terraform-github-actions

All the terraform actions in this repository are released as one.
Use the actions as part of a GitHub Actions workflow, e.g:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3

    - uses: dflook/[email protected]
      with:
        path: my-terraform-config

You can specify an action version as:

• @v1.31.0 to use exactly this release
• @v1.31 to use the latest patch release for this specific minor version
• @v1 to use the latest patch release for this specific major version

Changes

Added

• Values in the variables input of dflook/terraform-plan will be masked in the PR comment if the Terraform variable is marked 'sensitive'. Previously a label was required to avoid revealing sensitive values.

All the terraform actions in this repository are released as one.
Use the actions as part of a GitHub Actions workflow, e.g:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3

    - uses: dflook/[email protected]
      with:
        path: my-terraform-config

You can specify an action version as:

• @v1.30.0 to use exactly this release
• @v1.30 to use the latest patch release for this specific minor version
• @v1 to use the latest patch release for this specific major version

Changes

Added

• The TERRAFORM_ACTIONS_GITHUB_TOKEN environment variable can be set to the github token for the actions to use instead of using GITHUB_TOKEN. This is useful if using the terraform GitHub provider which also uses the GITHUB_TOKEN variable, allowing the github actions and terraform provider to use separate tokens.

• The GITHUB_TOKEN/TERRAFORM_ACTIONS_GITHUB_TOKEN can now be a github app token or fine grained personal access token. As before, it can also be a classic PAT or use the token provided by github actions.

All the terraform actions in this repository are released as one.
Use the actions as part of a GitHub Actions workflow, e.g:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3

    - uses: dflook/[email protected]
      with:
        path: my-terraform-config

You can specify an action version as:

• @v1.29.1 to use exactly this release
• @v1.29 to use the latest patch release for this specific minor version
• @v1 to use the latest patch release for this specific major version

Changes

Fixed

• Multiline string terraform outputs are now properly set as action outputs, and properly masked in the workflow log.

All the terraform actions in this repository are released as one.
Use the actions as part of a GitHub Actions workflow, e.g:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3

    - uses: dflook/[email protected]
      with:
        path: my-terraform-config

You can specify an action version as:

• @v1.29.0 to use exactly this release
• @v1.29 to use the latest patch release for this specific minor version
• @v1 to use the latest patch release for this specific major version

Changes

Added

• Terraform executables are integrity checked using Hashicorp signed checksums before use.

All the terraform actions in this repository are released as one.
Use the actions as part of a GitHub Actions workflow, e.g:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3

    - uses: dflook/[email protected]
      with:
        path: my-terraform-config

You can specify an action version as:

• @v1.28.1 to use exactly this release
• @v1.28 to use the latest patch release for this specific minor version
• @v1 to use the latest patch release for this specific major version

Changes

Fixed

• GITHUB_OUTPUT: unbound variable errors with v1.28.0 on self-hosted runners with older runner versions.

All the terraform actions in this repository are released as one.
Use the actions as part of a GitHub Actions workflow, e.g:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3

    - uses: dflook/[email protected]
      with:
        path: my-terraform-config

You can specify an action version as:

• @v1.28.0 to use exactly this release
• @v1.28 to use the latest patch release for this specific minor version
• @v1 to use the latest patch release for this specific major version

Changes

Added

• Terraform version detection rules updated to include information about backends removed in Terraform 1.3.

Fixed

• Deprecation warnings about the set-output actions workflow command.

All the terraform actions in this repository are released as one.
Use the actions as part of a GitHub Actions workflow, e.g:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2

    - uses: dflook/[email protected]
      with:
        path: my-terraform-config

You can specify an action version as:

• @v1.27.0 to use exactly this release
• @v1.27 to use the latest patch release for this specific minor version
• @v1 to use the latest patch release for this specific major version

Changes

Added

• dflook/terraform-plan and dflook/terraform-apply now work with plans that are too large to fit in a PR comment.

  If plan is too large it will be truncated in the comment, with the full plan viewable in the workflow log.
  When dflook/terraform-apply aborts the apply because the plan is outdated, a partial diff will be shown in the workflow log with a link to the workflow with the full plan for direct comparison.

Fixed

• Warnings are ignored when deciding if a plan has changed and should no longer cause aborted applies if the order of the warnings changes.
• The unchanged resource attribute count is ignored when deciding if a plan has changed and should no longer cause aborted applies with harmless provider version changes.

All the terraform actions in this repository are released as one.
Use the actions as part of a GitHub Actions workflow, e.g:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2

    - uses: dflook/[email protected]
      with:
        path: my-terraform-config

You can specify an action version as:

• @v1.26.0 to use exactly this release
• @v1.26 to use the latest patch release for this specific minor version
• @v1 to use the latest patch release for this specific major version

Changes

Added

• The number of moved resources in a plan is summarised in the PR comment.

