Automated Plan/Apply in CI/CD Pipelines

Advanced20 min

Set up automated Terraform plan and apply workflows in GitHub Actions or GitLab CI with proper safeguards.

Prerequisites

-Terraform installed
-Remote backend configured
-CI/CD platform access (GitHub Actions or GitLab CI)

Steps

Create the GitHub Actions workflow file

Set up a workflow that runs terraform plan on pull requests and apply on merge to main.

$ mkdir -p .github/workflows && cat <<'EOF' > .github/workflows/terraform.yml name: Terraform on: pull_request: branches: [main] push: branches: [main] env: TF_VERSION: "1.7.0" jobs: plan: runs-on: ubuntu-latest if: github.event_name == 'pull_request' steps: - uses: actions/checkout@v4 - uses: hashicorp/setup-terraform@v3 with: terraform_version: ${{ env.TF_VERSION }} - run: terraform init - run: terraform validate - run: terraform plan -no-color -out=tfplan - uses: actions/upload-artifact@v4 with: name: tfplan path: tfplan EOF

Use -no-color in CI to avoid ANSI escape codes in log output.

Add the apply job for main branch

Add a job that applies changes only when code is merged to the main branch.

$ cat <<'EOF' >> .github/workflows/terraform.yml apply: runs-on: ubuntu-latest if: github.ref == 'refs/heads/main' && github.event_name == 'push' environment: production steps: - uses: actions/checkout@v4 - uses: hashicorp/setup-terraform@v3 with: terraform_version: ${{ env.TF_VERSION }} - run: terraform init - run: terraform apply -auto-approve EOF

The -auto-approve flag skips confirmation. This is only safe when gated by PR review and environment protection rules.

Configure cloud credentials as secrets

Add cloud provider credentials to your CI/CD platform's secret store.

$ gh secret set AWS_ACCESS_KEY_ID --body "AKIA..." gh secret set AWS_SECRET_ACCESS_KEY --body "wJal..."

Never commit credentials to the repository. Always use CI/CD secrets or OIDC federation.

Add PR comment with plan output

Post the terraform plan output as a comment on the pull request for team review.

$ cat <<'EOF' >> .github/workflows/terraform.yml - name: Comment Plan uses: actions/github-script@v7 if: github.event_name == 'pull_request' with: script: | const output = `#### Terraform Plan \`\`\`\n${{ steps.plan.outputs.stdout }}\`\`\` `; github.rest.issues.createComment({ issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo, body: output }); EOF

Add format and validation checks

Include terraform fmt and validate as early checks to catch formatting and syntax issues.

$ cat <<'EOF' > .github/workflows/terraform-checks.yml name: Terraform Checks on: pull_request jobs: checks: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: hashicorp/setup-terraform@v3 - name: Format Check run: terraform fmt -check -recursive - name: Init run: terraform init -backend=false - name: Validate run: terraform validate EOF

Run fmt -check first. It is the fastest check and catches the most common issues.

Set up environment protection rules

Add GitHub environment protection rules to require approval before applying to production.

$ gh api repos/{owner}/{repo}/environments/production -X PUT -f 'reviewers[][type]=User' -f 'reviewers[][id]=1'

Combine environment protection with branch protection rules for defense in depth.

Full Script

full-script.sh

#!/bin/bash
set -euo pipefail

# Terraform CI/CD Setup Script
# Creates GitHub Actions workflows for Terraform automation

echo "==> Creating workflow directories..."
mkdir -p .github/workflows

cat > .github/workflows/terraform.yml <<'WORKFLOW'
name: Terraform
on:
  pull_request:
    branches: [main]
    paths: ["**.tf", "**.tfvars"]
  push:
    branches: [main]
    paths: ["**.tf", "**.tfvars"]

permissions:
  contents: read
  pull-requests: write

env:
  TF_VERSION: "1.7.0"
  AWS_REGION: "us-east-1"

jobs:
  fmt-validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ env.TF_VERSION }}
      - run: terraform fmt -check -recursive
      - run: terraform init -backend=false
      - run: terraform validate

  plan:
    needs: fmt-validate
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ env.TF_VERSION }}
      - run: terraform init
      - id: plan
        run: terraform plan -no-color -out=tfplan
        continue-on-error: true
      - uses: actions/upload-artifact@v4
        with:
          name: tfplan
          path: tfplan
          retention-days: 5

  apply:
    needs: fmt-validate
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    environment: production
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ env.TF_VERSION }}
      - run: terraform init
      - run: terraform apply -auto-approve
WORKFLOW

echo "==> Workflow created at .github/workflows/terraform.yml"
echo ""
echo "Next steps:"
echo "  1. Set repository secrets: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY"
echo "  2. Create a 'production' environment with protection rules"
echo "  3. Push the workflow and open a PR to test"

FAQ

Discussion

Loading comments...

#!/bin/bash set -euo pipefail # Terraform CI/CD Setup Script # Creates GitHub Actions workflows for Terraform automation echo "==> Creating workflow directories..." mkdir -p .github/workflows cat > .github/workflows/terraform.yml <<'WORKFLOW' name: Terraform on: pull_request: branches: [main] paths: ["**.tf", "**.tfvars"] push: branches: [main] paths: ["**.tf", "**.tfvars"] permissions: contents: read pull-requests: write env: TF_VERSION: "1.7.0" AWS_REGION: "us-east-1" jobs: fmt-validate: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: hashicorp/setup-terraform@v3 with: terraform_version: ${{ env.TF_VERSION }} - run: terraform fmt -check -recursive - run: terraform init -backend=false - run: terraform validate plan: needs: fmt-validate runs-on: ubuntu-latest if: github.event_name == 'pull_request' env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} steps: - uses: actions/checkout@v4 - uses: hashicorp/setup-terraform@v3 with: terraform_version: ${{ env.TF_VERSION }} - run: terraform init - id: plan run: terraform plan -no-color -out=tfplan continue-on-error: true - uses: actions/upload-artifact@v4 with: name: tfplan path: tfplan retention-days: 5 apply: needs: fmt-validate runs-on: ubuntu-latest if: github.ref == 'refs/heads/main' && github.event_name == 'push' environment: production env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} steps: - uses: actions/checkout@v4 - uses: hashicorp/setup-terraform@v3 with: terraform_version: ${{ env.TF_VERSION }} - run: terraform init - run: terraform apply -auto-approve WORKFLOW echo "==> Workflow created at .github/workflows/terraform.yml" echo "" echo "Next steps:" echo " 1. Set repository secrets: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY" echo " 2. Create a 'production' environment with protection rules" echo " 3. Push the workflow and open a PR to test"