DEV Community

Guide to Create Github Actions Workflow for Terraform and AWS

Terraform and AWS GitHub Action Workflow

Table of Contents


Infra as code using Terraform on AWS Cloud provider is most common use case. So as part of this blog, we will discuss how to create Github Actions workflow for Terraform AWS resource code validation checks.

This workflow (or pipeline) can be configured for testing the terraform code pushed by DevOps engineers/SREs/Developers, and can be triggered whenever there is new tf code is pushed into a specific branch for AWS resource creation

Please refer the screenshot below, this is how the workflow can be triggered from GitHub Actions:

TF workflow

There are multiple ways to create the automation flow for AWS and Terraform resource creation. You can consider this guide as one of the many ways that are available.

GitHub Actions Brief Introduction

  • GitHub Actions workflow can be used to automate the CICD for software deployments and running various stages for software development life cycle.
  • As per the documentation

GitHub Actions is a continuous integration and continuous delivery (CI/CD) platform that allows you to automate your build, test, and deployment pipeline. You can create workflows that build and test every pull request to your repository, or deploy merged pull requests to production.

GitHub Actions goes beyond just DevOps and lets you run workflows when other events happen in your repository. For example, you can run a workflow to automatically add the appropriate labels whenever someone creates a new issue in your repository.
GitHub provides Linux, Windows, and macOS virtual machines to run your workflows, or you can host your own self-hosted runners in your own data center or cloud infrastructure.

Introduction to Workflow Yaml Blocks

  • GitHub action workflow consists of various component blocks,
  • on block - In this block we'll mention what is the triggering event for the workflow. It controls when the action will run. Workflow runs when manually triggered using the UI
  • workflow_displatch - It is the sub block inside the on event triggering block, in which we can specify what are the inputs needed to trigger the workflow.
  • jobs block - In this block we'll define the workflow actions like code building, testing and deployment to environments. A workflow run is made up of one or more jobs that can run sequentially or in parallel
  • steps block - This is a sub block inside jobs, where each stages of job will be defined

  • After adding a new workflow file in the $REPO_HOME_PATH/.github/workflows directory, it will be showing up in the repo actions tab. (As shown below)

TF workflow trigger

Workflow Yaml for Terraform AWS Pipeline

  • In the on event block workflow_dispatch section, we will be adding the inputs directory path, on which we are going to run our Terraform code validation
  • It is defaulted to 'aws_samples/create_ec2', but it can be changed while executing the workflow at the time of code verification.
name: Terraform AWS Workflow

    # Inputs the workflow expects.
        description: 'TF File Path'     
        required: false
        default: 'aws_samples/create_ec2'
Enter fullscreen mode Exit fullscreen mode
  • In the jobs block, we need to specify the workflow runner OS and code checkout action.
  • Under the steps, we are performing below tasks,
    • Installing AWS CLI and configuring in runner. We need to set the AWS_SECRET_KEY and AWS_ACCESS_KEY as Github repo secret in repo settings.
    • Setting up terraform CLI
    • Running Terraform CLI commands, init, plan, apply and destroy (apply and destroy are commented since it's demo workflow)
    name: Terraform Validation and Build
    runs-on: ubuntu-latest

    if:  ${{ inputs.tfpath }} 
    - uses: actions/checkout@v2.5.0

    - name: Configure AWS Credentials Action For GitHub Actions
      uses: aws-actions/configure-aws-credentials@v1
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: us-west-2 
    - name: Setup Terraform CLI
      uses: hashicorp/setup-terraform@v2.0.2

    - name: Terraform init, plan and apply
      run: |
        echo `pwd`
        echo "tfpath ${{ github.event.inputs.tfpath }}"
        echo "** Running Terraform Init**"
        terraform init

        echo "** Running Terraform Validate**"
        terraform validate

        echo "** Running Terraform Plan**"
        terraform plan

#        echo "** Running Terraform Apply**"
#        terraform apply -auto-approve
      working-directory: ${{ github.event.inputs.tfpath }}
    - name: Terraform Destroy
      run: |
        echo "** Running Terraform Destroy**"
        terraform plan -destroy
#        terraform destroy -auto-approve
      working-directory: ${{ github.event.inputs.tfpath }}
Enter fullscreen mode Exit fullscreen mode

Demo Video

Please see the demo video of running the workflow here


  • Automating Terraform workflows for AWS is simple and effective
  • When we create a gh workflow with workflow_dispatch, it has to be pushed into main branch. If we try to add it on another branch, the option run workflow to manually triggering the workflow won't be visible. Refer the community discussion here


Follow me on,

Top comments (2)

nodejsdeveloperskh profile image

Thanks for the useful info. Just one question, I am almost 100% sure that there was a reason you decided to execute terraform init, terraform validate, and terraform plan in one step. Would you please explain it? Also I am not sure why should not I do it in separate steps, something like this:

- name: Setup Terraform CLI
  uses: hashicorp/setup-terraform@v2

- name: Terraform init
  id: init
  # TODO: terraform init -upgrade?
  run: |
    terraform fmt
    terraform init

- name: Terraform validate
  id: validate
  run: |
    terraform validate
Enter fullscreen mode Exit fullscreen mode

The last question is how I can save the tfstate file in AWS to not override my previous deploys? I mean as we know terraform saves what it did in a tfstate but now we are doing the terraform in GitHub Actions and IDK how I can save that terraform state file, obviously we do not wanna save it on out local system but rather in AWS or somewhere else.

I really appreciate your helps ❤️

nodejsdeveloperskh profile image

I found out that I can save terraform tfstate in Amazon S3 buckets. I'll comeback with another update later if I found something. But I really appreciate your blog post series, So I encourage you to write another post as the fifth one on how to save terraform tfstate in AWS S3 buckets and how to separate apply from plan :)