3

As part of provisioning Google Cloud resources with GitHub Actions using Terraform, I need to bypass some input values using a Terraform variables file; the issue is THL does not support Golang.

I have tried to do the following:

  1. Create a GitHub Actions workflow with:

      workflow_dispatch:
        inputs:
          new_planet:
            description: 'Bucket Name'
            required: true
            default: 'some bucket'

At the end of the workflow there is:

      - name: terraform plan
        id: plan
        run: |
          terraform plan -var-file=variables.tf

In the variables.tf:

      variable "backend_bucket" {
        type = string
        default = ${{ github.event.inputs.new_planet }}
        description = "The backend bucket name"
      }

I will appreciate it if you have any idea how to bypass the input values from the workflow into the terraform.

Shay Pinchasi

1 Answer

2

You can use the backend-config option in the command line [1]. You would first need to configure the backend (e.g., by creating a backend.tf file) and add this:

      terraform {
        backend "s3" {
        }
      }

This way, you would be prompted for input every time you run terraform init. However, there is an additional CLI option, -input=false which prevents Terraform from asking for input. This snippet below will move into the directory where the Terraform code is (depending on the name of the repo, the directory name will be different) and run terraform init with the -backend-config options as well as -input set to false:

      - name: Terraform Init
        id: init
        run: |
          cd terraform-code
          terraform init -backend-config="bucket=${{ secrets.STATE_BUCKET_NAME }}" \
             -backend-config="key=${{ secrets.STATE_KEY }}" \
             -backend-config="region=${{ secrets.AWS_REGION }}" \
             -backend-config="access_key=${{ secrets.AWS_ACCESS_KEY_ID }}" \
             -backend-config="secret_key=${{ secrets.AWS_SECRET_ACCESS_KEY }}" \
             -input=false -no-color

I suppose you don't want the name of the bucket and other sensitive values to be hardcoded, so I suggest using GitHub Actions secrets [2].

After you set this up, you can run terraform plan without having to specify variables for the backend config. On the other hand, you could create a terraform.tfvars file in one of the previous steps so it can be consumed by plan step. Here is one of my examples:

      - name: Terraform Tfvars
        id: tfvars
        run: |
          cd terraform-code
          cat << EOF > terraform.tfvars 
            profile                 = "profilename"
            aws_region              = "us-east-1"
          EOF

You would finish off with the following snippet (note the -input=false again):

      - name: Terraform Plan
        id: plan
        run: |
          cd terraform-code        
          terraform plan -no-color -input=false
        continue-on-error: true

All of the Terraform part is available through the GitHub Action provided by HashiCorp [3].


[1] https://www.terraform.io/docs/language/settings/backends/configuration.html#partial-configuration

[2] https://docs.github.com/en/actions/security-guides/encrypted-secrets

[3] https://github.com/hashicorp/setup-terraform

Marko E
  • I am not sure you understood my issue and the backend was a bad example. – Shay Pinchasi Oct 25 '21 at 15:33
  • I did. You want to pass the backend bucket name as a variable but to avoid having to provide any input, hence I laid out how to do it properly without hardcoding anything. – Marko E Oct 25 '21 at 19:28
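
An added example (not part of either post above): a shell helper for the `run:` step that reads the workflow_dispatch input from an environment variable instead of interpolating `${{ ... }}` into the script or into variables.tf, validates it, and writes it to terraform.tfvars as the answer's tfvars step does. The `NEW_PLANET` environment variable, the function names and the allow-list are assumptions of this example.

```shell
#!/bin/sh
# Added example: validate a workflow_dispatch input and write terraform.tfvars.
# Assumed workflow wiring (not from the original posts):
#   env:
#     NEW_PLANET: ${{ github.event.inputs.new_planet }}
# The value arrives as data in the environment, not as script text.
LC_ALL=C   # make the a-z ranges below byte-wise and locale independent

# Allow-list (an assumption of this example): 3-63 characters from
# lowercase letters, digits, '.', '_' and '-', alphanumeric at both ends.
valid_bucket_name() {
  [ "${#1}" -ge 3 ] && [ "${#1}" -le 63 ] || return 1
  case "$1" in
    *[!a-z0-9._-]*) return 1 ;;          # quotes, spaces, newlines, ${...}
    [!a-z0-9]*|*[!a-z0-9]) return 1 ;;   # bad first or last character
  esac
  return 0
}

# Write the backend_bucket variable from the question into a tfvars file.
# $1 = bucket name, $2 = output path (defaults to terraform.tfvars).
write_tfvars() {
  if ! valid_bucket_name "$1"; then
    echo "invalid bucket name, terraform.tfvars not written" >&2
    return 1
  fi
  printf 'backend_bucket = "%s"\n' "$1" > "${2:-terraform.tfvars}"
}

# In the workflow step: only act when the input was actually provided.
if [ -n "${NEW_PLANET:-}" ]; then
  write_tfvars "$NEW_PLANET" || exit 1
fi
```

Because the file is named terraform.tfvars, a following `terraform plan -input=false` loads it automatically. The question's default value of 'some bucket' is rejected by this check because it contains a space.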