Framework for Monorepo to build high level Terraform Workflows by GitHub Actions
MIT License
Published by suzuki-shunsuke over 2 years ago
Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v0.4.9...v0.4.10-0 | Base revision
#171 Update tflint action to notify with github-comment
Published by suzuki-shunsuke over 2 years ago
Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v0.4.8...v0.4.9 | Base revision
#151 #153 terraform-plan, terraform-apply: Support skipping terraform plan and terraform apply in case of pull request by Renovate
#158 terraform-plan, tfmigrate-plan, setup: Set pull request label ${TFACTION_TARGET} in setup action

Support skipping terraform plan and terraform apply in case of pull request by Renovate

#151 #153

The default behavior isn't changed.
To enable this feature, set skip_terraform_by_renovate in tfaction-root.yaml.

    skip_terraform_by_renovate: true

Then terraform plan and terraform apply are skipped in pull requests by Renovate.
This is useful to update dependencies which are unrelated to the result of terraform plan and terraform apply.
But you should run terraform plan and terraform apply when Terraform or Terraform Providers are updated by Renovate.
So please set renovate_terraform_labels in tfaction-root.yaml and addLabels in renovate.json.

e.g.

tfaction-root.yaml

    renovate_terraform_labels:
      - terraform

renovate.json

    {
      "packageRules": [
        {
          "matchManagers": ["terraform", "terraform-version"],
          "addLabels": ["terraform"]
        },
        {
          "matchPackageNames": ["hashicorp/terraform"],
          "addLabels": ["terraform"]
        }
      ]
    }

The second rule is required if you manage Terraform with aqua.
If any one of the labels in renovate_terraform_labels is set on the pull request, tfaction runs terraform plan and terraform apply.
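The skip rule and the label configuration described above, as an added example that is not tfaction's own code: it models the decision and lints the two files so that a Terraform or provider update cannot end up unlabelled and therefore skipped. The `renovate[bot]` author check, the function names and the `uses_aqua` flag are assumptions made for the example.

```python
import json

RENOVATE_LOGIN = "renovate[bot]"  # assumption: how a Renovate PR is recognised

# Constructed inputs mirroring the tfaction-root.yaml and renovate.json above.
CONFIG = {"skip_terraform_by_renovate": True,
          "renovate_terraform_labels": ["terraform"]}
RENOVATE = json.loads("""
{"packageRules": [
  {"matchManagers": ["terraform", "terraform-version"], "addLabels": ["terraform"]},
  {"matchPackageNames": ["hashicorp/terraform"], "addLabels": ["terraform"]}
]}""")


def should_run_terraform(config, pr_author, pr_labels):
    """True when terraform plan/apply must run for this pull request."""
    if not config.get("skip_terraform_by_renovate", False):
        return True  # default behaviour: nothing is skipped
    if pr_author != RENOVATE_LOGIN:
        return True  # only Renovate pull requests are candidates for skipping
    wanted = set(config.get("renovate_terraform_labels") or [])
    return bool(wanted & set(pr_labels))


def lint_labels(config, renovate, uses_aqua=False):
    """List Terraform update kinds that Renovate would leave unlabelled,
    so plan/apply would be skipped for them."""
    if not config.get("skip_terraform_by_renovate", False):
        return []
    wanted = set(config.get("renovate_terraform_labels") or [])
    needed = [("matchManagers", "terraform"), ("matchManagers", "terraform-version")]
    if uses_aqua:  # Terraform itself is then updated as an aqua package
        needed.append(("matchPackageNames", "hashicorp/terraform"))
    problems = []
    for key, value in needed:
        labelled = any(value in rule.get(key, [])
                       and wanted & set(rule.get("addLabels", []))
                       for rule in renovate.get("packageRules", []))
        if not labelled:
            problems.append(f"{key}={value}")
    return problems


if __name__ == "__main__":
    print(should_run_terraform(CONFIG, RENOVATE_LOGIN, ["dependencies"]))
    print(lint_labels(CONFIG, {"packageRules": RENOVATE["packageRules"][:1]}, True))
```

Running the lint in CI on changes to either file catches the case where the skip is enabled but a rule that labels Terraform updates has been removed.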
#164 list-targets: Add input github_token
Published by suzuki-shunsuke over 2 years ago
Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v0.4.7...v0.4.8 | Base revision
#149 terraform apply isn't run even if a follow-up pull request is merged
This bug is due to #119.
Affected versions are v0.4.0 ~ v0.4.7.
Published by suzuki-shunsuke over 2 years ago
Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v0.4.7...v0.4.8-0 | Base revision
#149 terraform apply isn't run even if a follow-up pull request is merged
This bug is due to #119.
Affected versions are v0.4.0 ~ v0.4.7.
Published by suzuki-shunsuke over 2 years ago
Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v0.4.6...v0.4.7 | Base revision
#143 #144 #145 #146 scaffold-working-dir doesn't work
#147 Skip Conftest if the policy isn't found
Published by suzuki-shunsuke over 2 years ago
Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v0.4.5...v0.4.6 | Base revision
#142 Fix an error if no working directory is found
Published by suzuki-shunsuke over 2 years ago
Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v0.4.5...v0.4.6-0 | Base revision
#140 terraform-plan, tfmigrate-plan, terraform-apply: Specify AWS_DEFAULT_REGION
It failed to run aws s3 cp because the region isn't specified.

    <botocore.awsrequest.AWSRequest object at 0x7f1eae1d0f00>

https://github.com/aws/aws-cli/issues/5262#issuecomment-705832151
Published by suzuki-shunsuke over 2 years ago
Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v0.4.4...v0.4.5 | Base revision
#131 Remove some fields from Job Configuration
Published by suzuki-shunsuke over 2 years ago
Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v0.4.3...v0.4.4 | Base revision
#58 #128 get-target-config: Support reading configuration from tfaction.yaml
You can configure the following fields in not only tfaction-root.yaml but also tfaction.yaml.

    aws_region:
    s3_bucket_name_plan_file:
    s3_bucket_name_tfmigrate_history:
    template_dir:
    gcs_bucket_name_plan_file:
    aws_assume_role_arn:
    gcp_service_account:
    gcp_workload_identity_provider:
    secrets:
    terraform_plan_config:
      aws_assume_role_arn: arn:aws:iam::000000000000:role/GitHubActions_Terraform_AWS_terraform_plan
    tfmigrate_plan_config:
      aws_assume_role_arn: arn:aws:iam::000000000000:role/GitHubActions_Terraform_AWS_tfmigrate_plan
    terraform_apply_config:
      aws_assume_role_arn: arn:aws:iam::000000000000:role/GitHubActions_Terraform_AWS_terraform_apply
    tfmigrate_apply_config:
      aws_assume_role_arn: arn:aws:iam::000000000000:role/GitHubActions_Terraform_AWS_tfmigrate_apply

⚠️ Note that target isn't supported.
Published by suzuki-shunsuke over 2 years ago
Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v0.4.2...v0.4.3 | Base revision
#126 tfmigrate-plan, terraform-plan: Stop checking plan file existence before removing plan file
#127 tfmigrate-plan: fix the template file path of tfmigrate.hcl
Published by suzuki-shunsuke over 2 years ago
Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v0.4.1...v0.4.2 | Base revision
#122 create-scaffold-pr: set TFACTION_JOB_TYPE
Fix the error.

    Run suzuki-shunsuke/tfaction/[email protected]
    Error: "environment variable TFACTION_JOB_TYPE is required"
Published by suzuki-shunsuke over 2 years ago
Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v0.4.0...v0.4.1 | Base revision
#121 scaffold-working-dir: set TFACTION_JOB_TYPE
Fix the error.

    Run suzuki-shunsuke/tfaction/[email protected]
      env:
        GITHUB_TOKEN: ***
        TFACTION_TARGET: gcp/suzuki-shunsuke-test-1
    Error: "environment variable TFACTION_JOB_TYPE is required"
Published by suzuki-shunsuke over 2 years ago
Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v0.3.0...v0.4.0 | Base revision
#111 Rename targets to target_groups in tfaction-root.yaml
#115 export-secrets: Change the structure of secrets in tfaction-root.yaml

AS IS

    secrets:
      <environment variable name>: <secret name>

TO BE

    secrets:
      - env_name: <environment variable name>
        secret_name: <secret name>

#107 #112 export-aws-secrets-manager
#107 #112 #114 Support getting secrets from AWS Secrets Manager
#116 Update github-action-tflint and github-action-tfsec: Change Reviewdog format from checkstyle to Reviewdog Diagnostic Format
#118 Fix invalid command: aws s3 delete
#117 #119 Fix create-follow-up-pr
Published by suzuki-shunsuke over 2 years ago
Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v0.3.0...v0.4.0-0 | Base revision
#111 Rename targets to target_groups in tfaction-root.yaml
#115 export-secrets: Change the structure of secrets in tfaction-root.yaml

AS IS

    secrets:
      <environment variable name>: <secret name>

TO BE

    secrets:
      - env_name: <environment variable name>
        secret_name: <secret name>

#107 #112 export-aws-secrets-manager
#107 #112 #114 Support getting secrets from AWS Secrets Manager
#116 Update github-action-tflint and github-action-tfsec: Change Reviewdog format from checkstyle to Reviewdog Diagnostic Format
Published by suzuki-shunsuke over 2 years ago
Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v0.2.1...v0.3.0 | Base revision
#92 The output format of list-targets has been changed from string to object
#101 Configuration structure was changed
The environment variable TFACTION_JOB_TYPE is required

The output format of list-targets has been changed from string to object

e.g.

    AS IS: github/foo
    TO BE: {target: 'github/foo', runs_on: 'ubuntu-latest'}

    tfmigrate:
      name: "tfmigrate (${{matrix.target.target}})" # CHANGED
      runs-on: ${{matrix.target.runs_on}} # CHANGED
      needs: setup
      if: "join(fromJSON(needs.setup.outputs.tfmigrate_targets), '') != ''"
      strategy:
        fail-fast: false
        matrix:
          target: ${{fromJSON(needs.setup.outputs.tfmigrate_targets)}}
      env:
        TFACTION_TARGET: ${{matrix.target.target}} # CHANGED

    terraform:
      name: "terraform (${{matrix.target.target}})" # CHANGED
      runs-on: ${{matrix.target.runs_on}} # CHANGED
      needs: setup
      if: "join(fromJSON(needs.setup.outputs.terraform_targets), '') != ''"
      strategy:
        fail-fast: false
        matrix:
          target: ${{fromJSON(needs.setup.outputs.terraform_targets)}}
      env:
        TFACTION_TARGET: ${{matrix.target.target}} # CHANGED

Configuration structure was changed

    terraform_plan_config:
      # aws_assume_role_arn
      # gcp_service_account
      # gcp_workload_identity_provider
      # environment
      # secrets
      # runs_on
      aws_assume_role_arn: arn:aws:iam::000000000000:role/GitHubActions_Terraform_AWS_terraform_plan
    tfmigrate_plan_config:
      aws_assume_role_arn: arn:aws:iam::000000000000:role/GitHubActions_Terraform_AWS_tfmigrate_plan
    terraform_apply_config:
      aws_assume_role_arn: arn:aws:iam::000000000000:role/GitHubActions_Terraform_AWS_terraform_apply
    tfmigrate_apply_config:
      aws_assume_role_arn: arn:aws:iam::000000000000:role/GitHubActions_Terraform_AWS_tfmigrate_apply

The environment variable TFACTION_JOB_TYPE is required

The value is either terraform or tfmigrate.

e.g. GitHub Actions Workflow

    tfmigrate-plan:
      env:
        TFACTION_TARGET: ${{matrix.target.target}}
        TFACTION_JOB_TYPE: tfmigrate

Support configuring GitHub Actions job's runs-on and environment per target group and job
Add export-secrets action

Support configuring GitHub Actions job's runs-on and environment per target group and job

e.g.

    targets:
    - target: atlas/
      # ...
      runs_on: ubuntu-18.04
      terraform_plan_config:
        runs_on: ubuntu-latest
        environment: pull_request
        # ...

Add export-secrets action

This is useful to change secrets per target and job.

    - uses: suzuki-shunsuke/tfaction/[email protected]
      with:
        secrets: ${{ toJSON(secrets) }}
    - uses: suzuki-shunsuke/tfaction/setup@main
      id: setup
      with:
        github_app_token: ${{ steps.generate_token.outputs.token }}

tfaction-root.yaml

    targets:
    - target: atlas/
      # ...
      runs_on: ubuntu-18.04
      terraform_plan_config:
        # ...
        secrets:
          # <environment variable name>: <secret name>
          ATLAS_API_KEY: ATLAS_API_KEY_READ_ONLY # Use read only API Key for pull request
      terraform_apply_config:
        # ...
        secrets:
          ATLAS_API_KEY: ATLAS_API_KEY
      # ...
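
The per-job secret mapping above, together with the v0.4.0 change of the secrets structure (#115), as an added example that is not the export-secrets action's own code: it selects, from the full `toJSON(secrets)` payload, only the variables configured for one job, accepting both the mapping and the list form. The function names and all secret values are constructed for the example.

```python
import json

# Constructed stand-in for the ${{ toJSON(secrets) }} input: every repository secret.
ALL_SECRETS = json.loads("""{
  "ATLAS_API_KEY": "constructed-read-write",
  "ATLAS_API_KEY_READ_ONLY": "constructed-read-only",
  "UNRELATED_TOKEN": "constructed-unrelated"
}""")

# Constructed target: the plan job uses the v0.3.0 mapping form,
# the apply job uses the v0.4.0 list form.
TARGET = {
    "target": "atlas/",
    "terraform_plan_config": {
        "secrets": {"ATLAS_API_KEY": "ATLAS_API_KEY_READ_ONLY"}},
    "terraform_apply_config": {
        "secrets": [{"env_name": "ATLAS_API_KEY", "secret_name": "ATLAS_API_KEY"}]},
}


def normalise(secrets):
    """Return (env_name, secret_name) pairs from either secrets structure."""
    if not secrets:
        return []
    if isinstance(secrets, dict):  # AS IS: {env_name: secret_name}
        return list(secrets.items())
    return [(s["env_name"], s["secret_name"]) for s in secrets]  # TO BE


def exports_for(target, job_key, all_secrets):
    """Environment variables to export for one job, and nothing else."""
    job_config = target.get(job_key) or {}
    env = {}
    for env_name, secret_name in normalise(job_config.get("secrets")):
        if secret_name not in all_secrets:
            # Fail closed: a typo must not leave the variable silently unset.
            raise KeyError(f"secret {secret_name!r} is not defined")
        env[env_name] = all_secrets[secret_name]
    return env


if __name__ == "__main__":
    for job in ("terraform_plan_config", "terraform_apply_config"):
        print(job, sorted(exports_for(TARGET, job, ALL_SECRETS)))
```

The plan job, which runs on pull requests, receives only the read-only key under the name ATLAS_API_KEY, and secrets that no job maps are never exported even though the whole secrets context is passed in.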