» Terraform Plan Action

Runs terraform plan and comments back on the pull request with the plan output.

» Success Criteria

This action succeeds if terraform plan runs without error.

» Usage

To use the plan action, add it to your workflow file.

action "terraform plan" {
  # Replace <latest tag> with the latest tag from
  # https://github.com/hashicorp/terraform-github-actions/releases.
  uses = "hashicorp/terraform-github-actions/plan@<latest tag>"

  # `terraform plan` will always fail unless `terraform init` is run first.
  needs = "terraform init"

  # See Environment Variables below for details.
  env = {
    TF_ACTION_WORKING_DIR = "."
    TF_ACTION_WORKSPACE   = "default"
  }

  # If you need to specify additional arguments to terraform plan, add them here.
  # Otherwise, delete this line or leave the array empty.
  args = ["-var", "foo=bar"]

  # We need the GitHub token to be able to comment back on the pull request.
  secrets = ["GITHUB_TOKEN"]
}

action "terraform init" {
  uses = "hashicorp/terraform-github-actions/init@<latest tag>"
  secrets = ["GITHUB_TOKEN"]
}

» Environment Variables

Name	Default	Description
`TF_ACTION_WORKING_DIR`	`"."`	Which directory `plan` runs in. Relative to the root of the repo.
`TF_ACTION_COMMENT`	`"true"`	Set to `"false"` to disable commenting back on pull request.
`TF_ACTION_WORKSPACE`	`"default"`	Which Terraform workspace to run in.
`TF_ACTION_TFE_HOSTNAME`	`"app.terraform.io"`	If using Private Terraform Enterprise set this to its hostname.

» Workspaces

The plan action only supports running in a single Terraform workspace defined by the TF_ACTION_WORKSPACE environment variable.

If you need to run plan in multiple workspaces, see Workspaces.

» Secrets

Name	Description
`GITHUB_TOKEN`	Required for posting comments to the pull request unless `TF_ACTION_COMMENT = "false"`.
`TF_ACTION_TFE_TOKEN`	If using the Terraform Enterprise remote backend set this secret to a user API token.

You'll also likely need to add secrets for your providers, like AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY or GOOGLE_CREDENTIALS.

⚠️ WARNING ⚠️ These secrets could be exposed if the plan action is run on a malicious Terraform file. To avoid this, we recommend you do not use this action on public repos or repos where untrusted users can submit pull requests.

» Arguments

Arguments to plan will be appended to the terraform plan command:

action "terraform plan" {
  ...
  args = ["-var", "foo=bar", "-var-file=foo"]
}