I Built a GitHub Action for Terraform 0.11 and Added tflint Too
Overview
HashiCorp provides the following repository as a GitHub Action for Terraform.
hashicorp/terraform-github-actions
However, the repository above only applies to the latest version of Terraform (0.12.9 as of 2019-09-30).
Since there was nothing for the 0.11 series, I forked hashicorp/terraform-github-actions and created terraform-github-actions for the 0.11 series in the following repository.
kenzo0107/terraform-github-actions
Support for older versions of Terraform is documented officially by Terraform at the following link.
Terraform Versions - Terraform GitHub Actions - Terraform by HashiCorp
It says that for older versions you should fork it and build it yourself.
While I Was At It
I also added the following.
- Added tflint
- Display the directory being executed
How to Use
Suppose you have a Terraform project like the following.
├── envs
How to Configure GitHub Actions
Place the following 2 files in the root directory.
- .github/workflows/main.yml
- .github/workflows/fmt.yml
├── .github
.github/workflows/main.yml
name: Terraform
A Quick Explanation
The workflow is triggered by pull requests.
on: [pull_request]
Check out the repository
- name: Checkout Repo
Run stg and prd in parallel using a matrix strategy.
strategy:
terraform init, validate, lint, plan
- name: ${{ matrix.env }} Terraform Init
Needless to say, it runs the following.
- terraform init
- terraform validate
- terraform lint
- terraform plan
kenzo0107/terraform-github-actions/init@v0.6.0 supports terraform v0.11.14.
For init, validate, and lint, if there are any issues to point out, it comments on the Pull Request.
terraform plan always posts its output as a comment.
Reviewers will appreciate this feature, because checking that the code changes and the terraform plan output are consistent is an important part of review.
Specifying the execution path
When you want to change into a directory before running terraform plan and so on, specify it in the following environment variable.
TF_ACTION_WORKING_DIR: './envs/${{ matrix.env }}'
In kenzo0107/terraform-github-actions/plan@v0.6.0, I made it display the TF_ACTION_WORKING_DIR configured above together with the terraform plan output. (In hashicorp/terraform-github-actions, the directory the command was run in is not included in the Pull Request comment.)
This is because, from the terraform plan output alone, it is hard to tell whether it was run against stg or prd, which can confuse reviewers.
Configuring secrets
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
secrets.GITHUB_TOKEN is provided automatically; you do not need to add a token under secrets yourself.
I personally think this is a way of managing credentials that is only possible precisely because the CI/CD is run by GitHub itself, and it is one of the big advantages of Actions.
Set every other secret under Settings > Secrets.
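The main.yml that the fragments in this section describe, written out here as an added example reconstructed from the description above rather than copied from the author's repository; the validate and lint sub-action paths under the fork and the AWS_* secret names are assumptions.

```yaml
name: Terraform

on: [pull_request]

jobs:
  terraform:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        env: [stg, prd]          # the two environments run in parallel
    env:
      # Provided automatically by GitHub; nothing to store under Settings > Secrets.
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # Directory the fork changes into before each terraform command,
      # and echoes in the plan comment so reviewers can tell stg from prd.
      TF_ACTION_WORKING_DIR: './envs/${{ matrix.env }}'
      # Assumed names for the provider credentials; these live under
      # Settings > Secrets and are never committed to the repository.
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    steps:
      - name: Checkout Repo
        uses: actions/checkout@v1

      # init, validate and lint comment on the PR only when there is something to point out.
      - name: ${{ matrix.env }} Terraform Init
        uses: kenzo0107/terraform-github-actions/init@v0.6.0

      - name: ${{ matrix.env }} Terraform Validate
        uses: kenzo0107/terraform-github-actions/validate@v0.6.0   # assumed path

      - name: ${{ matrix.env }} Terraform Lint
        uses: kenzo0107/terraform-github-actions/lint@v0.6.0       # assumed path

      # plan always posts its output, prefixed with TF_ACTION_WORKING_DIR.
      - name: ${{ matrix.env }} Terraform Plan
        uses: kenzo0107/terraform-github-actions/plan@v0.6.0
```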
.github/workflows/fmt.yml
Since terraform fmt is run at the root directory of the repository regardless of stg, prd, and so on, I separated it from .github/workflows/main.yml.
This one is also triggered by pull requests.
name: Terraform
Final Thoughts
As a subject for getting my feet wet with GitHub Actions, it was very simple and easy to approach.
And above all, despite the effort I put in, it might have been faster to just support the 0.12 series…
Unless you have some unavoidable reason to stay on 0.11, it is better to keep up with the latest version.
That’s all.
I hope this is helpful.
https://kenzo0107.github.io/en/2019/10/01/terraform-0-11-github-actions-tflint/