v8.0.0: OpenTofu Support, Format and Validate

Highlights

• Implemented OpenTofu GitHub Action to deliver first-class support for tofu, while maintaining backwards-compatibility with terraform.
• Optional TF fmt and validate steps available by default.

Added

• TVP_CLI_USES=tofu or TVP_CLI_USES=terraform for users to choose between opentofu/setup-opentofu or hashicorp/setup-terraform.
• TVP_FMT_ENABLE and TVP_VALIDATE_ENABLE to toggle TF fmt and validate commands, respectively.
• Diff of TF fmt command as a separate collapsible section in the PR comment.
• paths: ['**/*.tf*'] to on: pull_request so that the workflow is only triggered when a PR contains changes to Terraform files.
• TVP_BACKEND_CONFIG_FROM_WORKSPACE, TVP_BACKEND_CONFIG_PREFIX, and TVP_BACKEND_CONFIG_SUFFIX for consistency with TVP_VAR_FILE_ counterparts.

Changed

• References to "TF" from "Terraform", to be vendor-neutral with HashiCorp's and OpenTofu's offerings.
• PR labels prefix from terraform: to tf:, and change colour depending on tofu (#FFDA18) or terraform (#5C4EE5) usage.
• Documentation to reflect changes to inputs.

Deprecated

• CONFIG_TF_ prefixed variables to TVP_ prefix instead, to be consistent with Terraform/OpenTofu-Via-PR (TVP).

Secured

• Version support v8.0.0 and above.
• peter-evans/find-comment dependency by replacing with actions/github-script.
• xt0rted/pull-request-comment-branch dependency by replacing with actions/github-script.
• myrotvorets/set-commit-status-action dependency by replacing with actions/github-script.

Commits changelog: v7.1.0...v8.0.0

v7.1.0: Flag to check for PR review approval

Added

• Feature to check if CONFIG_TF_REQUIRE_APPROVAL is set to "true".
  • Verify that the PR review state is approved, otherwise exit the workflow with a failure.

Changed

• Reduce the PR comment limit to 64,800 characters from 131,056 stack size limitation.

Fixed

• Links to GitHub workflows from Readme documentation.
• Parsing of filtered Terraform comment output, including special characters.

Commits changelog: v7.0.0...v7.1.0

v7.0.0: Workflow Parameters and Security Enhancements

Highlights

• Added workflow parameters to customize the entry point of Terraform commands and minimize the need to type out the same arguments repeatedly.
• Dedicated workflow example to demonstrate AWS authentication with temporary/OIDC credentials passed in from the caller workflow.
• Improved handling of environment variables and masking of sensitive values.
• Improved documentation and inline comments to clarify the "why" as well as the "how".
• Amended Terraform output verbosity to account for lengthy plans in the context of GitHub's stack size limitation.

Added

• Parameter outputs of the workflow, including: COMMENT_SHA, PARSED_COMMENT, PROMPT_MATRIX, TF_PLAN_ID, and WORKING_DIRECTORY.
• Parameter input documentation, including: CONFIG_TF_CHDIR_PREFIX, CONFIG_TF_VAR_FILE_PREFIX, CONFIG_TF_VAR_FILE_SUFFIX, CONFIG_TF_WORKSPACE_AS_VAR_FILE, TF_CLI_HOSTNAME, TF_CLI_TOKEN, and TF_CLI_VERSION.
• Example caller_aws.yml to demonstrate passing temporary/OIDC credentials or secrets to the reusable workflow in the context of AWS authentication.
• Inline comments and README.md documentation to better clarify the purpose and intent of the workflow and its parameters to lower the barrier to entry for prospective users/contributors.
• Dynamic setting of -var-file arguments, to take into account CONFIG_TF_VAR_FILE_PREFIX, CONFIG_TF_VAR_FILE_SUFFIX, and CONFIG_TF_WORKSPACE_AS_VAR_FILE configuration variables.

Changed

• Prefix of workflow-related configuration variables from CONFIGURE_TF_ to CONFIG_TF_.
• Rename workflow without "(Multiple AWS)" in the title.
• Increase retry count of "actions/github-script" steps from 0 to 3.
• Filter Terraform output's verbosity in Bash instead of with "actions/github-script". This is to workaround GitHub's stack size limitation of 128 – 16 bytes for passing environment variables, resulting in "Argument list too long" error for lengthy plans. As a result, the output is truncated above the last 131056 characters to capture the final change summary of the Terraform command.

Removed

• Drop id-token: write permission scope by removing "aws-actions/configure-aws-credentials" GitHub Action.

Fixed

• Split the argument on the first equals sign, instead of the last, to assign key-value pairs.
• Populate environment variables only if supplied, instead of always.
• Mask environment variables only if they're not prefixed with CONFIG_TF_, instead of all of them, to avoid masking non-sensitive configuration values of the reusable workflow.

Secured

• Support v7.0.0 onwards.
• Bring required permissions inline with default access (permissive) for GITHUB_TOKEN (per documentation).
• Conceive original method to pass any number of secrets from the caller workflow to the reusable workflow security as masked, encrypted environment variables without requiring external artifacts or secrets store (per documentation): demonstrated with caller_aws.yml.
• Environment variables with the prefix BASE64_ are decoded from Base64 twice to account for security hardening of GitHub Actions. As a result, Base64 values passed from the caller workflow have to be encoded twice with | base64 -w0 | base64 -w0 before output.

Commits changelog: v6.0.0...v7.0.0

v6.0.0: Support Multiple Arguments with the Same Key

Highlights

Added support for passing comma-separated values, enabling multiple arguments to be generated with the same key. Use-cases include -target and -replace of multiple resources addresses.

