### Example usage of tofu-fmt action Source: https://github.com/dflook/terraform-github-actions/blob/main/tofu-fmt/README.md This example demonstrates how to use the tofu-fmt action to automatically fix formatting problems in OpenTofu files and create a pull request. ```yaml name: Fix OpenTofu file formatting on: push: branches: - main jobs: format: runs-on: ubuntu-latest name: Check OpenTofu file are formatted correctly steps: - name: Checkout uses: actions/checkout@v4 - name: tofu fmt uses: dflook/tofu-fmt@v2 with: path: my-tofu-config - name: Create Pull Request uses: peter-evans/create-pull-request@v5 with: commit-message: tofu fmt title: Reformat tofu files body: Update OpenTofu files to canonical format using `tofu fmt` branch: automated-tofu-fmt ``` -------------------------------- ### Get OpenTofu String Output in GitHub Actions Source: https://github.com/dflook/terraform-github-actions/blob/main/tofu-output/README.md This example demonstrates how to use the tofu-output action to retrieve a string output (hostname) from OpenTofu configuration within a GitHub Actions workflow. ```yaml on: [push] jobs: show_hostname: runs-on: ubuntu-latest name: Show the hostname steps: - name: Checkout uses: actions/checkout@v4 - name: Get outputs uses: dflook/tofu-output@v2 id: tf-outputs with: path: my-tofu-config - name: Print the hostname run: echo "The hostname is ${{ steps.tf-outputs.outputs.hostname }}" ``` -------------------------------- ### Unlock State Workflow Example Source: https://github.com/dflook/terraform-github-actions/blob/main/tofu-unlock-state/README.md Example GitHub Actions workflow demonstrating the use of the tofu-unlock-state action. ```yaml name: "Unlock state" on: workflow_dispatch: inputs: path: description: "Path to the OpenTofu root module" required: true lock_id: description: "Lock ID to be unlocked" required: true env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} jobs: unlock: name: Unlock runs-on: ubuntu-latest steps: - name: Checkout current branch uses: actions/checkout@v4 - name: OpenTofu Unlock uses: dflook/tofu-unlock-state@v2 with: path: ${{ github.event.inputs.path }} lock_id: ${{ github.event.inputs.lock_id }} ``` -------------------------------- ### Basic Infrastructure Drift Check Workflow Source: https://github.com/dflook/terraform-github-actions/blob/main/tofu-check/README.md This example workflow demonstrates how to schedule a daily check for infrastructure drift using the tofu-check action. ```yaml name: Check for infrastructure drift on: schedule: - cron: "0 8 * * *" jobs: check_drift: runs-on: ubuntu-latest name: Check for drift of OpenTofu configuration steps: - name: Checkout uses: actions/checkout@v4 - name: Check uses: dflook/tofu-check@v2 with: path: my-tofu-configuration ``` -------------------------------- ### Example GitHub Actions Workflow Source: https://github.com/dflook/terraform-github-actions/blob/main/tofu-version/README.md A complete GitHub Actions workflow demonstrating the usage of the tofu-version action to print OpenTofu and provider versions. ```yaml on: [push] jobs: required_version: runs-on: ubuntu-latest name: Print the required OpenTofu and provider versions steps: - name: Checkout uses: actions/checkout@v4 - name: Test tofu-version uses: dflook/tofu-version@v2 id: tofu-version with: path: my-configuration - name: Print the version run: echo "The version was ${{ steps.tofu-version.outputs.tofu }}" - name: Print aws provider version run: echo "The aws provider version was ${{ steps.tofu-version.outputs.aws }}" ``` -------------------------------- ### Basic OpenTofu Validation Workflow Source: https://github.com/dflook/terraform-github-actions/blob/main/tofu-validate/README.md This example workflow demonstrates how to run OpenTofu validation on every push. It checks the OpenTofu configuration in the 'my-tofu-config' directory. ```yaml on: [push] jobs: validate: runs-on: ubuntu-latest name: Validate OpenTofu module steps: - name: Checkout uses: actions/checkout@v4 - name: tofu validate uses: dflook/tofu-validate@v2 with: path: my-tofu-config ``` -------------------------------- ### Get Complex OpenTofu Outputs in GitHub Actions Source: https://github.com/dflook/terraform-github-actions/blob/main/tofu-output/README.md This example shows how to retrieve and process complex OpenTofu outputs (objects and arrays of objects) like VPC IDs and subnet IDs using the tofu-output action and workflow expressions. ```hcl output "vpc" { value = aws_vpc.test } output "subnets" { value = [aws_subnet.a, aws_subnet.b, aws_subnet.c] } ``` ```yaml jobs: output_example: runs-on: ubuntu-latest name: An example of workflow expressions with tofu output steps: - name: Checkout uses: actions/checkout@v4 - name: Get outputs uses: dflook/tofu-output@v2 id: tf-outputs with: path: my-tofu-config - name: Print VPC run: | echo "The vpc-id is ${{ fromJson(steps.tf-outputs.outputs.vpc).id }}" echo "The subnet-ids are ${{ join(fromJson(steps.tf-outputs.outputs.subnets).