• Generate .tfmigrate.hcl
• Generate migration file template
• Create pull request
  • Set pull request label tfmigrate:<target>
  • Guide in pull request body

Hi! I found thing that seems like bug.

In action terrafom-plan, when terraform plan fails old tfplan.binary is supposed to be deleted in case of S3. But it remains in case of GCS.

Is this a behavior you suppose? If not, I'm going to make PR.

https://suzuki-shunsuke.github.io/tfaction/docs/feature/support-skipping-terraform-renovate-pr

Motivation

We would like to create and merge many pull requests by Renovate.
When we manage dependencies such as Terraform, Terraform Providers, tfsec, tflint, etc and create pull request per working directory, we have to handle many pull requests by Renovate.

I found that when we update tfsec and tflint we don't have to run terraform plan and terraform apply.
We only have to run tfsec and tflint.
On the other hand, when Terraform and Terraform Providers are updated, we have to run terraform plan and terraform apply.

By skipping terraform plan and terraform apply, we can efficiently update dependencies.

• We can prevent unexpected changes from being applied
• We can prevent CI failure due to terraform plan's unexpected changes
• We can prevent API rate exceeded by terraform plan and terraform apply

How

Add the fields in tfaction-root.yaml.

• skip_by_renovate
• renovate_terraform_labels

When skip_terraform_by_renovate is true, in pull requests by Renovate terraform plan and terraform apply are skipped.
If commits by non Renovate are included in the pull request, terraform plan and terraform apply aren't skipped.
When pull request labels in renovate_terraform_labels are set, terraform plan and terraform apply are executed.

Example Configuration

tfaction-root.yaml

skip_terraform_by_renovate: true
renovate_terraform_labels:
- terraform

renovate.json

{
  "packageRules": [
    {
      "matchManagers": ["terraform", "terraform-version"],
      "addLabels": ["terraform"]
    },
    {
      "matchPackageNames": ["hashicorp/terraform"],
      "addLabels": ["terraform"]
    }
  ]
}

Error: ENOENT: no such file or directory, open 'github/foo/tfaction.yaml'

Due to #128

Affected version: v0.4.4 v0.4.5 v0.4.6

Workaround

Please use tfaction v0.4.3 in the workflow scaffold-working-directory.

https://suzuki-shunsuke.github.io/tfaction/docs/feature/skip-creating-pr

tfaction suports creating some types of pull requests.

• Follow up Pull Request
• Scaffold working directory Pull Request
• Scaffold tfmigrate migration Pull Request

They are really useful, but they are created by GitHub App so you can pass 1 approval Required by approving your changes by yourself.
To solve the problem, we consider to create only branch and skip creating pull request.

Problem to solve

Currently, when you migrate state across multiple state with tfmigrate,
you have to set the pull request label ignore:*.
When this label is set, tfmigrate-plan and terraform-plan jobs aren't run against the working directory,
then tfsec and tflint aren't run.

https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment

https://github.com/accurics/terrascan

#40 is required.

Hello, thank you for creating awesome tool.

This is minor misprint I noticed when I read source code.

ACTUAL

• export-secrets
  The secrets parameter is required while nothing is required in README.

EXPECTED BEHAVIOR

The secrets parameter is required also in README.

I will create PR against this issue. Thank you.

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

• GitHub Actions timeout:
  • step
  • job
• GitHub Actions OIDC:
  • AWS
    • 1 Hour by default
    • You can extend until 24 Hours
  • GCP
• GitHub App token: 1 Hour
• GitHub Actions token: 24 hours

Terraform itself doesn't support timeout.
https://discuss.hashicorp.com/t/timeout-setting-for-terraform-binary/29627/2

• Support sending the signal
• Support changing the timeout (By default 1 Hour)

• tflint
• tfsec

tfaction.yaml

tflint: false
tfsec: false

renovate_follow_up_mentions:
- suzuki-shunsuke
- <org name>/<team name>

Problem to solve

When Renovate Pull Request was merged automatically and apply failed,
follow up pull request is created but no mention is set and no one is assigned.

How to solve

If pull request author is Renovate and GITHUB_ACTOR is bot, renovate_follow_up_mentions are mentioned and assigned.

• terraform-plan and tfmigrate-plan
• terraform-apply and tfmigrate-apply

Make the workflow simpler

• https://suzuki-shunsuke.github.io/tfaction/docs/feature/module
• https://blog.studysapuri.jp/entry/2022/03/30/080000

Hi, This is my proposal.

I want to try to make pipeline with tfaction faster adding the -parallelism=n option to terraform plan / apply.
What if terraform-plan and terraform-apply actions support adding any terraform options to realize this? What do you think of this.

