Contains composite GitHub actions for use with Terraform AWS Module workflows

clowdhaus/terraform-composite-actions

Terraform Composite GitHub :octocat: Actions

Contains composite GitHub actions used within Terraform AWS Module projects.

Actions

The clowdhaus/terraform-composite-actions/commit action will commit any changes back to your git-branch. When used in conjunction with clowdhaus/terraform-composite-actions/pre-commit, this action will ensure that pull-requests are well formatted and the automatically generated documentation is updated.

GitHub Token Permissions

A GitHub personal access token is required for the action to commit and push any changes back to the specified branch.

Directories

⚠️ Access Tokens & Pull-Requests from Forked Repositories ⚠️

When using this action from a forked copy, it will only succeed if one of the following two conditions is met:

  1. The user who has forked the project creates a GitHub personal access token with the defined permissions and stores it in their forked repository under the same name as the upstream secret (defined in the workflow file).
  2. The entity that controls the source repository extends access to the secret to forks, as described in https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/. Be mindful of what this means: extending secret access to forked repositories means those forks could potentially retrieve those secret values.

jobs:
  commit:
    name: Commit changes
    runs-on: ubuntu-latest
    steps:
      - name: Commit changes
        uses: clowdhaus/terraform-composite-actions/commit@main
        with:
          git-branch: ${{ github.event.pull_request.head.ref }}
          github-repository: ${{github.event.pull_request.head.repo.full_name}}
          github-token: ${{ secrets.YOUR_GITHUB_PAT }}
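
For maintainers who decide not to extend the secret to forks, the commit job can be skipped for fork pull requests instead of failing. The workflow below is an added example, not part of the project's README; the workflow name, the `pull_request` trigger and the `fork-notice` job are assumptions, and the action inputs are the ones shown above.

```yaml
# Added example: workflow name, trigger and the fork-notice job are assumptions.
name: pre-commit-autofix
on:
  pull_request:

jobs:
  commit:
    name: Commit changes
    runs-on: ubuntu-latest
    # Run only when the PR head branch lives in the repository this workflow
    # runs in. A PR opened from a fork against upstream has a different head
    # repository, so the job is skipped and the upstream token is never read.
    # Inside the fork itself (condition 1 above) head and base match, so the
    # job runs with the token the fork owner stored under the same name.
    if: github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - name: Commit changes
        uses: clowdhaus/terraform-composite-actions/commit@main
        with:
          git-branch: ${{ github.event.pull_request.head.ref }}
          github-repository: ${{ github.event.pull_request.head.repo.full_name }}
          github-token: ${{ secrets.YOUR_GITHUB_PAT }}

  fork-notice:
    name: Fork pull request
    runs-on: ubuntu-latest
    # Complement of the guard above: tell the contributor why nothing was pushed.
    if: github.event.pull_request.head.repo.full_name != github.repository
    steps:
      - name: Explain why nothing was committed
        run: echo "::notice::Changes are not committed back for pull requests from forks. Run pre-commit locally and push the result."
```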

The clowdhaus/terraform-composite-actions/directories action will return a list of directories that contain a versions.tf, where the presence of a versions.tf file is loosely representative of a Terraform project root directory. This is useful for running a set of commands in each Terraform root directory under a given project.

jobs:
  directories:
    name: Get Terraform directories
    runs-on: ubuntu-latest
    steps:
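      - name: Get Terraform directories
        uses: clowdhaus/terraform-composite-actions/directories@main
        id: search
      - name: Outputs
        # Pass the output through env rather than interpolating it into the script
        env:
          DIRECTORIES: ${{ steps.search.outputs.directories }}
        run: echo "$DIRECTORIES"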

The clowdhaus/terraform-composite-actions/pre-commit action will install the following tools which are intended to support the pre-commit hooks used within Terraform modules:

Default

  • pre-commit
  • terraform using provided terraform-version input (required)
  • tflint using provided tflint-version input (default = latest)
  • terraform-docs using provided terraform-docs-version input (default = v0.16.0)

Optional

  • tfsec, when install-tfsec=true (default = false), using provided tfsec-version input (default = 1.28.0)
  • hcledit, when install-hcledit=true (default = false), using provided hcledit-version input (default = 0.2.3)

Example

jobs:
  pre-commit:
    name: Pre-commit hooks execute
    runs-on: ubuntu-latest
    steps:
      - name: Execute pre-commit hooks
        uses: clowdhaus/terraform-composite-actions/pre-commit@main
        with:
          # Configure default software
          terraform-version: 1.2.0
          terraform-docs-version: v0.16.0
          terraform-architecture: amd64
          # Configure optional software
          install-hcledit: true
          hcledit-version: 0.2.3
          args: "--all-files --color always --show-diff-on-failure"

License

Apache-2.0 Licensed. See LICENSE.