├── .github └── FUNDING.yml ├── README.md ├── action.yaml └── validate.png /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | github: 2 | - dflook 3 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # terraform-validate action 2 | 3 | This is one of a suite of Terraform related actions - find them at [dflook/terraform-github-actions](https://github.com/dflook/terraform-github-actions). 4 | 5 | This action uses the `terraform validate` command to check that a Terraform configuration is valid. 6 | This can be used to check that a configuration is valid before creating a plan. 7 | 8 | Failing GitHub checks will be added for any problems found. 9 | 10 |

11 | An example of a failed validation check 12 |

13 | 14 | If the Terraform configuration is not valid, the build is failed. 15 | 16 | ## Inputs 17 | 18 | * `path` 19 | 20 | The path to the Terraform module to validate 21 | 22 | - Type: string 23 | - Optional 24 | - Default: The action workspace 25 | 26 | * `workspace` 27 | 28 | Terraform workspace to use for the `terraform.workspace` value while validating. Note that for remote operations in a cloud backend, this is always `default`. 29 | 30 | Also used for discovering the Terraform version to use, if not otherwise specified. 31 | See [dflook/terraform-version](https://github.com/dflook/terraform-github-actions/tree/main/terraform-version#terraform-version-action) for details. 32 | 33 | - Type: string 34 | - Optional 35 | - Default: `default` 36 | 37 | * `backend_config` 38 | 39 | List of Terraform backend config values, one per line. 40 | This is used for discovering the Terraform version to use, if not otherwise specified. 41 | See [dflook/terraform-version](https://github.com/dflook/terraform-github-actions/tree/main/terraform-version#terraform-version-action) for details. 42 | 43 | ```yaml 44 | with: 45 | backend_config: token=${{ secrets.BACKEND_TOKEN }} 46 | ``` 47 | 48 | - Type: string 49 | - Optional 50 | 51 | * `backend_config_file` 52 | 53 | List of Terraform backend config files to use, one per line. 54 | Paths should be relative to the GitHub Actions workspace 55 | This is used for discovering the Terraform version to use, if not otherwise specified. 56 | See [dflook/terraform-version](https://github.com/dflook/terraform-github-actions/tree/main/terraform-version#terraform-version-action) for details. 57 | 58 | ```yaml 59 | with: 60 | backend_config_file: prod.backend.tfvars 61 | ``` 62 | 63 | - Type: string 64 | - Optional 65 | 66 | ## Outputs 67 | 68 | * `failure-reason` 69 | 70 | When the job outcome is `failure` because the validation failed, this will be set to 'validate-failed'. 71 | If the job fails for any other reason this will not be set. 72 | This can be used with the Actions expression syntax to conditionally run a step when the validate fails. 73 | 74 | - Type: string 75 | 76 | ## Environment Variables 77 | 78 | * `GITHUB_DOT_COM_TOKEN` 79 | 80 | This is used to specify a token for GitHub.com when the action is running on a GitHub Enterprise instance. 81 | This is only used for downloading OpenTofu binaries from GitHub.com. 82 | If this is not set, an unauthenticated request will be made to GitHub.com to download the binary, which may be rate limited. 83 | 84 | - Type: string 85 | - Optional 86 | 87 | * `TERRAFORM_CLOUD_TOKENS` 88 | 89 | API tokens for cloud hosts, of the form `=`. Multiple tokens may be specified, one per line. 90 | These tokens may be used with the `remote` backend and for fetching required modules from the registry. 91 | 92 | e.g: 93 | 94 | ```yaml 95 | env: 96 | TERRAFORM_CLOUD_TOKENS: app.terraform.io=${{ secrets.TF_CLOUD_TOKEN }} 97 | ``` 98 | 99 | With other registries: 100 | 101 | ```yaml 102 | env: 103 | TERRAFORM_CLOUD_TOKENS: | 104 | app.terraform.io=${{ secrets.TF_CLOUD_TOKEN }} 105 | terraform.example.com=${{ secrets.TF_REGISTRY_TOKEN }} 106 | ``` 107 | 108 | - Type: string 109 | - Optional 110 | 111 | * `TERRAFORM_SSH_KEY` 112 | 113 | A SSH private key that Terraform will use to fetch git/mercurial module sources. 114 | 115 | This should be in PEM format. 116 | 117 | For example: 118 | 119 | ```yaml 120 | env: 121 | TERRAFORM_SSH_KEY: ${{ secrets.TERRAFORM_SSH_KEY }} 122 | ``` 123 | 124 | - Type: string 125 | - Optional 126 | 127 | * `TERRAFORM_HTTP_CREDENTIALS` 128 | 129 | Credentials that will be used for fetching modules sources with `git::http://`, `git::https://`, `http://` & `https://` schemes. 130 | 131 | Credentials have the format `=:`. Multiple credentials may be specified, one per line. 132 | 133 | Each credential is evaluated in order, and the first matching credentials are used. 134 | 135 | Credentials that are used by git (`git::http://`, `git::https://`) allow a path after the hostname. 136 | Paths are ignored by `http://` & `https://` schemes. 137 | For git module sources, a credential matches if each mentioned path segment is an exact match. 