manjitkumar/tf-via-pr

Reusable workflow CI/CD to interface Terraform CLI with multiple AWS accounts via GitHub PR comments.

Terraform/OpenTofu via PR Comments

Important

Plan and apply changes to Terraform or OpenTofu (TF) configurations via pull request (PR) comments: for a CLI-like experience on the web. Powered by GitHub Actions to maximize compatibility and minimize maintenance for DIY deployments.

Overview · Usage [Workflow · Examples · Parameters] · Security · Changelog · License

View PR in situ: Screenshot of the author's TF command in a PR comment followed by github-action bot's TF output response in the next comment.

Overview

Terraform and OpenTofu are platform-agnostic tools for managing cloud and on-prem resources by provisioning infrastructure as code (IaC).

• Enables you to define resources in human-readable configuration files that can be version controlled and shared for consistent state management.
• Both Hashicorp terraform and OpenTofu tofu CLIs are supported, with the latter offering an open-source and backwards-compatible drop-in replacement for the former.

Best suited for DevOps and Platform engineers who want to empower their teams to self-service TF without the overhead of self-hosting runners, containers or VMs like Atlantis.

• Environment deployment protection rules mitigate the risk of erroneous changes along with standardized approval requirements.
• Each PR and associated workflow run holds a complete log of infrastructure changes for ease of collaborative debugging as well as audit compliance.

GitHub Actions (GHA) is a continuous integration and continuous deployment (CI/CD) platform that enables you to automate your project's pipelines with custom workflows.

• This repository hosts a composite action that parses PR comments for TF commands and runs them on GitHub's ephemeral runners.
• Also supports GitHub Codespaces dev container, which offers a tailored TF development environment, complete with tools and runtimes to lower the barrier to entry for contributors.

Usage

Workflow

• A functional workflow is provided in ".github/workflows/tf.yml", including recommended permissions and event triggers.
• Here is a simplified snippet to get started, with the full list of inputs documented below.

on:
  issue_comment:
    types: [created, edited]
  pull_request:
    types: [synchronize]
    paths: ["**/*.tf*"]
...
steps:
  - name: Provision TF
    uses: devsectop/tf-via-pr-comments@v9
    with:
      cli_uses: "terraform"
      cli_version: "~1.6"

Note

• Pin your workflow version to a specific release tag or SHA to harden your CI/CD pipeline security against supply chain attacks.
• Environment variables are automatically assumed, enabling cloud provider authentication (e.g., preceding aws-actions/configure-aws-credentials action can be used to pass short-lived credentials).

Examples

Use-case scenario: Provision resources in a workspace with a variable file, followed by targeted destruction. View PR in situ.

#1 PR Comment: Plan configuration in a workspace with a variable file.
-tf=plan -chdir=stacks/sample_instance -workspace=dev -var-file=env/dev.tfvars

#2 PR Comment: Apply configuration in a workspace with a variable file.
-tf=apply -chdir=stacks/sample_instance -workspace=dev -var-file=env/dev.tfvars

#3 PR Comment: Plan destruction of targeted resources in a workspace with a variable file.
-tf=plan -destroy -target=aws_instance.sample,data.aws_ami.ubuntu -chdir=stacks/sample_instance -workspace=dev -var-file=env/dev.tfvars

#4 PR Comment: Apply destruction of targeted resources in a workspace with a variable file.
-tf=apply -destroy -target=aws_instance.sample,data.aws_ami.ubuntu -chdir=stacks/sample_instance -workspace=dev -var-file=env/dev.tfvars

Use-case scenario: Provision resources with a backend, followed by destruction without confirmation, simultaneously. View PR in situ.

#1 PR Comment: Plan configuration with a backend file.
-tf=plan -chdir=stacks/sample_bucket -backend-config=backend/dev.tfbackend

#2 PR Comment: Apply configuration with a backend file.
-tf=apply -chdir=stacks/sample_bucket -backend-config=backend/dev.tfbackend

#3 PR Comment: Destroy configuration with a backend file without confirmation.
-tf=apply -destroy -auto-approve -chdir=stacks/sample_bucket -backend-config=backend/dev.tfbackend

Parameters

Inputs

Name	Description
apply_require_approval Default: false	Boolean flag to require PR review approval for TF apply commands or consider deployment protection rules.
backend_config_from_workspace Default: false	Boolean flag to re-use TF -workspace as -backend-config argument, if supplied.
backend_config_prefix Example: ../backend/	String prefix for TF -backend-config argument, if -backend-config (or -workspace and backend_config_from_workspace) is supplied.
backend_config_suffix Example: .tfbackend	String suffix for TF -backend-config argument, if -backend-config (or -workspace and backend_config_from_workspace) is supplied.
chdir_prefix Example: stacks/	String prefix for TF -chdir argument. This is a global option that switches to a different directory.
cli_hostname Example: app.terraform.io	Hostname of TF cloud/enterprise instance to place within the credentials block of TF CLI configuration.
cli_token Example: xyz…	API token for TF cloud/enterprise instance to place within the credentials block of TF CLI configuration.
cli_uses Default: terraform	String to choose TF CLI, from: terraform and tofu.
cli_version Default: latest	Version of TF CLI to install, supporting semver ranges.
fmt_enable Default: true	Boolean flag to enable TF fmt command and display diff of changes.
validate_enable Default: true	Boolean flag to enable TF validate command check.
var_file_from_workspace Default: false	Boolean flag to re-use TF -workspace as -var-file argument, if supplied.
var_file_prefix Example: ../env/	String prefix for TF -var-file argument, if -var-file (or -workspace and var_file_from_workspace) is supplied.
var_file_suffix Example: .tfvars	String suffix for TF -var-file argument, if -var-file (or -workspace and var_file_from_workspace) is supplied.

Outputs

Name	Description
command Example: {tf:plan,chdir:stacks/sample_bucket}	JSON object of the parsed command.
plan_id Example: stacks-sample-bucket-tfplan	String ID of the TF plan file artifact's unique identifier.
tf_fmt	String output of the truncated TF fmt command.
tf_output	String output of the truncated last TF command.

Security

Integrating security in your CI/CD pipeline is critical to practicing DevSecOps. This GHA aims to be secure by default, and it should be complemented with your own review to ensure it meets your (organization's) security requirements.

• All associated GHAs used in this workflow are pinned to a specific SHA to prevent supply chain attacks from third-party upstream dependencies.
• Restrict changes to certain environments with deployment protection rules or apply_require_approval so that approval is required from authorized users/teams before changes to the infrastructure can be applied.
• Ease of integration with OpenID Connect by passing short-lived credentials as environment variables to the workflow.

Changelog

• All notable changes to this project will be documented in human-friendly releases.
• The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

Note

All forms of contribution are very welcome and deeply appreciated for fostering open-source projects.

• Please create a PR to contribute changes you'd like to see.
• Please raise an issue to discuss proposed changes or report unexpected behavior.
• Please open a discussion to share ideas about where you'd like to see this project go.
• Please consider becoming a stargazer if you find this project useful.

License

• This project is licensed under the permissive Apache License 2.0.
• All works herein are my own and shared of my own volition.
• Copyright 2023 Rishav Dhar — All wrongs reserved.