GitHub actions for Terraform and OpenTofu

dflook/terraform-github-actions

This is a suite of Terraform and OpenTofu related GitHub Actions that can be used together to build effective Infrastructure as Code workflows.

GitHub Actions are a way to make automated workflows that trigger when events occur on your GitHub repository, using a YAML file that lives in your repo. These actions can be used to easily perform Terraform or OpenTofu tasks as part of your workflow.

Actions

See the documentation for the available actions:

| Terraform | OpenTofu |
| --- | --- |
| dflook/terraform-plan | dflook/tofu-plan |
| dflook/terraform-apply | dflook/tofu-apply |
| dflook/terraform-output | dflook/tofu-output |
| dflook/terraform-remote-state | dflook/tofu-remote-state |
| dflook/terraform-validate | dflook/tofu-validate |
| dflook/terraform-fmt-check | dflook/tofu-fmt-check |
| dflook/terraform-fmt | dflook/tofu-fmt |
| dflook/terraform-check | dflook/tofu-check |
| dflook/terraform-new-workspace | dflook/tofu-new-workspace |
| dflook/terraform-destroy-workspace | dflook/tofu-destroy-workspace |
| dflook/terraform-destroy | dflook/tofu-destroy |
| dflook/terraform-version | dflook/tofu-version |
| dflook/terraform-unlock-state | dflook/tofu-unlock-state |
| dflook/terraform-test | dflook/tofu-test |
| dflook/terraform-refresh | dflook/tofu-refresh |

Example Usage

These actions can be added as steps to your own workflow files. GitHub reads workflow files from .github/workflows/ within your repository. See the Workflow documentation for details on writing workflows.

Here are some examples of how the actions can be used together in workflows.

Terraform plan PR approval

Terraform plans typically need to be reviewed by a human before being applied. Fortunately, GitHub has a well-established method for requiring human reviews of changes: a Pull Request.

We can use PRs to safely plan and apply infrastructure changes.

A video showing a PR being created, a plan being generated, the plan being reviewed, and the plan being applied.

You can make GitHub enforce this using branch protection; see the dflook/terraform-apply action for details.

In this example we use two workflows:

plan.yaml

This workflow runs on changes to a PR branch. It generates a Terraform plan and attaches it to the PR as a comment.

```yaml
name: Create terraform plan

on: [pull_request]

permissions:
  contents: read
  pull-requests: write

jobs:
  plan:
    runs-on: ubuntu-latest
    name: Create a plan for an example terraform configuration
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: terraform plan
        uses: dflook/terraform-plan@v2
        with:
          path: my-terraform-config
```

apply.yaml

This workflow runs when the PR is merged into the main branch, and applies the planned changes.

```yaml
name: Apply terraform plan

on:
  push:
    branches:
      - main

permissions:
  contents: read
  pull-requests: write

jobs:
  apply:
    runs-on: ubuntu-latest
    name: Apply terraform plan
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: terraform apply
        uses: dflook/terraform-apply@v2
        with:
          path: my-terraform-config
```

Linting

This workflow runs on every push to non-main branches and checks that the Terraform configuration is valid. For extra strictness, we check that the files are in the canonical format.

A screenshot showing the output of the terraform validate action.

This can be used to check for correctness before merging.

lint.yaml

```yaml
name: Lint

on:
  push:
    branches-ignore:
      - main

jobs:
  validate:
    runs-on: ubuntu-latest
    name: Validate terraform configuration
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: terraform validate
        uses: dflook/terraform-validate@v2
        with:
          path: my-terraform-config

  fmt-check:
    runs-on: ubuntu-latest
    name: Check formatting of terraform files
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: terraform fmt
        uses: dflook/terraform-fmt-check@v2
        with:
          path: my-terraform-config
```

Checking for drift

This workflow runs every morning and checks that the state of your infrastructure matches the configuration.

This can be used to detect manual or misapplied changes before they become a problem. If there are any unexpected changes, the workflow will fail.

drift.yaml

```yaml
name: Check for infrastructure drift

on:
  schedule:
    - cron: "0 8 * * *"

jobs:
  check_drift:
    runs-on: ubuntu-latest
    name: Check for drift of example terraform configuration
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Check for drift
        uses: dflook/terraform-check@v2
        with:
          path: my-terraform-config
```

Scheduled infrastructure updates

There may be times when you expect Terraform to plan updates without any changes to your configuration files. Your configuration could be consuming secrets from elsewhere, or renewing certificates every few months.

This example workflow runs every morning and applies any outstanding changes to those specific resources.

rotate-certs.yaml

```yaml
name: Rotate TLS certificates

on:
  schedule:
    - cron: "0 8 * * *"

jobs:
  rotate_certs:
    runs-on: ubuntu-latest
    name: Rotate TLS certificates in example terraform configuration
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Rotate certs
        uses: dflook/terraform-apply@v2
        with:
          path: my-terraform-config
          auto_approve: true
          target: |
            acme_certificate.certificate
            kubernetes_secret.certificate
```

Automatically fixing formatting

Perhaps you don't want to spend engineer time making formatting changes. This workflow will automatically create or update a PR that fixes any formatting issues.

fmt.yaml

```yaml
name: Check terraform file formatting

on:
  push:
    branches:
      - main

jobs:
  format:
    runs-on: ubuntu-latest
    name: Check terraform files are formatted correctly
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: terraform fmt
        uses: dflook/terraform-fmt@v2
        with:
          path: my-terraform-config

      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v2
        with:
          commit-message: terraform fmt
          title: Reformat terraform files
          body: Update terraform files to canonical format using `terraform fmt`
          branch: automated-terraform-fmt
```

Ephemeral test environments

Testing of software changes often requires some supporting infrastructure, like databases, DNS records, compute environments etc. We can use these actions to create dedicated resources for each PR, which are used to run tests.

There are two workflows:

integration-test.yaml

This workflow runs with every change to a PR.

It deploys the testing infrastructure using a Terraform workspace dedicated to this branch, then runs integration tests against the new infrastructure.

```yaml
name: Run integration tests

on: [pull_request]

jobs:
  run_tests:
    runs-on: ubuntu-latest
    name: Run integration tests
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Use branch workspace
        uses: dflook/terraform-new-workspace@v2
        with:
          path: my-terraform-config
          workspace: ${{ github.head_ref }}

      - name: Deploy test infrastructure
        uses: dflook/terraform-apply@v2
        id: test-infra
        with:
          path: my-terraform-config
          workspace: ${{ github.head_ref }}
          auto_approve: true

      - name: Run tests
        run: |
          ./run-tests.sh --endpoint "${{ steps.test-infra.outputs.url }}"
```

integration-test-cleanup.yaml

This workflow runs when a PR is closed and destroys any testing infrastructure that is no longer needed.

```yaml
name: Destroy testing workspace

on:
  pull_request:
    types: [closed]

jobs:
  cleanup_tests:
    runs-on: ubuntu-latest
    name: Cleanup after integration tests
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: terraform destroy
        uses: dflook/terraform-destroy-workspace@v2
        with:
          path: my-terraform-config
          workspace: ${{ github.head_ref }}
```
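The rotate-certs.yaml and integration-test.yaml workflows above set auto_approve: true, so those applies run without the PR plan review described in the first example. The following Python check is an added example, not part of this project: it uses a text heuristic rather than a YAML parser to list such apply steps and whether a target or workspace input scopes them, and its sample inputs are step lists trimmed from this page's workflows.

```python
import re

# Apply actions listed on this page (Terraform and OpenTofu variants).
APPLY = re.compile(r"uses:\s*dflook/(?:terraform|tofu)-apply@")
AUTO = re.compile(r"^\s*auto_approve:\s*true\s*$", re.M)
STEP_START = re.compile(r"^\s*-\s+(?:name|id|uses|run):")

def split_steps(text):
    """Heuristic, text-based split into step blocks (not a full YAML parser)."""
    steps = []
    for line in text.splitlines():
        if STEP_START.match(line):
            steps.append([line])
        elif steps:
            steps[-1].append(line)
    return ["\n".join(s) for s in steps]

def audit_auto_approve(text):
    """Return apply steps that set auto_approve: true, with any scoping inputs."""
    findings = []
    for step in split_steps(text):
        if not (APPLY.search(step) and AUTO.search(step)):
            continue
        name = re.search(r"name:\s*(.+)", step)
        scope = [k for k in ("target", "workspace") if re.search(rf"^\s*{k}:", step, re.M)]
        findings.append({"step": name.group(1).strip() if name else "(unnamed)",
                         "scoped_by": scope})
    return findings

# Step lists trimmed from the apply.yaml and rotate-certs.yaml examples on this page.
REVIEWED = """
      - name: terraform apply
        uses: dflook/terraform-apply@v2
        with:
          path: my-terraform-config
"""
ROTATE = """
      - name: Rotate certs
        uses: dflook/terraform-apply@v2
        with:
          path: my-terraform-config
          auto_approve: true
          target: |
            acme_certificate.certificate
            kubernetes_secret.certificate
"""

if __name__ == "__main__":
    print(audit_auto_approve(REVIEWED), audit_auto_approve(ROTATE))
```

A finding with an empty scoped_by list is an auto-approved apply over the whole configuration, which is the case most worth a reviewer's attention.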
