Skip to main content

GitHub Action: atmos-terraform-apply

This Github Action is used to run Terraform apply for a single, Atmos-supported component with a saved planfile in S3 and DynamoDB.

Introduction

This Github Action is used to run Terraform apply for a single, Atmos-supported component with a saved planfile in S3 and DynamoDB.

Before running this action, first create and store a planfile with the companion action, github-action-atmos-terraform-plan.

For more, see Atmos GitHub Action Integrations

Usage

Prerequisites

This GitHub Action requires AWS access for two different purposes. This action will attempt to first pull a Terraform planfile from a S3 Bucket with metadata in a DynamoDB table with one role. Then the action will run terraform apply against that component with another role. We recommend configuring OpenID Connect with AWS to allow GitHub to assume roles in AWS and then deploying both a Terraform Apply role and a Terraform State role. For Cloud Posse documentation on setting up GitHub OIDC, see our github-oidc-provider component.

In order to retrieve Terraform Plan Files (not to be confused with Terraform State files, e.g. tfstate), we configure an S3 Bucket to store plan files and a DynamoDB table to track plan metadata. Both need to be deployed before running this action. For more on setting up those components, see the gitops component. This action will then use the github-action-terraform-plan-storage action to update these resources.

Config

The action expects the atmos configuration file atmos.yaml to be present in the repository. The config should have the following structure:

integrations:
github:
gitops:
opentofu-version: 1.7.3
terraform-version: 1.5.2
infracost-enabled: false
artifact-storage:
region: us-east-2
bucket: cptest-core-ue2-auto-gitops
table: cptest-core-ue2-auto-gitops-plan-storage
role: arn:aws:iam::xxxxxxxxxxxx:role/cptest-core-ue2-auto-gitops-gha
role:
plan: arn:aws:iam::yyyyyyyyyyyy:role/cptest-core-gbl-identity-gitops
apply: arn:aws:iam::yyyyyyyyyyyy:role/cptest-core-gbl-identity-gitops
matrix:
sort-by: .stack_slug
group-by: .stack_slug | split("-") | [.[0], .[2]] | join("-")
important

Please note! This GitHub Action only works with atmos >= 1.63.0. If you are using atmos < 1.63.0 please use v1 version of this action.

Support OpenTofu

This action supports OpenTofu.

important

Please note! OpenTofu supported by Atmos >= 1.73.0. For details read

To enable OpenTofu add the following settings to atmos.yaml

  • Set the opentofu-version in the atmos.yaml to the desired version
  • Set components.terraform.command to tofu

Example


components:
terraform:
command: tofu

...

integrations:
github:
gitops:
opentofu-version: 1.7.3
...

Workflow example

In this example, the action is triggered when certain events occur, such as a manual workflow dispatch or the opening, synchronization, or reopening of a pull request, specifically on the main branch. It specifies specific permissions related to assuming roles in AWS. Within the "apply" job, the "component" and "stack" are hardcoded (foobar and plat-ue2-sandbox). In practice, these are usually derived from another action.

tip

We recommend combining this action with the affected-stacks GitHub Action inside a matrix to plan all affected stacks in parallel.

  name: github-action-atmos-terraform-apply

on:
workflow_dispatch:
pull_request:
types:
- closed
branches:
- main

# These permissions are required for GitHub to assume roles in AWS
permissions:
id-token: write
contents: read

jobs:
apply:
runs-on: ubuntu-latest
steps:
- name: github-action-atmos-terraform-apply
uses: cloudposse/github-action-atmos-terraform-apply@v2
with:
component: "foobar"
stack: "plat-ue2-sandbox"
atmos-config-path: ./rootfs/usr/local/etc/atmos/

Migrating from v1 to v2

The notable changes in v2 are:

  • v2 works only with atmos >= 1.63.0
  • v2 drops install-terraform input because terraform is not required for affected stacks call
  • v2 drops atmos-gitops-config-path input and the ./.github/config/atmos-gitops.yaml config file. Now you have to use GitHub Actions environment variables to specify the location of the atmos.yaml.

The following configuration fields now moved to GitHub action inputs with the same names

name
atmos-version
atmos-config-path

The following configuration fields moved to the atmos.yaml configuration file.

nameYAML path in atmos.yaml
aws-regionintegrations.github.gitops.artifact-storage.region
terraform-state-bucketintegrations.github.gitops.artifact-storage.bucket
terraform-state-tableintegrations.github.gitops.artifact-storage.table
terraform-state-roleintegrations.github.gitops.artifact-storage.role
terraform-plan-roleintegrations.github.gitops.role.plan
terraform-apply-roleintegrations.github.gitops.role.apply
terraform-versionintegrations.github.gitops.terraform-version
enable-infracostintegrations.github.gitops.infracost-enabled
sort-byintegrations.github.gitops.matrix.sort-by
group-byintegrations.github.gitops.matrix.group-by

For example, to migrate from v1 to v2, you should have something similar to the following in your atmos.yaml:

