Hi everyone,
I have a few questions regarding the underlying asynchronous architecture between HCP Terraform (API)/TFC Agents & GitHub Actions.
1. The Core Architecture: API Queuing & TFC Agent Polling
When an API-driven workflow is configured, GitHub Actions triggers a run via a POST /api/v2/runs API call to the HCP Terraform control plane.
- Mechanically, how does this run payload get picked up by a private TFC Agent (that's self-hosted)?
- Does the HCP Terraform SaaS control plane append this run to an asynchronous queue (like Kafka/MQ, etc.), and does the TFC Agent continuously long-poll that queue via an outbound HTTPS connection?
2. Native OIDC Support across JavaScript Ecosystem Actions
We want to leverage OpenID Connect (OIDC) via GitHub’s Workload Identity to eliminate long-lived team/user tokens from our workflows completely.
If we configure a trusted OIDC identity provider on the HCP Terraform side (using GitHub’s issuer and audience claims), can this dynamic OIDC token exchange be used interchangeably across both action patterns:
- The API-Driven Workflow (hashicorp/tfc-workflows-github): Can this high-level action natively ingest the GitHub OIDC token directly to authenticate its underlying API tasks (like uploading configuration tarballs or queuing runs) without requiring a hardcoded TF_API_TOKEN secret?
If anyone has run into limitations or has working syntax examples of how OIDC cleanly maps to these actions, your insights would be greatly appreciated!
Thanks in advance.
Sam
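Added example (not from the original post, and not part of hashicorp/tfc-workflows-github): before wiring a trust configuration that matches on GitHub's issuer and audience claims, it helps to see exactly which claims a GitHub Actions OIDC token carries. The helper below decodes a token's payload and checks iss, aud and sub against what such a trust policy would have to accept. It deliberately does not verify the signature (the relying party, HCP Terraform in this question, must do that against GitHub's JWKS), and it does not assume HCP Terraform accepts GitHub tokens at all, since that is what the question asks. The audience value, repository name and the `check_trust_claims`/`request_github_token` helper names are assumptions for illustration; the `ACTIONS_ID_TOKEN_REQUEST_URL`/`ACTIONS_ID_TOKEN_REQUEST_TOKEN` variables are the ones the GitHub runner exposes when a job has `permissions: id-token: write`.

```python
"""Inspect the claims of a GitHub Actions OIDC token (hypothetical helper).

Decodes the JWT payload without verifying the signature: the relying party
(HCP Terraform here) must verify it against GitHub's JWKS. This only shows
which claims a trust policy would match on, so that issuer/audience/subject
filters can be written and checked before any token is accepted.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"  # GitHub's OIDC issuer

# Constructed sample claims; the shape follows GitHub's documented token claims.
# The audience is a hypothetical value for the HCP Terraform trust configuration.
SAMPLE_CLAIMS = {
    "iss": GITHUB_ISSUER,
    "aud": "https://app.terraform.io",
    "sub": "repo:example-org/example-repo:ref:refs/heads/main",
    "repository": "example-org/example-repo",
    "ref": "refs/heads/main",
    "workflow": "terraform",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED compact JWT for offline inspection only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWT. Does NOT validate the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_trust_claims(token: str, expected_audience: str, allowed_subjects: list) -> dict:
    """Check the claims a trust policy matches on: iss, aud and an allow-listed sub.

    Returns the policy-relevant claims for logging; raises ValueError on a mismatch.
    """
    claims = decode_payload(token)
    if claims.get("iss") != GITHUB_ISSUER:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise ValueError(f"audience {audiences!r} does not include {expected_audience!r}")
    # Pinning sub (repo + ref) prevents any other repository or branch from being
    # trusted just because it is issued by the same GitHub issuer.
    if claims.get("sub") not in allowed_subjects:
        raise ValueError(f"subject {claims.get('sub')!r} not in allow list")
    return {k: claims.get(k) for k in ("iss", "aud", "sub", "repository", "ref", "workflow")}


def request_github_token(audience: str) -> str:
    """Fetch a fresh OIDC token inside a GitHub Actions job (needs id-token: write)."""
    url = os.environ["ACTIONS_ID_TOKEN_REQUEST_URL"]  # already carries a query string
    bearer = os.environ["ACTIONS_ID_TOKEN_REQUEST_TOKEN"]
    req = urllib.request.Request(
        url + "&audience=" + urllib.parse.quote(audience, safe=""),
        headers={"Authorization": f"bearer {bearer}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


if __name__ == "__main__":
    # Inside a job, request a real token; otherwise fall back to the constructed sample.
    if "ACTIONS_ID_TOKEN_REQUEST_URL" in os.environ:
        token = request_github_token(SAMPLE_CLAIMS["aud"])
    else:
        token = make_sample_token(SAMPLE_CLAIMS)
    print(json.dumps(check_trust_claims(token, SAMPLE_CLAIMS["aud"], [SAMPLE_CLAIMS["sub"]]), indent=2))
```

Run it once in a workflow step with `permissions: id-token: write` to print the real claims, then copy the exact `iss`, `aud` and `sub` strings into the trust configuration rather than relying on the issuer alone.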