Dev.to

Terraform with GitHub Actions

Now that I can manipulate AWS infrastructure using Terraform, I want to automate the process of applying changes that I commit to my repository. To do this, I'll set up GitHub Actions. The workflow should: Trigger when I make changes in the terraform directory and push to the main branch Set up Terraform in the GitHub Actions environment Use AWS credentials securely Post the output of terraform plan as a PR comment for review Run terraform apply automatically after the PR is merged Important Note: The Terraform AWS provider searches for credentials in a specific order, as explained in the documentation. Locally, I want to use the shared credentials/configuration files. In GitHub Actions, I will instead use environment variables, setting them from Repository secrets in GitHub. I had to adjust the AWS provider configuration to support this setup. Here’s what my original provider configuration looked like: provider "aws" { shared_config_files = ["/Users/paulbenetis/.aws/config"] shared_credentials_files = ["/Users/paulbenetis/.aws/credentials"] profile = "default" default_tags { tags = { Project = "devops-toolkit" } } } Since GitHub Actions won't use shared config or credentials files, I removed those fields. The provider will still look for them automatically if necessary, according to its credential resolution order. I also removed the profile setting, because I only have a default profile locally, and Terraform uses that automatically. However, Terraform needs to know the AWS region. Since my region was previously set in the config file, I now need to explicitly define it for GitHub Actions. I use a terraform.tfvars file to set the region: aws_region = "us-east-1" I also created a variables.tf file to declare variables. (These declarations could be placed elsewhere, but I chose to keep them here for now.) variable "aws_region" { description = "AWS region" type = string } The resulting AWS provider configuration now looks like this: provider "aws" { region = var.aws_region default_tags { tags = { Project = "devops-toolkit" } } } Even though GitHub Actions could supply TF_VAR_aws_region as an environment variable, Terraform will use the value from terraform.tfvars when present. It’s important to know that Terraform checks environment variables first, then falls back to files like terraform.tfvars as described in variable precedence rules. Setting up the GitHub Actions Workflows I’ll set up two workflows: One to run terraform plan and post the output to the PR One to run terraform apply after the PR is merged Terraform Plan Workflow The workflow .github/workflows/terraform-plan.yaml is responsible for running the plan and posting it as a PR comment: name: Terraform Plan on: pull_request: branches: - main permissions: pull-requests: write jobs: terraform-plan: name: Terraform Plan and PR Comment runs-on: ubuntu-latest env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} defaults: run: working-directory: ./terraform steps: - name: Checkout Code uses: actions/checkout@v4.2.2 - name: Setup Terraform uses: hashicorp/setup-terraform@v3.1.2 with: terraform_version: 1.11.4 - name: Initialize Terraform run: terraform init - name: Validate Terraform run: terraform validate - name: Terraform Plan and Save Output run: terraform plan -no-color > plan_output.txt - name: Post Plan as PR Comment uses: marocchino/sticky-pull-request-comment@v2.9.2 with: path: terraform/plan_output.txt Each time I push a new commit to the feature branch, the terraform plan output will update the existing PR comment. The sticky-pull-request-comment action is great because it updates the previous comment instead of creating a new one every time. The required permission to allow GitHub Actions to modify PR comments is: permissions: pull-requests: write Terraform Apply Workflow The second workflow .github/workflows/terraform-apply.yaml will automatically apply the changes when the PR is merged to main: name: Terraform Apply on: push: branches: - main workflow_dispatch: jobs: terraform: name: Terraform Apply runs-on: ubuntu-latest env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} defaults: run: working-directory: ./terraform steps: - name: Checkout Code uses: actions/checkout@v4.2.2 - name: Setup Terraform uses: hashicorp/setup-terraform@v3.1.2 with: terraform_version: 1.11.4 - name: Initialize Terraform run: terraform

Apr 26, 2025 - 13:47
 0
Terraform with GitHub Actions

Now that I can manipulate AWS infrastructure using Terraform, I want to automate the process of applying changes that I commit to my repository. To do this, I'll set up GitHub Actions.

The workflow should:

  • Trigger when I make changes in the terraform directory and push to the main branch
  • Set up Terraform in the GitHub Actions environment
  • Use AWS credentials securely
  • Post the output of terraform plan as a PR comment for review
  • Run terraform apply automatically after the PR is merged

Important Note:

The Terraform AWS provider searches for credentials in a specific order, as explained in the documentation.

Locally, I want to use the shared credentials/configuration files.

In GitHub Actions, I will instead use environment variables, setting them from Repository secrets in GitHub.

I had to adjust the AWS provider configuration to support this setup.

Here’s what my original provider configuration looked like:

provider "aws" {
  shared_config_files      = ["/Users/paulbenetis/.aws/config"]
  shared_credentials_files = ["/Users/paulbenetis/.aws/credentials"]
  profile                  = "default"

  default_tags {
    tags = {
      Project = "devops-toolkit"
    }
  }
}

Since GitHub Actions won't use shared config or credentials files, I removed those fields.

