Composite GHA for running terraform

This composite GHA requires a calling workflow similar to the following:

name: terraform
permissions:
  id-token: write
  contents: read
on:
  workflow_dispatch:
jobs:
  terraform:
    name: terraform
    runs-on: ubuntu-latest
    steps:
      - name: Run terraform
        uses: scott-doyland-burrows/gha-composite-terraform-iamlive@v1
        with:
          GhAppId: ${{ secrets.GHA_APP_ID }} # used to generate token to pull in terraform modules
          GhAppKey: ${{ secrets.GHA_APP_KEY }} # used to generate token to pull in terraform modules
          AwsRole: ${{ secrets.GHA_AWS_ROLE }} # AWS OIDC role that can access the statefile S3 bucket
          TerraformStateFile: ${{ github.workflow }} # statefile name
          TerraformStateFileBucket: my-s3-bucket # bucket to store statefiles in
          TerraformTfVars: ${{ github.workflow }} # .tfvars file
          TerraformAction: apply # terraform action
          IamLive: true # run iamlive

Inputs

CodeCheckout true or false; defaults to true. Determines whether the action checks out the repo code. Normally a checkout is desired, but you may want to check out the repo code in an earlier step and make on-the-fly changes to it before terraform runs.

GhAppId the name of the GitHub secret that holds the GitHub App ID. The GitHub App must be able to check out the private repos that hold terraform modules.

GhAppKey the name of the GitHub secret that holds the GitHub App key. The GitHub App must be able to check out the private repos that hold terraform modules.

GhAppOrg the name of the GitHub Org that the GitHub App is in.

IamLive whether to run iamlive (https://github.com/iann0036/iamlive); set to true or false. Running iamlive displays the AWS IAM permissions used while the workflow runs (or at least during the terraform part, if the workflow also does other AWS work). This lets you start the AWS role with overly permissive permissions, see which permissions terraform actually uses, and then cut the role down to just those.
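The tightening step described above, as an added example that is not part of this action or of iamlive: compare the broad policy first attached to the role with the policy iamlive prints, list what was granted but never used and what was used but not granted, and emit a policy containing only the observed actions. Both policy documents are constructed samples; the iamlive output shape assumed is its usual Version/Statement/Action policy document.

```python
import fnmatch

# Constructed sample: the deliberately broad policy first attached to the OIDC role
GRANTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    ],
}

# Constructed sample in the shape of the policy document iamlive prints after a run
IAMLIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
        "s3:GetObject", "s3:PutObject", "s3:ListBucket",
        "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem",
    ]}],
}

def allowed_actions(policy):
    """Flatten the Allow statements of a policy into a set of action strings/patterns."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        actions.update([acts] if isinstance(acts, str) else acts)
    return actions

def audit(granted, observed):
    """Return (unused, uncovered): granted patterns that no observed action matched
    (candidates for removal) and observed actions no granted pattern covers
    (iamlive also records calls that came back AccessDenied)."""
    patterns, used, uncovered = allowed_actions(granted), set(), set()
    for action in allowed_actions(observed):
        # IAM action matching is case-insensitive and uses * and ? wildcards
        hits = {p for p in patterns if fnmatch.fnmatchcase(action.lower(), p.lower())}
        if hits:
            used |= hits
        else:
            uncovered.add(action)
    return sorted(patterns - used), sorted(uncovered)

def least_privilege_policy(observed):
    """Tightened policy listing only the observed actions; scoping Resource is a separate step."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": sorted(allowed_actions(observed)), "Resource": "*"}]}
```

With the samples above, audit(GRANTED_POLICY, IAMLIVE_POLICY) reports ec2:* as granted but never used and nothing uncovered, so the role can drop ec2:* and replace the s3:* and dynamodb:* wildcards with the six listed actions.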

TerraformVersion the terraform version to use. Defaults to latest.

TerraformDir the directory within the repo that contains the terraform files. Defaults to the repository root (.).

TerraformAction the terraform action to run, one of:

  • plan
  • apply
  • plan-destroy
  • destroy
  • validate

TerraformStateFile the name of the statefile. It should be named after the workflow, with any suffix needed to make it unique, such as ${{ github.workflow }}-${{ github.event.inputs.environment }}. The chosen name is saved in the S3 bucket in the format terraform\${{ github.repository }}\$TerraformStateFile.tfstate.

TerraformStateFileBucket the name of the S3 bucket in which to store the statefile, without the s3:// prefix.

TerraformStateFileRegion the region the S3 statefile bucket resides in. Defaults to eu-west-2.

TerraformTfVars the .tfvars file in TerraformDir, given without the .tfvars suffix.

TerraformProviderVersion the terraform provider version to use when running a validate against a module.

TerraformProvider the terraform provider to use when running a validate against a module.

Use for AWS infrastructure - omit if defining Azure (AwsRole is a special case)

AwsRole the AWS OIDC role that terraform will use. This role needs access to create the AWS resources and access to the S3 bucket that the statefiles reside in.

AwsDefaultRegion the AWS region that terraform will use for resources, defaults to eu-west-2.

Use for Azure infrastructure - omit if defining AWS (AwsRole is a special case)

AwsRole the AWS OIDC role that terraform will use to access the statefile S3 bucket, which holds the statefiles for all providers.

AzureClientId the Azure service principal client ID that terraform will use.

AzureClientSecret the Azure service principal secret that terraform will use.

AzureSubscriptionId the Azure subscription that terraform will use.

AzureTenantId the Azure tenant that terraform will use.

Terraform module validation

The action can also be used inside a terraform module repo to validate that module: set TerraformAction to validate, and use TerraformProvider and TerraformProviderVersion to pick the provider the validation runs against.