In my journey to transition from data analytics into cloud engineering and DevOps, I wanted to master Infrastructure as Code (IaC) and automation.
One of the projects I recently completed was building a CI/CD pipeline using Terraform Cloud and GitHub Actions to deploy AWS infrastructure. This setup mirrors real-world DevOps practice, where infrastructure is version-controlled, automated, and secure.
In this post, I'll cover:
- The architecture of my Terraform Cloud pipeline
- Key GitHub Actions & HCL configurations
- Lessons learned and next steps for scaling this workflow
Project Overview
Objective: Automatically provision and update AWS infrastructure using Terraform Cloud whenever new commits are pushed to main.
Core Tools & Services Used:
- Terraform Cloud - Remote backend, state management, and automated runs
- GitHub Actions - CI/CD pipeline for VCS integration
- Terraform & AWS - Infrastructure as Code and resource provisioning
- AWS S3 + DynamoDB - Optional state backup (Terraform Cloud handles the primary state)
- IAM Roles & GitHub Secrets - Secure authentication
Pipeline workflow:
Developer Commit -> GitHub Actions -> Terraform Validate -> Terraform Cloud Remote Plan -> Terraform Apply -> AWS Resources
This allowed me to version-control my infrastructure and deploy changes safely without manually logging into the AWS console.
Step 1: Terraform Cloud Setup
- Created a Terraform Cloud organization and a workspace (linked to GitHub).
- Configured HCL project files for VPC, EC2, and RDS resources.
- Enabled remote execution so Terraform Cloud applies changes automatically.
Backend block in main.tf:
```hcl
terraform {
  cloud {
    organization = "my-org"
    workspaces {
      name = "project2-dev"
    }
  }
}
```
This eliminates the need to manage local state or S3/DynamoDB locks manually; Terraform Cloud takes care of it.
Step 2: GitHub Actions Workflow for CI/CD
Instead of applying Terraform directly in GitHub Actions, my workflow validates the code and relies on Terraform Cloud for the plan/apply.
```yaml
name: Terraform CI/CD
on:
  push:
    branches:
      - main
jobs:
  terraform-cloud:
    runs-on: ubuntu-latest
    env:
      TF_CLOUD_ORGANIZATION: my-org
      TF_WORKSPACE: project2-dev # Must match the workspace name in main.tf
    steps:
      - name: Checkout Repo
        uses: actions/checkout@v3
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: 1.11.4 # Pin version for consistency
          # Writes the token to the CLI credentials file (terraform login is interactive and has no token flag)
          cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
      - name: Terraform Init
        run: terraform init -input=false # validate needs an initialized working directory
      - name: Terraform Validate
        run: terraform validate
      - name: Trigger Terraform Cloud Run
        run: |
          terraform plan -input=false
          terraform apply -auto-approve -input=false
```
Key points:
- The Terraform Cloud API token is stored as a GitHub Actions secret.
- The workflow validates locally but delegates execution to Terraform Cloud.
- Optional approval steps can be handled via Terraform Cloud's policy or run queue.
Step 3: Security and Secrets
- Terraform Cloud handles the remote state securely.
- No secrets or .tfstate files are committed to GitHub.
- IAM roles use least privilege to limit AWS resource access.
- AWS credentials were stored as GitHub Secrets.
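The "no secrets or .tfstate files are committed" point in Step 3 can be enforced by the pipeline rather than left to habit. The script below is an added example, not part of the original project: the function names and the regular expression are this example's assumptions, and the sample checkout it builds is constructed.

```shell
#!/usr/bin/env bash
# Added example: CI guard that fails when state files or credentials are in the checkout.
# Function names and SECRET_RE are assumptions of this example.

# AWS access key IDs (AKIA long-term, ASIA temporary), Terraform Cloud tokens
# (contain ".atlasv1."), and literal access_key/secret_key assignments.
SECRET_RE='(AKIA|ASIA)[0-9A-Z]{16}|\.atlasv1\.[A-Za-z0-9]{16,}|(access_key|secret_key)[[:space:]]*=[[:space:]]*"[^"$]+"'

# List state files under $1, ignoring .git and the local .terraform cache.
find_state_files() {
  find "$1" \( -name .git -o -name .terraform \) -prune -o \
    -type f \( -name '*.tfstate' -o -name '*.tfstate.*' \) -print
}

# List text files under $1 that match SECRET_RE (binary files are skipped).
find_secret_files() {
  grep -rIlE --exclude-dir=.git --exclude-dir=.terraform -e "$SECRET_RE" "$1" || true
}

# Return 0 when the tree is clean, 1 when anything was found.
check_repo() {
  local state secrets
  state=$(find_state_files "$1")
  secrets=$(find_secret_files "$1")
  if [ -n "$state" ]; then
    printf 'state file in repository:\n%s\n' "$state" >&2
  fi
  if [ -n "$secrets" ]; then
    printf 'possible credential in:\n%s\n' "$secrets" >&2
  fi
  [ -z "$state" ] && [ -z "$secrets" ]
}

# Build a constructed sample checkout in a temp dir; "dirty" adds both findings.
make_demo_repo() {
  local dir
  dir=$(mktemp -d)
  printf 'terraform {\n  cloud {\n    organization = "my-org"\n  }\n}\n' > "$dir/main.tf"
  if [ "$1" = dirty ]; then
    echo '{"version": 4}' > "$dir/terraform.tfstate"
    # AWS's documented example key ID, not a real credential.
    echo 'access_key = "AKIAIOSFODNN7EXAMPLE"' > "$dir/provider.tf"
  fi
  echo "$dir"
}

# In a workflow step, after sourcing this file: check_repo "$GITHUB_WORKSPACE"
```

Running it as a step before `terraform init` stops the job before any plan is queued when a state file or key has slipped into a commit.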
Lessons Learned
- Terraform Cloud simplifies team collaboration - no local state headaches.
- CI/CD + IaC improves reliability - every infrastructure change is tested and approved.
- Version-controlled deployments provide a clear audit trail for cloud environments.
Next Steps
- Add multi-environment pipelines (dev, staging, prod).
- Send Slack or Teams notifications on successful plans and applies.
Have you automated Terraform with Terraform Cloud or another CI/CD tool? I'd love to hear how you handle multi-environment deployments and approvals.