├── .github
└── FUNDING.yml
├── README.md
├── action.yaml
└── validate.png
/.github/FUNDING.yml:
--------------------------------------------------------------------------------
1 | github:
2 | - dflook
3 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # terraform-validate action
2 |
3 | This is one of a suite of Terraform related actions - find them at [dflook/terraform-github-actions](https://github.com/dflook/terraform-github-actions).
4 |
5 | This action uses the `terraform validate` command to check that a Terraform configuration is valid.
6 | This can be used to check that a configuration is valid before creating a plan.
7 |
8 | Failing GitHub checks will be added for any problems found.
9 |
10 |
11 |
12 |
13 |
14 | If the Terraform configuration is not valid, the build is failed.
15 |
16 | ## Inputs
17 |
18 | * `path`
19 |
20 | The path to the Terraform module to validate
21 |
22 | - Type: string
23 | - Optional
24 | - Default: The action workspace
25 |
26 | * `workspace`
27 |
28 | Terraform workspace to use for the `terraform.workspace` value while validating. Note that for remote operations in a cloud backend, this is always `default`.
29 |
30 | Also used for discovering the Terraform version to use, if not otherwise specified.
31 | See [dflook/terraform-version](https://github.com/dflook/terraform-github-actions/tree/main/terraform-version#terraform-version-action) for details.
32 |
33 | - Type: string
34 | - Optional
35 | - Default: `default`
36 |
37 | * `backend_config`
38 |
39 | List of Terraform backend config values, one per line.
40 | This is used for discovering the Terraform version to use, if not otherwise specified.
41 | See [dflook/terraform-version](https://github.com/dflook/terraform-github-actions/tree/main/terraform-version#terraform-version-action) for details.
42 |
43 | ```yaml
44 | with:
45 | backend_config: token=${{ secrets.BACKEND_TOKEN }}
46 | ```
47 |
48 | - Type: string
49 | - Optional
50 |
51 | * `backend_config_file`
52 |
53 | List of Terraform backend config files to use, one per line.
54 | Paths should be relative to the GitHub Actions workspace
55 | This is used for discovering the Terraform version to use, if not otherwise specified.
56 | See [dflook/terraform-version](https://github.com/dflook/terraform-github-actions/tree/main/terraform-version#terraform-version-action) for details.
57 |
58 | ```yaml
59 | with:
60 | backend_config_file: prod.backend.tfvars
61 | ```
62 |
63 | - Type: string
64 | - Optional
65 |
66 | ## Outputs
67 |
68 | * `failure-reason`
69 |
70 | When the job outcome is `failure` because the validation failed, this will be set to 'validate-failed'.
71 | If the job fails for any other reason this will not be set.
72 | This can be used with the Actions expression syntax to conditionally run a step when the validate fails.
73 |
74 | - Type: string
75 |
76 | ## Environment Variables
77 |
78 | * `GITHUB_DOT_COM_TOKEN`
79 |
80 | This is used to specify a token for GitHub.com when the action is running on a GitHub Enterprise instance.
81 | This is only used for downloading OpenTofu binaries from GitHub.com.
82 | If this is not set, an unauthenticated request will be made to GitHub.com to download the binary, which may be rate limited.
83 |
84 | - Type: string
85 | - Optional
86 |
87 | * `TERRAFORM_CLOUD_TOKENS`
88 |
89 | API tokens for cloud hosts, of the form `=`. Multiple tokens may be specified, one per line.
90 | These tokens may be used with the `remote` backend and for fetching required modules from the registry.
91 |
92 | e.g:
93 |
94 | ```yaml
95 | env:
96 | TERRAFORM_CLOUD_TOKENS: app.terraform.io=${{ secrets.TF_CLOUD_TOKEN }}
97 | ```
98 |
99 | With other registries:
100 |
101 | ```yaml
102 | env:
103 | TERRAFORM_CLOUD_TOKENS: |
104 | app.terraform.io=${{ secrets.TF_CLOUD_TOKEN }}
105 | terraform.example.com=${{ secrets.TF_REGISTRY_TOKEN }}
106 | ```
107 |
108 | - Type: string
109 | - Optional
110 |
111 | * `TERRAFORM_SSH_KEY`
112 |
113 | A SSH private key that Terraform will use to fetch git/mercurial module sources.
114 |
115 | This should be in PEM format.
116 |
117 | For example:
118 |
119 | ```yaml
120 | env:
121 | TERRAFORM_SSH_KEY: ${{ secrets.TERRAFORM_SSH_KEY }}
122 | ```
123 |
124 | - Type: string
125 | - Optional
126 |
127 | * `TERRAFORM_HTTP_CREDENTIALS`
128 |
129 | Credentials that will be used for fetching modules sources with `git::http://`, `git::https://`, `http://` & `https://` schemes.
130 |
131 | Credentials have the format `=:`. Multiple credentials may be specified, one per line.
132 |
133 | Each credential is evaluated in order, and the first matching credentials are used.
134 |
135 | Credentials that are used by git (`git::http://`, `git::https://`) allow a path after the hostname.
136 | Paths are ignored by `http://` & `https://` schemes.
