terraform-github-actions

terraform-check action

This is one of a suite of Terraform related actions - find them at dflook/terraform-github-actions.

Check for drift in Terraform managed resources. This action runs the terraform plan command, and fails the build if any changes are required. This is intended to run on a schedule to notify if manual changes to your infrastructure have been made.

Inputs

path

Path to the Terraform root module to check
- Type: string
- Optional
- Default: The action workspace
workspace

Terraform workspace to run the plan in
- Type: string
- Optional
- Default: default
variables

Variables to set for the Terraform plan. This should be valid Terraform syntax - like a variable definition file.
```
with:
  variables: |
    image_id = "$"
    availability_zone_names = [
      "us-east-1a",
      "us-west-1c",
    ]
```
Variables set here override any given in var_files.
- Type: string
- Optional
var_file

List of tfvars files to use, one per line. Paths should be relative to the GitHub Actions workspace
```
with:
  var_file: |
    common.tfvars
    prod.tfvars
```
- Type: string
- Optional
backend_config

List of Terraform backend config values, one per line.
```
with:
  backend_config: token=$
```
- Type: string
- Optional
backend_config_file

List of Terraform backend config files to use, one per line. Paths should be relative to the GitHub Actions workspace
```
with:
  backend_config_file: prod.backend.tfvars
```
- Type: string
- Optional
parallelism

Limit the number of concurrent operations
- Type: number
- Optional
- Default: The terraform default (10)

Outputs

failure-reason

When the job outcome is failure because the there are outstanding changes to apply, this will be set to ‘changes-to-apply’. If the job fails for any other reason this will not be set. This can be used with the Actions expression syntax to conditionally run a step when there are changes to apply.

Environment Variables

GITHUB_DOT_COM_TOKEN

This is used to specify a token for GitHub.com when the action is running on a GitHub Enterprise instance. This is only used for downloading OpenTofu binaries from GitHub.com. If this is not set, an unauthenticated request will be made to GitHub.com to download the binary, which may be rate limited.
- Type: string
- Optional
TERRAFORM_CLOUD_TOKENS

API tokens for cloud hosts, of the form <host>=<token>. Multiple tokens may be specified, one per line. These tokens may be used with the remote backend and for fetching required modules from the registry.

e.g:
```
env:
  TERRAFORM_CLOUD_TOKENS: app.terraform.io=$
```
With other registries:
```
env:
  TERRAFORM_CLOUD_TOKENS: |
    app.terraform.io=$
    terraform.example.com=$
```
- Type: string
- Optional
TERRAFORM_SSH_KEY

A SSH private key that Terraform will use to fetch git module sources.

This should be in PEM format.

For example:
```
env:
  TERRAFORM_SSH_KEY: $
```
- Type: string
- Optional
TERRAFORM_PRE_RUN

A set of commands that will be ran prior to terraform init. This can be used to customise the environment before running Terraform.

The runtime environment for these actions is subject to change in minor version releases. If using this environment variable, specify the minor version of the action to use.

The runtime image is currently based on debian:bullseye, with the command run using bash -xeo pipefail.

For example:
```
env:
  TERRAFORM_PRE_RUN: |
    # Install latest Azure CLI
    curl -skL https://aka.ms/InstallAzureCLIDeb | bash
      
    # Install postgres client
    apt-get install -y --no-install-recommends postgresql-client
```
- Type: string
- Optional
TERRAFORM_HTTP_CREDENTIALS

Credentials that will be used for fetching modules sources with git::http://, git::https://, http:// & https:// schemes.

Credentials have the format <host>=<username>:<password>. Multiple credentials may be specified, one per line.

Each credential is evaluated in order, and the first matching credentials are used.

Credentials that are used by git (git::http://, git::https://) allow a path after the hostname. Paths are ignored by http:// & https:// schemes. For git module sources, a credential matches if each mentioned path segment is an exact match.

For example:
```
env:
  TERRAFORM_HTTP_CREDENTIALS: |
    example.com=dflook:$
    github.com/dflook/terraform-github-actions.git=dflook-actions:$
    github.com/dflook=dflook:$
    github.com=graham:$  
```
- Type: string
- Optional

Example usage

This example workflow runs every morning and will fail if there has been unexpected changes to your infrastructure.

name: Check for infrastructure drift

on:
  schedule:
    - cron:  "0 8 * * *"

jobs:
  check_drift:
    runs-on: ubuntu-latest
    name: Check for drift of Terraform configuration
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Check
        uses: dflook/terraform-check@v1
        with:
          path: my-terraform-configuration

This example executes a run step only if there are changes to apply.

name: Check for infrastructure drift

on:
  schedule:
    - cron:  "0 8 * * *"

jobs:
  check_drift:
    runs-on: ubuntu-latest
    name: Check for drift of Terraform configuration
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Check
        uses: dflook/terraform-check@v1
        id: check
        with:
          path: my-terraform-configuration

      - name: Changes detected
        if: $
        run: echo "There are outstanding changes to apply"