Is it possible to get the output from an apply? I'd very much like it to write a comment on the pull request when it's done applying

Once again, thanks for this great Action!

Since the steps are repetitive, quite verbose and with clear parameters, I wanted to encapsulate it within a GitHub composite action.

I managed to work around its current limitations -i.e. not supporting the continue-on-error functionality.
But the action just did not post a comment. Not even mentioned: "this is not a PR..."

@robburger
❓ Am I missing something?
I would love to use this "composite" version in my workflows.

.github/actions/terraform_comment_pr/actions.yml

name: 'Terraform Comment PR'
description: 'Init, Plan and Apply TF projects, commenting Plan output onto PR'
inputs:
  deploymentDirectory:  # id of input
    description: 'the directory of the terraform project'
    required: true
  env:  # id of input
    description: 'the deployment environment'
    required: true
  workspaceEnv:  # id of input
    description: 'the deployment WORKSPACE environment to be activated'
    required: true

runs:
  using: "composite"
  steps:
    - uses: hashicorp/setup-terraform@v1
      with:
        terraform_version: 0.14.5

    - name: >
        Terraform Init >> Env: ${{ inputs.env }} | Dir: ${{ inputs.deploymentDirectory }}
      shell: bash
      run: |
        cd ${{ inputs.deploymentDirectory }}
        terraform init -backend=true -backend-config=environment/${{ inputs.env }}/backend-config.tfvars
        terraform workspace new ${{ inputs.workspaceEnv }} || terraform workspace select ${{ inputs.workspaceEnv }}  

    - name: >
        Terraform Plan >> Env: ${{ inputs.env }} | Dir: ${{ inputs.deploymentDirectory }}
      id: plan
      shell: bash
      run: |
        cd ${{ inputs.deploymentDirectory }}
        # Workaround continue-on-error not being supported
        terraform plan -var-file environment/${{ inputs.env }}/environment.tfvars -detailed-exitcode \
        || echo "::set-output name=exitcode_continue_on_error::$?"

    - name: >
        Post Plan >> Env: ${{ inputs.env }} | Dir: ${{ inputs.deploymentDirectory }}
      if: always() && github.ref != 'refs/heads/master' && (steps.plan.outcome == 'success' || steps.plan.outcome == 'failure')
      uses: robburger/terraform-pr-commenter@v1
      env:
        TF_WORKSPACE: ${{ format('Env= {0} | Dir= {1}', inputs.env, inputs.deploymentDirectory) }}
      with:
        commenter_type: plan
        commenter_input: ${{ format('{0}{1}', steps.plan.outputs.stdout, steps.plan.outputs.stderr) }}
        commenter_exitcode: ${{ steps.plan.outputs.exitcode }}

    - name: Raise error if plan.exitcode == 1
      if: steps.plan.outputs.exitcode == 1
      shell: bash
      run: exit 1

    - name: >
        Terraform Apply >> Env: ${{ inputs.env }} | Dir: ${{ inputs.deploymentDirectory }}
      if: steps.plan.outputs.exitcode == 2 
      shell: bash
      run: |
        cd ${{ inputs.deploymentDirectory }}
        terraform apply -var-file environment/${{ inputs.env }}/environment.tfvars -input=false -auto-approve

And the actual workflow would look like this:

- name: Terraform Comment PR
  uses: ./.github/actions/terraform_comment_pr
  with:
    deploymentDirectory: ${{ matrix.project.dir }}
    env:  ${{ matrix.project.env }}
    workspaceEnv: ${{ env.ENV }} 

Hi,
When using -diff option for terraform fmt, the comment in PR looks weird. Thanks for looking into this.

      - name: Terraform Format
        id: fmt
        run: terraform -chdir=${{ env.working_directory}} fmt -check -recursive -diff
        continue-on-error: true

      - name: Post Format Result
        if: always() && github.event_name == 'pull_request' && (steps.fmt.outcome == 'success' || steps.fmt.outcome == 'failure')
        uses: robburger/terraform-pr-commenter@v1.5.0
        with:
          commenter_type: fmt
          commenter_input: ${{ format('{0}{1}', steps.fmt.outputs.stdout, steps.fmt.outputs.stderr) }}
          commenter_exitcode: ${{ steps.fmt.outputs.exitcode }}

The robburger/terraform-pr-commenter@v1 workflow was function properly for me for some time.

