How to add a working directory
- Create S3 Buckets or Google Cloud Storage Buckets
  - For tfmigrate history files
- If you use AWS, create AWS IAM Roles: https://github.com/suzuki-shunsuke/terraform-aws-tfaction
- If you use GCP, create GCP Service Accounts
- Update tfaction-root.yaml if needed
- Scaffold the working directory
info
Since tfaction v0.7.0, the storage for Terraform plan files has been migrated from S3 or GCS to GitHub Actions Artifacts, so you no longer have to create buckets or set permissions for them.
Please see here for the details.
AWS IAM Role
To access AWS, tfaction uses aws-actions/configure-aws-credentials. tfaction supports configuring the role to assume per working directory and per build type.
e.g.
- working_directory: github/services/
  # ...
  terraform_plan_config:
    aws_assume_role_arn: arn:aws:iam::000000000000:role/GitHubActions_Terraform_AWS_terraform_plan
  tfmigrate_plan_config:
    aws_assume_role_arn: arn:aws:iam::000000000000:role/GitHubActions_Terraform_AWS_tfmigrate_plan
  terraform_apply_config:
    aws_assume_role_arn: arn:aws:iam::000000000000:role/GitHubActions_Terraform_AWS_terraform_apply
  tfmigrate_apply_config:
    aws_assume_role_arn: arn:aws:iam::000000000000:role/GitHubActions_Terraform_AWS_tfmigrate_apply
The four build types and the role each one assumes:
- tfmigrate_plan: Assume Role for tfmigrate-plan
- tfmigrate_apply: Assume Role for tfmigrate-apply
- terraform_plan: Assume Role for terraform-plan
- terraform_apply: Assume Role for terraform-apply
We provide a Terraform Module to create these IAM Roles.
https://github.com/suzuki-shunsuke/terraform-aws-tfaction
Required Permissions
terraform_plan
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::<S3 Bucket for Plan File>/*"
    }
  ]
}
terraform_apply
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::<S3 Bucket for Plan File>/*"
    }
  ]
}
tfmigrate_plan
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::<S3 Bucket for tfmigrate history>/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::<S3 Bucket for tfmigrate history>"
    }
  ]
}
tfmigrate_apply
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::<S3 Bucket for tfmigrate history>/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::<S3 Bucket for tfmigrate history>"
    }
  ]
}
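The point of splitting roles per build type is that a plan job (which runs on pull requests, before review) only ever gets read access to the tfmigrate history bucket, while write access is reserved for the apply job. The following added example, which is not part of tfaction or its docs, checks both halves of that: it loads the two tfmigrate policies from above as Python dicts and verifies that no `*_plan` role can write to the history bucket and that `tfmigrate_apply` can, and it reads a working-directory config shaped like the YAML above to confirm plan and apply never share one `aws_assume_role_arn`. The bucket ARN and the helper names are constructed for this example; the plan-file policies are left out because, since v0.7.0, plan files live in GitHub Actions Artifacts rather than S3.

```python
"""Least-privilege checks for tfaction per-build-type IAM roles (added example, not tfaction code)."""

# Constructed placeholder for the "<S3 Bucket for tfmigrate history>" ARN used on the page.
HISTORY_BUCKET_ARN = "arn:aws:s3:::example-tfmigrate-history"

# The two tfmigrate policies from the page, keyed by build type, with the placeholder substituted.
POLICIES = {
    "tfmigrate_plan": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": HISTORY_BUCKET_ARN + "/*"},
            {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": HISTORY_BUCKET_ARN},
        ],
    },
    "tfmigrate_apply": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": HISTORY_BUCKET_ARN + "/*"},
            {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": HISTORY_BUCKET_ARN},
        ],
    },
}

# Constructed working-directory entry mirroring the YAML example (one role per build type).
TARGET = {
    "working_directory": "github/services/",
    "terraform_plan_config": {"aws_assume_role_arn": "arn:aws:iam::000000000000:role/GitHubActions_Terraform_AWS_terraform_plan"},
    "tfmigrate_plan_config": {"aws_assume_role_arn": "arn:aws:iam::000000000000:role/GitHubActions_Terraform_AWS_tfmigrate_plan"},
    "terraform_apply_config": {"aws_assume_role_arn": "arn:aws:iam::000000000000:role/GitHubActions_Terraform_AWS_terraform_apply"},
    "tfmigrate_apply_config": {"aws_assume_role_arn": "arn:aws:iam::000000000000:role/GitHubActions_Terraform_AWS_tfmigrate_apply"},
}

# S3 actions that modify the history bucket; a plan job must never hold these.
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject"}


def allowed_actions(policy, bucket_arn):
    """Collect every Allow-ed action whose Resource is the bucket itself or an object inside it."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):          # IAM allows a bare string or a list
            resources = [resources]
        if any(r == bucket_arn or r.startswith(bucket_arn + "/") for r in resources):
            acts = stmt.get("Action", [])
            if isinstance(acts, str):
                acts = [acts]
            actions.update(acts)
    return actions


def check_history_bucket_policies(policies, bucket_arn=HISTORY_BUCKET_ARN):
    """Return findings: plan roles must be read-only on the history bucket, tfmigrate_apply must write to it."""
    findings = []
    for build_type, policy in policies.items():
        acts = allowed_actions(policy, bucket_arn)
        if build_type.endswith("_plan") and acts & WRITE_ACTIONS:
            findings.append(f"{build_type}: write actions {sorted(acts & WRITE_ACTIONS)} on history bucket")
        if build_type == "tfmigrate_apply" and "s3:PutObject" not in acts:
            findings.append("tfmigrate_apply: missing s3:PutObject on history bucket")
    return findings


def check_distinct_roles(target):
    """Return findings for any plan/apply pair in a working-directory config that assumes the same role."""
    arns = {}
    for key, cfg in target.items():
        if key.endswith("_config") and isinstance(cfg, dict) and "aws_assume_role_arn" in cfg:
            arns[key[: -len("_config")]] = cfg["aws_assume_role_arn"]
    findings = []
    for plan in ("terraform_plan", "tfmigrate_plan"):
        apply_ = plan.replace("_plan", "_apply")
        if plan in arns and apply_ in arns and arns[plan] == arns[apply_]:
            findings.append(f"{plan} and {apply_} share role {arns[plan]}")
    return findings


if __name__ == "__main__":
    problems = check_history_bucket_policies(POLICIES) + check_distinct_roles(TARGET)
    print("\n".join(problems) if problems else "OK: plan roles are read-only on the history bucket and roles are distinct")
```

Run against the page's own policies and config the checks return no findings; feeding it a `tfmigrate_plan` policy that also grants `s3:PutObject`, or a config that points both `tfmigrate_plan_config` and `tfmigrate_apply_config` at one role, produces a finding naming the build type. The same shape of check works for the GCP section by keying on `gcp_service_account` instead of `aws_assume_role_arn`.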
GCP
To access GCP, tfaction uses google-github-actions/auth. tfaction supports configuring Service Accounts per working directory and per build type.
e.g.
- working_directory: github/services/
  # ...
  terraform_plan_config:
    gcp_service_account: terraform-plan@my-project.iam.gserviceaccount.com
    gcp_workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
  tfmigrate_plan_config:
    gcp_service_account: tfmigrate-plan@my-project.iam.gserviceaccount.com
    gcp_workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
  terraform_apply_config:
    gcp_service_account: terraform-apply@my-project.iam.gserviceaccount.com
    gcp_workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
  tfmigrate_apply_config:
    gcp_service_account: tfmigrate-apply@my-project.iam.gserviceaccount.com
    gcp_workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'