*.id) }}" ``` -------------------------------- ### Full Example of Tofu Plan Inputs Source: https://github.com/dflook/terraform-github-actions/blob/main/tofu-plan/README.md Demonstrates extensive inputs for the tofu-plan action, including environment variables, PR comment labeling, workspace selection, variable files, and backend configuration overrides. ```yaml name: PR Plan on: [pull_request] env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} TERRAFORM_CLOUD_TOKENS: tofu.example.com=${{ secrets.TF_REGISTRY_TOKEN }} TERRAFORM_SSH_KEY: ${{ secrets.TERRAFORM_SSH_KEY }} permissions: contents: read pull-requests: write jobs: plan: runs-on: ubuntu-latest name: Create OpenTofu plan steps: - name: Checkout uses: actions/checkout@v4 - name: tofu plan uses: dflook/tofu-plan@v2 with: path: my-tofu-config label: production workspace: prod var_file: env/prod.tfvars variables: | turbo_mode=true backend_config_file: env/prod.backend backend_config: token=${{ secrets.BACKEND_TOKEN }} ``` -------------------------------- ### Example GitHub Actions Workflow Source: https://github.com/dflook/terraform-github-actions/blob/main/terraform-version/README.md A complete GitHub Actions workflow demonstrating the usage of the terraform-version action to retrieve Terraform and provider versions. ```yaml on: [push] jobs: required_version: runs-on: ubuntu-latest name: Print the required Terraform and provider versions steps: - name: Checkout uses: actions/checkout@v4 - name: Test terraform-version uses: dflook/terraform-version@v2 id: terraform-version with: path: my-configuration - name: Print the version run: echo "The version was ${{ steps.terraform-version.outputs.terraform }}" - name: Print aws provider version run: echo "The aws provider version was ${{ steps.terraform-version.outputs.aws }}" ``` -------------------------------- ### Example GitHub Actions Workflow Source: https://github.com/dflook/terraform-github-actions/blob/main/terraform-new-workspace/README.md This workflow demonstrates creating a workspace named after the git branch and deploying infrastructure using terraform-new-workspace and terraform-apply actions. ```yaml name: Run integration tests on: [pull_request] jobs: integration: runs-on: ubuntu-latest name: Run integration tests steps: - name: Checkout uses: actions/checkout@v4 - name: Use branch workspace uses: dflook/terraform-new-workspace@v2 with: path: terraform workspace: ${{ github.head_ref }} - name: Deploy test infrastrucutre uses: dflook/terraform-apply@v2 with: path: terraform workspace: ${{ github.head_ref }} auto_approve: true ``` -------------------------------- ### Example GitHub Action Workflow with Retry Logic Source: https://github.com/dflook/terraform-github-actions/blob/main/tofu-destroy-workspace/README.md This workflow shows how to implement retry logic for the tofu destroy operation if it initially fails. ```yaml name: Cleanup on: pull_request: types: [closed] jobs: destroy_workspace: runs-on: ubuntu-latest name: Destroy OpenTofu workspace steps: - name: Checkout uses: actions/checkout@v4 - name: tofu destroy uses: dflook/tofu-destroy-workspace@v2 id: first_try continue-on-error: true with: path: my-tofu-config workspace: ${{ github.head_ref }} - name: Retry failed destroy uses: dflook/tofu-destroy-workspace@v2 if: ${{ steps.first_try.outputs.failure-reason == 'destroy-failed' }} with: path: my-tofu-config workspace: ${{ github.head_ref }} ``` -------------------------------- ### Example: Retry Terraform Destroy Operation Source: https://github.com/dflook/terraform-github-actions/blob/main/terraform-destroy-workspace/README.md This example shows how to retry a failed 'terraform destroy' operation by using 'continue-on-error' and conditional execution. ```yaml name: Cleanup on: pull_request: types: [closed] jobs: destroy_workspace: runs-on: ubuntu-latest name: Destroy Terraform workspace steps: - name: Checkout uses: actions/checkout@v4 - name: terraform destroy uses: dflook/terraform-destroy-workspace@v2 id: first_try continue-on-error: true with: path: my-terraform-config workspace: ${{ github.head_ref }} - name: Retry failed destroy uses: dflook/terraform-destroy-workspace@v2 if: ${{ steps.first_try.outputs.failure-reason == 'destroy-failed' }} with: path: my-terraform-config workspace: ${{ github.head_ref }} ``` -------------------------------- ### Full Terraform Plan Inputs Example Source: https://github.com/dflook/terraform-github-actions/blob/main/terraform-plan/README.md Demonstrates comprehensive inputs for the Terraform plan action, including environment variables, PR comment labeling, workspace selection, variable files, and backend configuration. ```yaml name: PR Plan on: [pull_request] env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} TERRAFORM_CLOUD_TOKENS: terraform.example.com=${{ secrets.TF_REGISTRY_TOKEN }} TERRAFORM_SSH_KEY: ${{ secrets.TERRAFORM_SSH_KEY }} permissions: contents: read pull-requests: write jobs: plan: runs-on: ubuntu-latest name: Create Terraform plan steps: - name: Checkout uses: actions/checkout@v4 - name: terraform plan uses: dflook/terraform-plan@v2 with: path: my-terraform-config label: production workspace: prod var_file: env/prod.tfvars variables: | turbo_mode=true backend_config_file: env/prod.backend backend_config: token=${{ secrets.BACKEND_TOKEN }} ``` -------------------------------- ### Terraform Output Example (JSON) Source: https://github.com/dflook/terraform-github-actions/blob/main/terraform-remote-state/README.md This JSON output represents the root-level outputs from a Terraform configuration, including a 'service_hostname' key. ```json { "service_hostname": "example.com" } ``` -------------------------------- ### Get Terraform String Output in GitHub Actions Source: https://github.com/dflook/terraform-github-actions/blob/main/terraform-output/README.md This example demonstrates how to use the terraform-output action to retrieve a string output (hostname) from Terraform configuration within a GitHub Actions workflow. ```yaml on: [push] jobs: show_hostname: runs-on: ubuntu-latest name: Show the hostname steps: - name: Checkout uses: actions/checkout@v4 - name: Get outputs uses: dflook/terraform-output@v2 id: tf-outputs with: path: my-terraform-config - name: Print the hostname run: echo "The hostname is ${{ steps.tf-outputs.outputs.hostname }}" ``` -------------------------------- ### Example GitHub Actions Workflow Source: https://github.com/dflook/terraform-github-actions/blob/main/tofu-remote-state/README.md A complete GitHub Actions workflow demonstrating the use of the tofu-remote-state action to fetch S3 remote state and then use a URL output to send a request. ```yaml name: Send request on: push: branches: - main env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} jobs: get_remote_state: runs-on: ubuntu-latest name: Run Test steps: - name: Get remote state uses: dflook/tofu-remote-state@v2 id: remote-state with: backend_type: s3 backend_config: | bucket=tofu-github-actions key=tofu-remote-state region=eu-west-2 - name: Send request run: | curl "${{ steps.remote-state.outputs.url }}" ``` -------------------------------- ### Basic Terraform Check Workflow Source: https://github.com/dflook/terraform-github-actions/blob/main/terraform-check/README.md An example GitHub Actions workflow that uses the terraform-check action to check for infrastructure drift every morning. ```yaml name: Check for infrastructure drift on: schedule: - cron: "0 8 * * *" jobs: check_drift: runs-on: ubuntu-latest name: Check for drift of Terraform configuration steps: - name: Checkout uses: actions/checkout@v4 - name: Check uses: dflook/terraform-check@v2 with: path: my-terraform-configuration ``` -------------------------------- ### Repository Dispatch Payload Example Source: https://github.com/dflook/terraform-github-actions/blob/main/tofu-apply/README.md A minimal example payload for a repository_dispatch event, which can be used to trigger workflows from other workflows. The payload must include the pull_request API URL. ```json { "pull_request": { "url": "https://api.github.com/repos/dflook/terraform-github-actions/pulls/1" } } ``` -------------------------------- ### Terraform Output Example (HCL) Source: https://github.com/dflook/terraform-github-actions/blob/main/terraform-remote-state/README.md An example