Added

• Dynamically pass comma-separated values as multiple arguments to the same key.

Changed

• Optional chaining to parse argument values, when they exist.
• Instead of GitHub expressions with ternary operators, iterate of terraform variables with bash logic to account for: boolean flags, comma-separated and standard arguments.

Removed

• -target and -replace parameters from the uniquely identifying name of the terraform plan file.

Fixed

• Remove quotation marks outside of square brackets from argument value to account for -target/-replace with quotation marks in the resource address.

Security

• Only support v6 onwards.

Commits changelog: v5.2.0...v6.0.0

v5.2.0: Improve Terraform Output

Fixed

• Select the latest terraform output summary for the collapsible content's header (e.g., terraform apply -auto-approve where both plan and apply summaries are present in the output).

Commits changelog: v5.1.0...v5.2.0

v5.1.0: Fix Terraform Output and Variable Interpolations

Fixed

• Start terraform output on newline in collapsible content body.
• Reorder priority in which collapsible content title is determined.
• Interpolate -var-file accordingly, in context of: terraform plan, apply and -auto-approve commands/flags.
• Filter out lines relating to reading or refreshing state from terraform apply -auto-approve.
• Add PR label only if it isn't there already.

Commits changelog: v5.0.0...v5.1.0

v5.0.0: Native Terraform CLI with Improved PR Comment Output

Highlights

Replaced slower "dflook/terraform-*" actions with "hashicorp/setup-terraform", resulting in the workflow finishing 51% faster, saving 37 seconds on average, compared to the previous version. Terraform commands are run in parallel resulting in exponential time gains, compared the previously sequential approach, though your backend will have to handle concurrency.

Added

• "hashicorp/setup-terraform" action to setup Terraform on the runner, for direct CLI interoperability, instead of slower "dflook/terraform-*" actions.
• Explicitly populate every single Terraform CLI input option into environment variables for reuse throughout commands.
• Explicitly pass Terraform environment variables for executing CLI via automation.
• Custom PR comment script for any and all Terraform stdout/stderr output. Include command trigger and authorship for improved audit trail.
• CONFIGURE_TF_CHDIR_PREFIX to avoid unnecessarily long and repetitive commands.
• Upload uniquely-identifiable terraform plan output using "actions/upload-artifact" for download (and unzip) on subsequent terraform apply run (with actions: read permission).
• Document workflow trigger on pull_request synchronize event for automated terraform plan runs on PR updates.
• Collapsible sections for definitions in README.
• [!IMPORTANT], [!NOTE] and [!WARNING] callouts in README.
• "hashicorp.hcl" extension to .devcontainer.

Changed

• PR label format from tf:<directory> to terraform:<command>.
• PR label color from #7B42BC to #5C4EE5 to match GitHub's Terraform label.
• issue_comment-triggered commit status is applied in "pre" job and updated accordingly (since pull_request-triggered workflow does not need it).
• Rename "parse" job to "pre".

Removed

• Concurrency is scrapped, since that should be handled by Terraform's backend.
• Max-parallel is no longer limited, since Terraform runs in CI/CD are preferred in parallel rather than sequentially.
• Deployment status is no longer attached to terraform apply.
• Terraform CLI options documentation, since they are all available now.

Fixed

• Split-string-on-spaces logic supports both single and double quotation marks.
• Empty lines within multi-line comments are discarded.

Security

• Only support v5 onwards.

Commits changelog: v4.1.0...v5.0.0

v4.1.0: Terraform plan automation on pull request synchronize

Highlights

Instead of manually triggering terraform plan with every change on a pull request, the workflow should now find the last PR comment starting with -terraform=plan and run it automatically.

Added

• Pull request synchronize trigger to automatically run the latest -terraform=plan comment on every pull request change.

Changed

• Rename CONFIGURE_AWS_ROLE_TO_ASSUME boolean condition to use CONFIGURE_AWS_ROLE instead to simplify AWS authentication.
• Color the "tf:" label to match Terraform's brand color.
• Enforce synchronous execution instead of parallel concurrency for consistently repeatable runs.

Commits changelog: v4.0.0...v4.1.0

v4.0.0: Terraform via PR Comments

Highlights

Per discussion#64, the original labels-driven workflow was limited in how many arguments could be passed in. This release overhauls the workflow to be triggered by PR comments instead, enabling the full breadth of Terraform CLI arguments to be run.

Added

• Tailored Terraform dev container for remote development on GitHub Codespaces.
• Catered for AWS accounts with multiple concurrent environments.
• Straightforward usage examples with functional sample Terraform configuration stacks.

Changed

• Organization ownership aligned with @DevSecTop, along with associated boilerplate .github configuration files.
• Adopted more permissive Apache 2.0 license.

Deprecated

• Labels-driven workflow.

New Contributors

• @dependabot made their first contribution in #68

Commits changelog: v3.0.0...v4.0.0

v3.0.0: Reusable terraform workflow

Highlights

Introduced a reusable workflow which can be referenced directly from your own repository, while still benefiting from future updates.

Added

• Reusable workflow in terraform.yml.
• Example runner in terraform-runner.yml.
• Automate initial environment-labelling of pull requests.
• Feature modes to replicate Terraform CLI: tf_destroy and tf_auto_approve.
• Boilerplate files for security, contributing, conduct, pull request template and issue templates.

Updated

• Merge 'plan' and 'apply' jobs into a single job with conditional logic.

Commits changelog: v2.0.0...v3.0.0