How to Configure GitHub Actions 3.0 for Multi-Cloud CI/CD with Terraform 1.8 and Pulumi 3.120 – Step-by-Step
Modern multi-cloud CI/CD pipelines require seamless integration of infrastructure-as-code (IaC) tools like Terraform and Pulumi with robust automation platforms. This guide walks you through setting up GitHub Actions 3.0 to orchestrate multi-cloud deployments using Terraform 1.8 and Pulumi 3.120, covering prerequisites, pipeline configuration, and validation steps.
Prerequisites
- Active GitHub account with a repository for your CI/CD workflows
- Terraform 1.8 installed locally (or use GitHub Actions runners)
- Pulumi 3.120 CLI configured with your Pulumi access token
- Cloud provider accounts: AWS, Azure, or GCP (we’ll use AWS and Azure for this demo)
- Service principal / IAM roles for GitHub Actions to access cloud resources
Step 1: Configure Cloud Provider Credentials as GitHub Secrets
GitHub Actions uses encrypted secrets to store sensitive credentials. Navigate to your repository Settings > Secrets and variables > Actions and add the following secrets:
- AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY for AWS access
- AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_SUBSCRIPTION_ID, and AZURE_CLIENT_SECRET for Azure access
- PULUMI_ACCESS_TOKEN from your Pulumi account settings
- TERRAFORM_CLOUD_TOKEN (optional, if using Terraform Cloud for state management)
Step 2: Set Up Terraform 1.8 Workflow for Multi-Cloud Infrastructure
Create a GitHub Actions workflow file at .github/workflows/terraform-deploy.yml. This workflow will handle Terraform init, validate, plan, and apply for multi-cloud resources:
```yaml
name: Terraform 1.8 Multi-Cloud Deploy
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  workflow_call:   # lets the parent workflow in Step 4 call this file
jobs:
  terraform:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Terraform 1.8
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: 1.8.0
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
      - name: Configure Azure Credentials
        uses: azure/login@v1
        with:
          # azure/login takes a single JSON document; build it from the four Azure secrets added in Step 1
          creds: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
      - name: Terraform Init
        run: terraform init
      - name: Terraform Validate
        run: terraform validate
      - name: Terraform Plan
        run: terraform plan -out=tfplan
      - name: Terraform Apply
        # apply only on pushes to main; pull requests stop at the plan
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        run: terraform apply -auto-approve tfplan
```
Note: GitHub Actions 3.0 includes native support for workflow versioning and improved runner performance, which we leverage here with the latest action versions.
Step 3: Integrate Pulumi 3.120 for Dynamic Infrastructure Provisioning
Next, create a separate workflow for Pulumi 3.120 to handle dynamic infrastructure components that complement Terraform-managed resources. Create .github/workflows/pulumi-deploy.yml:
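```yaml
name: Pulumi 3.120 Multi-Cloud Deploy
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  workflow_call:   # lets the parent workflow in Step 4 call this file
jobs:
  pulumi:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Pulumi 3.120
        uses: pulumi/setup-pulumi@v2
        with:
          pulumi-version: 3.120.0
      - name: Configure Pulumi Access Token
        # pulumi login reads PULUMI_ACCESS_TOKEN from the environment; passing the
        # secret through env keeps it out of the shell command line
        env:
          PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
        run: pulumi login
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
      - name: Configure Azure Credentials
        uses: azure/login@v1
        with:
          # azure/login takes a single JSON document; build it from the four Azure secrets added in Step 1
          creds: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
      # A fresh runner has no stack selected; pass --stack <your-stack> to preview and up
      - name: Pulumi Preview
        run: pulumi preview
      - name: Pulumi Up
        # deploy only on pushes to main; pull requests stop at the preview
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        run: pulumi up --yes
```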
Step 4: Combine Workflows for End-to-End Multi-Cloud CI/CD
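To orchestrate both Terraform and Pulumi deployments in a single pipeline, create a parent workflow .github/workflows/multi-cloud-cicd.yml that runs both jobs sequentially. A workflow can only be called this way if it declares the workflow_call trigger under on:, and the caller has to hand over repository secrets explicitly, which the secrets: inherit lines below do. If the two child workflows also keep their own push and pull_request triggers, every deployment runs twice (once directly, once through the parent), so keep those triggers on the parent only:
```yaml
name: Multi-Cloud CI/CD with GitHub Actions 3.0
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
jobs:
  terraform-deploy:
    uses: ./.github/workflows/terraform-deploy.yml
    secrets: inherit   # called workflows do not receive the caller's secrets by default
  pulumi-deploy:
    needs: terraform-deploy
    uses: ./.github/workflows/pulumi-deploy.yml
    secrets: inherit
```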
GitHub Actions 3.0’s reusable workflows feature simplifies this orchestration, reducing duplicate code and improving maintainability.
Step 5: Validate the Pipeline
Push a change to your main branch to trigger the pipeline. Monitor the run under the Actions tab in your GitHub repository:
- Verify Terraform init, validate, plan, and apply steps complete successfully for AWS and Azure resources
- Check Pulumi preview and up steps provision dynamic resources (e.g., serverless functions, databases) across both clouds
- Confirm multi-cloud resources are accessible and properly configured via your cloud provider consoles
Best Practices for Production Use
- Use Terraform workspaces or Pulumi stacks to separate dev, staging, and production environments
- Enable GitHub Actions 3.0’s audit logging for compliance tracking
- Store Terraform state in a remote backend (S3, Azure Blob Storage) or Terraform Cloud
- Use Pulumi’s secrets management to encrypt sensitive configuration values
- Add manual approval steps for production deployments using GitHub Actions environments
Conclusion
By combining GitHub Actions 3.0 with Terraform 1.8 and Pulumi 3.120, you can build a robust, multi-cloud CI/CD pipeline that leverages the strengths of both IaC tools. This setup enables consistent, repeatable deployments across cloud providers while maintaining full visibility and control over your infrastructure lifecycle.



