Upgrade to v2

warning

v2 hasn't been released yet. The content of this page is unstable.

This document describes how to upgrade to v2. The upgrade has some breaking changes.

Upgrade Using AI

Prompt:

Upgrade tfaction to v2 according to the guide.

Prerequisites

tfaction is a set of GitHub Actions for Terraform. It has a configuration file named tfaction-root.yaml. By default, it is located in the root directory of the repository. If it isn't found there, check the environment variable TFACTION_CONFIG in the workflow files.

Overview

Replace suzuki-shunsuke/tfaction/* with suzuki-shunsuke/tfaction-action and set the input action

Previously, tfaction was composed of many separate actions. As of v2, it has been fully rewritten as a single JavaScript Action. The input action selects the functionality to run, such as plan, apply, or test.

Before:

uses: suzuki-shunsuke/tfaction/plan@v1.20.1

After:

uses: suzuki-shunsuke/tfaction@347350d46b42cfd1b7dfec08385cfb2d196ae657 # v2.0.0-0
with:
  action: plan

The input action supports the following values:

  • apply
  • create-drift-issues
  • create-follow-up-pr
  • create-scaffold-module-pr
  • create-scaffold-pr
  • export-aws-secrets-manager
  • export-secrets
  • generate-config-out
  • get-global-config
  • get-or-create-drift-issue
  • get-target-config
  • list-targets
  • pick-out-drift-issues
  • plan
  • release-module
  • scaffold-module
  • scaffold-tfmigrate
  • scaffold-working-dir
  • set-drift-env
  • setup
  • sync-drift-issue-description
  • terraform-init
  • test
  • test-module
  • update-drift-issue
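A check for the replacement described above, written for this guide as an added example (it is not part of tfaction). It scans workflow text for v1-style `suzuki-shunsuke/tfaction/<name>` references, reports the `action` value to set, and flags any tfaction reference that is not pinned to a full commit SHA as the "After" examples are. The function name `audit_workflow` and the sample workflow are constructed for illustration.

```python
import re

# Values of the `action` input listed in this guide.
SUPPORTED = set("""
apply create-drift-issues create-follow-up-pr create-scaffold-module-pr
create-scaffold-pr export-aws-secrets-manager export-secrets
generate-config-out get-global-config get-or-create-drift-issue
get-target-config list-targets pick-out-drift-issues plan release-module
scaffold-module scaffold-tfmigrate scaffold-working-dir set-drift-env setup
sync-drift-issue-description terraform-init test test-module update-drift-issue
""".split())

USES_RE = re.compile(r"uses:\s*suzuki-shunsuke/tfaction(?:/([\w-]+))?@(\S+)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")

def audit_workflow(text):
    """Return (line_number, message) findings for tfaction references."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # ignore commented-out steps
        m = USES_RE.search(line)
        if not m:
            continue
        sub, ref = m.groups()
        if sub in SUPPORTED:
            findings.append((no, f"v1 sub-action: use suzuki-shunsuke/tfaction with action: {sub}"))
        elif sub is not None:
            findings.append((no, f"v1 sub-action '{sub}' is not a listed action value: migrate by hand"))
        if not FULL_SHA.fullmatch(ref):
            findings.append((no, f"ref '{ref}' is not a full commit SHA"))
    return findings

# Constructed sample workflow; 'example-unlisted' is a made-up sub-action name.
SAMPLE = """\
steps:
  - uses: suzuki-shunsuke/tfaction/plan@v1.20.1
  - uses: suzuki-shunsuke/tfaction@347350d46b42cfd1b7dfec08385cfb2d196ae657 # v2.0.0-0
    with:
      action: plan
  - uses: suzuki-shunsuke/tfaction/example-unlisted@v1.20.1
"""

if __name__ == "__main__":
    for no, msg in audit_workflow(SAMPLE):
        print(f"line {no}: {msg}")
```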

Modify authentication

  • Run aws-actions/configure-aws-credentials and google-github-actions/auth after setup if necessary
  • Run terraform-init action after setup

The setup action doesn't run aws-actions/configure-aws-credentials or google-github-actions/auth, and it doesn't run terraform init.

e.g.

- name: Set up
  uses: suzuki-shunsuke/tfaction@347350d46b42cfd1b7dfec08385cfb2d196ae657 # v2.0.0-0
  id: setup
  with:
    action: setup
    github_token: ${{steps.token.outputs.token}}
    securefix_action_app_id: ${{vars.SECUREFIX_ACTION_CLIENT_APP_ID}}
    securefix_action_app_private_key: ${{secrets.SECUREFIX_ACTION_CLIENT_APP_PRIVATE_KEY}}

- uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
  if: steps.setup.outputs.aws_assume_role_arn != ''
  with:
    role-to-assume: ${{ steps.setup.outputs.aws_assume_role_arn }}
    role-session-name: ${{ steps.setup.outputs.aws_role_session_name }}
    aws-region: ${{ steps.setup.outputs.aws_region }}

- name: Get Secrets from AWS Secrets Manager
  if: steps.setup.outputs.aws_assume_role_arn != ''
  uses: suzuki-shunsuke/tfaction@347350d46b42cfd1b7dfec08385cfb2d196ae657 # v2.0.0-0
  with:
    action: export-aws-secrets-manager

- name: terraform init
  uses: suzuki-shunsuke/tfaction@347350d46b42cfd1b7dfec08385cfb2d196ae657 # v2.0.0-0
  with:
    action: terraform-init

Replace tfaction-go

If you haven't used tfaction-go, you can skip this step.

tfaction-go's subcommands:

  • create-drift-issues
  • get-or-create-drift-issue
  • pick-out-drift-issues

Before:

- run: tfaction create-drift-issues

After:

- uses: suzuki-shunsuke/tfaction@347350d46b42cfd1b7dfec08385cfb2d196ae657 # v2.0.0-0
  with:
    action: create-drift-issues

Change plan_workflow_name from the workflow name to the workflow file name

Before:

plan_workflow_name: test

After:

plan_workflow_name: test.yaml

Remove configuration for tfsec

Remove the setting from tfaction-root.yaml.

tfsec:
  enabled: true

If you want to use trivy instead, you can enable it in tfaction-root.yaml. trivy is enabled by default.

trivy:
  enabled: true

Remove target from label_prefixes

The labels target:<target> were abandoned.

label_prefixes:
  target: "target:" # Remove the key `target`

Replace the setting conftest_policy_directory with conftest

Before:

conftest_policy_directory: policy

After:

conftest:
  policies:
    - policy: policy
      plan: true

Configure conftest explicitly if you want to run Conftest

As of tfaction v2, tfaction doesn't run Conftest implicitly, even if the directory policy exists. Conftest runs only when it is configured explicitly.

e.g.

conftest:
  policies:
    - policy: policy
      plan: true

Replace .target_groups[].target with the setting replace_target

Before:

target_groups:
  - working_directory: github/services/
    target: github/

After:

replace_target:
  patterns:
    - regexp: /services/
      replace: /

Replace replace with the setting replace_target

replace was renamed to replace_target.

Before:

replace:
  patterns:
    - regexp: /services/
      replace: /

After:

replace_target:
  patterns:
    - regexp: /services/
      replace: /

Modify .follow_up_pr_group_label to .follow_up_pr.group_label

Before:

follow_up_pr_group_label:
  enabled: true
  prefix: "tfaction:follow-up-pr-group/"

After:

follow_up_pr:
  group_label:
    enabled: true
    prefix: "tfaction:follow-up-pr-group/"
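The tfaction-root.yaml changes from the sections above (tfsec, label_prefixes, conftest, replace, follow_up_pr), applied in one pass. This is an added example, not code from tfaction. It works on a config that has already been parsed into a dict, and it reports the items that need a manual edit, including the case where Conftest would stop running because it is no longer configured. The name `migrate_root_config`, the `.yaml`/`.yml` suffix check and the sample config are assumptions made for illustration.

```python
import copy

def migrate_root_config(old):
    """Apply this guide's renames to a parsed tfaction-root.yaml (a dict).

    Returns (new_config, notes); notes list what changed or needs a manual edit.
    """
    cfg, notes = copy.deepcopy(old), []
    if cfg.pop("tfsec", None) is not None:
        notes.append("removed tfsec; trivy is enabled by default")
    prefixes = cfg.get("label_prefixes")
    if isinstance(prefixes, dict):
        prefixes.pop("target", None)  # target:<target> labels were abandoned
    if "conftest_policy_directory" in cfg:
        policy = cfg.pop("conftest_policy_directory")
        cfg.setdefault("conftest", {}).setdefault("policies", []).append(
            {"policy": policy, "plan": True})
    if "replace" in cfg:
        cfg["replace_target"] = cfg.pop("replace")
    if "follow_up_pr_group_label" in cfg:
        label = cfg.pop("follow_up_pr_group_label")
        cfg.setdefault("follow_up_pr", {})["group_label"] = label
    # Assumption: a workflow file name ends in .yaml or .yml.
    name = cfg.get("plan_workflow_name")
    if isinstance(name, str) and not name.endswith((".yaml", ".yml")):
        notes.append(f"plan_workflow_name '{name}' must be the workflow file name")
    for group in cfg.get("target_groups") or []:
        if "target" in group:
            notes.append(f"rewrite target_groups target '{group['target']}' "
                         "as a replace_target pattern")
    if "conftest" not in cfg:
        notes.append("conftest is not configured: v2 will not run Conftest")
    return cfg, notes

# Constructed sample built from the "Before" snippets in this guide.
OLD = {
    "plan_workflow_name": "test",
    "tfsec": {"enabled": True},
    "label_prefixes": {"target": "target:"},
    "conftest_policy_directory": "policy",
    "replace": {"patterns": [{"regexp": "/services/", "replace": "/"}]},
    "follow_up_pr_group_label": {"enabled": True, "prefix": "tfaction:follow-up-pr-group/"},
    "target_groups": [{"working_directory": "github/services/", "target": "github/"}],
}

if __name__ == "__main__":
    new, notes = migrate_root_config(OLD)
    print(new)
    print("\n".join(notes))
```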

Modify template files to use Handlebars

Handlebars

You need to modify placeholders in template files.

  • Change %%...%% to {{...}}
  • Change the placeholder names to lowercase

Before:

%%MODULE_NAME%%

After:

{{module_name}}

CI doesn't fail anymore even if the pull request is created by Renovate and terraform plan has changes

#3571

Previously, tfaction failed if the pull request was created by Renovate and terraform plan had changes. To pass CI, you needed to add the label renovate-change to the pull request.

As of tfaction v2, tfaction doesn't fail anymore. Instead, tfaction disables auto-merge if the pull request is created by Renovate and terraform plan has changes. If accept_change_by_renovate: true is set in tfaction.yaml, auto-merge isn't disabled. In general, accept_change_by_renovate: true shouldn't be set. This setting is used in test directories to test workflow changes in pull request CI.