If it seems good idea, I will create the PR.

gcloud is required. https://cloud.google.com/sdk/gcloud

https://github.com/actions/virtual-environments

https://github.com/actions/virtual-environments/blob/main/images/linux/Ubuntu2004-Readme.md#cli-tools

Google Cloud SDK 368.0.0 (apt source repository: https://packages.cloud.google.com/apt)

e.g.

  terraform_plan_config:
    aws_secrets_manager:
    - secret_id: foo
      version_id:
      version_stage:
      aws_region: ap-northeast-1
      envs:
      - env_name: ATLAS_API_KEY
        secret_key: atlas_api_key
    - secret_id: bar
      version_id:
      version_stage:
      aws_region: ap-northeast-1
      envs:
      - env_name: BAR

Hi, I found kind of like a bug.

ACTUAL

https://suzuki-shunsuke.github.io/tfaction/docs/config/tfaction-yaml

In above document, It seems that tfaction.yaml in working directory overwrites tfaction-root.yaml.

You can override the configuration of tfaction-root.yaml by tfaction.yaml.

On the other hand, in the action get-target-config it seems that tfaction-root.yaml overwrites tfaction.yaml in working directory.

As far as I read the codes, each variables mean like following.

• jobConfig: terraform_(plan|apply)_config in tfaction.yaml
• wdConfig: tfaction.yaml
• rootJobConfig: terraform_(plan|apply)_config in matched target in tfaction-root.yaml
• targetConfig: matched target in tfaction-root.yaml
• config: tfaction-root.yaml

So the order of list in arguments to setOutputs seems incorrect.

EXPECTED

The order like following is correct?

    lib.setOutputs([
      's3_bucket_name_plan_file',
      's3_bucket_name_tfmigrate_history',
      'gcs_bucket_name_plan_file',
      'providers_lock_opts',
    ], [config, targetConfig, wdConfig]);
    lib.setOutputs([
      'aws_region',
      'aws_assume_role_arn',
      'gcp_service_account',
      'gcp_workload_identity_provider',
    ], [config, targetConfig, rootJobConfig, wdConfig, jobConfig]);

If it's correct I send the PR! Thank you for reading in advance.

• List and test changed Modules
• Create tag and release by GitHub Actions dispatch_workflow event
• Scaffold Module

Module Location

Add a file tfaction_module.yaml in Module's root directory.

Test Module

• terraform fmt
• terraform validate
• tflint
• tfsec
• terraform-docs: https://terraform-docs.io/

Module Source

GitHub: https://www.terraform.io/language/modules/sources#github

Tag Format

module_<module name>_<version>

⚠️ Unfortunately, slash / seems to be unavailable in Terraform Modules Ref.

Create tag and release by GitHub Actions dispatch_workflow event

Inputs

• module_path
• version

Auto update

It is difficult to update Modules by Renovate.

We'll consider to create feature branches or pull requests to update Modules by GitHub Actions.

https://gha-trigger.github.io/

GITHUB_TOKEN

tfmigrate-plan

• GITHUB_REPOSITORY
• GITHUB_HEAD_REF

test-module

• GITHUB_REPOSITORY
• GITHUB_HEAD_REF
• GITHUB_EVENT_NAME

create-follow-up-pr

• GITHUB_REPOSITORY
• GITHUB_ACTOR

https://github.com/suzuki-shunsuke/tfaction/blob/7951fa5ed7fa452a5921d5c44e059c3490fbca4f/list-targets-with-changed-files/src/index.ts

Hi, this is feature request for tfaction!

We are managing a lot of working directories, and I'm facing a problem like hashicorp/terraform-provider-aws#5171 .
To prevent this problem, I want to pass [--parallelism](https://www.terraform.io/docs/commands/plan.html#parallelism-n) flag to the terraform command, but currently it's not possible.

I'm thinking about adding configuration item to tfaction.yaml like:

terraform-option: --parallelism 10

And this is passed to

Thanks in advance!

• https://github.com/suzuki-shunsuke/github-action-tfsec
  • https://aquasecurity.github.io/tfsec/v1.28.4/
• https://github.com/suzuki-shunsuke/github-action-tflint
  • https://github.com/terraform-linters/tflint
• https://github.com/suzuki-shunsuke/trivy-config-action
  • https://aquasecurity.github.io/trivy/v0.47/docs/references/configuration/cli/trivy_config/
  • https://aquasecurity.github.io/trivy/v0.47/docs/references/configuration/config-file/
  • https://aquasecurity.github.io/trivy/v0.47/docs/configuration/filtering/#trivyignoreyaml

Hi, I found a thing like a bag.

ACTUAL

Even if the skip_create_pr option (default: false) is set both false or true in tfaction-root.yaml, skip_create_pr.sh is always executed when terraform apply fails.

EXPECTED

When skip_create_pr option is set as false, main.sh is executed not but skip_create_pr.sh.

MY RESEARCH

This bug is caused by the following wrong condition.

According to this document, output is always dealt as string so it can't compare to boolean.

In above case, as long as steps.global-config.outputs.skip_create_pr is not null, the result of condition is always true.

Refference: GitHub Actions で真偽値を正しく扱う

I'm going to send PR!

https://github.com/google-github-actions/auth
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform