name: 'Terraform Plan/Apply' on: push: branches: - main pull_request: branches: - main #Special permissions required for OIDC authentication permissions: id-token: write contents: read pull-requests: write #These environment variables are used by the terraform azure provider to setup OIDD authenticate. env: ARM_CLIENT_ID: "${{ secrets.AZURE_CLIENT_ID }}" ARM_SUBSCRIPTION_ID: "${{ secrets.AZURE_SUBSCRIPTION_ID }}" ARM_TENANT_ID: "${{ secrets.AZURE_TENANT_ID }}" jobs: terraform-plan: name: 'Terraform Plan' runs-on: ubuntu-latest env: #this is needed since we are running terraform with read-only permissions ARM_SKIP_PROVIDER_REGISTRATION: true outputs: tfplanExitCode: ${{ steps.tf-plan.outputs.exitcode }} steps: # Checkout the repository to the GitHub Actions runner - name: Checkout uses: actions/checkout@v4 # Install the latest version of the Terraform CLI - name: Setup Terraform uses: hashicorp/setup-terraform@v3 with: terraform_wrapper: false # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. - name: Terraform Init run: terraform init # Checks that all Terraform configuration files adhere to a canonical format # Will fail the build if not - name: Terraform Format run: terraform fmt -check # Generates an execution plan for Terraform # An exit code of 0 indicated no changes, 1 a terraform failure, 2 there are pending changes. - name: Terraform Plan id: tf-plan run: | export exitcode=0 terraform plan -detailed-exitcode -no-color -out tfplan || export exitcode=$? echo "exitcode=$exitcode" >> $GITHUB_OUTPUT if [ $exitcode -eq 1 ]; then echo Terraform Plan Failed! exit 1 else exit 0 fi # Save plan to artifacts - name: Publish Terraform Plan uses: actions/upload-artifact@v4 with: name: tfplan path: tfplan # Create string output of Terraform Plan - name: Create String Output id: tf-plan-string run: | TERRAFORM_PLAN=$(terraform show -no-color tfplan) delimiter="$(openssl rand -hex 8)" echo "summary<<${delimiter}" >> $GITHUB_OUTPUT echo "## Terraform Plan Output" >> $GITHUB_OUTPUT echo "
Click to expand" >> $GITHUB_OUTPUT echo "" >> $GITHUB_OUTPUT echo '```terraform' >> $GITHUB_OUTPUT echo "$TERRAFORM_PLAN" >> $GITHUB_OUTPUT echo '```' >> $GITHUB_OUTPUT echo "
" >> $GITHUB_OUTPUT echo "${delimiter}" >> $GITHUB_OUTPUT # Publish Terraform Plan as task summary - name: Publish Terraform Plan to Task Summary env: SUMMARY: ${{ steps.tf-plan-string.outputs.summary }} run: | echo "$SUMMARY" >> $GITHUB_STEP_SUMMARY # If this is a PR post the changes - name: Push Terraform Output to PR if: github.ref != 'refs/heads/main' uses: actions/github-script@v7 env: SUMMARY: "${{ steps.tf-plan-string.outputs.summary }}" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | const body = `${process.env.SUMMARY}`; github.rest.issues.createComment({ issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo, body: body }) terraform-apply: name: 'Terraform Apply' if: github.ref == 'refs/heads/main' && needs.terraform-plan.outputs.tfplanExitCode == 2 runs-on: ubuntu-latest environment: production needs: [terraform-plan] steps: # Checkout the repository to the GitHub Actions runner - name: Checkout uses: actions/checkout@v4 # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token - name: Setup Terraform uses: hashicorp/setup-terraform@v3 # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. - name: Terraform Init run: terraform init # Download saved plan from artifacts - name: Download Terraform Plan uses: actions/download-artifact@v4 with: name: tfplan # Terraform Apply - name: Terraform Apply run: terraform apply -auto-approve tfplan