freundcloud

Terraform with GitHub Actions

Automate your Terraform deployments using GitHub Actions for secure, repeatable, and cloud-agnostic workflows. This guide covers best practices for Azure, but the pattern applies to AWS and GCP as well.

Prerequisites

  • Remote Terraform state (e.g., Azure Storage Account, AWS S3, or GCP Cloud Storage)
  • Service Principal (Azure) or equivalent credentials for AWS/GCP
  • Store credentials as GitHub Secrets (never commit credentials to code)

Step-by-Step: GitHub Actions Workflow for Terraform (Azure Example)

  1. Add the following workflow to .github/workflows/terraform.yml in your repo:
name: 'Terraform CI/CD'

on:
  push:
    branches:
      - main
  pull_request:

jobs:
  terraform:
    name: 'Terraform'
    runs-on: ubuntu-latest
    environment: production
    env:
      ARM_CLIENT_ID: ${{ secrets.AZURE_AD_CLIENT_ID }}
      ARM_CLIENT_SECRET: ${{ secrets.AZURE_AD_CLIENT_SECRET }}
      ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      ARM_TENANT_ID: ${{ secrets.AZURE_AD_TENANT_ID }}
    defaults:
      run:
        shell: bash
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up Terraform
        uses: hashicorp/setup-terraform@v3
      - name: Terraform Format
        run: terraform fmt -check
        working-directory: ./terraform
      - name: Terraform Init
        run: terraform init
        working-directory: ./terraform
      - name: Terraform Validate
        run: terraform validate
        working-directory: ./terraform
      - name: Terraform Plan
        run: terraform plan
        working-directory: ./terraform
      - name: Terraform Apply
        if: github.ref == 'refs/heads/main'
        run: terraform apply -auto-approve
        working-directory: ./terraform
  1. Add GitHub Secrets under your repository settings:
    • AZURE_AD_CLIENT_IDclientId from your Service Principal
    • AZURE_AD_CLIENT_SECRETclientSecret
    • AZURE_AD_TENANT_IDtenantId
    • AZURE_SUBSCRIPTION_IDsubscriptionId
    • (Optional) AZURE_CREDENTIALS → full JSON output for some modules

Best Practices

  • Use remote state for collaboration and disaster recovery
  • Store credentials only in GitHub Secrets or a secure vault
  • Use separate Service Principals for dev, staging, and prod
  • Rotate credentials regularly
  • Use the latest stable GitHub Actions and Terraform versions

References

Tip: For AWS and GCP, use the respective provider environment variables and credentials in the same workflow pattern.

Add to SUMMARY.md

- [Terraform with GitHub Actions](pages/terraform/terraform-with-github-actions.md)