Skip to main content

Atmos Terraform Apply

Simplify provisioning Terraform entirely from within GitHub Action workflows. This action makes it very easy to apply that changes from a terraform plan from directly within the GitHub UI. Use this action in your workflows to apply changes to your infrastructure.

Given any component and stack in an Atmos supported infrastructure environment, github-action-atmos-terraform-apply will retrieve an existing Terraform planfile from a given S3 bucket using metadata stored inside a DynamoDB table, run atmos terraform apply with that planfile, and format the Terraform Apply result as part of a GitHub Workflow Job Summary.

This action is intended to be used together with Atmos Terraform Plan, as well as integrated into drift detection with Atmos Terraform Detection and Remediation GitHub Actions.

Features​

This GitHub Action incorporates superior GitOps support for Terraform by utilizing the capabilities of Atmos, enabling efficient management of large enterprise-scale environments.

  • Implements Native GitOps with Atmos and Terraform tightly integrated with GitHub UI
  • No hardcoded credentials. Use GitHub OIDC to assume roles.
  • Compatible with GitHub Cloud & Self-hosted Runners for maximum flexibility.
  • Beautiful Job Summaries don't clutter up pull requests with noisy GitHub comments
  • 100% Open Source with Permissive APACHE2 License means there are no expensive subscriptions or long-term commitments.

Screenshots​

In the following screenshot, we see a successful "apply" Job Summary report. The report utilizes badges to clearly indicate success or failure. Unnecessary details are neatly hidden behind a collapsible <details/> block, providing a streamlined view. Additionally, a direct link is provided to view the job run, eliminating the need for developers to search for information about any potential issues.

Example Image

Usage Example​

In this example, the action is triggered when certain events occur, such as a manual workflow dispatch or the opening, synchronization, or reopening of a pull request, specifically on the main branch. It specifies specific permissions related to assuming roles in AWS. Within the "apply" job, the "component" and "stack" are hardcoded (foobar and plat-ue2-sandbox). In practice, these are usually derived from another action.

Passing Affected Stacks

We recommend combining this action with the affected-stacks GitHub Action inside a matrix to plan all affected stacks in parallel.

.github/workflows/atmos-terraform-apply.yaml

name: "atmos-terraform-apply"

on:
  workflow_dispatch:
  pull_request:
    types:
      - closed
    branches:
      - main

# These permissions are required for GitHub to assume roles in AWS
permissions:
  id-token: write
  contents: read

jobs:
  apply:
    runs-on: ubuntu-latest
    steps:
      - name: Terraform Apply
        uses: cloudposse/github-action-atmos-terraform-apply@v2
        with:
          component: "foobar"
          stack: "plat-ue2-sandbox"
          sha: ${{ github.sha }}          
          atmos-config-path: ./rootfs/usr/local/etc/atmos/
          atmos-version: 1.63.0

Requirements​

This action has the requirements as Github Actions. Use the same S3 Bucket, DynamoDB table, IAM Roles and config described there.