Terraform module for S3 bucket backed state
This is an initial proof of concept for an alternative to Terraform Cloud. The idea is to deploy resources to supported Cloud Service Providers from GitHub Actions rather than from Terraform Cloud. The GitHub repository performing the deployment is granted the permissions it needs against the Cloud Service Provider through OIDC, so no long-lived cloud access keys are stored in the repository. Terraform state files are stored in an S3 bucket, with a DynamoDB table used for locking. The approach used here was developed before AWS S3 supported strong consistency; strong consistency does not replace the lock, since the S3 backend still relies on DynamoDB to stop two concurrent runs from writing the same state file. The components are:
- Source Control: GitHub Repository
- Workflow: GitHub Actions
- Terraform Remote Backend: AWS S3 with DynamoDB locking
- Terraform Target: AWS
```yaml
---
name: "Terraform CI with S3 Backend"
on:
  push:
    branches: [main]
env:
  BUCKET_NAME: ${{ secrets.AWS_S3_BUCKET_NAME }}
  AWS_REGION: "ca-central-1"
# Permissions can be set at the job level or the workflow level.
# id-token: write lets the job request a GitHub OIDC token to exchange for AWS credentials.
permissions:
  id-token: write
  contents: read # This is required for actions/checkout@v2
defaults:
  run:
    working-directory: workload # Where the Terraform config lives
jobs:
  TerraformCI:
    runs-on: ubuntu-latest
    steps:
      # Consider pinning third-party actions to a commit SHA rather than a floating tag.
      - name: Git clone the repository
        uses: actions/checkout@v2
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          role-session-name: GitHubOidcTestSession
          aws-region: ${{ env.AWS_REGION }}
      # Ref for Terraform versions: https://releases.hashicorp.com/terraform/
      - uses: hashicorp/setup-terraform@v1
        with:
          terraform_version: 1.0.11
      - name: Terraform Init
        id: init
        # The bucket name comes from a secret rather than the committed backend block;
        # this assumes the backend "s3" block in the config leaves `bucket` unset.
        run: terraform init -backend-config="bucket=${BUCKET_NAME}"
      - name: Terraform Fmt
        id: fmt
        # -check reports unformatted files instead of rewriting them; without it
        # fmt always exits 0 and continue-on-error would never apply.
        run: terraform fmt -check
        continue-on-error: true
      - name: Terraform Validate
        id: validate
        run: terraform validate
      - name: Terraform Plan
        id: plan
        # Save the plan so the apply step executes exactly what was planned.
        run: terraform plan -no-color -out=tfplan
      - name: Terraform Apply
        id: apply
        run: terraform apply -auto-approve tfplan
```