I have to use github actions for a terraform plan/apply - which isn’t ideal since there isn’t an option in GHA to take user input. My ideal flow, as I’ve used with other CICD tools, is to:
trigger a terraform plan (write plan to file)
pause/prompt the user for input (apply plan?)
tf apply the plan (with plan file (if user approved))
In GHA, I have one workflow to run a tf plan & save the plan file as artifact. Then a 2nd workflow to pull that artifact & apply the plan.
I’m mostly curious to know how old a plan can be and if I should do some additional checking on this… like, don’t apply if the plan is older than 10 minutes… or some logic. Is this needed or can I rely on TF to check that the state is stale?
Otherwise, since it’s GHA, if you have any good patterns for tf plan/apply, I’m open.
Thanks for the suggestion. But that looks like a gatekeeping method more than anything. GHA just isn’t intended to have any workflow interaction - all inputs are up front.
I think I’m stuck with what I have… which is just one workflow with 3 steps.
tf-plan (stash plan file as artifact)
verify (pull artifact; verify artifact is not older than 10 mins; sleep for a few mins to give the user time to review the plan & cancel the workflow)
tf-apply
Verifying the age of the tf-plan artifact may not be necessary, but doesn’t hurt.
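An added example of the "verify" step described above (this is illustration code, not something posted in the thread). It assumes a convention of my own: the plan job writes a sidecar file `<plan>.created` holding the epoch time next to the plan file and uploads both in one artifact, because file mtimes are not something to rely on after an artifact round-trip. The apply job reads the sidecar and refuses to run `terraform apply` if the plan is older than the allowed window. Terraform's own protection still sits behind this: a saved plan records the state serial it was made against, and `terraform apply <planfile>` fails if the backend state has changed since, so the age check only adds a human-review window, not a correctness guarantee.

```shell
#!/usr/bin/env sh
# Hypothetical helper functions for a plan -> review -> apply pipeline.
# Convention (an assumption, not a Terraform feature): PLAN_FILE.created holds the
# epoch seconds at which the plan was produced.

# record_plan_time PLAN_FILE
#   Run in the plan job right after `terraform plan -out=PLAN_FILE`; writes the sidecar.
record_plan_time() {
  date +%s > "$1.created"
}

# plan_age_seconds PLAN_FILE
#   Prints the plan's age in seconds; returns 1 if the sidecar is missing.
plan_age_seconds() {
  f="$1.created"
  [ -f "$f" ] || return 1
  created=$(cat "$f")
  now=$(date +%s)
  echo $((now - created))
}

# plan_is_fresh PLAN_FILE MAX_SECONDS
#   Returns 0 only when the plan has a sidecar and its age is within MAX_SECONDS.
plan_is_fresh() {
  age=$(plan_age_seconds "$1") || return 1
  [ "$age" -le "$2" ]
}

# apply_if_fresh PLAN_FILE MAX_SECONDS
#   Refuses to apply a plan that is too old or has no recorded creation time.
#   A missing sidecar is treated as a failure, not as "fresh", so the guard fails closed.
apply_if_fresh() {
  if ! plan_is_fresh "$1" "$2"; then
    echo "refusing to apply: plan $1 is older than $2 seconds or has no timestamp" >&2
    return 1
  fi
  # -input=false: never block on a prompt inside CI; the saved plan carries the decision.
  terraform apply -input=false "$1"
}

# Typical use in the workflow (constructed illustration):
#   plan job:  terraform plan -input=false -out=tfplan && record_plan_time tfplan
#   apply job: sleep 180   # review window: cancel the run to abort
#              apply_if_fresh tfplan 600
```

The apply job's `sleep` gives a reviewer time to read the plan output and cancel the run; the age check then makes sure a run that was queued or re-run much later cannot pick up a plan nobody has looked at recently.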
Hi,
Just to mention,
Currently at our company we’re using Atlantis (runatlantis.io), which allows you to interact in GitHub with inputs like plan/import/apply.
For our case, it worked well. It might be worth checking out.
I guess my point was, if you have a plan step upstream, then the deploy step (with approval) downstream, you could avoid applying by not approving the workflow, so you wouldn’t need any manual input in the GitHub Actions workflow itself. So yes, it would be gatekeeping only, and of course you’d need to revert the change or roll forward to avoid having things in a broken state, but might work in a pinch.