Recently, I noticed that it cannot write comments to GitHub Pull Request.

Found the following error under robburger/terraform-pr-commenter@v1 workflow.

Releasing state lock. This may take a few moments...
" "0"
INFO: Looking for an existing plan PR comment.
Error relocating /usr/bin/curl: curl_easy_nextheader: symbol not found
Error relocating /usr/bin/curl: curl_easy_header: symbol not found
INFO: No existing plan PR comment found.
INFO: Adding plan comment to PR.
Error relocating /usr/bin/curl: curl_easy_nextheader: symbol not found
Error relocating /usr/bin/curl: curl_easy_header: symbol not found

We just published this fork we are currently using in our projects and thus maintaining:

https://github.com/marketplace/actions/terraform-pr-commenter-jimdo

The main difference is that this allows for multiple terraform plan comments in one PR. E.g. for different terraform runs on cluster level and on kubernetes level.

The recent change in commit 53de913 to the way the plan truncation happens cuts off the Changes to Outputs: section, which follows the Plan: x to add, x to change, x to destroy. line.

Fix: have a look at the horizontal rule characters again and try to truncate before them.

Hi!

First of all, thanks for the great tool. Been using it for few days and really digging it.

I'm trying to publish a plan output of a larger environment, but I get an error "Error: Argument list too long". The plan output is around ~2800 rows long.

I ran into the following error, so I will share the situation.
version: v1.5.0

Step 3/6 : RUN apk add --no-cache -q     bash     curl     jq
   ---> Running in ae6d5c417541
    bash (no such package):
  ERROR: unable to select packages:
      required by: world[bash]
    curl (no such package):
      required by: world[curl]
    jq (no such package):
      required by: world[jq]
The command '/bin/sh -c apk add --no-cache -q     bash     curl     jq' returned a non-zero code: 3
  Warning: Docker build failed with exit code 3, back off 5.943 seconds before retry.

It looks like an error happened in Docker build step because it is unable to install the package.

Hi!

We have multiple environments but are not using workspaces. Instead, we use the "separate directories" strategy. However, we would still like to get separate PR comments for each environments's plan.

Am I correct in that a workaround is we can still rely on the TF_WORKSPACE environment (and set it only for the robburger/terraform-pr-commenter@v1 action) to make sure we get separate PR comments?

Plan: 2 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply \"tfplan\"
" "0"
INFO: Looking for an existing plan PR comment.
curl: (16) Error in the HTTP2 framing layer
INFO: No existing plan PR comment found.
INFO: Adding plan comment to PR.
curl: (16) Error in the HTTP2 framing layer

- name: Post Plan
  if: always() && github.ref != 'refs/heads/master' && (steps.plan.outcome == 'success' || steps.plan.outcome == 'failure')
  uses: robburger/terraform-pr-commenter@v1
  with:
    commenter_type: plan
    commenter_input: ${{ format('{0}{1}', steps.plan.outputs.stdout, steps.plan.outputs.stderr) }}
    commenter_exitcode: ${{ steps.plan.outputs.exitcode }}
  env:
   GITHUB_TOKEN: ${{ secrets.GOOGLE_CREDENTIALS }}

Am I missing something?

It would be great if the summary for the plan action would show the top-line changes, so the information could be more glanceable, like below:

FULL_PLAN_HERE

Or:

FULL_PLAN_HERE

This could be done by grepping the text for the right strings:

SUMMARY = grep -E '(to add|No changes)'

This is a great action. Thanks for sharing!

In order to provide a bit more context when running on multiple working directories and environments, I've been using a workaround. Injecting the values of interest into the TF_WORKSPACE env variable.

Which works 👍

- name: >
    Post Plan >> Env: ${{ matrix.project.env }} | Dir: ${{ matrix.project.dir }}
  if: always() && github.ref != 'refs/heads/master' && (steps.plan.outcome == 'success' || steps.plan.outcome == 'failure')
  uses: robburger/terraform-pr-commenter@v1
  env:
    TF_WORKSPACE: ${{ format('Env= {0} | Dir= {1}', matrix.project.env, matrix.project.dir) }}
  with:
    commenter_type: plan
    commenter_input: ${{ format('{0}{1}', steps.plan.outputs.stdout, steps.plan.outputs.stderr) }}
    commenter_exitcode: ${{ steps.plan.outputs.exitcode }}

But I noticed that, sometimes, the action incorrectly identifies an "already existing" comment and decides to update it.
For example, I have 9 different working-directories / env. But only get 5 PR comments

@robburger Any ideas?
How exactly is the "uniqueness" of a comment defined?
I imagined that, by adding more detail to the TF_WORKSPACE, it would make it more accurate.

