Automate Terraform Deployments: (2/2) Process

This reusable GitHub Actions workflow is invoked by the Detect Changed terraform.tfvars Files workflow. It processes one .tfvars file at a time, performing:

  • Terraform environment setup
  • Validation, linting, and security scanning
  • Cost estimation
  • Conditional apply or destroy actions based on CI mode

This modular design ensures targeted, environment-specific deployments to Azure.


Purpose

  • Isolate processing for each changed .tfvars file.
  • Automate Terraform lifecycle (plan, validate, apply/destroy).
  • Integrate security and cost checks into the deployment pipeline.
  • Support multiple environments without affecting unrelated infrastructure.

Trigger Conditions

This workflow is not triggered directly by pushes or PRs.
It is invoked via workflow_call from another workflow, with:

Inputs

Name          Type     Required   Description
tfvars_file   string              Path to the .tfvars file to process

Secrets

Secret Name                                 Purpose
GRINNTEC_TERRAFORM_DEPLOYMENTS_AZURE_PAT    GitHub token for private module access
AZURE_SUBSCRIPTION_ID                       Azure subscription ID
AZURE_TENANT_ID                             Azure tenant ID
AZURE_CLIENT_ID                             Azure service principal client ID
INFRACOST_API_KEY                           API key for Infracost cost estimation

Concurrency Control

  concurrency:
    cancel-in-progress: false
    group: ${{ inputs.tfvars_file }}

  • Ensures only one run per .tfvars file at a time.
  • Prevents race conditions in state management.


Workflow Logic

  1. Azure Login (OIDC)

    • Authenticates to Azure without storing credentials.
    • Uses azure/login@v1.
  2. Checkout Repository

    • Full history checkout for Terraform context.
  3. Show Working File & Directory

    • Logs the .tfvars file path and directory for traceability.
  4. Read CI Mode

    • Determines if the run should apply, destroy, or just plan.
  5. Configure Git for Private Modules

    • Ensures Terraform can pull private GitHub modules.
  6. Cache Terraform Providers

    • Speeds up runs by caching provider binaries.
  7. Set Up Terraform

    • Installs Terraform CLI.
  8. Ensure Lockfile Exists

    • Guarantees provider versions are pinned.
  9. Extract Key Variables

    • Reads app_name, env, and location from .tfvars.
  10. Create Backend Config File

    • Configures remote state in Azure Blob Storage.
  11. Terraform Format

    • Enforces formatting standards.
  12. Run TFLint

    • Lints Terraform code for best practices.
  13. Terraform Validate

    • Validates syntax and configuration.
  14. Terraform Plan

    • Generates execution plan.
  15. Security Scan (Checkov)

    • Detects misconfigurations and security risks.
  16. Cost Estimation (Infracost)

    • Estimates monthly costs of planned changes.
  17. Terraform Apply (if CI mode = apply)

    • Applies changes to Azure.
  18. Terraform Destroy (if CI mode = destroy)

    • Tears down infrastructure.
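The following is an added example, not the repository's own composite actions, showing how steps 4, 9 and 10 above (Read CI Mode, Extract Key Variables, Create Backend Config File) and the apply/destroy gate can be implemented in plain shell. It assumes the .tfvars file carries ci_mode, app_name, env and location as simple key = "value" assignments, that the backend config is a Terraform partial backend file passed to terraform init -backend-config, and the storage account, resource group and container names it writes are placeholders. The sample .tfvars is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not the project's own code): shell logic for reading the
# CI mode, extracting key variables and writing a per-environment backend
# config. Assumed .tfvars format: one `key = "value"` assignment per line.
set -eu

# Constructed sample .tfvars, written to a temp file so the example runs offline.
SAMPLE_TFVARS="$(mktemp)"
cat > "$SAMPLE_TFVARS" <<'EOF'
# constructed sample environment file
app_name = "webapp"
env      = "dev"
location = "westeurope"
ci_mode  = "apply"   # one of: plan | apply | destroy
EOF

# extract_tfvar FILE KEY -> prints the unquoted value of `KEY = "value"`.
# Trailing comments and whitespace are ignored; returns 1 when KEY is absent.
extract_tfvar() {
  file="$1"; key="$2"
  value="$(sed -n -E "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"([^\"]*)\".*/\1/p" "$file" | head -n 1)"
  [ -n "$value" ] || { echo "missing required variable: $key" >&2; return 1; }
  printf '%s\n' "$value"
}

# read_ci_mode FILE -> prints the CI mode. A missing ci_mode defaults to the
# safe "plan"; anything other than plan|apply|destroy is rejected so that a
# typo can never be interpreted as an apply or destroy.
read_ci_mode() {
  mode="$(extract_tfvar "$1" ci_mode 2>/dev/null || echo plan)"
  case "$mode" in
    plan|apply|destroy) printf '%s\n' "$mode" ;;
    *) echo "invalid ci_mode '$mode' (expected plan|apply|destroy)" >&2; return 1 ;;
  esac
}

# write_backend_config FILE OUT -> writes a partial azurerm backend config whose
# state key is derived from app_name/env/location, so each environment gets its
# own state blob (state isolation). Prints the derived key. The resource group,
# storage account and container names below are placeholder assumptions.
write_backend_config() {
  file="$1"; out="$2"
  app="$(extract_tfvar "$file" app_name)"
  environment="$(extract_tfvar "$file" env)"
  loc="$(extract_tfvar "$file" location)"
  state_key="${app}/${environment}/${loc}/terraform.tfstate"
  cat > "$out" <<EOF
resource_group_name  = "rg-tfstate-placeholder"
storage_account_name = "sttfstateplaceholder"
container_name       = "tfstate"
key                  = "${state_key}"
use_oidc             = true
EOF
  printf '%s\n' "$state_key"
}

# decide_action MODE -> the terraform command the pipeline would run for MODE;
# returns 1 for any value that read_ci_mode would not have produced.
decide_action() {
  case "$1" in
    plan)    echo "terraform plan -out=tfplan" ;;
    apply)   echo "terraform apply -auto-approve tfplan" ;;
    destroy) echo "terraform destroy -auto-approve" ;;
    *)       return 1 ;;
  esac
}

# Stand-alone run: derive the values the pipeline would use from the sample.
MODE="$(read_ci_mode "$SAMPLE_TFVARS")"
BACKEND_OUT="$(mktemp)"
STATE_KEY="$(write_backend_config "$SAMPLE_TFVARS" "$BACKEND_OUT")"
printf 'ci_mode=%s state_key=%s\n' "$MODE" "$STATE_KEY"
printf 'backend config written to %s\n' "$BACKEND_OUT"
printf 'would run: %s\n' "$(decide_action "$MODE")"
```

The state key is built from all three extracted variables, so two environments can never share a state blob, and read_ci_mode fails closed: an unrecognised mode stops the job rather than falling through to an apply.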

Security Considerations

  • OIDC Authentication: No static Azure credentials stored.
  • Scoped Secrets: Only required secrets are passed.
  • Private Module Access: PAT is scoped to necessary repos.
  • State Isolation: Backend config ensures environment separation.

Key Components

Component Description
.github/actions/show-file Displays file path and directory
.github/actions/read-ci-mode Reads deployment mode from .tfvars
.github/actions/configure-git-private-modules Configures Git for private Terraform modules
.github/actions/cache-terraform-providers Caches provider binaries
.github/actions/ensure-tf-lockfile-exists Ensures lockfile is present
.github/actions/extract-tfvars Extracts key variables from .tfvars
.github/actions/create-terraform-backend-config-file Creates backend config for remote state
.github/actions/terraform-fmt Formats Terraform code
.github/actions/tflint Lints Terraform code
.github/actions/terraform-validate Validates Terraform configuration
.github/actions/terraform-plan Runs Terraform plan
.github/actions/terraform-security-scan Runs Checkov security scan
.github/actions/terraform-cost-estimate Runs Infracost
.github/actions/terraform-apply Applies Terraform changes
.github/actions/terraform-destroy Destroys Terraform-managed resources

Example Flow

  1. Detect Changed .tfvars Files workflow finds environments/dev/terraform.tfvars changed.
  2. Calls this workflow with:
     tfvars_file: environments/dev/terraform.tfvars
  3. Workflow runs:

    • Validates and scans the configuration.
    • Runs cost estimation.
    • Applies or destroys resources based on CI mode.

Maintenance Notes

  • Keep custom actions updated for compatibility with Terraform and Azure changes.
  • Rotate secrets regularly.
  • Review CI mode logic to ensure safe deployments.
  • Update backend config logic if state storage changes.