./.github/config/atmos.yaml

# ... your existing configuration

integrations:
github:
gitops:
terraform-version: 1.5.2
infracost-enabled: false
artifact-storage:
region: us-east-2
bucket: cptest-core-ue2-auto-gitops
table: cptest-core-ue2-auto-gitops-plan-storage
role: arn:aws:iam::xxxxxxxxxxxx:role/cptest-core-ue2-auto-gitops-gha
role:
plan: arn:aws:iam::yyyyyyyyyyyy:role/cptest-core-gbl-identity-gitops
apply: arn:aws:iam::yyyyyyyyyyyy:role/cptest-core-gbl-identity-gitops
matrix:
sort-by: .stack_slug
group-by: .stack_slug | split("-") | [.[0], .[2]] | join("-")

.github/workflows/main.yaml

  - name: github-action-atmos-terraform-apply
uses: cloudposse/github-action-atmos-terraform-apply@v2
with:
component: "foobar"
stack: "plat-ue2-sandbox"
atmos-config-path: ./rootfs/usr/local/etc/atmos/
atmos-version: 1.63.0

This corresponds to the v1 configuration (deprecated) below.

The v1 configuration file ./.github/config/atmos-gitops.yaml looked like this:

atmos-version: 1.45.3
atmos-config-path: ./rootfs/usr/local/etc/atmos/
terraform-state-bucket: cptest-core-ue2-auto-gitops
terraform-state-table: cptest-core-ue2-auto-gitops
terraform-state-role: arn:aws:iam::xxxxxxxxxxxx:role/cptest-core-ue2-auto-gitops-gha
terraform-plan-role: arn:aws:iam::yyyyyyyyyyyy:role/cptest-core-gbl-identity-gitops
terraform-apply-role: arn:aws:iam::yyyyyyyyyyyy:role/cptest-core-gbl-identity-gitops
terraform-version: 1.5.2
aws-region: us-east-2
enable-infracost: false
sort-by: .stack_slug
group-by: .stack_slug | split("-") | [.[0], .[2]] | join("-")

And the v1 GitHub Action Workflow looked like this.

.github/workflows/main.yaml

  - name: github-action-atmos-terraform-apply
uses: cloudposse/github-action-atmos-terraform-apply@v1
with:
component: "foobar"
stack: "plat-ue2-sandbox"
atmos-gitops-config-path: ./.github/config/atmos-gitops.yaml

Migrating from v0 to v1

  1. v1 drops the component-path variable and instead fetches if directly from the atmos.yaml file automatically. Simply remove the component-path argument from your invocations of the cloudposse/github-action-atmos-terraform-apply action.
  2. v1 moves most of the inputs to the Atmos GitOps config path ./.github/config/atmos-gitops.yaml. Simply create this file, transfer your settings to it, then remove the corresponding arguments from your invocations of the cloudposse/github-action-atmos-terraform-apply action.
name
atmos-version
atmos-config-path
terraform-state-bucket
terraform-state-table
terraform-state-role
terraform-plan-role
terraform-apply-role
terraform-version
aws-region
enable-infracost

If you want the same behavior in v1 as in v0 you should create config ./.github/config/atmos-gitops.yaml with the same variables as in v0 inputs.

- name: github-action-atmos-terraform-apply
uses: cloudposse/github-action-atmos-terraform-apply@v1
with:
atmos-gitops-config-path: ./.github/config/atmos-gitops.yaml
component: "foobar"
stack: "plat-ue2-sandbox"

Which would produce the same behavior as in v0, doing this:

- name: github-action-atmos-terraform-apply
uses: cloudposse/github-action-atmos-terraform-apply@v0
with:
component: "foobar"
stack: "plat-ue2-sandbox"
component-path: "components/terraform/s3-bucket"
terraform-apply-role: "arn:aws:iam::111111111111:role/acme-core-gbl-identity-gitops"
terraform-state-bucket: "acme-core-ue2-auto-gitops"
terraform-state-role: "arn:aws:iam::999999999999:role/acme-core-ue2-auto-gitops-gha"
terraform-state-table: "acme-core-ue2-auto-gitops"
aws-region: "us-east-2"

Inputs

NameDescriptionDefaultRequired
atmos-config-pathThe path to the atmos.yaml fileN/Atrue
atmos-versionThe version of atmos to install>= 1.63.0false
branding-logo-imageBranding logo image urlhttps://cloudposse.com/logo-300x69.svgfalse
branding-logo-urlBranding logo urlhttps://cloudposse.com/false
componentThe name of the component to apply.N/Atrue
debugEnable action debug mode. Default: 'false'falsefalse
infracost-api-keyInfracost API keyN/Afalse
shaCommit SHA to apply. Default: github.sha${{ github.event.pull_request.head.sha }}true
stackThe stack name for the given component.N/Atrue
tokenUsed to pull node distributions for Atmos from Cloud Posse's GitHub repository. Since there's a default, this is typically not supplied by the user. When running this action on github.com, the default value is sufficient. When running on GHES, you can pass a personal access token for github.com if you are experiencing rate limiting.${{ github.server_url == 'https://github.com' && github.token || '' }}false

Outputs

NameDescription
statusApply Status. Either 'succeeded' or 'failed'