of a Terraform HCL configuration defining an output variable named 'service_hostname'. ```hcl output "service_hostname" { value = "example.com" } ``` -------------------------------- ### GitHub Actions Workflow Example Source: https://github.com/dflook/terraform-github-actions/blob/main/terraform-remote-state/README.md This workflow demonstrates how to use the terraform-remote-state action to fetch remote state outputs and use them in subsequent steps, such as making a curl request. ```yaml name: Send request on: push: branches: - main env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} jobs: get_remote_state: runs-on: ubuntu-latest name: Run Test steps: - name: Get remote state uses: dflook/terraform-remote-state@v2 id: remote-state with: backend_type: s3 backend_config: | bucket=terraform-github-actions key=terraform-remote-state region=eu-west-2 - name: Send request run: | curl "${{ steps.remote-state.outputs.url }}" ``` -------------------------------- ### Example GitHub Action Workflow for Workspace Cleanup Source: https://github.com/dflook/terraform-github-actions/blob/main/tofu-destroy-workspace/README.md This workflow demonstrates how to automatically destroy a workspace named after the git branch when a pull request is closed. ```yaml name: Destroy testing workspace on: pull_request: types: [closed] jobs: integration: runs-on: ubuntu-latest name: Cleanup after integration tests steps: - name: Checkout uses: actions/checkout@v4 - name: tofu destroy uses: dflook/tofu-destroy-workspace@v2 with: path: tofu workspace: ${{ github.head_ref }} ``` -------------------------------- ### Basic Terraform Validation Workflow Source: https://github.com/dflook/terraform-github-actions/blob/main/terraform-validate/README.md An example GitHub Actions workflow that runs on every push to validate Terraform configurations using the dflook/terraform-validate action. ```yaml on: [push] jobs: validate: runs-on: ubuntu-latest name: Validate Terraform module steps: - name: Checkout uses: actions/checkout@v4 - name: terraform validate uses: dflook/terraform-validate@v2 with: path: my-terraform-config ``` -------------------------------- ### Use terraform-validate Action Source: https://github.com/dflook/terraform-github-actions/blob/main/terraform-validate/README.md This example demonstrates how to use the terraform-validate action in a GitHub workflow. It checks the Terraform configuration in the root of the repository. ```yaml - name: Validate Terraform configuration uses: dflook/terraform-github-actions/terraform-validate@main ``` -------------------------------- ### Example Provider Version Output Source: https://github.com/dflook/terraform-github-actions/blob/main/terraform-version/README.md This HCL snippet demonstrates how a provider version is declared in Terraform configuration. The action will output the version of providers like 'random' if they are used. ```hcl provider "random" { version = "2.2.0" } ``` -------------------------------- ### Dockerfile for Custom Image Source: https://github.com/dflook/terraform-github-actions/blob/main/docs/custom_tools.md Build a custom Docker image by starting from a published image and adding necessary tools. This custom image can then be used in your GitHub Actions workflow. ```dockerfile FROM danielflook/terraform-github-actions:v1.37.0 RUN curl -skL https://aka.ms/InstallAzureCLIDeb | bash RUN apt-get install -y --no-install-recommends postgresql-client ``` -------------------------------- ### Example GitHub Actions Workflow for Terraform Formatting Source: https://github.com/dflook/terraform-github-actions/blob/main/terraform-fmt/README.md This workflow automatically checks and fixes Terraform file formatting on push to the main branch. It checks out the code, runs the terraform-fmt action, and creates a pull request for any changes. ```yaml name: Fix Terraform file formatting on: push: branches: - main jobs: format: runs-on: ubuntu-latest name: Check Terraform file are formatted correctly steps: - name: Checkout uses: actions/checkout@v4 - name: terraform fmt uses: dflook/terraform-fmt@v2 with: path: my-terraform-config - name: Create Pull Request uses: peter-evans/create-pull-request@v5 with: commit-message: terraform fmt title: Reformat terraform files body: Update Terraform files to canonical format using `terraform fmt` branch: automated-terraform-fmt ``` -------------------------------- ### Get Complex Terraform Outputs