138 | 139 | For example: 140 | 141 | ```yaml 142 | env: 143 | TERRAFORM_HTTP_CREDENTIALS: | 144 | example.com=dflook:${{ secrets.HTTPS_PASSWORD }} 145 | github.com/dflook/terraform-github-actions.git=dflook-actions:${{ secrets.ACTIONS_PAT }} 146 | github.com/dflook=dflook:${{ secrets.DFLOOK_PAT }} 147 | github.com=graham:${{ secrets.GITHUB_PAT }} 148 | ``` 149 | 150 | - Type: string 151 | - Optional 152 | 153 | * `TERRAFORM_PRE_RUN` 154 | 155 | A set of commands that will be ran prior to `terraform init`. This can be used to customise the environment before running Terraform. 156 | 157 | The runtime environment for these actions is subject to change in minor version releases. If using this environment variable, specify the minor version of the action to use. 158 | 159 | The runtime image is currently based on `debian:bookworm`, with the command run using `bash -xeo pipefail`. 160 | 161 | For example: 162 | 163 | ```yaml 164 | env: 165 | TERRAFORM_PRE_RUN: | 166 | # Install latest Azure CLI 167 | curl -skL https://aka.ms/InstallAzureCLIDeb | bash 168 | 169 | # Install postgres client 170 | apt-get install -y --no-install-recommends postgresql-client 171 | ``` 172 | 173 | - Type: string 174 | - Optional 175 | 176 | ## Example usage 177 | 178 | This example workflow runs on every push and fails if the Terraform 179 | configuration is invalid. 180 | 181 | ```yaml 182 | on: [push] 183 | 184 | jobs: 185 | validate: 186 | runs-on: ubuntu-latest 187 | name: Validate Terraform module 188 | steps: 189 | - name: Checkout 190 | uses: actions/checkout@v4 191 | 192 | - name: terraform validate 193 | uses: dflook/terraform-validate@v2 194 | with: 195 | path: my-terraform-config 196 | ``` 197 | 198 | This example executes a run step only if the validation failed. 199 | 200 | ```yaml 201 | on: [push] 202 | 203 | jobs: 204 | validate: 205 | runs-on: ubuntu-latest 206 | name: Validate Terraform module 207 | steps: 208 | - name: Checkout 209 | uses: actions/checkout@v4 210 | 211 | - name: terraform validate 212 | uses: dflook/terraform-validate@v2 213 | id: validate 214 | with: 215 | path: my-terraform-config 216 | 217 | - name: Validate failed 218 | if: ${{ failure() && steps.validate.outputs.failure-reason == 'validate-failed' }} 219 | run: echo "terraform validate failed" 220 | ``` 221 | -------------------------------------------------------------------------------- /action.yaml: -------------------------------------------------------------------------------- 1 | name: terraform-validate 2 | description: Validate a Terraform configuration directory 3 | author: Daniel Flook 4 | 5 | inputs: 6 | path: 7 | description: The path to the Terraform module to validate 8 | required: false 9 | default: "." 10 | workspace: 11 | description: | 12 | Terraform workspace to use for the `terraform.workspace` value while validating. Note that for remote operations in a cloud backend, this is always `default`. 13 | 14 | Also used for discovering the Terraform version to use, if not otherwise specified. 15 | See [dflook/terraform-version](https://github.com/dflook/terraform-github-actions/tree/main/terraform-version#terraform-version-action) for details. 16 | required: false 17 | default: "default" 18 | backend_config: 19 | description: | 20 | List of Terraform backend config values, one per line. 21 | This is used for discovering the Terraform version to use, if not otherwise specified. 22 | See [dflook/terraform-version](https://github.com/dflook/terraform-github-actions/tree/main/terraform-version#terraform-version-action) for details. 23 | required: false 24 | default: "" 25 | backend_config_file: 26 | description: | 27 | List of Terraform backend config files to use, one per line. 28 | Paths should be relative to the GitHub Actions workspace 29 | This is used for discovering the Terraform version to use, if not otherwise specified. 30 | See [dflook/terraform-version](https://github.com/dflook/terraform-github-actions/tree/main/terraform-version#terraform-version-action) for details. 31 | required: false 32 | default: "" 33 | 34 | outputs: 35 | failure-reason: 36 | description: | 37 | When the job outcome is `failure` because the validation failed, this will be set to 'validate-failed'. 38 | If the job fails for any other reason this will not be set. 39 | This can be used with the Actions expression syntax to conditionally run a step when the validate fails. 40 | 41 | runs: 42 | using: docker 43 | image: docker://danielflook/terraform-github-actions@sha256:290d578d413241ec6245a906ee9a6812f15e6caf6e3fd70b9e7098fc47dc9a60 44 | entrypoint: /entrypoints/validate.sh 45 | 46 | branding: 47 | icon: globe 48 | color: purple 49 | -------------------------------------------------------------------------------- /validate.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dflook/terraform-validate/17dd9f24a2e9085562f32bcc8d2afc7a14c32c04/validate.png --------------------------------------------------------------------------------