
[BUG]: Terraform plan hangs/freezes when used in a GitHub Actions workflow AND auth is based on GitHub App

Open tiberium opened this issue 1 year ago • 6 comments

Expected Behavior

terraform plan should work in a GitHub Actions workflow with authentication based on GitHub App (using PEM file as the private key).

Actual Behavior

When I try to run terraform plan -out=plan in a GitHub Action, and I set the envs to provide the GitHub App configuration (all three envs set correctly: GITHUB_APP_ID, GITHUB_APP_INSTALLATION_ID, GITHUB_APP_PEM_FILE), the GitHub Actions job freezes/hangs after doing a few Refreshing state... operations.

When executed from a local machine, outside the GitHub Actions context, with the same terraform file, with the same envs, and the same terraform version, the terraform plan operation works as expected. It seems to me that the problem only exists when the terraform command is executed on the GitHub Actions runner. Tested on two runners: ubuntu-latest and arc-runner-set (k8s).

When using PAT generated from the GitHub App, the behavior is correct - the terraform plan command works as expected both locally and on the GitHub Actions runner.

Terraform Version

Terraform v1.7.1

GitHub Provider v6.2.1 (tested also with v6.0.1, same behavior)

Affected Resource(s)

Affects the basic terraform plan command (at least) when executed in a GitHub Actions job context AND the auth is based on GitHub App.

Terraform Configuration Files

No response

Steps to Reproduce

jobs:
  terraform-plan:
    runs-on: [ ubuntu-latest ]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Setup terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: 1.7.1
          terraform_wrapper: false

      - name: Configure AWS
        # To access the state file
        # ...

      - name: Terraform init
        run: terraform init

      - name: Terraform plan
        env:
          GITHUB_OWNER: ***
          GITHUB_APP_ID: ***
          GITHUB_APP_INSTALLATION_ID: ***
          GITHUB_APP_PEM_FILE: ***
        run: terraform plan -out=${{ runner.temp }}/plan

Debug Output

No response

Panic Output

No response

Code of Conduct

  • [X] I agree to follow this project's Code of Conduct

tiberium avatar Apr 25 '24 11:04 tiberium

Seems that we have the same issue in our setup, the plan gets stuck while reading its state:

TF version 1.8.5 Provider Version: 6.2.2

bahag-hammera avatar Jul 03 '24 13:07 bahag-hammera

I am also having this issue, did anyone ever find a resolution or workaround?

TF version 1.10.5 Provider version 6.3.1

mhosker avatar Feb 19 '25 23:02 mhosker

To follow up on my above comment, I have tried:

  • Giving the app all permissions to rule out a permissions issue.
  • Adding an empty app_auth {} block under the provider block.
  • Running locally and all works fine.

For note I am using a GitHub actions shared runner in a free GitHub org - I am starting to think that the free org may be having an impact... as I have seen this work in an enterprise org with the same config...

mhosker avatar Feb 19 '25 23:02 mhosker

I don't know, but maybe it helps you @mhosker 👇 I was providing some vars with environment variables. So for a variable username you have to create an env var TF_VAR_username. Unfortunately this is case sensitive, so TF_VAR_USERNAME will not work. Also, it might be worth running the command like this: terraform plan -input=false because if the cli expects a variable that is not provided, then it won't hang waiting for input.

roncsak avatar Feb 25 '25 09:02 roncsak

👋 Hey Friends, this issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please add the Status: Pinned label if you feel that this issue needs to remain open/active. Thank you for your contributions and help in keeping things tidy!

github-actions[bot] avatar Dec 07 '25 02:12 github-actions[bot]

Hey there 👋

Thanks for raising this issue! I'm sorry to hear that you are facing this problem.

If someone can currently reproduce this, could you add the TF_LOG=DEBUG env variable?

We're running a pretty similar GHA workflow against GHEC and not seeing this issue

deiga avatar Dec 09 '25 08:12 deiga

> I don't know, but maybe it helps you @mhosker 👇 I was providing some vars with environment variables. So for a variable username you have to create an env var TF_VAR_username. Unfortunately this is case sensitive, so TF_VAR_USERNAME will not work. Also, it might be worth running the command like this: terraform plan -input=false because if the cli expects a variable that is not provided, then it won't hang waiting for input.

the above comment is underliked.

Indeed it hung waiting for input. Could only see it after -input=false

hq9000 avatar Dec 20 '25 13:12 hq9000

> > I don't know, but maybe it helps you @mhosker 👇 I was providing some vars with environment variables. So for a variable username you have to create an env var TF_VAR_username. Unfortunately this is case sensitive, so TF_VAR_USERNAME will not work. Also, it might be worth running the command like this: terraform plan -input=false because if the cli expects a variable that is not provided, then it won't hang waiting for input.
>
> the above comment is underliked.
>
> Indeed it hung waiting for input. Could only see it after -input=false

Yeah, it's recommended to always set -input false with Terraform when running in "CI"

deiga avatar Dec 20 '25 13:12 deiga
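A pre-plan check, added here as an example and not code from the issue or the provider project, that turns the advice above (case-sensitive TF_VAR_<name>, always -input=false in CI) into a step you can run before terraform plan: it lists root-module variables without a default and fails loudly when a matching TF_VAR_<name> is not exported, instead of the plan silently waiting for a prompt on the runner. It assumes a single .tf file with one block per `variable "name" {` and no nested blocks inside it; the sample module below is constructed.

```shell
#!/usr/bin/env sh
# Added example (not from the issue or the provider): verify TF_VAR_ inputs
# before `terraform plan -input=false`, so a missing variable fails the job
# rather than hanging on an interactive prompt that CI can never answer.

# Print the names of variables declared in "$1" that have no default, one per
# line. Assumes one `variable "name" {` per block and no nested blocks.
required_vars() {
  awk '
    /^[[:space:]]*variable[[:space:]]+"[^"]+"/ {
      name = $0; sub(/^[^"]*"/, "", name); sub(/".*/, "", name)
      has_default = 0; in_block = 1; next
    }
    in_block && /^[[:space:]]*default[[:space:]]*=/ { has_default = 1 }
    in_block && /^[[:space:]]*}/ { if (!has_default) print name; in_block = 0 }
  ' "$1"
}

# Return 0 when every required variable has TF_VAR_<name> exported with the
# exact case Terraform expects (TF_VAR_username, not TF_VAR_USERNAME);
# otherwise list the missing names on stderr and return 1.
check_tf_vars() {
  missing=""
  for v in $(required_vars "$1"); do
    case "$v" in
      *[!A-Za-z0-9_]*) echo "skipping '$v': not a valid env var name" >&2; continue ;;
    esac
    eval "val=\${TF_VAR_$v+set}"   # "set" only if the variable is exported
    [ "$val" = "set" ] || missing="$missing $v"
  done
  [ -z "$missing" ] && return 0
  echo "missing TF_VAR_ for:$missing (plan would wait for input)" >&2
  return 1
}

# Constructed sample root module: "username" is required, "team" has a default.
TF_SAMPLE=$(mktemp)
cat > "$TF_SAMPLE" <<'EOF'
variable "username" {
  type = string
}
variable "team" {
  type    = string
  default = "platform"
}
EOF

# Demo: the wrong-case name does not count; the exact-case name does.
export TF_VAR_USERNAME=bob
check_tf_vars "$TF_SAMPLE" || echo "fix the env, then run: terraform plan -input=false"
export TF_VAR_username=bob
check_tf_vars "$TF_SAMPLE" && echo "inputs present: terraform plan -input=false can run"
```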