ci: add validation for terraform files

check terraform files using:
* tf fmt
* tfsec
* checkov

.drone.yml

@@ -0,0 +1,69 @@
+---
+kind: pipeline
+type: docker
+name: terraform validate
+
+platform:
+  os: linux
+  arch: amd64
+
+steps:
+- name: validate
+  pull: always
+  image: hashicorp/terraform:1.1.0-alpha20210616
+  commands:
+  - terraform -version
+  - cd vms
+  - terraform init -backend=false
+  - terraform validate
+  - terraform fmt --check
+
+- name: fmt
+  pull: always
+  image: hashicorp/terraform:1.1.0-alpha20210616
+  depends_on: [clone]
+  commands:
+  - terraform -version
+  - cd vms
+  - terraform init -backend=false
+  - terraform fmt -check -recursive -diff
+
+- name: "tfsec: project root"
+  pull: always
+  image: tfsec/tfsec-ci:v0.45.2
+  depends_on: [validate]
+  commands:
+  - tfsec --version
+  - tfsec
+
+- name: "tfsec: vms folder"
+  pull: always
+  image: tfsec/tfsec-ci:v0.45.2
+  depends_on: [validate]
+  commands:
+  - tfsec --version
+  - tfsec ./vms
+
+- name: "tfsec: terraform.tfvars"
+  pull: always
+  image: tfsec/tfsec-ci:v0.45.2
+  depends_on: [validate]
+  commands:
+  - tfsec --version
+  - tfsec --tfvars-file vms/terraform.tfvars
+
+- name: checkov libvirt.tf
+  pull: always
+  image: bridgecrew/checkov:2.0.259
+  depends_on: [validate]
+  commands:
+  - checkov --version
+  - checkov -f libvirt.tf
+
+- name: checkov main.tf
+  pull: always
+  image: bridgecrew/checkov:2.0.259
+  depends_on: [validate]
+  commands:
+  - checkov --version
+  - checkov -f vms/main.tf

vms/main.tf

@@ -65,6 +65,7 @@ variable "dhcp" {
 variable "mode" {
   type = list(string)
 }
+#tfsec:ignore:GEN001 - tf-ansible key is solely used for connections by ansible
 variable "ssh_private_key" {
   description = "the key to use for ansible stuff"
   default     = "~/.ssh/tf-ansible"