diggerhq/tfcloud-alt: terraform cloud alternative

URL

UPDATE

Please visit more mature repository here: https://github.com/diggerhq/digger

Introduction

Do we really need terraform cloud? TerraformCloud, Spacelift and other cloud runners present dedicated CI/CD to run terraform.

Why are people using Terraform Cloud? Why not run Terraform in Github Actions? For my usecase as a small startup it seems to me that relying on github actions should be enough. I might be missing something but it seems that I need from a terraform runner is the following flow:

Runs terraform plan on every PR
Runs terraform apply on merge to master/main branch
Handle of concurrency by queining multiple applies together

More advanced flows such as multiple environments and comment-to-apply can also be acheived as an extension of above. So why do we need a dedicated service to run our terraform ? What other features or caveats have I not thought of yet?

How to run

Bring your own terraform

If you have terraform already on github and you would like to use this then you can do the following:

Create directory .github/workflows
Create the following workflow for plans .github/workflows/tfplan.yml

name: Create terraform plan

on: [pull_request]

permissions:
  contents: read
  pull-requests: write

jobs:
  plan:
    runs-on: ubuntu-latest
    name: Create a plan for an example terraform configuration
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: terraform plan
        uses: dflook/terraform-plan@v1
        with:
          path: terraform_examples
          variables: |
            xxxxx = "${{ secrets.xxxxx }}"

Create the following workflow for applies .github/workflows/tfapply.yml

name: Apply terraform plan

on:
  push:
    branches:
      - main

permissions:
  contents: read
  pull-requests: write

jobs:
  apply:
    runs-on: ubuntu-latest
    name: Apply terraform plan
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: terraform apply
        uses: dflook/terraform-apply@v1
        with:
          path: terraform_examples
          variables: |
            xxxxx = "${{ secrets.xxxxx }}"

Use sample repository

You can also play with this sample repository which contains sample code. To do this you need to fork the repository and set the following secrets:

AWS_ACCESS_KEY_ID=xxxxx
AWS_SECRET_ACCESS_KEY=yyyyyy
DB_PASSWORD=pwdpwdpwdpwd

And you can create a PR with some terraform change to trigger the action.

Thanks

I used this terraform action for the demo: https://github.com/dflook/terraform-github-actions