Fixed

• The plan was not being correctly extracted when it contained only resource moves, which resulted in noisy PR comments and may have caused apply operations to be aborted - Thanks to merykozlowska!

All the terraform actions in this repository are released as one.
Use the actions as part of a GitHub Actions workflow, e.g:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2

    - uses: dflook/[email protected]
      with:
        path: my-terraform-config

You can specify an action version as:

• @v1.25.1 to use exactly this release
• @v1.25 to use the latest patch release for this specific minor version
• @v1 to use the latest patch release for this specific major version

Changes

Fixed

• Failure to install terraform after change in the download page - Thanks kylewlacy

All the terraform actions in this repository are released as one.
Use the actions as part of a GitHub Actions workflow, e.g:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2

    - uses: dflook/[email protected]
      with:
        path: my-terraform-config

You can specify an action version as:

• @v1.25.0 to use exactly this release
• @v1.25 to use the latest patch release for this specific minor version
• @v1 to use the latest patch release for this specific major version

Changes

Added

• New run_id output for dflook/terraform-plan and dflook/terraform-apply which are set when using Terraform Cloud/Enterprise. It is the remote run-id of the plan or apply operation.
• The json_plan_path output of dflook/terraform-plan now works when using Terraform Cloud/Enterprise.

All the terraform actions in this repository are released as one.
Use the actions as part of a GitHub Actions workflow, e.g:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2

    - uses: dflook/[email protected]
      with:
        path: my-terraform-config

You can specify an action version as:

• @v1.24.0 to use exactly this release
• @v1.24 to use the latest patch release for this specific minor version
• @v1 to use the latest patch release for this specific major version

Changes

Added

• New to_add, to_change and to_destroy outputs for the dflook/terraform-plan action that contain the number of resources that would be added, changed or deleted by the plan.

  These can be used in an if expression in a workflow to conditionally run steps, e.g. when the plan would destroy something.

All the terraform actions in this repository are released as one.
Use the actions as part of a GitHub Actions workflow, e.g:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2

    - uses: dflook/[email protected]
      with:
        path: my-terraform-config

You can specify an action version as:

• @v1.23.0 to use exactly this release
• @v1.23 to use the latest patch release for this specific minor version
• @v1 to use the latest patch release for this specific major version

Changes

Changed

• Input variables no longer help identify the plan comment. Each PR comment is still identified by it's configured terraform backend state file. This is a very subtle change but enables better reporting of why an apply operation is aborted, e.g. "plan has changed" vs "plan not found".

  This means that if you have more than one dflook/terraform-plan action for the same root module & backend but with different variables, you should ensure they use different labels.

• The workflow output when an apply has been aborted because of changes in the plan has been clarified - thanks toast-gear!

Fixed

• Pre-release terraform versions now won't be used when selecting the latest terraform version.
• Invalid terraform files that contained an unterminated string would take an extremely long time to parse before failing the job.
• dflook/terraform-validate now automatically sets terraform.workspace to default when validating a module that uses a remote or cloud backend.

All the terraform actions in this repository are released as one.
Use the actions as part of a GitHub Actions workflow, e.g:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2

    - uses: dflook/[email protected]
      with:
        path: my-terraform-config

You can specify an action version as:

• @v1.22.2 to use exactly this release
• @v1.22 to use the latest patch release for this specific minor version
• @v1 to use the latest patch release for this specific major version

Changes

Fixed

• The PR plan comment was incorrectly including resource refresh lines when there were changes to outputs but not resources, while using Terraform >=0.15.4. As well as being noisy, this could lead to failures to apply due to incorrectly detecting changes in the plan.
• Removed incorrect deprecation warning in dflook/terraform-destroy. Thanks dgrenner!

All the terraform actions in this repository are released as one.
Use the actions as part of a GitHub Actions workflow, e.g:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2

    - uses: dflook/[email protected]
      with:
        path: my-terraform-config

You can specify an action version as:

• @v1.22.1 to use exactly this release
• @v1.22 to use the latest patch release for this specific minor version
• @v1 to use the latest patch release for this specific major version

Changes

Fixed

• Better support for some self-hosted runners that run in containers and don't correctly pass the event payload.

All the terraform actions in this repository are released as one.
Use the actions as part of a GitHub Actions workflow, e.g:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2

    - uses: dflook/[email protected]
      with:
        path: my-terraform-config

You can specify an action version as:

• @v1.22.0 to use exactly this release
• @v1.22 to use the latest patch release for this specific minor version
• @v1 to use the latest patch release for this specific major version

Changes

Added

• Workspace management for Terraform Cloud/Enterprise has been reimplemented to avoid issues with the terraform workspace command when using the remote backend or a cloud config block:

  • dflook/terraform-new-workspace can now create the first workspace
  • dflook/terraform-destroy-workspace can now delete the last remaining workspace
  • dflook/terraform-new-workspace and dflook/terraform-destroy-workspace work with a remote backend that specifies a workspace by name

• The terraform version to use will now be detected from additional places:

  • The terraform version set in the remote workspace when using Terraform Cloud/Enterprise as the backend
  • An asdf .tool-versions file
  • The terraform version that wrote an existing state file
  • A TERRAFORM_VERSION environment variable

  The best way to specify the version is using a required_version constraint.