137 | For git module sources, a credential matches if each mentioned path segment is an exact match.
138 |
139 | For example:
140 |
141 | ```yaml
142 | env:
143 | TERRAFORM_HTTP_CREDENTIALS: |
144 | example.com=dflook:${{ secrets.HTTPS_PASSWORD }}
145 | github.com/dflook/terraform-github-actions.git=dflook-actions:${{ secrets.ACTIONS_PAT }}
146 | github.com/dflook=dflook:${{ secrets.DFLOOK_PAT }}
147 | github.com=graham:${{ secrets.GITHUB_PAT }}
148 | ```
149 |
150 | - Type: string
151 | - Optional
152 |
153 | * `TERRAFORM_PRE_RUN`
154 |
155 | A set of commands that will be ran prior to `terraform init`. This can be used to customise the environment before running Terraform.
156 |
157 | The runtime environment for these actions is subject to change in minor version releases. If using this environment variable, specify the minor version of the action to use.
158 |
159 | The runtime image is currently based on `debian:bookworm`, with the command run using `bash -xeo pipefail`.
160 |
161 | For example:
162 |
163 | ```yaml
164 | env:
165 | TERRAFORM_PRE_RUN: |
166 | # Install latest Azure CLI
167 | curl -skL https://aka.ms/InstallAzureCLIDeb | bash
168 |
169 | # Install postgres client
170 | apt-get install -y --no-install-recommends postgresql-client
171 | ```
172 |
173 | - Type: string
174 | - Optional
175 |
176 | ## Example usage
177 |
178 | This example workflow runs on every push and fails if the Terraform
179 | configuration is invalid.
180 |
181 | ```yaml
182 | on: [push]
183 |
184 | jobs:
185 | validate:
186 | runs-on: ubuntu-latest
187 | name: Validate Terraform module
188 | steps:
189 | - name: Checkout
190 | uses: actions/checkout@v4
191 |
192 | - name: terraform validate
193 | uses: dflook/terraform-validate@v2
194 | with:
195 | path: my-terraform-config
196 | ```
197 |
198 | This example executes a run step only if the validation failed.
199 |
200 | ```yaml
201 | on: [push]
202 |
203 | jobs:
204 | validate:
205 | runs-on: ubuntu-latest
206 | name: Validate Terraform module
207 | steps:
208 | - name: Checkout
209 | uses: actions/checkout@v4
210 |
211 | - name: terraform validate
212 | uses: dflook/terraform-validate@v2
213 | id: validate
214 | with:
215 | path: my-terraform-config
216 |
217 | - name: Validate failed
218 | if: ${{ failure() && steps.validate.outputs.failure-reason == 'validate-failed' }}
219 | run: echo "terraform validate failed"
220 | ```
221 |
--------------------------------------------------------------------------------
/action.yaml:
--------------------------------------------------------------------------------
1 | name: terraform-validate
2 | description: Validate a Terraform configuration directory
3 | author: Daniel Flook
4 |
5 | inputs:
6 | path:
7 | description: The path to the Terraform module to validate
8 | required: false
9 | default: "."
10 | workspace:
11 | description: |
12 | Terraform workspace to use for the `terraform.workspace` value while validating. Note that for remote operations in a cloud backend, this is always `default`.
13 |
14 | Also used for discovering the Terraform version to use, if not otherwise specified.
15 | See [dflook/terraform-version](https://github.com/dflook/terraform-github-actions/tree/main/terraform-version#terraform-version-action) for details.
16 | required: false
17 | default: "default"
18 | backend_config:
19 | description: |
20 | List of Terraform backend config values, one per line.
21 | This is used for discovering the Terraform version to use, if not otherwise specified.
22 | See [dflook/terraform-version](https://github.com/dflook/terraform-github-actions/tree/main/terraform-version#terraform-version-action) for details.
23 | required: false
24 | default: ""
25 | backend_config_file:
26 | description: |
27 | List of Terraform backend config files to use, one per line.
28 | Paths should be relative to the GitHub Actions workspace
29 | This is used for discovering the Terraform version to use, if not otherwise specified.
30 | See [dflook/terraform-version](https://github.com/dflook/terraform-github-actions/tree/main/terraform-version#terraform-version-action) for details.
31 | required: false
32 | default: ""
33 |
34 | outputs:
35 | failure-reason:
36 | description: |
37 | When the job outcome is `failure` because the validation failed, this will be set to 'validate-failed'.
38 | If the job fails for any other reason this will not be set.
39 | This can be used with the Actions expression syntax to conditionally run a step when the validate fails.
40 |
41 | runs:
42 | using: docker
43 | image: docker://danielflook/terraform-github-actions@sha256:290d578d413241ec6245a906ee9a6812f15e6caf6e3fd70b9e7098fc47dc9a60
44 | entrypoint: /entrypoints/validate.sh
45 |
46 | branding:
47 | icon: globe
48 | color: purple
49 |
--------------------------------------------------------------------------------
/validate.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dflook/terraform-validate/17dd9f24a2e9085562f32bcc8d2afc7a14c32c04/validate.png
--------------------------------------------------------------------------------