Framework for Monorepo to build high level Terraform Workflows by GitHub Actions
MIT License
Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v1.3.2...v1.4.0 | Base revision
#1325 #1611 setup: Support setting google-github-actions/auth's access_token_scopes
This update adds the setting gcp_access_token_scopes to enable tfaction to set google-github-actions/auth's access_token_scopes.
The format is the same as google-github-actions/auth's access_token_scopes.
tfaction-root.yaml
e.g.
targets:
  - working_directory: gcp/
    target: gcp/
    terraform_plan_config:
      gcp_access_token_scopes: 'https://www.googleapis.com/auth/cloud-platform, https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/apps.groups.settings, https://www.googleapis.com/auth/admin.directory.group'
tfaction.yaml
terraform_plan_config:
  gcp_access_token_scopes: 'https://www.googleapis.com/auth/cloud-platform, https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/apps.groups.settings, https://www.googleapis.com/auth/admin.directory.group'
Published by github-actions[bot] 7 months ago
Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v1.3.1...v1.3.2 | Base revision
#1574 #1612 Improve the error message if plan_workflow_name is wrong
Published by github-actions[bot] 7 months ago
https://github.com/suzuki-shunsuke/tfaction/compare/v1.3.1...v1.4.0-1
#1325 #1611 feat(setup): support setting google-github-actions/auth's access_token_scopes
Published by github-actions[bot] 7 months ago
Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v1.3.0...v1.3.1 | Base revision
#1564 #1593 export-secrets: Output secret names for troubleshooting
The action export-secrets outputs secret names passed to the action for troubleshooting.
The log is useful to check if secrets are passed to the action properly.
If secrets aren't passed properly, this isn't a bug in tfaction.
You have to check your workflow and the usage of tfaction.
#1590 #1591 Migrate Jest to Vitest @exoego
#1595 Throw an error object instead of a string
Published by github-actions[bot] 7 months ago
#1593 export-secrets: Output secret names for troubleshooting
The action export-secrets outputs secret names passed to the action for troubleshooting.
The log is useful to check if secrets are passed to the action properly.
If secrets aren't passed properly, this isn't a bug in tfaction.
You have to check your workflow and the usage of tfaction.
#1590 #1591 Migrate Jest to Vitest @exoego
Published by github-actions[bot] 7 months ago
Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v1.2.3...v1.3.0 | Base revision
#1528 Run CI on working directories that depend on an updated local path Module @exoego
https://suzuki-shunsuke.github.io/tfaction/docs/feature/local-path-module
By default, tfaction runs CI on only working directories where any code is updated.
This means that even if a working directory depends on a local path Module outside the working directory and the module is updated, CI isn't run on the working directory.
e.g.
working directory A/
modules/
  module B
This release enables you to run CI on the working directory A too.
To do that, please update tfaction-root.yaml as follows.
tfaction-root.yaml
update_local_path_module_caller:
  enabled: true
This feature depends on terraform-config-inspect, so you have to install it.
As with other tools, you can install terraform-config-inspect with aqua.
e.g.
packages:
  - name: hashicorp/terraform-config-inspect
    version: a34142ec2a72dd916592afd3247dd354f1cc7e5c
In that case, Go is required.
If this feature is enabled, when a module is updated in a pull request, CI is run on working directories depending on the module.
The module dependency is checked recursively.
For example, in the above case if the module B depends on a module C and module C is updated in a pull request,
CI is run on the working directory A even if the working directory A and the module B aren't updated.
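The recursive check described above, as an added example (not tfaction's own code): given the local-path module sources each directory declares, it walks the caller graph to find the working directories that need CI. The directory names and the input shape are assumptions, standing in for what a tool such as terraform-config-inspect reports.

```typescript
// Added example, not tfaction's code; layout and input shape are constructed.
type ModuleCalls = Record<string, string[]>;

// Resolve a relative `source` against the directory that declares it.
function resolveSource(dir: string, source: string): string {
  const parts: string[] = [];
  for (const seg of (dir + "/" + source).split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") parts.pop();
    else parts.push(seg);
  }
  return parts.join("/");
}

// Invert the call graph: module directory -> directories calling it directly.
function buildCallers(calls: ModuleCalls): Record<string, string[]> {
  const callers: Record<string, string[]> = {};
  for (const dir of Object.keys(calls)) {
    for (const src of calls[dir] || []) {
      if (!/^\.\.?\//.test(src)) continue; // registry or git source, not a local path
      const mod = resolveSource(dir, src);
      const list = callers[mod] || (callers[mod] = []);
      if (list.indexOf(dir) < 0) list.push(dir);
    }
  }
  return callers;
}

// Working directories needing CI: those changed themselves plus every one
// that reaches a changed module through any chain of local-path calls.
function affectedWorkingDirs(
  calls: ModuleCalls, workingDirs: string[], changedDirs: string[],
): string[] {
  const callers = buildCallers(calls);
  const seen = changedDirs.slice(); // also stops a cyclic graph from looping
  const queue = changedDirs.slice();
  while (queue.length > 0) {
    const dir = queue.shift() as string;
    for (const caller of callers[dir] || []) {
      if (seen.indexOf(caller) < 0) { seen.push(caller); queue.push(caller); }
    }
  }
  return workingDirs.filter((wd) => seen.indexOf(wd) >= 0).sort();
}

// Constructed layout: A -> modules/B -> modules/C; D uses only a registry module.
const moduleCalls: ModuleCalls = {
  A: ["../modules/B"], "modules/B": ["../C"], D: ["terraform-aws-modules/vpc/aws"],
};
console.log(affectedWorkingDirs(moduleCalls, ["A", "D"], ["modules/C"])); // [ 'A' ]
```

A change to modules/C selects A through modules/B, while D, which calls no local-path module, is selected only when D itself changes.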
Thank you for your contribution!
@exoego #1528
Published by github-actions[bot] 7 months ago
Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v1.2.2...v1.2.3 | Base revision
#1583 test-module: Fix a bug that a Module document isn't updated by terraform-docs in case of pull_request_target event
#1584 test-module: Fix a bug that a Module document isn't updated by terraform-docs properly if terraform-docs's output.file is set
Published by github-actions[bot] 7 months ago
Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v1.2.1...v1.2.2 | Base revision
#1578 test-module: Run terraform init to install providers and modules before running linters such as tflint
tflint expect that all referenced modules will be already installed and described in our manifest.
Published by github-actions[bot] 7 months ago
https://github.com/suzuki-shunsuke/tfaction/compare/v1.2.2-1...v1.2.2-1 | Base revision
#1576 #1578 test-module: Run terraform init to install providers and modules
Published by github-actions[bot] 7 months ago
Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v1.2.0...v1.2.1 | Base revision
#1572 apply: Fix a bug that the template invalid-workflow-sha isn't found
Published by github-actions[bot] 8 months ago
Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v1.1.1...v1.2.0 | Base revision
#1554 Support executing Terraform compatible tools such as OpenTofu and Terragrunt instead of Terraform
[!CAUTION]
We don't usually use OpenTofu and Terragrunt, so we have done only simple verification.
https://suzuki-shunsuke.github.io/tfaction/docs/feature/use-terraform-compatible-tool/
tfaction executes Terraform commands such as terraform init, fmt, validate, plan, apply, and so on.
This release enables you to execute any tools compatible with Terraform instead of Terraform.
You can use tools such as OpenTofu and Terragrunt instead of Terraform.
You can specify a tool by the setting terraform_command in tfaction-root.yaml and tfaction.yaml.
tfaction-root.yaml
terraform_command: tofu # terragrunt
target_groups:
  - working_directory: aws/
    terraform_command: tofu # terragrunt
tfaction.yaml
terraform_command: tofu # terragrunt
Then the given command is executed instead of terraform.
For example, if terraform_command is tofu, commands such as tofu init, fmt, validate, plan, apply are executed instead of terraform.
You can also combine OpenTofu and Terragrunt.
Set terraform_command to terragrunt.
Set TERRAGRUNT_TFPATH to tofu.
terraform_command
You can validate terraform_command in GitHub Actions Workflows.
e.g.
- uses: suzuki-shunsuke/tfaction/[email protected]
  id: target-config
- run: |
    echo "::error:: terraform_command is invalid"
    exit 1
  if: |
    ! contains(fromJSON('["terraform", "terragrunt", "tofu"]'), steps.target-config.outputs.terraform_command)
Published by github-actions[bot] 8 months ago
Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v1.1.0...v1.1.1 | Base revision
#1538 chore(deps): update suzuki-shunsuke/trivy-config-action action to v0.2.2
You can specify Trivy's configuration file path by the environment variable TRIVY_CONFIG in GitHub Actions Workflows.
env:
  TRIVY_CONFIG: ${{ github.workspace }}/trivy.yaml
Published by github-actions[bot] 8 months ago
Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v1.0.4...v1.1.0 | Base revision
#1519 Allow conftest policy directory to be specified in global config
Published by github-actions[bot] 8 months ago
https://github.com/suzuki-shunsuke/tfaction/compare/v1.1.0-1...v1.1.0-1 | Base revision
#1519 Allow conftest policy directory to be specified in global config
Published by github-actions[bot] 9 months ago
Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v1.0.3...v1.0.4 | Base revision
#1512 #1513 list-targets-with-changed-files: Fix a bug that the action list-targets-with-changed-files failed due to the error Error: "[object Object]" is not valid JSON in the apply workflow
Published by github-actions[bot] 9 months ago
Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v1.0.2...v1.0.3 | Base revision
#1474 Format codes with prettier
#1475 Remove codes regarding the deprecated setting s3_bucket_name_plan_file
#1476 Remove codes regarding the deprecated setting gcs_bucket_name_plan_file
#1479 Refactor TypeScript
Published by github-actions[bot] 9 months ago
Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v1.0.1...v1.0.2 | Base revision
#1471 test: fix a bug that *.tf isn't formatted automatically by terraform fmt if the event type is pull_request_target
Published by github-actions[bot] 10 months ago
Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v1.0.0...v1.0.1 | Base revision
#1398 #1407 release-module: Fix a bug that tfaction can't release modules located in 2+ levels of directories
Published by github-actions[bot] 10 months ago
Issues | Pull Requests | https://github.com/suzuki-shunsuke/tfaction/compare/v0.7.3...v1.0.0 | Base revision
Thank you for your contribution!
Especially, thank you @rrreeeyyy and @nari-ex from Topotal, inc.
They cooperated in the test of v1! https://github.com/suzuki-shunsuke/tfaction/issues/1349
github_app_token were removed #1343 #1291
Support destroying resources with terraform plan's -destroy option.
If you want to destroy all resources, please set destroy: true in tfaction.yaml.
tfaction.yaml
destroy: true
https://github.com/suzuki-shunsuke/tfaction/releases/tag/v0.7.3
aqua g -i open-policy-agent/conftest
aqua init
aqua g -i terraform-linters/tflint aquasecurity/trivy hashicorp/terraform
We don't recommend it, but if you don't want to add aqua.yaml to the working directory's templates and want to keep the previous behaviour, you can keep generating aqua.yaml automatically.
tfaction-root.yaml
scaffold_working_directory:
  skip_adding_aqua_packages: false
Please follow the official migration guide.
https://github.com/aquasecurity/tfsec#-tfsec-to-trivy-migration
And remove tfsec from aqua.yaml and add trivy to aqua.yaml
aqua g -i aquasecurity/trivy
We don't recommend it, but if you don't want to migrate tfsec to trivy, you can keep using tfsec instead of trivy.
tfaction-root.yaml
tfsec:
  enabled: true
trivy:
  enabled: false
github_token and rename inputs github_app_token to github_token
tfaction creates pull requests and pushes commits using github_token.
To trigger new workflow runs, github_token should be a GitHub access token issued by a GitHub App rather than the GitHub Actions token ${{github.token}}.
When you use the repository's GITHUB_TOKEN to perform tasks, events triggered by the GITHUB_TOKEN, with the exception of workflow_dispatch and repository_dispatch, will not create a new workflow run.
Before
- uses: suzuki-shunsuke/tfaction/[email protected]
  with:
    github_token: ${{ github.token }}
    github_app_token: ${{ steps.generate_token.outputs.token }}
After
- uses: suzuki-shunsuke/tfaction/[email protected]
  with:
    github_token: ${{ steps.generate_token.outputs.token }}
module_path
TFACTION_MODULE_PATH
and TFACTION_MODULE_TEMPLATE_DIR
Before
on:
  workflow_dispatch:
    inputs:
      module_path:
        description: 'module path'
        required: true
jobs:
  scaffold:
    # ...
    steps:
      # ...
      - uses: suzuki-shunsuke/tfaction/[email protected]
        with:
          github_token: ${{steps.generate_token.outputs.token}}
          module_path: ${{inputs.module_path}}
After
on:
  workflow_dispatch:
    inputs:
      module_path:
        description: 'module path'
        required: true
      template_dir: # Add the input
        type: choice
        default: templates/module-aws
        options:
          - templates/module-aws
jobs:
  scaffold:
    # ...
    env: # Set environment variables
      TFACTION_MODULE_PATH: ${{inputs.module_path}}
      TFACTION_MODULE_TEMPLATE_DIR: ${{inputs.template_dir}}
    steps:
      # ...
      - uses: suzuki-shunsuke/tfaction/[email protected]
        with: # Remove the input module_path
          github_token: ${{steps.generate_token.outputs.token}}
      - uses: suzuki-shunsuke/tfaction/[email protected]
        with:
          github_token: ${{steps.generate_token.outputs.token}}
Before
- uses: suzuki-shunsuke/tfaction/[email protected]
After
- uses: suzuki-shunsuke/tfaction/[email protected]
Published by github-actions[bot] 11 months ago