**tf-plan-gcp** is a GitHub Action that runs `terraform plan` inside a prebuilt Docker container. It produces structured, collapsible plan output in the GitHub Actions log and is set up for Google Cloud workflows, reading credentials and Terraform secrets from GitHub Secrets.
- Containerized Execution → Runs inside a prebuilt Docker container with Terraform installed.
- Automatic Directory Handling → Changes into your Terraform directory (`workdir`) without manual setup.
- Collapsible Terraform Output → Groups each resource's changes into a collapsible block for better readability in GitHub logs.
- Google Cloud Credentials & Secrets Handling → Reads Google Cloud authentication and Terraform secrets from GitHub Secrets.
- Flexible Secret Passing → Pass multiple secrets as one JSON object and look them up by key in Terraform.
- No Terraform Install on the Runner → Terraform ships in the container, so nothing is installed on the host. Note that Docker container actions run on Linux runners only.
```yaml
- name: Run Terraform Plan
  uses: gusvega-dev/[email protected]
  env:
    GOOGLE_APPLICATION_CREDENTIALS: "${{ secrets.GCP_CREDENTIALS }}"
  with:
    workdir: "./terraform"
    secrets: '{"project_id":"${{ secrets.PROJECT_ID }}"}'
```
This step:
- Runs `terraform plan` inside the `./terraform` directory.
- Uses Google Cloud credentials from GitHub Secrets.
- Passes Terraform secrets as a JSON object.
- Displays structured Terraform logs inside GitHub Actions.

The value stored in `GCP_CREDENTIALS` is a long-lived service-account key. Grant that service account only the roles a plan needs (reading state and querying the APIs is normally enough, so read-only roles usually suffice), and rotate the key on a schedule.
The action accepts the following inputs:

| Name | Required | Default | Description |
|---|---|---|---|
| `workdir` | No | `.` | Working directory for Terraform execution, relative to the repository root. |
| `secrets` | No | `{}` | JSON object (a flat string-to-string map) containing Terraform secrets. |
```yaml
- name: Run Terraform Plan
  uses: gusvega-dev/[email protected]
  env:
    GOOGLE_APPLICATION_CREDENTIALS: "${{ secrets.GCP_CREDENTIALS }}"
  with:
    workdir: "./terraform"
    secrets: '{"project_id":"${{ secrets.PROJECT_ID }}", "api_key":"${{ secrets.API_KEY }}"}'
```
The secrets passed to the action are made available to Terraform through a `TF_VAR_`-prefixed environment variable: the JSON object is exported as `TF_VAR_secrets`, which Terraform reads as the value of a variable named `secrets`. Create a `variables.tf` file to declare that variable. Marking it `sensitive` makes Terraform redact the values in plan output:

```hcl
variable "secrets" {
  type      = map(string)
  sensitive = true # redact the values in plan and apply output
}
```

The secrets can then be accessed in Terraform by key:

```hcl
provider "google" {
  project = var.secrets["project_id"]
}

resource "some_resource" "example" {
  api_key = var.secrets["api_key"]
}
```

You can also output specific secrets for debugging purposes; an output that exposes a sensitive value must itself be marked `sensitive`:

```hcl
output "project_id" {
  value     = var.secrets["project_id"]
  sensitive = true
}
```

This lets Terraform use the secrets without hard-coding them in the configuration files. Note that `sensitive` only affects what Terraform prints: the values are still written in clear text to the Terraform state, so protect the state backend accordingly.
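The following pre-flight script is an added example and not code from the tf-plan-gcp action itself. It follows the contract described above (a flat JSON object becomes `TF_VAR_secrets`, i.e. Terraform's `var.secrets`) and adds the two checks a practitioner wants before Terraform runs: it rejects anything that is not a flat string-to-string map with non-empty values (an empty value almost always means the `${{ secrets.NAME }}` it came from is undefined, which GitHub silently expands to an empty string), and it registers every value with GitHub's `::add-mask::` command so the job log redacts it even when the value did not come straight from `${{ secrets.* }}` and Terraform or a later step prints it. The `INPUT_SECRETS` and `GITHUB_ENV` handling assumes the script runs as the entrypoint of a container action, where GitHub passes each input as `INPUT_<NAME>`.

```python
"""Pre-flight for the `secrets` input: validate it, mask it, export it.

Added example, not code from the tf-plan-gcp action. Assumes it runs as a
container action entrypoint (inputs arrive as INPUT_<NAME> environment
variables) and that Terraform reads var.secrets from TF_VAR_secrets.
"""
import json
import os
import sys


def parse_secrets(raw: str) -> dict[str, str]:
    """Parse the `secrets` input; only a flat object of non-empty strings is accepted."""
    try:
        data = json.loads(raw or "{}")
    except json.JSONDecodeError as exc:
        raise ValueError(f"secrets input is not valid JSON: {exc.msg}") from None
    if not isinstance(data, dict):
        raise ValueError("secrets input must be a JSON object")
    for key, value in data.items():
        if not isinstance(value, str):
            raise ValueError(f"secret {key!r} must be a string; nested values are not supported")
        if value == "":
            # An undefined ${{ secrets.NAME }} expands to "" instead of failing the job.
            raise ValueError(f"secret {key!r} is empty; is the GitHub secret defined?")
    return data


def mask_commands(secrets: dict[str, str]) -> list[str]:
    """Workflow commands that tell the runner to redact each value from the log.

    Multi-line values (PEM keys, JSON blobs) are masked line by line, since the
    runner matches masks against individual log lines.
    """
    return [
        f"::add-mask::{line}"
        for value in secrets.values()
        for line in value.splitlines()
        if line
    ]


def tf_var_value(secrets: dict[str, str]) -> str:
    """Compact JSON for TF_VAR_secrets (one line, as $GITHUB_ENV requires)."""
    return json.dumps(secrets, separators=(",", ":"))


def main() -> int:
    try:
        secrets = parse_secrets(os.environ.get("INPUT_SECRETS", "{}"))
    except ValueError as exc:
        print(f"::error::{exc}")
        return 1
    # Masks must be emitted before anything that might print a value.
    for cmd in mask_commands(secrets):
        print(cmd)
    value = tf_var_value(secrets)
    os.environ["TF_VAR_secrets"] = value      # for a terraform child process of this script
    env_file = os.environ.get("GITHUB_ENV")   # for terraform run in a later workflow step
    if env_file:
        with open(env_file, "a", encoding="utf-8") as fh:
            fh.write(f"TF_VAR_secrets={value}\n")
    # Log key names only, never values.
    print(f"exported TF_VAR_secrets with {len(secrets)} key(s): {', '.join(secrets)}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `INPUT_SECRETS='{"project_id":"my-proj"}' python preflight.py` before invoking `terraform plan`; a malformed or empty secret fails the step with a `::error::` annotation instead of surfacing later as a confusing provider error.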
The action exposes the following output:

| Name | Description |
|---|---|
| `plan_status` | The status of the Terraform Plan execution. |
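As an added illustration of the collapsible-output feature and the `plan_status` output (this is not the action's own code), the script below wraps each resource's change block from `terraform plan -no-color` in GitHub's `::group::` / `::endgroup::` workflow commands, so the log renders it collapsed, and derives a status from the exit code of `terraform plan -detailed-exitcode` (0 = no changes, 1 = error, 2 = changes present) together with the `Plan: N to add, ...` summary line. The sample plan text is constructed here, and the status strings are this example's own convention, not the action's.

```python
"""Collapsible plan output and a plan_status value for the GitHub log.

Added example, not code from the tf-plan-gcp action. The sample plan text
is constructed; the status strings are this example's own convention.
"""
import re

# Constructed sample in the shape `terraform plan -no-color` prints.
SAMPLE_PLAN = """\
Terraform will perform the following actions:

  # google_storage_bucket.example will be created
  + resource "google_storage_bucket" "example" {
      + location = "US"
      + name     = "example-bucket"
    }

  # google_compute_instance.old will be destroyed
  - resource "google_compute_instance" "old" {
      - name = "old" -> null
    }

Plan: 1 to add, 0 to change, 1 to destroy.
"""

# Matches "# <address> will be created|destroyed|updated in-place" and "must be replaced".
RESOURCE_HEADER = re.compile(r"^\s*# (\S+) ((?:will be|must be) .+?)\s*$")
SUMMARY = re.compile(r"^Plan: (\d+) to add, (\d+) to change, (\d+) to destroy\.")


def group_plan(text: str) -> list[str]:
    """Return the plan lines with each resource block inside a collapsible group."""
    out: list[str] = []
    in_group = False
    for line in text.splitlines():
        header = RESOURCE_HEADER.match(line)
        if header:
            if in_group:
                out.append("::endgroup::")
            out.append(f"::group::{header.group(1)} {header.group(2)}")
            in_group = True
        elif in_group and SUMMARY.match(line):
            out.append("::endgroup::")  # the summary belongs outside any group
            in_group = False
        out.append(line)
    if in_group:
        out.append("::endgroup::")
    return out


def plan_status(text: str, exit_code: int) -> str:
    """Status for the plan_status output; flags destroys so a later step can gate on them."""
    if exit_code == 1:
        return "error"
    if exit_code == 0:
        return "no-changes"
    summary = next(filter(None, map(SUMMARY.match, text.splitlines())), None)
    if summary is None:
        return "changes"  # exit code 2 but no parsable summary line
    add, change, destroy = (int(n) for n in summary.groups())
    kind = "changes-destructive" if destroy else "changes"
    return f"{kind} add={add} change={change} destroy={destroy}"


if __name__ == "__main__":
    print("\n".join(group_plan(SAMPLE_PLAN)))
    print(f"plan_status={plan_status(SAMPLE_PLAN, 2)}")
```

In a real entrypoint you would feed `group_plan` the captured stdout of `terraform plan -no-color -detailed-exitcode` and pass its exit code to `plan_status`; a status that starts with `changes-destructive` is a natural condition for a manual-approval gate before any apply step.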
GitHub Actions mounts the repository into `/github/workspace` inside the container, and files created there persist between steps of the same job.
- With `workdir: "./terraform"`, the Terraform directory inside the container is `/github/workspace/terraform`.
- The action switches to this directory before running, so Terraform commands execute in the expected location.
Below is a recommended structure for using this action within a repository:

```text
repo-root/
│── .github/
│   ├── workflows/
│   │   ├── terraform-plan.yml   # GitHub Action Workflow
│── terraform/
│   ├── main.tf                  # Terraform Configuration
│   ├── variables.tf             # Variables File
│   ├── outputs.tf               # Outputs File
│   ├── provider.tf              # Provider Configuration
│── README.md                    # Documentation
```
This is a complete Terraform CI pipeline using tf-plan-gcp. The `permissions` block limits the job's `GITHUB_TOKEN` to reading the repository, which is all a plan needs:

```yaml
name: Terraform CI
on:
  push:
    branches:
      - main
# Least privilege: the plan job only needs to read the repository.
permissions:
  contents: read
env:
  GOOGLE_APPLICATION_CREDENTIALS: "${{ secrets.GCP_CREDENTIALS }}"
jobs:
  terraform-plan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4
      - name: Run Terraform Plan
        uses: gusvega-dev/[email protected]
        with:
          workdir: "./terraform"
          secrets: '{"project_id":"${{ secrets.PROJECT_ID }}", "api_key":"${{ secrets.API_KEY }}"}'
```
This workflow:
- Automatically runs Terraform Plan on every push to `main`.
- Sets the Terraform directory via the `workdir` input.
- Uses Google Cloud credentials for authentication.
- Passes secrets from GitHub Secrets to be used within Terraform.
| Feature | tf-plan-gcp (This Action) | HashiCorp Action |
|---|---|---|
| Requires Terraform Install | No (Containerized) | Yes |
| Native GCP Support | Yes | No |
| Flexible Secret Handling | Yes (JSON object) | No |
| Structured Terraform Logs | Yes | No |
| Works Without Installing Terraform on the Runner | Yes (Linux runners; Docker container actions require a Linux host) | No (Requires Terraform Installed) |
If `terraform plan` fails, check the logs for errors:
- Check for syntax issues in your Terraform files.
- Verify that the Google Cloud credentials are correctly set in the `GOOGLE_APPLICATION_CREDENTIALS` environment variable. Note that outside this action, `GOOGLE_APPLICATION_CREDENTIALS` conventionally holds the path to a key file rather than the key JSON itself, and the Terraform `google` provider reads key JSON contents from `GOOGLE_CREDENTIALS`; if you run Terraform in another step, set the variable the way that step expects.

If Terraform cannot find your configuration, make sure:
- The `workdir` input is set to the correct path inside your repository.
- Your Terraform configuration exists in the specified directory.
If Terraform is failing due to missing secrets:
- Check that the secret exists in the repository or environment settings. An undefined `${{ secrets.NAME }}` expands to an empty string rather than failing the workflow.
- Verify that the secret is set without printing its value. GitHub masks registered secret values in the log, but the masking is best effort (it does not survive transformations such as base64 encoding or partial output), so never echo a secret, even for debugging. Pass it through `env` rather than interpolating it into the script, and test for presence only:

```yaml
- name: Check required secrets are set
  env:
    PROJECT_ID: ${{ secrets.PROJECT_ID }}
  run: |
    if [ -z "$PROJECT_ID" ]; then
      echo "::error::PROJECT_ID secret is not set"
      exit 1
    fi
```
- Ensure secrets are passed as a JSON object to the action.
As part of a broader Terraform automation suite, additional actions will be developed, including:
- Terraform Lint & Format
- Security Scan
- Cost Estimation
- Plan Validation
- Apply Execution
- Plan + Apply
- State Backup
- Post-Deployment Tests
- Change Management Logging
- Drift Detection
- Auto-Remediation
- Compliance Check
- Manual Approval for Remediation
- Validate Changes
- Deploy to Dev
- Integration Tests
- Manual Approval for Staging
- Deploy to Staging
- Security Scan Before Prod
- Deploy to Production
- Secrets Detection
- Secrets Rotation
- IAM Policy Review
- Dynamic Secrets Management
Stay tuned for updates as these become available.
This project is licensed under the MIT License.
Maintained by Gus Vega: @gusvega
For feature requests and issues, please open a GitHub Issue.
Use tf-plan-gcp in your Terraform pipelines today. Star this repository if you find it useful.