Currently, this action POSTs the comment after DELETE if there is an existing plan or other comment. This makes it impossible to compare the differences in plans between those changes.

As in the "Create or Update Comment" action, the "PATCH /repos/{owner}/{repo}/issues/comments/{comment_id}" can be used. When a comment is updated, the edit history of the comment is available.

Would you be willing to provide this as an option?

Can an additional (optional) input be created e.g.:

  allow_pr_override:
    description: '(Optional) Allow existing comments on PR to be overridden.'
    required: false
    type: boolean
    default: true 

The reason this would be handy is because I do automated tests on a single workspace "default", but my tests involves using terraform plan, to plan and apply a build, and then after on the same PR I also do a terraform plan --destroy and then apply a destroy.

Because my initial plan which shows the build, the second plan (destroy plan) overrides the build plan on the PR, I would like this not to happen as I want to see both comments on the same PR for my build plan as well as my destroy plan as the test involves a build apply plan as well as a destroy apply plan.

The build plan will be commented as expected, but when my workflow reaches the destroy plan step, the existing build plan comment will be overriden and thus I end up only seeing the destroy plan on the PR comments.

I want this override to be configurable on the inputs on this action if possible. if the setting is false, I want the action to just add another comment on the same PR, and if the setting is true, it can override:

At the moment it only and always will override.

Using the example workflow file from: https://github.com/marketplace/actions/terraform-pr-commenter

Can see in the actions where my plan was run and there i can see the relevant updates

Hi, thanks for such a useful action!

After trying this out, I'm a little confused on how to properly fail the workflow job if one of the terraform steps fail.

We're passing continue-on-error: true to the terraform step, like the example shows. It seems the commenter step(s) should exit non-zero after posting the comment as to stop processing subsequent job steps, but the commenter exits zero even when it was handed a non-zero from the terraform wrapper.

I feel like I'm missing something obvious but the readme states

In English: "Always run this step, but only on a pull request and only when the previous step succeeds or fails...and then stop the build.

What trigger should be used stop the build?

Thanks again!

At least that's what I think is causing the following issue.
Left is the output from Terraform Plan.
Right is the comment generated in the PR by the terraform-pr-commenter action.

Each line that starts with either the Terraform Remove hyphen sign or a yaml hyphen indicating a list item are highlighted in the comment as being removed.

I have blanked some values that contained "sensitive" information.

Download action repository 'robburger/terraform-pr-commenter@v1'
v1 is currently v1.3.0
0.14.9: Pulling from hashicorp/terraform

Deprecated messages such as this in the terraform plan:

Warning: Argument is deprecated

  with module.terraform-module-account.aws_s3_bucket.aman,
  on .terraform/modules/terraform-module-account/aman.tf line 9, in resource "aws_s3_bucket" "aman":
   9:   acl           = "private"

Use the aws_s3_bucket_acl resource instead

are not displayed in the PR.

Can the messages be captured and displayed please.

Sometimes our plans get quite lengthy if we make a core level change that fans out. In these cases, we get "argument list too long" errors in docker. Would it be possible to add support for passing a plan file reference to the commenter rather than the raw comment text, and have the commenter script cat the file itself?

If using Terraform v1.x and a plan produces no output, the comment on the timeline is empty.

Terraform v1.0 introduced additional possible outputs for plan, so more regexing is needed to catch all "stories".

Used to be: No changes. Infrastructure is up-to-date.
Now: No changes. Your infrastructure matches the configuration.