in GitHub Actions Source: https://github.com/dflook/terraform-github-actions/blob/main/terraform-output/README.md This example shows how to extract and use complex Terraform outputs, such as objects and arrays of objects, within a GitHub Actions workflow using the terraform-output action and JSON parsing. ```hcl output "vpc" { value = aws_vpc.test } output "subnets" { value = [aws_subnet.a, aws_subnet.b, aws_subnet.c] } ``` ```yaml jobs: output_example: runs-on: ubuntu-latest name: An example of workflow expressions with terraform output steps: - name: Checkout uses: actions/checkout@v4 - name: Get outputs uses: dflook/terraform-output@v2 id: tf-outputs with: path: my-terraform-config - name: Print VPC run: | echo "The vpc-id is ${{ fromJson(steps.tf-outputs.outputs.vpc).id }}" echo "The subnet-ids are ${{ join(fromJson(steps.tf-outputs.outputs.subnets).*.id) }}" ``` -------------------------------- ### Example: Destroy Workspace on PR Close Source: https://github.com/dflook/terraform-github-actions/blob/main/terraform-destroy-workspace/README.md This example demonstrates how to automatically destroy a Terraform workspace named after the git branch when a pull request is closed. ```yaml name: Destroy testing workspace on: pull_request: types: [closed] jobs: integration: runs-on: ubuntu-latest name: Cleanup after integration tests steps: - name: Checkout uses: actions/checkout@v4 - name: terraform destroy uses: dflook/terraform-destroy-workspace@v2 with: path: terraform workspace: ${{ github.head_ref }} ``` -------------------------------- ### Basic GitHub Actions Workflow Source: https://github.com/dflook/terraform-github-actions/blob/main/tofu-test/README.md A standard GitHub Actions workflow demonstrating checkout and the dflook/tofu-test action. ```yaml name: "Run Tests" on: [push] jobs: test: name: Unlock runs-on: ubuntu-latest steps: - name: Checkout current branch uses: actions/checkout@v4 - name: OpenTofu Tests uses: dflook/tofu-test@v2 with: path: modules/vpc ``` -------------------------------- ### Basic GitHub Actions Workflow Source: https://github.com/dflook/terraform-github-actions/blob/main/terraform-test/README.md A standard GitHub Actions workflow demonstrating how to use the terraform-test action. Ensure to checkout the code before running the action. ```yaml name: "Run Tests" on: [push] jobs: test: name: Unlock runs-on: ubuntu-latest steps: - name: Checkout current branch uses: actions/checkout@v4 - name: Terraform Tests uses: dflook/terraform-test@v2 with: path: modules/vpc ``` -------------------------------- ### Minimal Repository Dispatch Payload Source: https://github.com/dflook/terraform-github-actions/blob/main/terraform-plan/README.md A minimal JSON payload example for triggering a workflow via repository_dispatch, including the pull_request URL. ```json { "pull_request": { "url": "https://api.github.com/repos/dflook/terraform-github-actions/pulls/1" } } ``` -------------------------------- ### Run Pre-Init Commands Source: https://github.com/dflook/terraform-github-actions/blob/main/terraform-new-workspace/README.md Use TERRAFORM_PRE_RUN to execute commands before 'terraform init'. Specify the action's minor version if using this. ```yaml env: TERRAFORM_PRE_RUN: | # Install latest Azure CLI curl -skL https://aka.ms/InstallAzureCLIDeb | bash # Install postgres client apt-get install -y --no-install-recommends postgresql-client ``` -------------------------------- ### Run Check on Every Push Source: https://github.com/dflook/terraform-github-actions/blob/main/tofu-fmt-check/README.md This workflow runs on every push event and checks the formatting of OpenTofu files in the specified path. It requires the 'actions/checkout' action to be used. ```yaml name: Check file formatting on: [push] jobs: check_format: runs-on: ubuntu-latest name: Check OpenTofu file are formatted correctly steps: - name: Checkout uses: actions/checkout@v4 - name: tofu fmt uses: dflook/tofu-fmt-check@v2 with: path: my-tofu-config ``` -------------------------------- ### Basic Terraform Format Check Workflow Source: https://github.com/dflook/terraform-github-actions/blob/main/terraform-fmt-check/README.md This workflow runs on every push and uses the `terraform-fmt-check` action to ensure all Terraform files in the specified path are correctly formatted. It fails the job if any files are not formatted. ```yaml name: Check file formatting on: [push] jobs: check_format: