Skip to content
You're viewing an older version of this GitHub Action. Do you want to see the latest version instead?
package

GitHub Action

Terraform/OpenTofu via Pull Request

v9.0.0

Terraform/OpenTofu via Pull Request

package

Terraform/OpenTofu via Pull Request

Plan and apply Terraform/OpenTofu via PR automation, using best practices for secure and scalable IaC workflows

Installation

Copy and paste the following snippet into your .yml file.

              

- name: Terraform/OpenTofu via Pull Request

uses: DevSecTop/[email protected]

Learn more about this action in DevSecTop/TF-via-PR

Choose a version

Terraform/OpenTofu Via Pull Request Comments

Important

Plan and apply changes to Terraform or OpenTofu (TF) configurations via pull request (PR) comments: for a CLI-like experience on the web. Powered by GitHub Actions to maximize compatibility and minimize maintenance for DIY deployments.

Overview · Usage [Workflow · Examples · Parameters] · Security · License

Screenshot of the author's TF command in a PR comment followed by github-action bot's TF output response in the next comment.
View PR in situ: Screenshot of the author's TF command in a PR comment followed by github-action bot's TF output response in the next comment.

Overview

Terraform and OpenTofu are platform-agnostic tools for managing cloud and on-prem resources by provisioning infrastructure as code (IaC).
  • Enables you to define resources in human-readable configuration files that can be version controlled and shared for consistent state management.
  • Both Hashicorp terraform and OpenTofu tofu CLIs are supported, with the latter offering an open-source and backwards-compatible drop-in replacement for the former.
Best suited for DevOps and Platform engineers who want to empower their teams to self-service TF without the overhead of self-hosting runners, containers or VMs like Atlantis.
  • Environment deployment protection rules mitigate the risk of erroneous changes along with standardized approval requirements.
  • Each PR and associated workflow run holds a complete log of infrastructure changes for ease of collaborative debugging as well as audit compliance.
GitHub Actions (GHA) is a continuous integration and continuous deployment (CI/CD) platform that enables you to automate your project's pipelines with custom workflows.
  • This repository hosts a composite action that parses PR comments for TF commands and runs them on GitHub's ephemeral runners.
  • Also supports GitHub Codespaces dev container, which offers a tailored TF development environment, complete with tools and runtimes to lower the barrier to entry for contributors.

Usage

Workflow

  • A functional workflow is provided in ".github/workflows/tf.yml", including recommended permissions and event triggers.
  • Here is a simplified snippet to get started, with the full list of inputs documented below.
on:
  issue_comment:
    types: [created, edited]
  pull_request:
    types: [synchronize]
    paths: ["**/*.tf*"]
...
steps:
  - name: Provision TF
    uses: devsectop/tf-via-pr-comments@v9
    with:
      cli_uses: "terraform"
      cli_version: "~1.6"

Note

  • Pin your workflow version to a specific release tag or SHA to harden your CI/CD pipeline security against supply chain attacks.
  • Environment variables are automatically assumed, enabling cloud provider authentication (e.g., preceding aws-actions/configure-aws-credentials action can be used to pass short-lived credentials).

Examples

Use-case scenario: Provision resources in a workspace with a variable file, followed by targeted destruction. View PR in situ.

#1 PR Comment: Plan configuration in a workspace with a variable file.
-tf=plan -chdir=stacks/sample_instance -workspace=dev -var-file=env/dev.tfvars

#2 PR Comment: Apply configuration in a workspace with a variable file.
-tf=apply -chdir=stacks/sample_instance -workspace=dev -var-file=env/dev.tfvars

#3 PR Comment: Plan destruction of targeted resources in a workspace with a variable file.
-tf=plan -destroy -target=aws_instance.sample,data.aws_ami.ubuntu -chdir=stacks/sample_instance -workspace=dev -var-file=env/dev.tfvars

#4 PR Comment: Apply destruction of targeted resources in a workspace with a variable file.
-tf=apply -destroy -target=aws_instance.sample,data.aws_ami.ubuntu -chdir=stacks/sample_instance -workspace=dev -var-file=env/dev.tfvars

Use-case scenario: Provision resources with a backend, followed by destruction without confirmation, simultaneously. View PR in situ.

#1 PR Comment: Plan configuration with a backend file.
-tf=plan -chdir=stacks/sample_bucket -backend-config=backend/dev.tfbackend

#2 PR Comment: Apply configuration with a backend file.
-tf=apply -chdir=stacks/sample_bucket -backend-config=backend/dev.tfbackend

#3 PR Comment: Destroy configuration with a backend file without confirmation.
-tf=apply -destroy -auto-approve -chdir=stacks/sample_bucket -backend-config=backend/dev.tfbackend

Parameters

Inputs

Name Description
apply_require_approval
Default: false
Boolean flag to require PR review approval for TF apply commands or consider deployment protection rules.
backend_config_from_workspace
Default: false
Boolean flag to re-use TF -workspace as -backend-config argument, if supplied.
backend_config_prefix
Example: ../backend/
String prefix for TF -backend-config argument, if -backend-config (or -workspace and backend_config_from_workspace) is supplied.
backend_config_suffix
Example: .tfbackend
String suffix for TF -backend-config argument, if -backend-config (or -workspace and backend_config_from_workspace) is supplied.
chdir_prefix
Example: stacks/
String prefix for TF -chdir argument. This is a global option that switches to a different directory.
cli_hostname
Example: app.terraform.io
Hostname of TF cloud/enterprise instance to place within the credentials block of TF CLI configuration.
cli_token
Example: xyz…
API token for TF cloud/enterprise instance to place within the credentials block of TF CLI configuration.
cli_uses
Default: terraform
String to choose TF CLI, from: terraform and tofu.
cli_version
Default: latest
Version of TF CLI to install, supporting semver ranges.
fmt_enable
Default: true
Boolean flag to enable TF fmt command and display diff of changes.
validate_enable
Default: true
Boolean flag to enable TF validate command check.
var_file_from_workspace
Default: false
Boolean flag to re-use TF -workspace as -var-file argument, if supplied.
var_file_prefix
Example: ../env/
String prefix for TF -var-file argument, if -var-file (or -workspace and var_file_from_workspace) is supplied.
var_file_suffix
Example: .tfvars
String suffix for TF -var-file argument, if -var-file (or -workspace and var_file_from_workspace) is supplied.

Outputs

Name Description
command
Example: {tf:plan,chdir:stacks/sample_bucket}
JSON object of the parsed command.
plan_id
Example: stacks-sample-bucket-tfplan
String ID of the TF plan file artifact's unique identifier.
tf_fmt String output of the truncated TF fmt command.
tf_output String output of the truncated last TF command.

Security

Integrating security in your CI/CD pipeline is critical to practicing DevSecOps. This GHA aims to be secure by default, and it should be complemented with your own review to ensure it meets your (organization's) security requirements.

  • All associated GHAs used in this workflow are pinned to a specific SHA to prevent supply chain attacks from third-party upstream dependencies.
  • Restrict changes to certain environments with deployment protection rules or apply_require_approval so that approval is required from authorized users/teams before changes to the infrastructure can be applied.
  • Ease of integration with OpenID Connect by passing short-lived credentials as environment variables to the workflow.

Changelog

Note

All forms of contribution are very welcome and deeply appreciated for fostering open-source projects.

License

  • This project is licensed under the permissive Apache License 2.0.
  • All works herein are my own and shared of my own volition.
  • Copyright 2023 Rishav Dhar — All wrongs reserved.