I am using a GitHub workflow for Terraform operations and trying to follow the typical steps when a new commit is pushed to the main branch. GCP WIF is set up with GitHub as the identity provider.

- a PR is merged => a new commit is pushed to the main branch
- a job for `terraform plan` is executed with `tf-plan@gcp-project.iam.gserviceaccount.com`
  - use `google-github-actions/auth@v3` to get authenticated
  - run `terraform plan -out=tfplan`
  - upload `tfplan`
- a job for `terraform apply` is executed with a protected environment, which requires an approval, and with `tf-apply@gcp-project.iam.gserviceaccount.com`
  - download `tfplan`
  - use `google-github-actions/auth@v3` to get authenticated
  - `terraform init`
  - `terraform apply -auto-approve -input=false tfplan`

The `terraform apply` job remains pending until someone approves it. The issue is that `terraform apply -auto-approve -input=false tfplan` tries to use the `tf-plan` service account, which is baked into the tfstate, instead of the `tf-apply` service account.

Using `tf-apply` for both `terraform plan` AND `terraform apply` would not work, because the `terraform apply` job may remain in the pending state for a while and the temporary authentication token may expire (by default, the generated token is good for 1 hour).

Therefore, I am trying to make `terraform apply` use the authentication set up in the `terraform apply` job. However, I have not found any solution for this. I would appreciate any help to solve this.

BTW, in Terraform Cloud the process flow is the same, but no matter how long `terraform apply` remains in the pending state, it always works. For your information, I also set up GCP WIF with Terraform Cloud, so auth works the same as with GitHub. I don't know how they are doing it.
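For readers who want to see the plan/apply split the question describes as a concrete workflow file, here is an added example (not the poster's own workflow, and not a fix for the behaviour asked about). The `workload_identity_provider` resource name, the `production` environment name and the action versions other than `google-github-actions/auth@v3` are assumptions; the two service-account e-mails are the ones from the question.

```yaml
# Added example: two-job Terraform workflow with GCP Workload Identity Federation.
# Assumptions: the WIF provider resource name below is a placeholder, and
# "production" is a GitHub environment configured with required reviewers.
name: terraform

on:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write   # lets the job request the GitHub OIDC token that WIF exchanges for a GCP token

jobs:
  plan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - uses: google-github-actions/auth@v3
        with:
          # placeholder: replace with the real pool/provider resource name
          workload_identity_provider: projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL/providers/PROVIDER
          service_account: tf-plan@gcp-project.iam.gserviceaccount.com
      - run: terraform init -input=false
      - run: terraform plan -input=false -out=tfplan
      - uses: actions/upload-artifact@v4
        with:
          name: tfplan
          path: tfplan

  apply:
    needs: plan
    runs-on: ubuntu-latest
    environment: production   # protected environment: a reviewer must approve before this job starts
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - uses: actions/download-artifact@v4
        with:
          name: tfplan
      - uses: google-github-actions/auth@v3
        with:
          # placeholder: same pool/provider as above
          workload_identity_provider: projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL/providers/PROVIDER
          service_account: tf-apply@gcp-project.iam.gserviceaccount.com
      - run: terraform init -input=false
      - run: terraform apply -auto-approve -input=false tfplan
```

Because the `auth` step sits inside the `apply` job, its short-lived token is only minted once a reviewer has approved the protected environment and the job actually starts, which is why the approval wait itself does not consume the token lifetime. Keeping `id-token: write` as the only elevated permission, and scoping each job to its own service account, limits what a compromised plan step could do with the credentials it holds.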