feat(tf): Create a workflow for checking on terraform projects

* Setup terraform
* Check formatting
* Initialize the backend, caching providers
* Validate the configuration
* Generate a plan

Project linting will:
* Initialize tflint, caching plugins
* Run tflint

Terraform project is configured to serialize every run. As in-progress jobs may acquire a lock on the remote state while generating the plan, they are not cancelled.

fix plan

Author: benoit-garcia

.github/workflows/tf_project_plan.yaml

@@ -0,0 +1,76 @@
+---
+name: "Terraform Project: Generate Plan"
+
+"on":
+  workflow_call:
+    secrets:
+      GH_TOKEN:
+        description: "Github PAT. Used for managing Github ressources beyond the scope of short-live token (organization, other repositories, etc)"
+        required: false
+      TFE_TOKEN:
+        description: "Terraform Cloud Token. Used for backend's authentication and ressource management"
+        required: false
+jobs:
+  terraform:
+    name: "Terraform Project"
+    runs-on: ubuntu-latest
+    concurrency:
+      group: ${{ github.repository }}
+      cancel-in-progress: false
+    steps:
+      - id: repo_checkout
+        name: "Repository: Checkout"
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b  # v4.1.4
+      - id: tf_version
+        name: "Terraform: Get version"
+        run: |
+          TF_VERSION=$(cat .terraform-version 2>/dev/null || echo latest)
+          echo "TF_VERSION=$TF_VERSION" >> $GITHUB_OUTPUT
+      - id: tf_setup
+        name: "Terraform: Setup"
+        uses: hashicorp/setup-terraform@97f030cf6dc0b4f5e0da352c7bca9cca34579800  # v3.1.0
+        with:
+          cli_config_credentials_token: ${{ secrets.TFE_TOKEN }}
+          terraform_version: ${{steps.tf_version.outputs.TF_VERSION}}
+      - id: tf_fmt
+        name: "Terraform: Check formatting"
+        run: terraform fmt -check -diff -recursive ./
+      - name: "Terraform: Cache providers directory"
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9  # v4.0.2
+        with:
+          path: ./.terraform/providers
+          key: tf-${{ steps.tf_version.outputs.TF_VERSION }}-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.terraform.lock.hcl') }}
+      - id: tf_init
+        name: "Terraform: Prepare working directory"
+        run: terraform init
+      - id: tf_validate
+        name: "Terraform: Check configuration is valid"
+        run: terraform validate
+      - id: tf_plan
+        name: "Terraform: Generate terraform plan"
+        run: terraform plan -input=false -no-color
+        env:
+          TFE_TOKEN: ${{ secrets.TFE_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+  tflint:
+    name: "Project linting"
+    runs-on: ubuntu-latest
+    steps:
+      - id: repo_checkout
+        name: "Repository: Checkout"
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b  # v4.1.4
+      - id: tflint_cache
+        name: "TFLint: Update cache"
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9  # v4.0.2
+        with:
+          path: ~/.tflint.d/plugins
+          key: tflint-${{ hashFiles('.tflint.hcl') }}
+      - id: tflint_setup
+        name: "TFLint: Setup"
+        uses: terraform-linters/setup-tflint@19a52fbac37dacb22a09518e4ef6ee234f2d4987  # v4.0.0
+      - id: tflint_init
+        name: "TFLint: Install plugins"
+        run: tflint --init
+      - id: tflint_inspect
+        name: "TFLint: Inspect code"
+        run: tflint -f compact --call-module-type=local

README.md

@@ -60,6 +60,26 @@ jobs:
 
 ```
 
+## tf_project_plan.yaml
+
+Run some checks on terraform code and generate a plan, usefull when creating pull request on a project:
+* Formatting check using `terraform fmt`.
+* Configuration validation using `terraform validate`.
+* Generate a plan using `terraform plan`.
+* Linting using [`tflint`](https://github.com/terraform-linters/tflint).
+
+The job is configured to avoid deadlocks on the remote state. As such only one job will run at a time, and running jobs are not cancelled.
+
+Include the following jobs in your existing workflows to use this workflow:
+```yaml
+[...]
+jobs:
+  merge_tf:
+    uses: scaleway-terraform-modules/wokflows/.github/workflows/tf_project_apply.yaml@main
+    secrets: inherit
+
+```
+
 ## yaml_check.yaml
 
 Run [`yamllint`](https://www.yamllint.com/).