GitHub actions for terraform

This is a suite of terraform-related GitHub Actions that can be used together to build effective Infrastructure as Code workflows.

GitHub Actions are a way to make automated workflows that trigger when events occur on your GitHub repository, using a YAML file that lives in your repo. These actions can be used to easily perform Terraform tasks as part of your workflow.

Actions

See the documentation for the available actions:

Example Usage

These terraform actions can be added as steps to your own workflow files. GitHub reads workflow files from .github/workflows/ within your repository. See the Workflow documentation for details on writing workflows.

Here are some examples of how the terraform actions can be used together in workflows.

Terraform plan PR approval

Terraform plans typically need to be reviewed by a human before being applied. Fortunately, GitHub has a well-established method for requiring human review of changes: a Pull Request.

We can use PRs to safely plan and apply infrastructure changes.

You can have GitHub enforce this with branch protection; see the dflook/terraform-apply action for details.

In this example we use two workflows:

plan.yaml

This workflow runs on changes to a PR branch. It generates a terraform plan and attaches it to the PR as a comment.

name: Create terraform plan

on: [pull_request]

permissions:
  contents: read
  pull-requests: write

jobs:
  plan:
    runs-on: ubuntu-latest
    name: Create a plan for an example terraform configuration
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: terraform plan
        uses: dflook/terraform-plan@v1
        with:
          path: my-terraform-config

apply.yaml

This workflow runs when the PR is merged into the main branch, and applies the planned changes.

name: Apply terraform plan

on:
  push:
    branches:
      - main

permissions:
  contents: read
  pull-requests: write

jobs:
  apply:
    runs-on: ubuntu-latest
    name: Apply terraform plan
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: terraform apply
        uses: dflook/terraform-apply@v1
        with:
          path: my-terraform-config
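The apply workflow above can be tightened without changing what the action does. This added variant (example configuration, not from the project's README) serialises applies with a concurrency group so two pushes to main never race against the same state, and obtains cloud credentials through GitHub's OIDC token instead of a long-lived secret. It assumes the AWS provider and the third-party aws-actions/configure-aws-credentials action; the role ARN and region are placeholders.

```yaml
name: Apply terraform plan

on:
  push:
    branches:
      - main

# Serialise applies against the same state: a second push to main waits for
# the running apply to finish rather than racing it. Never cancel an apply
# mid-flight, as that can leave state locked or partially updated.
concurrency:
  group: terraform-apply-my-terraform-config
  cancel-in-progress: false

permissions:
  contents: read
  pull-requests: write   # terraform-apply reads the plan comment on the merged PR
  id-token: write        # allows the job to request a short-lived OIDC token

jobs:
  apply:
    runs-on: ubuntu-latest
    name: Apply terraform plan
    timeout-minutes: 30  # a hung apply fails instead of holding the lock indefinitely
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      # Assumption: an IAM role trusts this repository's OIDC identity.
      # The ARN and region are placeholders, not values from the README.
      - name: Get temporary cloud credentials via OIDC
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/EXAMPLE-terraform-apply-role
          aws-region: eu-west-1

      - name: terraform apply
        uses: dflook/terraform-apply@v1
        with:
          path: my-terraform-config
```

With branch protection requiring the plan workflow to pass before merge, the only path to an apply is a reviewed PR, and the runner holds cloud credentials only for the lifetime of the job.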

Linting

This workflow runs on every push to non-main branches and checks that the terraform configuration is valid. For extra strictness, we also check that the files are in the canonical format.

This can be used to check for correctness before merging.

lint.yaml

name: Lint

on:
  push:
    branches-ignore:
      - main

jobs:
  validate:
    runs-on: ubuntu-latest
    name: Validate terraform configuration
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: terraform validate
        uses: dflook/terraform-validate@v1
        with:
          path: my-terraform-config

  fmt-check:
    runs-on: ubuntu-latest
    name: Check formatting of terraform files
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: terraform fmt
        uses: dflook/terraform-fmt-check@v1
        with:
          path: my-terraform-config

Checking for drift

This workflow runs every morning and checks that the state of your infrastructure matches the configuration.

This can be used to detect manual or misapplied changes before they become a problem. If there are any unexpected changes, the workflow will fail.

drift.yaml

name: Check for infrastructure drift

on:
  schedule:
    - cron: "0 8 * * *"

jobs:
  check_drift:
    runs-on: ubuntu-latest
    name: Check for drift of example terraform configuration
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Check for drift
        uses: dflook/terraform-check@v1
        with:
          path: my-terraform-config

Scheduled infrastructure updates

There may be times when you expect terraform to plan updates without any changes to your terraform configuration files. Your configuration could be consuming secrets from elsewhere, or renewing certificates every few months.

This example workflow runs every morning and applies any outstanding changes to those specific resources.

rotate-certs.yaml

name: Rotate TLS certificates

on:
  schedule:
    - cron: "0 8 * * *"

jobs:
  rotate_certs:
    runs-on: ubuntu-latest
    name: Rotate TLS certificates in example terraform configuration
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Rotate certs
        uses: dflook/terraform-apply@v1
        with:
          path: my-terraform-config
          auto_approve: true
          target: |
            acme_certificate.certificate
            kubernetes_secret.certificate

Automatically fixing formatting

Perhaps you don't want to spend engineer time making formatting changes. This workflow will automatically create or update a PR that fixes any terraform formatting issues.

fmt.yaml

name: Check terraform file formatting

on:
  push:
    branches:
      - main

jobs:
  format:
    runs-on: ubuntu-latest
    name: Check terraform files are formatted correctly
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: terraform fmt
        uses: dflook/terraform-fmt@v1
        with:
          path: my-terraform-config
          
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v2
        with:
          commit-message: terraform fmt
          title: Reformat terraform files
          body: Update terraform files to canonical format using `terraform fmt`
          branch: automated-terraform-fmt

Ephemeral test environments

Testing software changes often requires some supporting infrastructure, like databases, DNS records, compute environments etc. We can use these actions to create dedicated resources for each PR, which are then used to run the tests.

There are two workflows:

integration-test.yaml

This workflow runs with every change to a PR.

It deploys the testing infrastructure using a terraform workspace dedicated to this branch, then runs integration tests against the new infrastructure.

name: Run integration tests

on: [pull_request]

jobs:
  run_tests:
    runs-on: ubuntu-latest
    name: Run integration tests
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Use branch workspace
        uses: dflook/terraform-new-workspace@v1
        with:
          path: my-terraform-config
          workspace: ${{ github.head_ref }}
          
      - name: Deploy test infrastructure
        uses: dflook/terraform-apply@v1
        id: test-infra
        with:
          path: my-terraform-config
          workspace: ${{ github.head_ref }}
          auto_approve: true

      - name: Run tests
        run: |
          ./run-tests.sh --endpoint "${{ steps.test-infra.outputs.url }}"

integration-test-cleanup.yaml

This workflow runs when a PR is closed and destroys any testing infrastructure that is no longer needed.

name: Destroy testing workspace

on:
  pull_request:
    types: [closed]

jobs:
  cleanup_tests:
    runs-on: ubuntu-latest
    name: Cleanup after integration tests
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: terraform destroy
        uses: dflook/terraform-destroy-workspace@v1
        with:
          path: my-terraform-config
          workspace: ${{ github.head_ref }}

What if I don't use GitHub Actions?

If you use CircleCI, check out OVO Energy's ovotech/terraform CircleCI orb. If you use Jenkins, you have my sympathy.