I started getting the following error
Error: An error occurred trying to start process '/usr/bin/docker' with working directory '/home/runner/work/...'. Argument list too long
with

      - name: Terragrunt Plan
        id: plan
        if: github.event_name == 'pull_request'
        run: terragrunt run-all plan -no-color --terragrunt-non-interactive
        continue-on-error: true

      - name: Post Plan
        uses: robburger/[email protected]
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          EXPAND_SUMMARY_DETAILS: 'true' # Override global environment variable; expand details just for this step
        with:
          commenter_type: plan
          commenter_input: ${{ format('{0}{1}', steps.plan.outputs.stdout, steps.plan.outputs.stderr) }}
          commenter_exitcode: ${{ steps.plan.outputs.exitcode }}

I was able to work around it by truncating the plan to 65535 characters before sending it to terraform-pr-commenter, but what is the maximum string length we can send to terraform-pr-commenter as I feel that is where the issue is? The terraform-pr-commenter code should properly truncate the string down to 65300 characters

  if [[ $EXIT_CODE -eq 0 || $EXIT_CODE -eq 2 ]]; then
    CLEAN_PLAN=$(echo "$INPUT" | sed -r '/^(An execution plan has been generated and is shown below.|Terraform used the selected providers to generate the following execution|No changes. Infrastructure is up-to-date.|No changes. Your infrastructure matches the configuration.|Note: Objects have changed outside of Terraform)$/,$!d') # Strip refresh section
    CLEAN_PLAN=$(echo "$CLEAN_PLAN" | sed -r '/Plan: /q') # Ignore everything after plan summary
    CLEAN_PLAN=${CLEAN_PLAN::65300} # GitHub has a 65535-char comment limit - truncate plan, leaving space for comment wrapper
    CLEAN_PLAN=$(echo "$CLEAN_PLAN" | sed -r 's/^([[:blank:]]*)([-+~])/\2\1/g') # Move any diff characters to start of line
    if [[ $COLOURISE == 'true' ]]; then
      CLEAN_PLAN=$(echo "$CLEAN_PLAN" | sed -r 's/^~/!/g') # Replace ~ with ! to colourise the diff in GitHub comments
    fi

although it would be nice to merge pull request #25 to give an indication that the plan was truncated/referenced elsewhere.

Doesn't work, I see output saying it will create a comment for the plan but nothing appears.

Thank you for the great action! We're running it in production now. 🙂

I have a feature request that would help us: we're running this action for a bunch of modules in one repo, i.e. our repo looks something like this:

root
- vpc
- dns
- eks
- ...etc...

We use an Actions matrix to run the same steps for each directory. This works! 🎉 However, the comment for each init/plan/apply doesn't indicate which module it came from:

This could be fixed by adding the working directory to the message, so it would be e.g. <directory>: Terraform <action> <result> for workspace <workspace>. Another option would be to add the directory to commenter_input, but I haven't tried this yet, as I've assumed that argument should contain only output from Terraform itself.

Does this sound like a sensible feature? Thank you!

I notice #25 has 18 thumbs ups and no source code changes have been made during entire 2022.

My workflow looks like this

      - run: |
          terraform init
          terraform plan -out tfplan
        id: plan
      - uses: robburger/terraform-pr-commenter@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          commenter_type: plan
          commenter_input: ${{ format('{0}{1}', steps.plan.outputs.stdout, steps.plan.outputs.stderr) }}
          commenter_exitcode: ${{ steps.plan.outputs.exitcode }}

Earlier I was using Makefile, I thought if it is doing something with exit code, So I had replaced make plan by the current multiline command which does terraform init and terraform plan but it doesn't seem to solve the issue.

Terraform version I'm using is 0.14.10

- uses: hashicorp/setup-terraform@v1
        with:
          terraform_version: 0.14.10
          terraform_wrapper: false

Below is plan output for which PR comment is empty.

Terraform will perform the following actions:

  # aws_security_group_rule.core_to_xxxhas moved to aws_security_group_rule.core_to_xxx[0]
    resource "aws_security_group_rule" "core_to_xxx" {
        id                = "sgrule-00000"
        # (9 unchanged attributes hidden)
    }

Plan: 0 to add, 0 to change, 0 to destroy.

Hello, i've upgraded my terraform to 0.15, and it seems that i can't see my changes, because the sentence has changed, on terraform's side.

ex on 0.15 :

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

VS on 0.13, for example :

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

We can see the "An execution plan has been generated and is shown below." has disappear.

Maybe we can fix the regex to catch both sentences ?