What I Built
For #GitHubHack23, I'm happy to share a reusable workflow that enables you to plan and apply changes to Terraform with PR comments: for a CLI-like experience on the web.
It's powered by GitHub Actions to maximize compatibility and minimize maintenance for DIY deployments of infrastructure as code (IaC). It includes tailored support for Codespaces to simplify remote development access.
Best suited for DevOps and Platform engineers who want to empower their teams to self-service Terraform without the overhead of self-hosting runners, containers or VMs.
Category Submission
DIY Deployments: This reusable workflow leverages a combination of GitHub Actions and custom scripts. It automates continuous integration and continuous deployment (CI/CD) pipelines to promote collaboration over Terraform configuration changes in a remote environment.
App Link
Terraform with Comments — Reusable Workflow.
To use this workflow, copy the following snippet into the ".github/workflows/terraform.yml" file in your repository. Replace the contents of env_vars with the environment variables required by your Terraform configuration (e.g., AWS credentials or TF_VAR variables).
on:
  issue_comment:
    types: [created, edited]
  pull_request:
    types: [synchronize]
jobs:
  terraform:
    uses: devsectop/tf-via-pr/.github/workflows/tf.yml@main
    secrets:
      env_vars: |
        AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_ID }}
        AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }}
- The @main suffix can be replaced with a specific release tag or commit SHA to pin your workflow to that version, hardening your CI/CD pipeline: a tag can be moved to point at different code later, whereas a full commit SHA cannot.
- The optional env_vars input lets you pass in environment variables as key-value pairs while masking sensitive values from logs.
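As an added example (not the tf-via-pr project's own code), the following JavaScript shows how a multi-line env_vars secret can be parsed into KEY=VALUE pairs and how each value can be masked from the job log with the GitHub Actions `::add-mask::` workflow command. The one-line-per-variable format, the comment syntax and the list of reserved names are assumptions of this example, and the credentials in the sample input are constructed placeholders.

```javascript
// Added example (not the tf-via-pr project's own code): parse the multi-line
// `env_vars` secret into KEY=VALUE pairs and build the GitHub Actions workflow
// command that masks each value in the job log. Assumed input format: one
// KEY=VALUE per line; blank lines and lines starting with '#' are ignored.

const ENV_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Names the workflow itself relies on; letting a caller override them from a
// secret could redirect later steps (assumed list, extend to taste).
const RESERVED = new Set(['PATH', 'HOME', 'GITHUB_TOKEN', 'GITHUB_ENV', 'GITHUB_OUTPUT']);

function parseEnvVars(text) {
  const vars = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq <= 0) throw new Error(`env_vars: expected KEY=VALUE, got: ${line}`);
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1); // the value may itself contain '='
    if (!ENV_NAME.test(key)) throw new Error(`env_vars: invalid variable name: ${key}`);
    if (RESERVED.has(key)) throw new Error(`env_vars: ${key} may not be overridden`);
    vars[key] = value;
  }
  return vars;
}

// Workflow commands that GitHub Actions interprets when a step writes them to
// stdout. Every value must be masked before any later step can echo it.
function maskCommands(vars) {
  return Object.values(vars)
    .filter((v) => v.length > 0) // an empty mask is meaningless
    .map((v) => `::add-mask::${v}`);
}

// Constructed sample input with placeholder credentials (not real ones).
const SAMPLE_ENV_VARS = [
  '# AWS credentials are taken from repository secrets',
  'AWS_ACCESS_KEY_ID=AKIAEXAMPLEPLACEHOLDER',
  'AWS_SECRET_ACCESS_KEY=example/secret+with=equals',
  'TF_VAR_region=eu-west-1',
  '',
].join('\n');

// Stand-alone demo: emit the masks first, then export the variables so that
// later Terraform invocations in the same step inherit them.
const demoVars = parseEnvVars(SAMPLE_ENV_VARS);
for (const cmd of maskCommands(demoVars)) console.log(cmd);
Object.assign(process.env, demoVars);
```

Inside a real job step, the `::add-mask::` lines are consumed by the runner rather than shown, so the order matters: mask, then export, then call Terraform.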
Screenshots
Description
The following example demonstrates the PR comments required to provision resources in multiple workspaces with different input variables, followed by targeted destruction.
#1 PR Comment: Plan configuration in a workspace with input variable file.
-terraform=plan -chdir=stacks/sample_instance -workspace=dev -var-file=env/dev.tfvars
#2 PR Comment: Apply configuration in a workspace with input variable file.
-terraform=apply -chdir=stacks/sample_instance -workspace=dev -var-file=env/dev.tfvars
#3 PR Comment: Plan destruction of a targeted resource in a workspace with input variable file.
-terraform=plan -destroy -target=aws_instance.sample -chdir=stacks/sample_instance -workspace=dev -var-file=env/dev.tfvars
#4 PR Comment: Apply destruction of a targeted resource in a workspace with input variable file.
-terraform=apply -destroy -target=aws_instance.sample -chdir=stacks/sample_instance -workspace=dev -var-file=env/dev.tfvars
The following CLI arguments are supported simultaneously, supplied in any order:
- auto-approve: Flag to skip confirmation before applying the plan.
- backend-config: Path to backend configuration file(s).
- chdir: Path to a directory containing Terraform configuration files.
- destroy: Flag to destroy resources managed by Terraform.
- parallelism: Number of concurrent operations to run.
- replace: List of resource addresses to replace.
- target: List of resource addresses to target.
- var-file: Path to variable file(s).
- workspace: Name of Terraform workspace to select.
Link to Source Code
devsectop / tf-via-pr
Reusable workflow CI/CD to interface Terraform CLI with multiple AWS accounts via GitHub PR comments.
Background
While designing AWS architecture solutions, I needed a way to automate Terraform provisioning across multiple environments with GitOps. This would promote team-wide collaboration over infrastructure changes, which is located in the same place where code lives: GitHub. In the same vein, dev container implementation offers a tailored development environment in a virtual codespace, complete with: tools, extensions and runtimes.
I was inspired by Atlantis's approach to Terraform PR automation. However, I wanted to avoid the overhead of self-hosting and securing a VM for each project. Instead, I preferred to re-use GitHub's CI/CD platform as it is scalable and compatible with various repositories, lowering the barrier to entry.
How I Built It
I learned about the differences between reusable workflows and composite actions. Thus, I opted for a reusable workflow as it allows more granular control over workflow execution: from managing concurrency of queued workflows to running jobs in parallel with strategy.matrix.
I wrote a custom script to parse PR comments as input commands to interface with Terraform CLI, returning the output as bot comments. Each step of the workflow relies on GitHub Actions, including actions/github-script to interact with GitHub's API (while brushing up on my JavaScript!).
I discovered a novel method to pass any number of environment variables to the reusable workflow as secrets. This prevents sensitive values from being exposed in the logs, while enabling you to customize the workflow to your Terraform configuration.
Additional Resources/Info
When working with GitHub Actions, I'm often reminded of this quotation:
"If I have seen further, it is by standing upon the shoulders of giants."
— Sir Isaac Newton
This rings true for my experience with the open-source community that has enabled me to build this reusable workflow. I hope it will help you to build your own solutions, too!
All forms of contribution are very welcome and deeply appreciated for fostering open-source software.
- Please create a PR to contribute changes you'd like to see.
- Please raise an issue to discuss proposed changes or report unexpected behavior.
- Please open a discussion to share ideas about where you'd like to see this project go.
- Please consider becoming a stargazer if you find this project useful.