The provider will still look for them automatically if necessary, according to its credential resolution order.

I also removed the profile setting, because I only have a default profile locally, and Terraform uses that automatically.

However, Terraform needs to know the AWS region. Since my region was previously set in the config file, I now need to explicitly define it for GitHub Actions.

I use a terraform.tfvars file to set the region:

aws_region = "us-east-1"

I also created a variables.tf file to declare variables. (These declarations could be placed elsewhere, but I chose to keep them here for now.)

variable "aws_region" {
  description = "AWS region"
  type        = string
}

The resulting AWS provider configuration now looks like this:

provider "aws" {
  region = var.aws_region

  default_tags {
    tags = {
      Project = "devops-toolkit"
    }
  }
}

Even though GitHub Actions could supply TF_VAR_aws_region as an environment variable, Terraform will use the value from terraform.tfvars when present.

It’s important to know that Terraform checks environment variables first, then falls back to files like terraform.tfvars as described in variable precedence rules.

Setting up the GitHub Actions Workflows

I’ll set up two workflows:

  • One to run terraform plan and post the output to the PR
  • One to run terraform apply after the PR is merged

Terraform Plan Workflow

The workflow .github/workflows/terraform-plan.yaml is responsible for running the plan and posting it as a PR comment:

name: Terraform Plan

on:
  pull_request:
    branches:
      - main

permissions:
  pull-requests: write

jobs:
  terraform-plan:
    name: Terraform Plan and PR Comment
    runs-on: ubuntu-latest
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    defaults:
      run:
        working-directory: ./terraform

    steps:
      - name: Checkout Code
        uses: actions/checkout@v4.2.2

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3.1.2
        with:
          terraform_version: 1.11.4

      - name: Initialize Terraform
        run: terraform init

      - name: Validate Terraform
        run: terraform validate

      - name: Terraform Plan and Save Output
        run: terraform plan -no-color > plan_output.txt

      - name: Post Plan as PR Comment
        uses: marocchino/sticky-pull-request-comment@v2.9.2
        with:
          path: terraform/plan_output.txt

Each time I push a new commit to the feature branch, the terraform plan output will update the existing PR comment.

The sticky-pull-request-comment action is great because it updates the previous comment instead of creating a new one every time.

The required permission to allow GitHub Actions to modify PR comments is:

permissions:
  pull-requests: write

Terraform Apply Workflow

The second workflow .github/workflows/terraform-apply.yaml will automatically apply the changes when the PR is merged to main:

name: Terraform Apply

on:
  push:
    branches:
      - main
  workflow_dispatch:

jobs:
  terraform:
    name: Terraform Apply
    runs-on: ubuntu-latest
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    defaults:
      run:
        working-directory: ./terraform

    steps:
      - name: Checkout Code
        uses: actions/checkout@v4.2.2

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3.1.2
        with:
          terraform_version: 1.11.4

      - name: Initialize Terraform
        run: terraform init

      - name: Validate Terraform
        run: terraform validate

      - name: Plan Terraform
        run: terraform plan

      - name: Apply Terraform
        if: github.ref == 'refs/heads/main'
        run: terraform apply -auto-approve

The workflow_dispatch: setting also allows me to manually trigger the workflow if needed.

In GitHub, the secrets.AWS_ACCESS_KEY_ID and secrets.AWS_SECRET_ACCESS_KEY are securely stored in the repository settings under Secrets.

The terraform apply step will only execute if changes are pushed to the main branch.

Testing the Setup

To test the automation, I added the following resource to my s3.tf file:

resource "aws_s3_bucket" "test_bucket" {
  bucket = "paulb-devops-toolkit-test-bucket"
}

After merging the PR into main, the GitHub Action ran and successfully created the S3 bucket in AWS!

Conclusion

With this setup, I now have a fully automated Terraform workflow:

  • PRs show the terraform plan output for easy review
  • Merging to main automatically applies the changes

This keeps infrastructure changes safe, reviewable, and reproducible — all powered by GitHub Actions!

Read More

Tags:

Previous Article

[TOC]Build a full-stack simple blog application

Next Article

How I Use AI to Design Webflow Sites 2x Faster

Related Posts

Soundcore Space One Headphones on Sale – Outstanding Sound Quality

Soundcore Space One Headphones on Sale – Outstanding So...

Apr 23, 2025  0

GPT 4.1, o3 and o4-mini are OpenAI's smartest, RIP JavaScript Records and Tuples, a new 800KB JavaScript runtime, and more

GPT 4.1, o3 and o4-mini are OpenAI's smartest, RIP Java...

Apr 20, 2025  0

How to Generate Procedural Audio Textures in the Browser (No Samples Needed)

How to Generate Procedural Audio Textures in the Browse...

Apr 24, 2025  0