Skip to main content

Atmos Terraform Apply

The Cloud Posse GitHub Action for "Atmos Terraform Apply" simplifies provisioning Terraform entirely within GitHub Action workflows. It makes it very easy to understand exactly what happened directly within the GitHub UI.

Given any component and stack in an Atmos supported infrastructure environment, github-action-atmos-terraform-apply will retrieve an existing Terraform planfile from a given S3 bucket using metadata stored inside a DynamoDB table, run atmos terraform apply with that planfile, and format the Terraform Apply result as part of a GitHub Workflow Job Summary.

This action is intended to be used together with Atmos Terraform Plan, as well as integrated into drift detection with Atmos Terraform Detection and Remediation GitHub Actions.

Features

This GitHub Action incorporates superior GitOps support for Terraform by utilizing the capabilities of Atmos, enabling efficient management of large enterprise-scale environments.

  • Implements Native GitOps with Atmos and Terraform tightly integrated with GitHub UI
  • No hardcoded credentials. Use GitHub OIDC to assume roles.
  • Compatible with GitHub Cloud & Self-hosted Runners for maximum flexibility.
  • Beautiful Job Summaries don't clutter up pull requests with noisy GitHub comments
  • 100% Open Source with Permissive APACHE2 License means there are no expensive subscriptions or long-term commitments.

Screenshots

In the following screenshot, we see a successful "apply" Job Summary report. The report utilizes badges to clearly indicate success or failure. Unnecessary details are neatly hidden behind a collapsible <details/> block, providing a streamlined view. Additionally, a direct link is provided to view the job run, eliminating the need for developers to search for information about any potential issues.

Example Image

Usage Example

In this example, the action is triggered when certain events occur, such as a manual workflow dispatch or the opening, synchronization, or reopening of a pull request, specifically on the main branch. It specifies specific permissions related to assuming roles in AWS. Within the "apply" job, the "component" and "stack" are hardcoded (foobar and plat-ue2-sandbox). In practice, these are usually derived from another action.

Passing Affected Stacks

We recommend combining this action with the affected-stacks GitHub Action inside a matrix to plan all affected stacks in parallel.

.github/workflows/atmos-terraform-apply.yaml

name: "atmos-terraform-apply"

on:
workflow_dispatch:
pull_request:
types:
- closed
branches:
- main

# These permissions are required for GitHub to assume roles in AWS
permissions:
id-token: write
contents: read

jobs:
apply:
runs-on: ubuntu-latest
steps:
- name: Terraform Apply
uses: cloudposse/github-action-atmos-terraform-apply@v2
with:
component: "foobar"
stack: "plat-ue2-sandbox"
sha: ${{ github.sha }}
atmos-config-path: ./rootfs/usr/local/etc/atmos/
atmos-version: 1.63.0

Requirements

This action has the requirements as Github Actions. Use the same S3 Bucket, DynamoDB table, IAM Roles and config described there.