AWS Configuration

This page explains the configuration for using the AWS Provider or S3 Backend. If you do not use these, you can skip this page.

When you use either of them, you must authenticate to AWS before running terraform init.

IAM Role Configuration

Configure the IAM Role to assume in tfaction-root.yaml or tfaction.yaml.

target_groups:
  - working_directory: ""
    aws_region: ap-northeast-1
    terraform_plan_config:
      aws_assume_role_arn: arn:aws:iam::000000000000:role/GitHubActions_Terraform_AWS_terraform_plan
    terraform_apply_config:
      aws_assume_role_arn: arn:aws:iam::000000000000:role/GitHubActions_Terraform_AWS_terraform_apply

You can use different IAM Roles for terraform plan and apply. For example, use a read-only IAM Role for plan and a more privileged IAM Role for apply.
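Added here as an example (not part of tfaction or its documentation): a small Ruby linter, using only the standard library YAML parser, that checks the target_groups configuration above before it is committed. It flags role ARNs that are not IAM role ARNs, groups where plan reuses the apply role, and groups that set a role but no aws_region. The sample config, its working directories and the all-zero account ID are constructed.

```ruby
require 'yaml'

# Constructed sample: the first group follows the recommendation, the second
# reuses the apply role for plan and omits aws_region.
SAMPLE_CONFIG = <<~YAML
  target_groups:
    - working_directory: aws/prod/
      aws_region: ap-northeast-1
      terraform_plan_config:
        aws_assume_role_arn: arn:aws:iam::000000000000:role/GitHubActions_Terraform_AWS_terraform_plan
      terraform_apply_config:
        aws_assume_role_arn: arn:aws:iam::000000000000:role/GitHubActions_Terraform_AWS_terraform_apply
    - working_directory: aws/dev/
      terraform_plan_config:
        aws_assume_role_arn: arn:aws:iam::000000000000:role/GitHubActions_Terraform_AWS_terraform_apply
      terraform_apply_config:
        aws_assume_role_arn: arn:aws:iam::000000000000:role/GitHubActions_Terraform_AWS_terraform_apply
YAML

# IAM role ARN: partition, 12-digit account ID, and a "role/" resource path.
ROLE_ARN = %r{\Aarn:aws(?:-[a-z]+)?:iam::\d{12}:role/[\w+=,.@/-]+\z}

# Returns an array of finding strings; an empty array means the config passed.
def lint_target_groups(yaml_text)
  config = YAML.safe_load(yaml_text)
  findings = []
  (config['target_groups'] || []).each do |group|
    wd = group['working_directory']
    plan = group.dig('terraform_plan_config', 'aws_assume_role_arn')
    apply = group.dig('terraform_apply_config', 'aws_assume_role_arn')
    [['plan', plan], ['apply', apply]].each do |phase, arn|
      next if arn.nil?
      findings << "#{wd}: #{phase} role '#{arn}' is not an IAM role ARN" unless arn.match?(ROLE_ARN)
    end
    # Using the apply role for plan hands write-capable credentials to every plan run.
    findings << "#{wd}: plan and apply use the same role; plan should use a read-only role" if plan && plan == apply
    # configure-aws-credentials needs a region once a role is configured.
    findings << "#{wd}: aws_region is missing but a role ARN is set" if (plan || apply) && group['aws_region'].nil?
  end
  findings
end

puts lint_target_groups(SAMPLE_CONFIG)
```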

In tfaction v1, the setup action executed aws-actions/configure-aws-credentials internally. Starting from v2, this is no longer done automatically, so you need to call it yourself, after the setup action and before terraform-init, as in the following workflow steps:

- name: Set up
  uses: suzuki-shunsuke/tfaction@latest
  id: setup
  with:
    action: setup
    github_token: ${{steps.generate_token.outputs.token}}

- uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
  if: steps.setup.outputs.aws_assume_role_arn != ''
  with:
    role-to-assume: ${{ steps.setup.outputs.aws_assume_role_arn }}
    role-session-name: ${{ steps.setup.outputs.aws_role_session_name }}
    aws-region: ${{ steps.setup.outputs.aws_region }}

- name: terraform init
  uses: suzuki-shunsuke/tfaction@latest
  with:
    action: terraform-init

Terraform Module

You can use terraform-aws-tfaction to create IAM Roles with the minimum required permissions. However, using this module is not mandatory.

OIDC

You can assume an IAM Role from GitHub Actions using OIDC. This is not directly related to tfaction, so we will not cover it in detail here.

https://docs.github.com/en/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-aws