Automating Infrastructure with GitHub Actions and HashiCorp Terraform
Introduction
In the world of modern software development, managing infrastructure as code (IaC) has become a vital practice. By leveraging tools like HashiCorp Terraform and GitHub Actions, development teams can automate their infrastructure workflows, ensuring consistency, reducing manual errors, and improving collaboration. This article will guide you through setting up and automating infrastructure deployments on AWS using GitHub Actions in conjunction with HashiCorp's HCP Terraform.
Why Use GitHub Actions with HCP Terraform?
Using GitHub Actions combined with HashiCorp Terraform is a common practice among development teams embarking on their IaC journey. GitHub Actions is a powerful tool that allows you to automate workflows directly from your code repository. However, as your infrastructure grows, managing it solely through GitHub Actions can lead to configuration drift—a scenario where the actual state of infrastructure diverges from its desired state.
To mitigate this, running Terraform configurations remotely via HCP Terraform is recommended. HCP Terraform is a managed cloud platform that ensures safer handling of resource creation, modification, and deletion. It offers robust systems and safeguards for team management and drift prevention, making it more effective than running configurations on GitHub Actions runners.
Workflow Overview
This guide will demonstrate how to use HCP Terraform to define AWS infrastructure and use GitHub Actions to automate changes. The process involves setting up a GitHub Actions workflow that interacts with HCP Terraform to deploy AWS resources such as Amazon EC2 instances.
Prerequisites
Before we dive into the setup, ensure you have the following:
- AWS Account: An AWS account with permissions to create resources.
- HCP Terraform Account: A workspace set up in HCP Terraform.
- GitHub Account: A repository for storing your Terraform configuration files.
- Terraform CLI: Installed on your local machine for testing purposes.
Adding AWS Credentials to HCP Terraform
To allow HCP Terraform to deploy resources in AWS, you need to securely provide AWS credentials. Set the AWS access key and secret access key (the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables) in your HCP Terraform workspace, marking them as sensitive so they cannot be read back from the UI or API. Follow this guide for detailed instructions.
Adding HCP Terraform Token to GitHub Actions
Fetch your TF_API_TOKEN by following the instructions in the HCP Terraform documentation. This token allows GitHub Actions to interact with your HCP Terraform workspace.
- Open your GitHub repository.
- Navigate to Settings -> Secrets -> Actions.
- Add a new repository secret named TF_API_TOKEN and paste the API token into the value field.
Creating the GitHub Actions Workflow
With credentials set up, the next step is to create a GitHub Actions workflow. Below is an example of a workflow YAML file that defines a job with steps to initialize, plan, apply, and destroy Terraform configurations.
```yaml
name: AWS Infra Creation Using HCP Terraform

on:
  workflow_call:
    secrets:
      TF_API_TOKEN:
        required: true
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  workflow_dispatch:

env:
  tfcode_path: tfcloud_samples/amazon_ec2
  tfc_organisation: demo-tf-org
  tfc_hostname: app.terraform.io
  tfc_workspace: demo-tf-workspace

jobs:
  aws_tfc_job:
    name: Create AWS Infra Using TFC
    runs-on: ubuntu-latest

    steps:
      - name: Checkout tf code in runner environment
        uses: actions/checkout@v3.5.2

      - name: Setup Terraform CLI
        uses: hashicorp/setup-terraform@v2.0.2
        with:
          # Writes the HCP Terraform token into the runner's CLI config
          cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}

      - name: Terraform init and validate
        run: |
          pwd
          echo " Running Terraform Init"
          terraform init
          echo " Running Terraform Validate"
          terraform validate
        working-directory: ${{ env.tfcode_path }}

      - name: Terraform Plan
        # Creates a plan-only (speculative) run in the HCP Terraform workspace
        uses: hashicorp/tfc-workflows-github/actions/create-run@v1.3.0
        id: run
        with:
          workspace: ${{ env.tfc_workspace }}
          plan_only: true
          message: "Plan Run from GitHub Actions"
          hostname: ${{ env.tfc_hostname }}
          token: ${{ secrets.TF_API_TOKEN }}
          organization: ${{ env.tfc_organisation }}

      - name: Terraform Plan Output
        uses: hashicorp/tfc-workflows-github/actions/plan-output@v1.3.0
        id: plan-output
        with:
          hostname: ${{ env.tfc_hostname }}
          token: ${{ secrets.TF_API_TOKEN }}
          organization: ${{ env.tfc_organisation }}
          plan: ${{ steps.run.outputs.plan_id }}

      - name: Reference Plan Output
        run: |
          echo "Plan status: ${{ steps.plan-output.outputs.plan_status }}"
          echo "Resources to Add: ${{ steps.plan-output.outputs.add }}"
          echo "Resources to Change: ${{ steps.plan-output.outputs.change }}"
          echo "Resources to Destroy: ${{ steps.plan-output.outputs.destroy }}"

  apply_terraform_plan:
    needs: aws_tfc_job
    # Apply only on a manual trigger; pushes and pull requests stop at the plan
    if: github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3.5.2

      - name: Setup Terraform CLI
        uses: hashicorp/setup-terraform@v2.0.2
        with:
          cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}

      - name: Terraform init and validate
        run: |
          pwd
          echo " Running Terraform Init"
          terraform init
          echo " Running Terraform Validate"
          terraform validate
        working-directory: ${{ env.tfcode_path }}

      - name: Terraform Apply
        run: echo " Running Terraform Apply"; terraform apply -auto-approve
        working-directory: ${{ env.tfcode_path }}

      - name: Terraform Destroy
        run: echo " Running Terraform Destroy"; terraform destroy -auto-approve
        working-directory: ${{ env.tfcode_path }}
```
Workflow Breakdown
Define the Triggers
The workflow will be triggered by various events such as pushes, pull requests to the main branch, or manual triggers via the GitHub Actions interface.
Configure Environment Variables
Specify environment variables like `tfcode_path`, `tfc_organisation`, `tfc_hostname`, and `tfc_workspace` to point to your Terraform configurations and HCP Terraform workspace.
Define Jobs
Each automation step is defined inside the `jobs` block. The first job clones the repository into the runner environment. The next steps set up the Terraform CLI, initialize and validate Terraform, and run a plan to check the proposed infrastructure changes.
Terraform Plan and Apply
The workflow runs `terraform plan` (here as a plan-only run in HCP Terraform, created with the create-run action) to preview the changes and outputs the plan status and resource changes. After reviewing the plan, the `terraform apply` command is executed to apply the changes; the apply job is gated with `if: github.event_name == 'workflow_dispatch'`, so pushes and pull requests only ever produce a plan. Optionally, you can add a `terraform destroy` step to clean up resources, especially useful in non-production environments.
Security and Further Learning
Integrating GitHub Actions with HCP Terraform provides a secure and efficient way to manage infrastructure. HCP Terraform workspaces can be configured with environment variables or dynamic credentials, ensuring that sensitive information is handled securely. The GitHub Actions workflow doesn’t directly handle credentials, reducing the risk of compromised credentials.
HCP Terraform also offers features like access controls, a private module registry, and policy enforcement to ensure that infrastructure changes are compliant with organizational policies.
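To make the credential boundary above concrete, here is an added example (not code from the original article) of the Terraform configuration the workflow expects under `tfcode_path`; the `cloud` block binds the runner's `terraform init`/`apply` to the HCP Terraform workspace named in the workflow's `env`, so the runner holds only TF_API_TOKEN and the AWS keys never leave the workspace. The AMI ID and region are assumed placeholders.

```hcl
# Added example, not part of the original article: the Terraform configuration
# the workflow expects under tfcode_path (tfcloud_samples/amazon_ec2).
# The cloud block is what makes `terraform init` / `apply` on the GitHub runner
# hand execution to the HCP Terraform workspace: the runner only needs
# TF_API_TOKEN, and the AWS keys stay as variables in that workspace.
terraform {
  required_version = ">= 1.3.0"

  cloud {
    hostname     = "app.terraform.io" # env.tfc_hostname in the workflow
    organization = "demo-tf-org"      # env.tfc_organisation
    workspaces {
      name = "demo-tf-workspace"      # env.tfc_workspace
    }
  }

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

# No static credentials in code or on the runner: the provider picks up
# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY (or dynamic credentials) from
# the HCP Terraform workspace at run time.
provider "aws" {
  region = "us-east-1" # assumed region
}

variable "ami_id" {
  type        = string
  description = "Placeholder: set to an AMI ID valid in the chosen region"
}

resource "aws_instance" "demo" {
  ami           = var.ami_id
  instance_type = "t3.micro"
  # Require IMDSv2 so instance-role credentials are not exposed to an
  # unauthenticated GET against the metadata endpoint.
  metadata_options {
    http_tokens = "required"
  }

  tags = {
    Name = "hcp-terraform-github-actions-demo"
  }
}
```

The workspace must be set to remote execution for the runner's `terraform apply` to be carried out by HCP Terraform rather than on the GitHub runner.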
Conclusion
By leveraging GitHub Actions and HCP Terraform, teams can achieve reliable and efficient infrastructure management. This setup provides a powerful, automated pipeline for deploying and managing AWS infrastructure. It ensures that infrastructure changes are safe, consistent, and compliant with organizational standards.
For further customization, explore the extensive documentation and resources available for both GitHub Actions and HCP Terraform.
—
Author Bio: Saravanan Gnanaguru is a HashiCorp Ambassador and an expert in cloud automation and infrastructure as code.
By following this guide, you can set up a robust and secure automated infrastructure management system using GitHub Actions and HashiCorp Terraform, ensuring a streamlined deployment process for your AWS resources.
For more information, refer to this article.