tfaction

Framework for Monorepo to build high level Terraform Workflows by GitHub Actions

MIT License


tfaction - v1.4.0 Latest Release

Published by github-actions[bot] 6 months ago

Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v1.3.2...v1.4.0 | Base revision

Features

#1325 #1611 setup: Support setting google-github-actions/auth's access_token_scopes

This update adds the setting gcp_access_token_scopes to enable tfaction to set google-github-actions/auth's access_token_scopes.

The format is the same as google-github-actions/auth's access_token_scopes.

tfaction-root.yaml

e.g.

targets:
- working_directory: gcp/
  target: gcp/
  terraform_plan_config:
    gcp_access_token_scopes: 'https://www.googleapis.com/auth/cloud-platform, https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/apps.groups.settings, https://www.googleapis.com/auth/admin.directory.group'

tfaction.yaml

terraform_plan_config:
  gcp_access_token_scopes: 'https://www.googleapis.com/auth/cloud-platform, https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/apps.groups.settings, https://www.googleapis.com/auth/admin.directory.group'

tfaction - v1.3.2

Published by github-actions[bot] 7 months ago

Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v1.3.1...v1.3.2 | Base revision

Fixes

#1574 #1612 Improve the error message if plan_workflow_name is wrong

tfaction - v1.4.0-1

Published by github-actions[bot] 7 months ago

https://github.com/suzuki-shunsuke/tfaction/compare/v1.3.1...v1.4.0-1

Features

#1325 #1611 feat(setup): support setting google-github-actions/auth's access_token_scopes

tfaction - v1.3.1

Published by github-actions[bot] 7 months ago

Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v1.3.0...v1.3.1 | Base revision

Others

#1564 #1593 export-secrets: Output secret names for troubleshooting

The action export-secrets outputs secret names passed to the action for troubleshooting.
The log is useful to check if secrets are passed to the action properly.

If secrets aren't passed properly, this isn't a bug of tfaction.
You have to check your workflow and the usage of tfaction.

#1590 #1591 Migrate Jest to Vitest @exoego

#1595 Throw an error object instead of a string

tfaction - v1.3.1-1

Published by github-actions[bot] 7 months ago

Base revision

#1593 export-secrets: Output secret names for troubleshooting

The action export-secrets outputs secret names passed to the action for troubleshooting.
The log is useful to check if secrets are passed to the action properly.

If secrets aren't passed properly, this isn't a bug of tfaction.
You have to check your workflow and the usage of tfaction.

#1590 #1591 Migrate Jest to Vitest @exoego

tfaction - v1.3.0

Published by github-actions[bot] 7 months ago

Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v1.2.3...v1.3.0 | Base revision

Features

#1528 Run CI on working directories that depend on an updated local path Module @exoego

https://suzuki-shunsuke.github.io/tfaction/docs/feature/local-path-module

By default, tfaction runs CI on only working directories where any code is updated.
This means that even if a working directory depends on a local path Module located outside the working directory and that module is updated, CI isn't run on the working directory.

e.g.

  • A working directory A depends on local path Module B
  • Module B is located outside the working directory A
  • In a pull request C, working directory A isn't changed but the module B is changed
  • Then CI isn't run on the working directory A by default

working directory A/
modules/
  module B

This release enables you to run CI on the working directory A too.
To do that, please update tfaction-root.yaml as follows.

tfaction-root.yaml

update_local_path_module_caller:
  enabled: true

This feature depends on terraform-config-inspect, so you have to install it.
As with other tools, you can install terraform-config-inspect with aqua.

e.g.

packages:
  - name: hashicorp/terraform-config-inspect
    version: a34142ec2a72dd916592afd3247dd354f1cc7e5c

In that case, Go is required.

If this feature is enabled, when a module is updated in a pull request, CI is run on working directories depending on the module.
The module dependency is checked recursively.
For example, in the above case if the module B depends on a module C and module C is updated in a pull request,
CI is run on the working directory A even if the working directory A and the module B aren't updated.
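The recursive caller lookup described above, as an added example (not tfaction's own code). It assumes the module sources declared in each directory have already been extracted, for instance with terraform-config-inspect; the names resolveSource and callersToRun and the sample layout are constructed for illustration.

```javascript
// Added example with constructed input; not tfaction's implementation.
// Resolve a relative module source against the directory that declares it.
function resolveSource(fromDir, source) {
  const parts = [];
  for (const seg of `${fromDir}/${source}`.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") parts.pop();
    else parts.push(seg);
  }
  return parts.join("/");
}

// moduleCalls maps a directory to the module sources it declares.
// Returns the working directories that need CI for the given changed directories.
function callersToRun(moduleCalls, workingDirs, changedDirs) {
  // Reverse edges: module directory -> directories that call it.
  const calledBy = new Map();
  for (const [dir, sources] of Object.entries(moduleCalls)) {
    for (const src of sources) {
      // Only local paths count; registry and git sources are skipped.
      if (!src.startsWith("./") && !src.startsWith("../")) continue;
      const target = resolveSource(dir, src);
      if (!calledBy.has(target)) calledBy.set(target, new Set());
      calledBy.get(target).add(dir);
    }
  }
  // Breadth-first walk up the callers; the seen set also stops cycles.
  const seen = new Set(changedDirs);
  const queue = [...changedDirs];
  while (queue.length > 0) {
    const cur = queue.shift();
    for (const caller of calledBy.get(cur) ?? []) {
      if (seen.has(caller)) continue;
      seen.add(caller);
      queue.push(caller);
    }
  }
  return workingDirs.filter((d) => seen.has(d)).sort();
}

// Constructed layout: working directory aws/a -> modules/b -> modules/c.
const sampleCalls = {
  "aws/a": ["../../modules/b", "terraform-aws-modules/vpc/aws"],
  "modules/b": ["../c"],
  "aws/unrelated": [],
};
const sampleWorkingDirs = ["aws/a", "aws/unrelated"];
console.log(callersToRun(sampleCalls, sampleWorkingDirs, ["modules/c"]));
```

A change to a shared module alters what every caller applies, so the plan of each returned working directory is what a reviewer needs to see before merge.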

🎉 New Contributors

Thank you for your contribution!

@exoego #1528

tfaction - v1.2.3

Published by github-actions[bot] 7 months ago

Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v1.2.2...v1.2.3 | Base revision

Bug Fixes

#1583 test-module: Fix a bug that a Module document isn't updated by terraform-docs in case of pull_request_target event
#1584 test-module: Fix a bug that a Module document isn't updated by terraform-docs properly if terraform-docs's output.file is set

tfaction - v1.2.2

Published by github-actions[bot] 7 months ago

Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v1.2.1...v1.2.2 | Base revision

Bug Fixes

#1578 test-module: Run terraform init to install providers and modules before running linters such as tflint

tflint expects that all referenced modules will be already installed and described in our manifest.

https://github.com/terraform-linters/tflint/blob/66c7be71b6b18bbd4cd93ce843098acd5dc74642/terraform/loader.go#L126-L141

tfaction - v1.2.2-1

Published by github-actions[bot] 7 months ago

https://github.com/suzuki-shunsuke/tfaction/compare/v1.2.2-1...v1.2.2-1 | Base revision

Bug Fixes

#1576 #1578 test-module: Run terraform init to install providers and modules

tfaction - v1.2.1

Published by github-actions[bot] 7 months ago

Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v1.2.0...v1.2.1 | Base revision

Bug Fixes

#1572 apply: Fix a bug the template invalid-workflow-sha isn't found

tfaction - v1.2.0

Published by github-actions[bot] 8 months ago

Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v1.1.1...v1.2.0 | Base revision

Features

#1554 Support executing Terraform compatible tools such as OpenTofu and Terragrunt instead of Terraform

[!CAUTION]
We don't usually use OpenTofu and Terragrunt, so we have done only simple verification.

https://suzuki-shunsuke.github.io/tfaction/docs/feature/use-terraform-compatible-tool/

tfaction executes Terraform commands such as terraform init, fmt, validate, plan, apply, and so on.
This release enables you to execute any tools compatible with Terraform instead of Terraform.
You can use tools such as OpenTofu and Terragrunt instead of Terraform.

How to use

You can specify a tool by the setting terraform_command in tfaction-root.yaml and tfaction.yaml.

tfaction-root.yaml

terraform_command: tofu # terragrunt
target_groups:
  - working_directory: aws/
    terraform_command: tofu # terragrunt

tfaction.yaml

terraform_command: tofu # terragrunt

Then the given command is executed instead of terraform.
For example, if terraform_command is tofu, commands such as tofu init, fmt, validate, plan, apply are executed instead of terraform.

💡 Combine OpenTofu and Terragrunt

You can also combine OpenTofu and Terragrunt.

  1. Set terraform_command to terragrunt
  2. Set the environment variable TERRAGRUNT_TFPATH to tofu

💡 Validate terraform_command

You can validate terraform_command in GitHub Actions Workflows.

e.g.

- uses: suzuki-shunsuke/tfaction/[email protected]
  id: target-config

- run: |
    echo "::error:: terraform_command is invalid"
    exit 1
  if: |
    ! contains(fromJSON('["terraform", "terragrunt", "tofu"]'), steps.target-config.outputs.terraform_command)

tfaction - v1.1.1

Published by github-actions[bot] 8 months ago

Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v1.1.0...v1.1.1 | Base revision

Fixes

#1538 chore(deps): update suzuki-shunsuke/trivy-config-action action to v0.2.2

You can specify Trivy's configuration file path with the environment variable TRIVY_CONFIG in GitHub Actions Workflows.

env:
  TRIVY_CONFIG: ${{ github.workspace }}/trivy.yaml

tfaction - v1.1.0

Published by github-actions[bot] 8 months ago

Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v1.0.4...v1.1.0 | Base revision

Features

#1519 Allow conftest policy directory to be specified in global config

tfaction - v1.1.0-1

Published by github-actions[bot] 8 months ago

https://github.com/suzuki-shunsuke/tfaction/compare/v1.1.0-1...v1.1.0-1 | Base revision

Features

#1519 Allow conftest policy directory to be specified in global config

tfaction - v1.0.4

Published by github-actions[bot] 9 months ago

Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v1.0.3...v1.0.4 | Base revision

Bug Fixes

#1512 #1513 list-targets-with-changed-files: Fix a bug that the action list-targets-with-changed-files failed due to the error Error: "[object Object]" is not valid JSON in the apply workflow

tfaction - v1.0.3

Published by github-actions[bot] 9 months ago

Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v1.0.2...v1.0.3 | Base revision

Refactoring

#1474 Format codes with prettier
#1475 Remove codes regarding the deprecated setting s3_bucket_name_plan_file
#1476 Remove codes regarding the deprecated setting gcs_bucket_name_plan_file
#1479 Refactor TypeScript

  • Add unit tests using Jest
  • Remove copy and paste and share codes properly
  • Refactor TypeScript using features such as optional chaining
  • Use zod

tfaction - v1.0.2

Published by github-actions[bot] 9 months ago

Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v1.0.1...v1.0.2 | Base revision

Bug Fixes

#1471 test: fix a bug that *.tf isn't formatted automatically by terraform fmt if the event type is pull_request_target

tfaction - v1.0.1

Published by github-actions[bot] 10 months ago

Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v1.0.0...v1.0.1 | Base revision

Bug Fixes

#1398 #1407 release-module: Fix a bug that tfaction can't release modules that is more than 2+ level of directories

tfaction - v1.0.0

Published by github-actions[bot] 10 months ago

Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v0.7.3...v1.0.0 | Base revision

🎉 Finally, tfaction v1 is out 🎉

Thank you for your contribution!
Especially, thank you @rrreeeyyy and @nari-ex from Topotal, inc.
They cooperated in testing v1! https://github.com/suzuki-shunsuke/tfaction/issues/1349

Overviews

  • ⚠️ Breaking Changes
    • #1286 #1291 list-targets: Outputs terraform_targets and tfmigrate_targets are removed
    • #1284 #1291 scaffold-working-dir: Stop adding conftest to aqua.yaml
    • #1285 #1291 get-global-config: Skip creating aqua.yaml by default
    • #1283 #1291 get-global-config: Enable trivy and disable tfsec by default
    • #1282 #1291 actions inputs github_app_token were removed
    • #1340 #1291 scaffold-module: Separate the action with two actions
  • Features
    • #1343 #1291 Support destroying resources
  • Others
    • #1290 #1291 Upgrade Node.js to 20

Features

Support destroying resources

#1343 #1291

Support destroying resources with terraform plan's -destroy option.
If you want to destroy all resources, please set destroy: true in tfaction.yaml.

tfaction.yaml

destroy: true

How to upgrade

  1. Merge jobs for terraform and tfmigrate according to the guide

https://github.com/suzuki-shunsuke/tfaction/releases/tag/v0.7.3

  2. Add conftest to aqua.yaml on the repository root directory

aqua g -i open-policy-agent/conftest

  3. Remove conftest from aqua.yaml on each working directory
  4. Add aqua.yaml to working directory's templates

aqua init
aqua g -i terraform-linters/tflint aquasecurity/trivy hashicorp/terraform

We don't recommend it, but if you don't want to add aqua.yaml to working directory's templates and want to keep the previous behaviour, you can keep generating aqua.yaml automatically.

tfaction-root.yaml

scaffold_working_directory:
  skip_adding_aqua_packages: false

  5. Migrate tfsec to trivy

Please follow the official migration guide.

https://github.com/aquasecurity/tfsec#-tfsec-to-trivy-migration

Then remove tfsec from aqua.yaml and add trivy to aqua.yaml.

aqua g -i aquasecurity/trivy

We don't recommend it, but if you don't want to migrate tfsec to trivy, you can keep using tfsec instead of trivy.

tfaction-root.yaml

tfsec:
  enabled: true
trivy:
  enabled: false

  6. Remove inputs github_token and rename inputs github_app_token to github_token

tfaction creates pull requests and pushes commits using github_token.
To trigger new workflow runs, github_token should be a GitHub access token issued by a GitHub App rather than the GitHub Actions token ${{github.token}}.

https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow

When you use the repository's GITHUB_TOKEN to perform tasks, events triggered by the GITHUB_TOKEN, with the exception of workflow_dispatch and repository_dispatch, will not create a new workflow run.

Before

      - uses: suzuki-shunsuke/tfaction/[email protected]
        with:
          github_token: ${{ github.token }}
          github_app_token: ${{ steps.generate_token.outputs.token }}

After

      - uses: suzuki-shunsuke/tfaction/[email protected]
        with:
          github_token: ${{ steps.generate_token.outputs.token }}

  7. Fix the workflow to scaffold Terraform Modules
  • Remove the input module_path
  • Set environment variables TFACTION_MODULE_PATH and TFACTION_MODULE_TEMPLATE_DIR
  • Add templates for scaffolding Terraform Modules example

Before

on:
  workflow_dispatch:
    inputs:
      module_path:
        description: 'module path'
        required: true
jobs:
  scaffold:
    # ...
    steps:
      # ...
      - uses: suzuki-shunsuke/tfaction/[email protected]
        with:
          github_token: ${{steps.generate_token.outputs.token}}
          module_path: ${{inputs.module_path}}

After

on:
  workflow_dispatch:
    inputs:
      module_path:
        description: 'module path'
        required: true
      template_dir: # Add the input
        type: choice
        default: templates/module-aws
        options:
          - templates/module-aws
jobs:
  scaffold:
    # ...
    env: # Set environment variables
      TFACTION_MODULE_PATH: ${{inputs.module_path}}
      TFACTION_MODULE_TEMPLATE_DIR: ${{inputs.template_dir}}
    steps:
      # ...
      - uses: suzuki-shunsuke/tfaction/[email protected]
        with: # Remove the input module_path
          github_token: ${{steps.generate_token.outputs.token}}
      - uses: suzuki-shunsuke/tfaction/[email protected]
        with:
          github_token: ${{steps.generate_token.outputs.token}}

  8. Upgrade actions to v1

Before

      - uses: suzuki-shunsuke/tfaction/[email protected]

After

      - uses: suzuki-shunsuke/tfaction/[email protected]

Example
