Continuous Integration with GitHub Actions and HashiCorp Terraform
Overview
In this scenario, continuous integration of an AWS environment is desired. Configuration is managed via HashiCorp Terraform. Continuous Integration is managed via GitHub Actions. By loading the necessary Terraform configuration files into this repository along with two GitHub Workflows, the Terraform files can be used to Plan and Apply into the target environment.
NOTE: GitHub Actions are disabled for this repository to prevent abuse. You can view previous runs here.
Details
This repository contains two GitHub Workflow files:
-
Terraform Plan - Triggered by any Pull Request.
-
Terraform Apply - Triggered by a Push into the
masterbranch.
Terraform Plan
-
Checks the Terraform configuration for security vulnerabilities with tfsec.
-
Constructs AWS credentials using a Secrets stored in this repository.
-
Loads the Terraform CLI wrapper with Setup Terraform
-
Terraform CLI performs an
InitandPlanbased on the pull request's configuration. -
GitHub Actions Bot adds a comment to the pull request with the results. Example: Pull Request 1
You can view pervious Terraform Plan workflows here.
Terraform Apply
-
Constructs AWS credentials using a Secrets stored in this repository.
-
Loads the Terraform CLI wrapper with Setup Terraform
-
Terraform CLI performs an
InitandApplybased on the new push configuration.
You can view pervious Terraform Apply workflows here.
Credentials
Credentials should be stored in the user\.aws\credential file using Secrets stored in this repository.
Example:
mkdir -p ~/.aws
echo "[default]" > ~/.aws/credentials
echo "aws_access_key_id = ${{ secrets.AWS_ACCESS_KEY_ID }}" >> ~/.aws/credentials
echo "aws_secret_access_key = ${{ secrets.AWS_SECRET_ACCESS_KEY }}" >> ~/.aws/credentials