-path=${TF_ROOT}/infracost-policy.rego
No results found