GitHub Action
Terraform/OpenTofu via Pull Request
Important
Plan and apply changes to Terraform or OpenTofu (TF) configurations via pull request (PR) comments: for a CLI-like experience on the web. Powered by GitHub Actions to maximize compatibility and minimize maintenance for DIY deployments.
Overview · Usage [Workflow · Examples · Parameters] · Security · License
View PR in situ: Screenshot of the author's TF command in a PR comment followed by github-action bot's TF output response in the next comment.
Terraform and OpenTofu are platform-agnostic tools for managing cloud and on-prem resources by provisioning infrastructure as code (IaC).
- Enables you to define resources in human-readable configuration files that can be version controlled and shared for consistent state management.
- Both Hashicorp
terraform
and OpenTofutofu
CLIs are supported, with the latter offering an open-source and backwards-compatible drop-in replacement for the former.
Best suited for DevOps and Platform engineers who want to empower their teams to self-service TF without the overhead of self-hosting runners, containers or VMs like Atlantis.
- Environment deployment protection rules mitigate the risk of erroneous changes along with standardized approval requirements.
- Each PR and associated workflow run holds a complete log of infrastructure changes for ease of collaborative debugging as well as audit compliance.
GitHub Actions (GHA) is a continuous integration and continuous deployment (CI/CD) platform that enables you to automate your project's pipelines with custom workflows.
- This repository hosts a composite action that parses PR comments for TF commands and runs them on GitHub's ephemeral runners.
- Also supports GitHub Codespaces dev container, which offers a tailored TF development environment, complete with tools and runtimes to lower the barrier to entry for contributors.
- A functional workflow is provided in ".github/workflows/tf.yml", including recommended permissions and event triggers.
- Here is a simplified snippet to get started, with the full list of inputs documented below.
on:
issue_comment:
types: [created, edited]
pull_request:
types: [synchronize]
paths: ["**/*.tf*"]
...
steps:
- name: Provision TF
uses: devsectop/tf-via-pr-comments@v9
with:
cli_uses: "terraform"
cli_version: "~1.6"
Note
- Pin your workflow version to a specific release tag or SHA to harden your CI/CD pipeline security against supply chain attacks.
- Environment variables are automatically assumed, enabling cloud provider authentication (e.g., preceding aws-actions/configure-aws-credentials action can be used to pass short-lived credentials).
Use-case scenario: Provision resources in a workspace with a variable file, followed by targeted destruction. View PR in situ.
#1 PR Comment: Plan configuration in a workspace with a variable file.
-tf=plan -chdir=stacks/sample_instance -workspace=dev -var-file=env/dev.tfvars
#2 PR Comment: Apply configuration in a workspace with a variable file.
-tf=apply -chdir=stacks/sample_instance -workspace=dev -var-file=env/dev.tfvars
#3 PR Comment: Plan destruction of targeted resources in a workspace with a variable file.
-tf=plan -destroy -target=aws_instance.sample,data.aws_ami.ubuntu -chdir=stacks/sample_instance -workspace=dev -var-file=env/dev.tfvars
#4 PR Comment: Apply destruction of targeted resources in a workspace with a variable file.
-tf=apply -destroy -target=aws_instance.sample,data.aws_ami.ubuntu -chdir=stacks/sample_instance -workspace=dev -var-file=env/dev.tfvars
Use-case scenario: Provision resources with a backend, followed by destruction without confirmation, simultaneously. View PR in situ.
#1 PR Comment: Plan configuration with a backend file.
-tf=plan -chdir=stacks/sample_bucket -backend-config=backend/dev.tfbackend
#2 PR Comment: Apply configuration with a backend file.
-tf=apply -chdir=stacks/sample_bucket -backend-config=backend/dev.tfbackend
#3 PR Comment: Destroy configuration with a backend file without confirmation.
-tf=apply -destroy -auto-approve -chdir=stacks/sample_bucket -backend-config=backend/dev.tfbackend
Name | Description |
---|---|
apply_require_approval Default: false |
Boolean flag to require PR review approval for TF apply commands or consider deployment protection rules. |
backend_config_from_workspace Default: false |
Boolean flag to re-use TF -workspace as -backend-config argument, if supplied. |
backend_config_prefix Example: ../backend/ |
String prefix for TF -backend-config argument, if -backend-config (or -workspace and backend_config_from_workspace ) is supplied. |
backend_config_suffix Example: .tfbackend |
String suffix for TF -backend-config argument, if -backend-config (or -workspace and backend_config_from_workspace ) is supplied. |
chdir_prefix Example: stacks/ |
String prefix for TF -chdir argument. This is a global option that switches to a different directory. |
cli_hostname Example: app.terraform.io |
Hostname of TF cloud/enterprise instance to place within the credentials block of TF CLI configuration. |
cli_token Example: xyz… |
API token for TF cloud/enterprise instance to place within the credentials block of TF CLI configuration. |
cli_uses Default: terraform |
String to choose TF CLI, from: terraform and tofu . |
cli_version Default: latest |
Version of TF CLI to install, supporting semver ranges. |
fmt_enable Default: true |
Boolean flag to enable TF fmt command and display diff of changes. |
validate_enable Default: true |
Boolean flag to enable TF validate command check. |
var_file_from_workspace Default: false |
Boolean flag to re-use TF -workspace as -var-file argument, if supplied. |
var_file_prefix Example: ../env/ |
String prefix for TF -var-file argument, if -var-file (or -workspace and var_file_from_workspace ) is supplied. |
var_file_suffix Example: .tfvars |
String suffix for TF -var-file argument, if -var-file (or -workspace and var_file_from_workspace ) is supplied. |
Name | Description |
---|---|
command Example: {tf:plan,chdir:stacks/sample_bucket} |
JSON object of the parsed command. |
plan_id Example: stacks-sample-bucket-tfplan |
String ID of the TF plan file artifact's unique identifier. |
tf_fmt |
String output of the truncated TF fmt command. |
tf_output |
String output of the truncated last TF command. |
Integrating security in your CI/CD pipeline is critical to practicing DevSecOps. This GHA aims to be secure by default, and it should be complemented with your own review to ensure it meets your (organization's) security requirements.
- All associated GHAs used in this workflow are pinned to a specific SHA to prevent supply chain attacks from third-party upstream dependencies.
- Restrict changes to certain environments with deployment protection rules or
apply_require_approval
so that approval is required from authorized users/teams before changes to the infrastructure can be applied. - Ease of integration with OpenID Connect by passing short-lived credentials as environment variables to the workflow.
- All notable changes to this project will be documented in human-friendly releases.
- The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
Note
All forms of contribution are very welcome and deeply appreciated for fostering open-source projects.
- Please create a PR to contribute changes you'd like to see.
- Please raise an issue to discuss proposed changes or report unexpected behavior.
- Please open a discussion to share ideas about where you'd like to see this project go.
- Please consider becoming a stargazer if you find this project useful.
- This project is licensed under the permissive Apache License 2.0.
- All works herein are my own and shared of my own volition.
- Copyright 2023 Rishav Dhar — All wrongs reserved.