  See dflook/terraform-version docs for details.

Changed

As a result of the above terraform version detection additions, note these changes:

• Actions always use the terraform version set in the remote workspace when using TFC/E, if it exists. This mostly effects dflook/terraform-fmt, dflook/terraform-fmt-check and dflook/terraform-validate.

• If the terraform version is not specified anywhere then new workspaces will be created with the latest terraform version. Existing workspaces will use the terraform version that was last used for that workspace.

• If you want to always use the latest terraform version, instead of not specifying a version you now need to set an open-ended version constraint (e.g. >1.0.0)

• All actions now support the inputs and environment variables related to the backend, for discovering the terraform version from a TFC/E workspace or remote state. This add the inputs workspace, backend_config, backend_config_file, and the TERRAFORM_CLOUD_TOKENS environment variable to the dflook/terraform-fmt, dflook/terraform-fmt-check and dflook/terraform-validate actions.

• ⚠️ Some unused packages were removed from the container image, most notably Python 2.

All the terraform actions in this repository are released as one.
Use the actions as part of a GitHub Actions workflow, e.g:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2

    - uses: dflook/[email protected]
      with:
        path: my-terraform-config

You can specify an action version as:

• @v1.21.1 to use exactly this release
• @v1.21 to use the latest patch release for this specific minor version
• @v1 to use the latest patch release for this specific major version

Changes

Fixed

• dflook/terraform-new-workspace support for Terraform v1.1.0.

  This stopped working after a change in the behaviour of terraform init.

  There is an outstanding issue in Terraform v1.1.0 using the remote backend that prevents creating a new workspace when no workspaces currently exist. If you are affected by this, you can pin to an earlier version of Terraform using one of methods listed in the dflook/terraform-version docs.

All the terraform actions in this repository are released as one.
Use the actions as part of a GitHub Actions workflow, e.g:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2

    - uses: dflook/[email protected]
      with:
        path: my-terraform-config

You can specify an action version as:

• @v1.21.0 to use exactly this release
• @v1.21 to use the latest patch release for this specific minor version
• @v1 to use the latest patch release for this specific major version

Changes

Added

• A new workspace input for dflook/terraform-validate allows validating usage of terraform.workspace in the terraform code.

  Terraform doesn't initialize terraform.workspace based on the backend configuration when running a validate operation.
  This new input allows setting the full name of the workspace to use while validating, even when you wouldn't normally do so for a plan/apply (e.g. when using the remote backend)

All the terraform actions in this repository are released as one.
Use the actions as part of a GitHub Actions workflow, e.g:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2

    - uses: dflook/[email protected]
      with:
        path: my-terraform-config

You can specify an action version as:

• @v1.20.1 to use exactly this release
• @v1.20 to use the latest patch release for this specific minor version
• @v1 to use the latest patch release for this specific major version

Changes

Fixed

• There was a problem selecting the workspace when using the remote backend with a full workspace name in the backend block.

All the terraform actions in this repository are released as one.
Use the actions as part of a GitHub Actions workflow, e.g:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2

    - uses: dflook/[email protected]
      with:
        path: my-terraform-config

You can specify an action version as:

• @v1.20.0 to use exactly this release
• @v1.20 to use the latest patch release for this specific minor version
• @v1 to use the latest patch release for this specific major version

Changes

Added

• New text_plan_path and json_plan_path outputs for dflook/terraform-apply to match the outputs for dflook/terraform-plan.

  These are paths to the generated plan in human-readable and JSON formats.

  If the plan generated by dflook/terraform-plan is different from the plan generated by dflook/terraform-apply the apply step will fail with failure-reason set to plan-changed. These new outputs make it easier to inspect the differences.

All the terraform actions in this repository are released as one.
Use the actions as part of a GitHub Actions workflow, e.g:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2

    - uses: dflook/[email protected]
      with:
        path: my-terraform-config

You can specify an action version as:

• @v1.19.0 to use exactly this release
• @v1.19 to use the latest patch release for this specific minor version
• @v1 to use the latest patch release for this specific major version

Changes

Changed

• When triggered by issue_comment or pull_request_review_comment events, the action will first add a 👍 reaction to the comment
• PR comment status messages include a single emoji that shows progress at a glance
• Actions that don't write to the terraform state no longer lock it.