
fix: add missing tf deploy pipeline #15

Open
wants to merge 1 commit into main

Conversation

mrickettsk
Collaborator

@mrickettsk mrickettsk commented Dec 16, 2024

Adding missing terraform deployment pipeline from mirror repository.

🤖AEP PR SUMMARY🤖

  • A new file .github/workflows/deploy-terraform.yml was added.
  • This file contains a workflow to deploy to Azure triggered by pushes to the main branch, pull requests to the main branch, and manual dispatches.
  • The job "terraform" is defined to run on Ubuntu latest, with several environment variables and default settings specified.
  • Steps include code checkout, setting up Terraform, lint check, auto commit changes, Terraform initialization, and Terraform plan and apply.


The provided Git diff for a GitHub Actions workflow that deploys to Azure using Terraform highlights a robust initial setup. However, there are several improvements and best practices that could enhance code quality, security, execution costs, and carbon usage. Below, I list specific recommendations:

Code Quality and Best Practices

  1. Specifying the runs-on Version:

    • Instead of using runs-on: ubuntu-latest, specify an exact version of Ubuntu. Using the latest version might introduce unexpected changes if the GitHub Actions virtual environments get updated.
      ```yaml
      runs-on: ubuntu-20.04
      ```

  2. Terraform Version:

    • Ensure the Terraform version (TF_VERSION: 1.3.6) is the most stable and compatible version with your infrastructure as code. It's a good practice to recurrently review and update this to leverage new features and performance improvements.
  3. Environment Files:

    • Instead of creating a blank .env file, consider using GitHub secrets more extensively or environment variables defined in the workflow if possible. If a .env file is essential for local development, provide clear documentation on its necessity and handling within CI/CD pipelines.
  4. Verbose Terraform Outputs:

    • For both Terraform Plan and Terraform Apply, consider adding verbosity or logging for clearer understanding and debugging. This could help in diagnosing issues faster.
      ```yaml
      run: |
        make tf-plan TF_LOG=TRACE
      ```

Security

  1. Least Privilege Principle:

    • Review the permissions granted to the ARM_CLIENT_ID and ARM_CLIENT_SECRET. Ensure they adhere to the principle of least privilege, reducing the potential impact of credentials leakage.
  2. Automatic Commit of Terraform Files:

    • The automatic commit of formatted Terraform files (*.tf) after linting carries the risk of unintentionally exposing sensitive data if not properly managed. It's crucial to have a robust review process for changes committed by automation.

Cost and Carbon Usage

  1. Optimizing Workflow Triggers:

    • The current setup triggers on every push to the main branch and pull requests targeting the main branch. Depending on your workflow, this might lead to unnecessary runs, increasing both costs and carbon footprint. Consider narrowing down the trigger conditions or employing branch protection rules to require passing checks before merging into the main branch.
      ```yaml
      on:
        push:
          branches:
            - main
        pull_request_review:
          types: [submitted, edited, dismissed]
          branches:
            - main
      ```
  2. Terraform Cloud:

    • If not already using, consider integrating with Terraform Cloud or a similar service that offers remote state management. This allows for more efficient state locking, history, and potentially reduces the execution time and associated costs of Terraform commands.

General

  • End-of-File Newline:
    • There’s a remark about no newline at the end of the file. It's a good practice to always end files with a newline to avoid issues with POSIX systems.

These recommendations aim at making the workflow more efficient, secure, and cost-effective, while adhering to best practices.
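As an added illustration of the review points above (this is not the workflow file in the PR, nor AEP's or the project's code): a hardened `deploy-terraform.yml` that pins the runner image and action versions, declares least-privilege `GITHUB_TOKEN` permissions, narrows the triggers to Terraform changes, keeps `terraform fmt` as a failing check instead of an auto-commit, and applies only a saved plan and only on `main`. The job name `terraform`, `TF_VERSION: 1.3.6` and the `ARM_CLIENT_ID` / `ARM_CLIENT_SECRET` secret names are taken from the review; `ARM_SUBSCRIPTION_ID`, `ARM_TENANT_ID`, the `paths` filters and the exact Terraform commands (the PR uses `make` targets) are assumptions.

```yaml
# Added example (not the PR's own file): a hardened variant of
# .github/workflows/deploy-terraform.yml reflecting the review above.
# Secret names, paths filters and commands are assumptions.
name: deploy-terraform

on:
  # Narrowed triggers: only Terraform or workflow changes start a run.
  push:
    branches: [main]
    paths: ['**.tf', '.github/workflows/deploy-terraform.yml']
  pull_request:
    branches: [main]
    paths: ['**.tf']
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: read-only; widen per job only if a step needs it.
permissions:
  contents: read

# One run per ref at a time so plan and apply never race on the state file;
# a running apply is never cancelled mid-way.
concurrency:
  group: terraform-${{ github.ref }}
  cancel-in-progress: false

env:
  TF_VERSION: 1.3.6
  TF_INPUT: "false"          # fail instead of prompting in CI
  TF_IN_AUTOMATION: "true"
  # Azure service principal credentials come only from repository/environment
  # secrets; nothing is written to a .env file in the workspace.
  ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
  ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}   # assumed secret name
  ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}               # assumed secret name

jobs:
  terraform:
    # Pinned runner image instead of ubuntu-latest (review item 1).
    runs-on: ubuntu-22.04
    defaults:
      run:
        shell: bash
    steps:
      # Action versions pinned to a major tag; pin to a commit SHA for stricter supply-chain control.
      - uses: actions/checkout@v4

      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ env.TF_VERSION }}

      # Formatting is a check that fails the job; the bot never commits to the repo.
      - name: Terraform fmt check
        run: terraform fmt -check -recursive -diff

      - name: Terraform init
        run: terraform init -input=false

      # The plan is saved so that apply executes exactly what was reviewed.
      - name: Terraform plan
        run: terraform plan -input=false -out=tfplan

      # Apply only on pushes to main, never from a pull request, and only the saved plan.
      - name: Terraform apply
        if: github.ref == 'refs/heads/main' && github.event_name != 'pull_request'
        run: terraform apply -input=false -auto-approve tfplan
```

The saved `tfplan` file can contain values from the state, including sensitive ones, so it is kept in the job workspace and not uploaded as an artifact; if a plan must be handed to a separate apply job, restrict who can download it. Leaving the `.env` step out also removes the file the review flagged under "Environment Files".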