runs-on: ubuntu-latest name: Check Terraform file are formatted correctly steps: - name: Checkout uses: actions/checkout@v4 - name: terraform fmt uses: dflook/terraform-fmt-check@v2 with: path: my-terraform-config ``` -------------------------------- ### Configure Backend Token for Terraform Version Discovery Source: https://github.com/dflook/terraform-github-actions/blob/main/terraform-fmt-check/README.md Use this input to provide a token for authenticating with a backend service, which helps in discovering the Terraform version. This is particularly useful when the version is not explicitly specified. ```yaml with: backend_config: token=${{ secrets.BACKEND_TOKEN }} ``` -------------------------------- ### Apply a Stored Plan File Source: https://github.com/dflook/terraform-github-actions/blob/main/terraform-apply/README.md Use the `plan_path` input to specify the path to a plan file generated by a previous `dflook/terraform-plan` action. This avoids regenerating the plan and can be faster if the plan is identical to the one attached to the PR comment. ```yaml with: plan_path: path/to/your/plan.tfplan ``` -------------------------------- ### Destroy Terraform Workspace on PR Close Source: https://github.com/dflook/terraform-github-actions/blob/main/terraform-destroy/README.md Example workflow to automatically destroy Terraform resources in a workspace named after the git branch when a pull request is closed. ```yaml name: Cleanup on: pull_request: types: [closed] jobs: destroy_workspace: runs-on: ubuntu-latest name: Destroy Terraform workspace steps: - name: Checkout uses: actions/checkout@v4 - name: terraform destroy uses: dflook/terraform-destroy@v2 with: path: my-terraform-config workspace: ${{ github.head_ref }} ``` -------------------------------- ### Check Terraform Formatting with dflook/terraform-fmt-check Source: https://context7.com/dflook/terraform-github-actions/llms.txt Use this action to verify that your Terraform files adhere to the canonical style. It fails the build with detailed annotations if formatting issues are found. Ensure 'actions/checkout@v4' is used prior to this step. ```yaml name: Check formatting on: [push] jobs: check_format: runs-on: ubuntu-latest name: Check Terraform formatting steps: - name: Checkout uses: actions/checkout@v4 - name: terraform fmt check uses: dflook/terraform-fmt-check@v2 id: fmt-check with: path: my-terraform-config - name: Formatting issues found if: ${{ failure() && steps.fmt-check.outputs.failure-reason == 'check-failed' }} run: echo "Run 'terraform fmt' to fix formatting issues" ``` -------------------------------- ### Conditional Workflow on Validation Failure Source: https://github.com/dflook/terraform-github-actions/blob/main/tofu-validate/README.md This example shows a workflow that executes a step only if the OpenTofu validation previously failed. It checks the 'failure-reason' output from the 'tofu validate' step. ```yaml on: [push] jobs: validate: runs-on: ubuntu-latest name: Validate OpenTofu module steps: - name: Checkout uses: actions/checkout@v4 - name: tofu validate uses: dflook/tofu-validate@v2 id: validate with: path: my-tofu-config - name: Validate failed if: ${{ failure() && steps.validate.outputs.failure-reason == 'validate-failed' }} run: echo "tofu validate failed" ``` -------------------------------- ### Configure HTTP Credentials for Module Sources Source: https://github.com/dflook/terraform-github-actions/blob/main/terraform-new-workspace/README.md Provide credentials for fetching modules via HTTP/HTTPS. Credentials are in the format '=:', one per line. ```yaml env: TERRAFORM_HTTP_CREDENTIALS: | example.com=dflook:${{ secrets.HTTPS_PASSWORD }} github.com/dflook/terraform-github-actions.git=dflook-actions:${{ secrets.ACTIONS_PAT }} github.com/dflook=dflook:${{ secrets.DFLOOK_PAT }} github.com=graham:${{ secrets.GITHUB_PAT }} ``` -------------------------------- ### Terraform Refresh Lock Info Example Source: https://github.com/dflook/terraform-github-actions/blob/main/terraform-refresh/README.md This JSON structure represents the `lock-info` output when a Terraform state lock fails. It contains details about the lock, such as ID, path, operation, and owner. ```json { "ID": "838fbfde-c5cd-297f-84a4-d7578b4a4880", "Path": "terraform-github-actions/test-unlock-state", "Operation": "OperationTypeApply", "Who": "root@e9d43b0c6478", "Version": "1.3.7", "Created": "2023-01-28 00:16:41.560904373 +0000 UTC", "Info": "" } ``` -------------------------------- ### Apply PR approved plans on push to main Source: https://github.com/dflook/terraform-github-actions/blob/main/terraform-apply/README.md This workflow runs on every push to the main branch. If the commit originated from a merged PR, it applies the plan from that PR. Requires read permissions for contents and write for pull-requests. ```yaml name: Apply on: push: branches: - main permissions: contents: read pull-requests: write jobs: apply: runs-on: ubuntu-latest name: Apply approved plan env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 - name: terraform apply uses: dflook/terraform-apply@v2 with: path: my-terraform-config ``` -------------------------------- ### Use tfvars files Source: https://github.com/dflook/terraform-github-actions/blob/main/terraform-test/README.md Specify a list of tfvars files to use for the tests via the `var_file` input. Paths are relative to the GitHub Actions workspace. ```yaml with: var_file: | common.tfvars prod.tfvars ``` -------------------------------- ### Apply Plan Using an Issue Comment Source: https://github.com/dflook/terraform-github-actions/blob/main/tofu-apply/README.md This workflow applies a plan on demand when a user comments 'tofu apply' on a PR. It requires the plan to be generated by the tofu-plan action and stored in a previous comment. ```yaml name: OpenTofu Apply on: [issue_comment] jobs: apply: if: "${{ github.event.issue.pull_request && contains(github.event.comment.body, 'tofu apply') }}" runs-on: ubuntu-latest name: Apply OpenTofu plan env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" steps: - name: Checkout uses: actions/checkout@v4 with: ref: refs/pull/${{ github.event.issue.number }}/merge - name: OpenTofu apply uses: dflook/tofu-apply@v2 with: path: my-tofu-config ``` -------------------------------- ### Example GitHub Actions workflow to unlock Terraform state Source: https://github.com/dflook/terraform-github-actions/blob/main/terraform-unlock-state/README.md This workflow demonstrates how to use the `terraform-unlock-state` action. It is triggered manually via `workflow_dispatch` and requires the Terraform module path and lock ID as inputs. ```yaml name: "Unlock state" on: workflow_dispatch: inputs: path: description: "Path to the Terraform root module" required: true lock_id: description: "Lock ID to be unlocked" required: true env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} jobs: unlock: name: Unlock runs-on: ubuntu-latest steps: - name: Checkout current branch uses: actions/checkout@v4 - name: Terraform Unlock uses: dflook/terraform-unlock-state@v2 with: path: ${{ github.event.inputs.path }} lock_id: ${{ github.event.inputs.lock_id }} ``` -------------------------------- ### Apply specific resources on schedule Source: https://github.com/dflook/terraform-github-actions/blob/main/terraform-apply/README.md This workflow runs daily to update specific resources, such as TLS certificates, if necessary. It uses `auto_approve: true` and specifies target resources. ```yaml name: Rotate certs on: schedule: - cron: "0 8 * * *" jobs: apply: runs-on: ubuntu-latest name: Rotate certs steps: - name: Checkout uses: actions/checkout@v4 - name: terraform apply uses: dflook/terraform-apply@v2 with: path: my-terraform-config auto_approve: true target: | kubernetes_secret.tls_cert_public kubernetes_secret.tls_cert_private ``` -------------------------------- ### Customize Environment with TERRAFORM_PRE_RUN Source: https://github.com/dflook/terraform-github-actions/blob/main/docs/custom_tools.md Use the TERRAFORM_PRE_RUN environment variable to execute commands before Terraform runs. This is useful for installing additional tools like AWS CLI or PostgreSQL client. The command is executed with `bash -xeo pipefail`. ```yaml env: TERRAFORM_PRE_RUN: | # Install latest Azure CLI curl -skL https://aka.ms/InstallAzureCLIDeb | bash # Install postgres client apt-get install -y --no-install-recommends postgresql-client ``` -------------------------------- ### Specify Backend Config File for Terraform Version Discovery Source: https://github.com/dflook/terraform-github-actions/blob/main/terraform-fmt-check/README.md Provide a path to a backend configuration file to assist in discovering the Terraform version. This is an alternative to directly specifying backend configuration values. ```yaml with: backend_config_file: prod.backend.tfvars ```