# Composite GHA for running terraform
This composite GHA requires a calling GHA similar to the following:

```yaml
name: terraform
permissions:
  id-token: write
  contents: read
on:
  workflow_dispatch:
jobs:
  terraform:
    name: terraform
    runs-on: ubuntu-latest
    steps:
      - name: Run terraform
        uses: scott-doyland-burrows/gha-composite-terraform-iamlive@v1
        with:
          GhAppId: ${{ secrets.GHA_APP_ID }}     # used to generate token to pull in terraform modules
          GhAppKey: ${{ secrets.GHA_APP_KEY }}   # used to generate token to pull in terraform modules
          AwsRole: ${{ secrets.GHA_AWS_ROLE }}   # AWS OIDC role that can access the statefile S3 bucket
          TerraformStateFile: ${{ github.workflow }}  # statefile name
          TerraformStateFileBucket: my-s3-bucket      # bucket to store statefiles in
          TerraformTfVars: ${{ github.workflow }}     # .tfvars file
          TerraformAction: apply                      # terraform action
          IamLive: true                               # run iamlive
```
## Inputs
- `CodeCheckout` - set to `true` or `false`. Default is `true`. This determines whether to check out the repo code. Normally a checkout will be desired; however, you may want to check out the repo code in an earlier step and make on-the-fly changes to the code before terraform runs.
- `GhAppId` - the name of the GitHub secret that holds the GitHub App ID. The GitHub App must be able to check out the private repos that hold terraform modules.
- `GhAppKey` - the name of the GitHub secret that holds the GitHub App key. The GitHub App must be able to check out the private repos that hold terraform modules.
- `GhAppOrg` - the name of the GitHub Org that the GitHub App is in.
- `IamLive` - whether to run iamlive (https://github.com/iann0036/iamlive). Set to `true` or `false`. Running iamlive will display the AWS IAM permissions used to run the workflow (or at least the terraform part of the workflow, if the terraforming is combined with other AWS work). This allows us to grant the AWS role overly permissive permissions for a first run, see which permissions terraform actually uses, and then alter the role so that it holds just the required permissions.
- `TerraformVersion` - the terraform version to use. Defaults to `latest`.
- `TerraformDir` - the directory within the repo that contains the terraform files. Defaults to `.`.
- `TerraformAction` - one of `plan`, `apply`, `plan-destroy`, `destroy`, `validate`.
- `TerraformStateFile` - the name of the statefile. This should be named after the workflow name with any suffixes required to make it unique, such as `${{ github.workflow }}-${{ github.event.inputs.environment }}`. The name chosen will be saved in the S3 bucket in the format `terraform\${{ github.repository }}\$TerraformStateFile.tfstate`.
- `TerraformStateFileBucket` - the name of the S3 bucket to store the statefile in, without the `s3://` prefix.
- `TerraformStateFileRegion` - the region that the S3 statefile bucket resides in. Allow the default of `eu-west-2` to be used.
- `TerraformTfVars` - the `.tfvars` file that resides in the `TerraformDir`, without the `.tfvars` suffix.
- `TerraformProviderVersion` - the terraform provider version to use when running a `validate` against a module.
- `TerraformProvider` - the terraform provider to use when running a `validate` against a module.
### Use for AWS infrastructure - omit if defining Azure (`AwsRole` is a special case)

- `AwsRole` - the AWS OIDC role that terraform will use. This role needs access to create the AWS resources and access to the S3 bucket that the statefiles reside in.
- `AwsDefaultRegion` - the AWS region that terraform will use for resources. Defaults to `eu-west-2`.
### Use for Azure infrastructure - omit if defining AWS (`AwsRole` is a special case)

- `AwsRole` - the AWS OIDC role that terraform will use to access the statefile S3 bucket, which holds all providers' statefiles.
- `AzureClientId` - the Azure service principal client ID that terraform will use.
- `AzureClientSecret` - the Azure service principal secret that terraform will use.
- `AzureSubscriptionId` - the Azure subscription that terraform will use.
- `AzureTenantId` - the Azure tenant that terraform will use.
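The `IamLive` input above leaves the last step to the operator: comparing what iamlive recorded against the broad policy attached to the OIDC role, then cutting the role down. The script below is an added example, not part of this action or of iamlive. It takes a deliberately broad role policy and an iamlive-style observed policy (both constructed sample documents; real runs would load the JSON iamlive writes and the policy fetched from IAM), reports grants that were never exercised, reports observed calls the role would not have allowed, flags wildcard grants, and emits a minimised policy with one statement per service. iamlive records `Resource: "*"`, so the emitted resources are a starting point to narrow by hand, not a finished policy.

```python
"""Reconcile an iamlive-observed policy with the role's current policy.

Added example (not from the action's README or from iamlive). Both policy
documents below are constructed sample data in the shape iamlive and IAM use.
"""
import fnmatch
import json

# Constructed: the intentionally broad policy attached to the OIDC role
# while iamlive is recording a terraform run.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::my-s3-bucket", "arn:aws:s3:::my-s3-bucket/*"]},
        {"Effect": "Allow", "Action": ["ec2:*", "iam:*"], "Resource": "*"},
    ],
}

# Constructed: the shape of the policy iamlive emits after the run.
OBSERVED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject",
                    "ec2:DescribeVpcs", "ec2:CreateVpc", "ec2:DeleteVpc",
                    "sts:GetCallerIdentity"],
         "Resource": "*"},
    ],
}


def allowed_actions(policy):
    """Every action string (or pattern) in the policy's Allow statements."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        actions.update([action] if isinstance(action, str) else action)
    return actions


def matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def unused_grants(broad, observed):
    """Granted patterns that matched nothing iamlive saw: candidates to drop."""
    seen = allowed_actions(observed)
    return sorted(p for p in allowed_actions(broad)
                  if not any(matches(p, a) for a in seen))


def uncovered_actions(broad, observed):
    """Observed actions no grant covers (calls the role would have denied)."""
    grants = allowed_actions(broad)
    return sorted(a for a in allowed_actions(observed)
                  if not any(matches(p, a) for p in grants))


def wildcard_grants(broad):
    """Grants that use wildcards; each should end up as explicit actions."""
    return sorted(p for p in allowed_actions(broad) if "*" in p or "?" in p)


def minimised_policy(observed):
    """One Allow statement per service, listing only the observed actions."""
    by_service = {}
    for action in allowed_actions(observed):
        by_service.setdefault(action.split(":")[0], set()).add(action)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": f"{svc.capitalize()}Observed",
             "Effect": "Allow",
             "Action": sorted(acts),
             # iamlive records "*"; replace with the real ARNs before applying
             "Resource": "*"}
            for svc, acts in sorted(by_service.items())
        ],
    }


if __name__ == "__main__":
    print("unused grants:", unused_grants(BROAD_POLICY, OBSERVED_POLICY))
    print("uncovered observed actions:",
          uncovered_actions(BROAD_POLICY, OBSERVED_POLICY))
    print("wildcard grants:", wildcard_grants(BROAD_POLICY))
    print(json.dumps(minimised_policy(OBSERVED_POLICY), indent=2))
```

Run it with the two JSON documents swapped for the real ones; `uncovered_actions` is the check worth keeping in the loop, because an observed action the role does not grant means the run you recorded was not a complete one.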
## Terraform module validation

The action can be used inside a terraform module to `validate` that module.
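An added example of such a calling workflow, not taken from this action's README: it runs the action with `TerraformAction: validate` inside a module repository. The trigger, the job name and the provider name and version values are illustrative assumptions; the README does not state the format `TerraformProvider` and `TerraformProviderVersion` expect. Only the inputs the README ties to `validate` are set; anything else the module needs, such as `GhAppId`/`GhAppKey` for pulling private submodules, is added as in the main example above.

```yaml
# Added example: validate a module on pull requests. Provider values are assumptions.
name: validate-module
permissions:
  id-token: write
  contents: read
on:
  pull_request:
jobs:
  validate:
    name: validate
    runs-on: ubuntu-latest
    steps:
      - name: Validate module
        uses: scott-doyland-burrows/gha-composite-terraform-iamlive@v1
        with:
          TerraformAction: validate
          TerraformDir: .                  # module root
          TerraformProvider: aws           # assumed format
          TerraformProviderVersion: 5.0.0  # assumed format
```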