Terraform and AWS GitHub Action Workflow
Table of Contents
- Introduction
- GitHub Actions Brief Intro
- Intro to Workflow Yaml Blocks
- Workflow Yaml for Terraform AWS Pipeline
- Demo Video
- Conclusion
- References
Introduction
Infrastructure as code with Terraform on the AWS cloud provider is one of the most common use cases. In this post we will build a GitHub Actions workflow that runs validation checks on Terraform code for AWS resources.
This workflow (or pipeline) can be configured to test the Terraform code pushed by DevOps engineers, SREs or developers, and can be triggered whenever new .tf code for AWS resource creation is pushed to a specific branch.
The screenshot below shows how the workflow can be triggered from the GitHub Actions tab:
There are many ways to build the automation for AWS and Terraform resource creation; treat this guide as one of them.
GitHub Actions Brief Introduction
- GitHub Actions workflows can be used to automate CI/CD for software deployments and to run the various stages of the software development life cycle.
- As per the documentation:
GitHub Actions is a continuous integration and continuous delivery (CI/CD) platform that allows you to automate your build, test, and deployment pipeline. You can create workflows that build and test every pull request to your repository, or deploy merged pull requests to production.
GitHub Actions goes beyond just DevOps and lets you run workflows when other events happen in your repository. For example, you can run a workflow to automatically add the appropriate labels whenever someone creates a new issue in your repository.
GitHub provides Linux, Windows, and macOS virtual machines to run your workflows, or you can host your own self-hosted runners in your own data center or cloud infrastructure.
Introduction to Workflow Yaml Blocks
- A GitHub Actions workflow consists of several component blocks:
- on block - Declares the triggering event for the workflow; it controls when the workflow runs. In this post the workflow runs when it is triggered manually from the UI.
- workflow_dispatch - A sub-block inside the on block, in which we specify the inputs needed to trigger the workflow.
- jobs block - Defines the workflow actions such as building code, testing and deploying to environments. A workflow run is made up of one or more jobs that can run sequentially or in parallel.
- steps block - A sub-block inside jobs, where each stage of a job is defined.
- After adding a new workflow file in the $REPO_HOME_PATH/.github/workflows directory, it shows up in the repo's Actions tab (as shown below).
Workflow Yaml for Terraform AWS Pipeline
- In the workflow_dispatch section of the on block, we add an input for the directory path on which the Terraform code validation will run.
- It defaults to 'aws_samples/create_ec2', but it can be changed when the workflow is executed for code verification.
name: Terraform AWS Workflow
on:
  workflow_dispatch:
    # Inputs the workflow expects.
    inputs:
      tfpath:
        description: 'TF File Path'
        required: false
        default: 'aws_samples/create_ec2'
- In the jobs block, we specify the workflow runner OS and the code checkout action.
- Under steps, we perform the following tasks:
- Install the AWS CLI and configure it on the runner. The AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY values referenced by the workflow must be stored as GitHub repository secrets in the repo settings.
- Set up the Terraform CLI.
- Run the Terraform CLI commands init, plan, apply and destroy (apply and destroy are commented out since this is a demo workflow).
jobs:
  tf_code_check:
    name: Terraform Validation and Build
    runs-on: ubuntu-latest
    # Skip the job when the tfpath input is empty.
    if: ${{ inputs.tfpath }}
    steps:
    - uses: actions/checkout@v2.5.0
    # Configures the runner with the access keys stored as repository secrets.
    - name: Configure AWS Credentials Action For GitHub Actions
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: us-west-2
    - name: Setup Terraform CLI
      uses: hashicorp/setup-terraform@v2.0.2
    # All commands run inside the directory given by the tfpath input.
    - name: Terraform init, plan and apply
      run: |
        pwd
        echo "tfpath ${{ github.event.inputs.tfpath }}"
        echo "** Running Terraform Init**"
        terraform init
        echo "** Running Terraform Validate**"
        terraform validate
        echo "** Running Terraform Plan**"
        terraform plan
        # apply is commented out because this is a demo workflow
        # echo "** Running Terraform Apply**"
        # terraform apply -auto-approve
      working-directory: ${{ github.event.inputs.tfpath }}
    - name: Terraform Destroy
      run: |
        echo "** Running Terraform Destroy**"
        terraform plan -destroy
        # terraform destroy -auto-approve
      working-directory: ${{ github.event.inputs.tfpath }}
- The workflow YAML code is available in chefgs/terraform_repo.
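The workflow above keeps long-lived access keys in repository secrets, runs plan and apply in the same step, and has no remote state, which are the three points a security reviewer would raise and which the comments below ask about. The following is an added example, not the workflow from this post or from chefgs/terraform_repo. It keeps the same tfpath input and swaps in OIDC role assumption (aws-actions/configure-aws-credentials with role-to-assume) in place of the AWS_ACCESS_KEY / AWS_SECRET_ACCESS_KEY secrets, restricts the GITHUB_TOKEN permissions, checks the tfpath input before it is used as working-directory, stores state in S3 with DynamoDB locking, and splits plan from apply so that a second job, gated by environment reviewers, applies only the saved plan file. The role ARNs, the TF_STATE_BUCKET and TF_LOCK_TABLE secrets and the "production" environment are placeholders and assumptions, and the Terraform module is assumed to declare an empty terraform { backend "s3" {} } block that -backend-config fills in:

```yaml
# Added example, not the post's workflow or chefgs/terraform_repo code.
# Role ARNs, TF_STATE_BUCKET/TF_LOCK_TABLE secrets and the "production"
# environment are placeholders; the module is assumed to declare an empty
# terraform { backend "s3" {} } block that -backend-config fills in.
name: Terraform AWS Workflow (hardened example)

on:
  workflow_dispatch:
    inputs:
      tfpath:
        description: 'TF File Path'
        required: false
        default: 'aws_samples/create_ec2'

# Least privilege for GITHUB_TOKEN: read the repo, mint an OIDC token for AWS.
permissions:
  contents: read
  id-token: write

# One run per state file at a time, so two dispatches never race on state.
concurrency:
  group: terraform-${{ inputs.tfpath }}

env:
  TF_IN_AUTOMATION: "true"
  AWS_REGION: us-west-2
  TFPATH: ${{ inputs.tfpath }}
  TF_STATE_BUCKET: ${{ secrets.TF_STATE_BUCKET }}   # assumed repo secret
  TF_LOCK_TABLE: ${{ secrets.TF_LOCK_TABLE }}       # assumed repo secret

jobs:
  tf_plan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # The input becomes working-directory: refuse anything outside the checkout.
      - name: Check tfpath input
        run: |
          case "${TFPATH}" in
            /*|*..*) echo "invalid tfpath: ${TFPATH}"; exit 1 ;;
          esac
          test -d "${TFPATH}" || { echo "no such directory: ${TFPATH}"; exit 1; }
      # OIDC role assumption replaces the AWS_ACCESS_KEY/AWS_SECRET_ACCESS_KEY
      # repo secrets: the runner receives short-lived credentials for this run.
      - name: Configure AWS credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-terraform-plan  # placeholder
          aws-region: ${{ env.AWS_REGION }}
      - uses: hashicorp/setup-terraform@v3
      - name: Terraform init (S3 remote state), validate, plan
        working-directory: ${{ inputs.tfpath }}
        run: |
          terraform init -input=false \
            -backend-config="bucket=${TF_STATE_BUCKET}" \
            -backend-config="key=${TFPATH}/terraform.tfstate" \
            -backend-config="region=${AWS_REGION}" \
            -backend-config="dynamodb_table=${TF_LOCK_TABLE}"
          terraform validate
          terraform plan -input=false -out=tfplan
      # The saved plan is the only thing the apply job will execute.
      - uses: actions/upload-artifact@v4
        with:
          name: tfplan
          path: ${{ inputs.tfpath }}/tfplan
          retention-days: 1

  tf_apply:
    needs: tf_plan
    runs-on: ubuntu-latest
    environment: production   # assumed environment with required reviewers
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-terraform-apply  # placeholder
          aws-region: ${{ env.AWS_REGION }}
      - uses: hashicorp/setup-terraform@v3
      - uses: actions/download-artifact@v4
        with:
          name: tfplan
          path: ${{ inputs.tfpath }}
      - name: Apply exactly the reviewed plan
        working-directory: ${{ inputs.tfpath }}
        run: |
          terraform init -input=false \
            -backend-config="bucket=${TF_STATE_BUCKET}" \
            -backend-config="key=${TFPATH}/terraform.tfstate" \
            -backend-config="region=${AWS_REGION}" \
            -backend-config="dynamodb_table=${TF_LOCK_TABLE}"
          terraform apply -input=false tfplan
```

Two design notes. The plan file is passed between jobs as an artifact because apply of a saved plan is the only way to guarantee that what reviewers approved is what gets applied; a plan file can contain sensitive values, so anyone with read access to the run can download it, hence the one-day retention. The plan and apply jobs use separate IAM roles so the plan role can be read-only (plus state-bucket access) while only the apply role holds create/modify permissions; pinning the Terraform binary via setup-terraform's terraform_version input keeps both jobs on the same version, which a saved plan requires.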
Demo Video
Please see the demo video of running the workflow here.
Conclusion
- Automating Terraform workflows for AWS is simple and effective.
- When we create a GitHub workflow with workflow_dispatch, it has to be pushed to the main branch. If we add it on another branch, the "Run workflow" option for triggering the workflow manually won't be visible. Refer to the community discussion here.
References
- Workflow Dispatch Inputs
- Jobs
- Terraform Market place Action
- Terraform AWS Provider
- AWS Creds configure
- All AWS Github actions
Top comments (2)
Thanks for the useful info. Just one question, I am almost 100% sure that there was a reason you decided to execute terraform init, terraform validate, and terraform plan in one step. Would you please explain it? Also I am not sure why should not I do it in separate steps, something like this:
The last question is how I can save the tfstate file in AWS to not override my previous deploys? I mean as we know terraform saves what it did in a tfstate but now we are doing the terraform in GitHub Actions and IDK how I can save that terraform state file, obviously we do not wanna save it on our local system but rather in AWS or somewhere else. I really appreciate your help ❤️
I found out that I can save terraform tfstate in Amazon S3 buckets. I'll come back with another update later if I find something. But I really appreciate your blog post series, so I encourage you to write another post as the fifth one on how to save terraform tfstate in AWS S3 buckets and how to separate apply from plan :)