
Ability to pass the plan to the terraform-apply action

Open doktor500 opened this issue 3 years ago • 1 comments

Suggestion

It would be great to be able to pass the output from the terraform-plan GitHub action as an input to the terraform-apply action since it is quite common to have workflows where we would benefit from running the plan in advance before a deployment step while tests are running etc. and pass the output of the plan to the apply step with the aim to speed up the overall workflow time significantly.

doktor500 avatar Jun 07 '22 12:06 doktor500

Before using this GHA suite, we were using something similar to the block below to save the TFplan file as an artifact and download it later in the apply job.

---
name: pr-plan

on:
  pull_request:
    branches: [main]

# prevents multiple workflows from accessing Terraform state
concurrency:
  group: terraform-lock

permissions:
  contents: read  # This is required for actions/checkout

env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

jobs:
  plan:
    runs-on: ubuntu-latest
    name: Terraform Plan
    steps:
      # Generates an execution plan for Terraform
      - name: Terraform Plan
        id: terraform-plan
        run: terraform plan -out=/tmp/${{workspace-id}}.plan.out

      - name: Upload Plan To Artifacts
        uses: actions/upload-artifact@v2
        with:
          name: ${{github.event.number}}-${{workspace-id}}.plan.out
          path: /tmp/${{workspace-id}}.plan.out

---
name: apply-approved-plan
concurrency:
  group: terraform-lock

permissions:
  contents: read  # This is required for actions/checkout
  pull-requests: read  # This is required for gh-find-current-pr

env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

jobs:
  apply:
    runs-on: ubuntu-latest
    name: Terraform Apply
    steps:

      # This action sends a request to GitHub to find the PR associated with the current SHA, and returns its number in the number output.
      - uses: jwalton/gh-find-current-pr@v1
        id: findPr
        with:
          state: all  # By default, gh-find-current-pr will only return open PRs, setting to "all" to pick "open" and "closed" as example

      # Download plan file from the plan workflow
      - uses: dawidd6/action-download-artifact@v2
        id: download-plan
        env:
          PR_NUMBER: ${{ steps.findPr.outputs.pr }}
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          workflow: ${{workspace-id}}.yaml
          workflow_conclusion: success
          name: ${{ env.PR_NUMBER }}-${{workspace-id}}.plan.out
          path: /tmp
          pr: ${{ env.PR_NUMBER }}

      # Terraform init and apply the downloaded plan
      - name: Terraform Apply
        run: terraform apply /tmp/${{workspace-id}}.plan.out

thiagoalmeidasa avatar Jul 26 '22 12:07 thiagoalmeidasa

I've had to hack this


on:
  pull_request:
    branches: [main]

concurrency:
  group: terraform-lock

jobs:
  plan:
    runs-on: ubuntu-latest
    name: Plan
    env:
      TERRAFORM_ACTIONS_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: terraform plan
        id: plan
        uses: dflook/terraform-plan@v1
        env: # environment variable
          GITHUB_APP_PEM_FILE: ${{ secrets.HUB_APP_PEM_FILE }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: us-west-1
          TERRAFORM_PRE_RUN: ln -s /github/workspace/plan.out /tmp/plan.out 
        with:
          path: tf
          parallelism: 20
      - name: Upload Plan To Artifacts
        uses: actions/upload-artifact@v3
        with:
          name: plan.out
          path: plan.out
----
name: apply-approved-plan
on:
  pull_request:
    branches: [main]
    types: [closed]
concurrency:
  group: terraform-lock
jobs:
  apply:
    runs-on: ubuntu-latest
    name: Terraform Apply
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        
      - uses: dawidd6/action-download-artifact@v2
        id: download-plan
        with:
          workflow: createplan.yml
          workflow_conclusion: success
          name: plan.out
          path: /tmp
          pr: ${{github.event.pull_request.number}}

      # Terraform init and apply the downloaded plan
      - uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: 1.3.6
      - name: Terraform Apply
        env: # environment variable
          GITHUB_APP_PEM_FILE: ${{ secrets.HUB_APP_PEM_FILE }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: us-west-1
        id: apply
        run: cd tf && terraform init && terraform apply /tmp/plan.out
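      - uses: actions/github-script@v6
        env:
          # Pass step results through the environment instead of expanding
          # them into the script source, so backticks or ${...} in the apply
          # output cannot break or change the script
          APPLY_OUTCOME: ${{ steps.apply.outcome }}
          APPLY_STDOUT: ${{ steps.apply.outputs.stdout }}
        with:
          script: |
            const output = `
              #### Terraform Apply 📖\`${process.env.APPLY_OUTCOME}\`

              <details><summary>Apply</summary>

              \`\`\`\n
              ${process.env.APPLY_STDOUT}
              \`\`\`

              </details>

              *Pushed by: @${context.actor}, Action: \`${context.eventName}\`*`;
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: output
            })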

stephenrjohnson avatar Dec 01 '22 00:12 stephenrjohnson

This was added in v1.40.0. There is a plan_path input for dflook/terraform-apply and a matching plan_path output for dflook/terraform-plan.

dflook avatar Jan 10 '24 12:01 dflook
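
The `plan_path` output and input named in the last comment, wired across two jobs with a digest check before apply. This is an added example, not part of the thread or the project's documentation. The workflow name, the `tf` directory, the `tfplan` artifact name and the `@v4` artifact actions are assumptions, as is the `plan_path` output being readable from a `run` step on the runner; credentials, backend configuration and the action's plan-approval settings are left out.

```yaml
# Added example. "plan-then-apply", "tf" and "tfplan" are assumed names.
name: plan-then-apply
on:
  push:
    branches: [main]
concurrency:
  group: terraform-lock
permissions:
  contents: read
jobs:
  plan:
    runs-on: ubuntu-latest
    outputs:
      plan_sha256: ${{ steps.stage.outputs.sha256 }}
    steps:
      - uses: actions/checkout@v4
      - uses: dflook/terraform-plan@v1
        id: plan
        with:
          path: tf
      # Copy the plan to a fixed name and record its digest as a job output
      - id: stage
        env:
          PLAN_PATH: ${{ steps.plan.outputs.plan_path }}
        run: |
          cp "$PLAN_PATH" tfplan
          echo "sha256=$(sha256sum tfplan | cut -d' ' -f1)" >> "$GITHUB_OUTPUT"
      # Plan files can hold secret values in cleartext: keep retention short
      - uses: actions/upload-artifact@v4
        with:
          name: tfplan
          path: tfplan
          retention-days: 1
  apply:
    needs: plan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          name: tfplan
      # Refuse to apply anything other than the file the plan job produced
      - env:
          EXPECTED: ${{ needs.plan.outputs.plan_sha256 }}
        run: echo "$EXPECTED  tfplan" | sha256sum --check -
      - uses: dflook/terraform-apply@v1
        with:
          path: tf
          plan_path: tfplan
```

The artifact is readable by anyone with read access to the repository's workflow runs, so the short retention matters when the plan contains provider credentials or resource secrets.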