Terraform and GitHub Actions

Neill Turner
May 20, 2021 · 2 min read

Overview

GitHub Actions are a great way to automate Terraform pipelines. The best approach is to set up a GitHub self-hosted runner inside your own infrastructure. That way the runner obtains AWS credentials locally (for example from an instance profile) and you keep your AWS credentials out of GitHub's infrastructure.

GitHub Workflow

The terraform-github-actions repository contains an example workflow for Terraform and GitHub Actions.

A good approach is to run the workflow on every pull request without the terraform apply step, so the plan can be reviewed, and to include the terraform apply step only when the change is merged into the main branch.

It's also good to use Terraform workspaces for the different environments, and AWS assumed roles so the same pipeline can work with multiple AWS accounts.

Tests

It’s important to include tests. I suggest:

  • tfsec for security scanning before running Terraform
  • inspec for testing after running Terraform

tfsec can check for standard insecure configuration like AWS security groups open to all IP addresses.

InSpec tests run after terraform apply to check the correctness of the deployed AWS infrastructure. Create a profile directory to hold the InSpec tests against AWS.

NOTE: you need to be authenticated against a valid AWS account to run the tests.

The terraform directory of terraform-github-actions contains a test project using S3 buckets with known-bad Terraform to run tfsec against. The project has a number of issues that are known to fail tfsec checks.
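The following workflow ties the pieces above together: plan on pull requests, apply only on merge to main, a tfsec scan before Terraform touches AWS, a workspace per environment, an assumed role for the target account, and an InSpec run after apply. It is an added example, not the workflow shipped in terraform-github-actions. It assumes a self-hosted runner (label `self-hosted`) with terraform, tfsec and inspec installed, an instance profile on that runner that is allowed to assume the deployment role, an InSpec profile in `test/inspec`, and placeholder values for the role ARN, region and workspace names.

```yaml
# Added example workflow (not the terraform-github-actions repo's own file).
# Assumptions: self-hosted runner with terraform, tfsec and inspec on PATH;
# runner instance profile may assume the deployment role; InSpec profile in
# test/inspec. Role ARN, region and workspace names are placeholders.
name: terraform

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

permissions:
  contents: read

env:
  TF_IN_AUTOMATION: "true"
  TF_INPUT: "false"
  AWS_REGION: eu-west-1                                   # placeholder
  # One workspace per environment: merges to main go to prod, PRs to dev.
  TF_WORKSPACE_NAME: ${{ github.event_name == 'push' && 'prod' || 'dev' }}

jobs:
  terraform:
    runs-on: self-hosted
    defaults:
      run:
        working-directory: terraform
    steps:
      - uses: actions/checkout@v3

      # Short-lived credentials from an assumed role in the target account.
      # The runner's instance profile is the source identity, so no
      # long-lived AWS keys are stored as GitHub secrets.
      - uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: arn:aws:iam::123456789012:role/terraform-deploy   # placeholder
          aws-region: ${{ env.AWS_REGION }}

      # Static security scan of the HCL before anything talks to AWS.
      # A failing check fails the job, so insecure configuration such as a
      # security group open to 0.0.0.0/0 never reaches plan or apply.
      - name: tfsec
        run: tfsec .

      - name: terraform init
        run: terraform init

      # Select the environment workspace, creating it on first use.
      - name: terraform workspace
        run: terraform workspace select "$TF_WORKSPACE_NAME" || terraform workspace new "$TF_WORKSPACE_NAME"

      - name: terraform validate
        run: terraform validate

      # Pull requests stop here: the saved plan is the review artifact.
      - name: terraform plan
        run: terraform plan -out=tfplan

      # Apply only when the change has been merged to main.
      - name: terraform apply
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        run: terraform apply tfplan

      # Verify the resulting AWS infrastructure with InSpec (inspec-aws
      # resource pack); runs with the same assumed-role credentials.
      - name: inspec
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        run: inspec exec ../test/inspec -t aws://
```

The `if:` conditions on the apply and InSpec steps are the whole gate between "review" and "deploy": a pull request from a fork can trigger the plan but never the apply. Because tfsec runs before `terraform init`, a scan failure costs nothing in AWS API calls, and because the InSpec step uses the same assumed-role credentials as Terraform, the post-apply tests see exactly the account that was changed.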

References

https://github.com/neillturner/terraform-github-actions

https://wahlnetwork.com/2020/05/12/continuous-integration-with-github-actions-and-terraform/
https://github.com/WahlNetwork/github-action-terraform
https://learn.hashicorp.com/tutorials/terraform/github-actions
https://medium.com/@dnorth98/automated-terraform-deployments-to-aws-with-github-actions-c590c065c179

https://github.com/tfsec/tfsec-example-project
https://github.com/tfsec/tfsec
https://github.com/reviewdog/action-tfsec
https://www.owenrumney.co.uk/running-tfsec-as-a-github-action

https://github.com/inspec/inspec-aws
https://docs.chef.io/inspec/resources/

keywords: terraform github actions CI CD tfsec inspec AWS self hosted runner
