This is the changelog for dflook/terraform-github-actions. All notable changes to this project will be documented in this file.
For more information see the README.md.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
The actions are versioned as a suite. Some actions may have no change in behaviour between versions.
When using an action you can specify the version as:
- @v1.46.1 to use an exact release
- @v1.46 to use the latest patch release for the specific minor version
- @v1 to use the latest patch release for the specific major version
1.46.1 - 2025-01-24
- Reading of the required_version constraint from .tf files has been made more robust.
  Previously this could fail if the file was particularly complex, using newer Terraform/OpenTofu features, or was malformed.
1.46.0 - 2025-01-14
- Support for Terraform 1.10 ephemeral input variables.
  Terraform 1.10 introduced ephemeral values, which are not stored in the plan or state file. Ephemeral variables now work correctly with dflook/terraform-apply. These can be set normally using the variables input.
1.45.0 - 2024-12-24
- dflook/tofu-* actions can now read the OpenTofu version from a tofuenv .opentofu-version file in the module path. See dflook/tofu-version for details.
1.44.0 - 2024-08-04
- Outdated comments are now minimised in the GitHub UI, making it easier to find the most recent plan.
1.43.0 - 2024-06-01
- New dflook/terraform-test and dflook/tofu-test actions.
  These can be used to run automated tests on Terraform/OpenTofu modules using the built-in test command.
1.42.1 - 2024-05-28
- required_version constraints that prefix the version number with v now work correctly.
  Previously a required_version constraint like >=v1.0.0 would not be recognised as a valid constraint. This does not appear to be documented anywhere, but Terraform does accept them.
1.42.0 - 2024-03-01
- A new GITHUB_DOT_COM_TOKEN environment variable may be set to an authentication token to use for GitHub.com API requests.
  This is only useful to avoid rate limiting when using the actions with GitHub Enterprise together with OpenTofu.
  Normally the GITHUB_TOKEN environment variable is used for API requests. When using GitHub Enterprise, the GITHUB_TOKEN is the token for the GitHub Enterprise instance, and not the GitHub.com API. OpenTofu requires the GitHub.com API to fetch release information.
1.41.2 - 2024-02-11
- Integration with Terraform cloud workspaces using Terraform >=1.6.
  Previously applying a plan to a Terraform cloud workspace that used Terraform >=1.6 would fail.
1.41.1 - 2024-01-17
- Reading the terraform version from a .tool-versions file in the workspace root. Previously this was only working when the .tool-versions file was in a subdirectory of the workspace.
1.41.0 - 2024-01-12
- Downloaded OpenTofu checksum files are now verified using the OpenTofu public gpg key, beginning with OpenTofu v1.6.0.
1.40.0 - 2024-01-10
- An optional plan_path input for dflook/terraform-apply, and matching plan_path output for dflook/terraform-plan.
  This allows passing the generated plan from the plan step to the apply step, if you have a secure place to store it.
  The default behaviour when this is not set is unchanged - the apply step will generate a fresh plan and compare it to the plan from the PR comment. By passing the plan from the plan step to the apply step, the apply step will skip generating a plan and use the passed plan instead. It must still match the plan in the PR comment.
  This can be much faster than planning the same change twice, but is not necessarily a better choice. See the dflook/terraform-apply docs for details.
- A new to_import output for dflook/terraform-plan, which is the number of resources that would be imported by the plan.
  This joins the existing to_add, to_change, to_destroy and to_move outputs.
1.39.0 - 2023-12-24
- Coloured highlighting for the plan in PR comments.
  The plan shown in PR comments now uses diff syntax highlighting, making it easier to see the effect of the plan.
- Some workarounds were added for defective self-hosted runners that run docker based actions in broken environments.
  This includes Actions Runner Controller with containerMode: "kubernetes".
1.38.0 - 2023-12-08
- Terraform outputs are added to the PR comment after the plan is applied.
  This is useful for seeing the values of outputs that are only available after apply, e.g. the public IP of a created resource. Previously this was only visible in the workflow log.
- The new always-new option for the add_github_comment input of dflook/terraform-plan.
  This will always add a new comment for each plan that is generated, instead of updating an existing comment if one exists. This can be preferable if you are iterating on a plan and want to see each plan in the correct place in the PR timeline.
  The default behaviour is unchanged and will update an existing comment if one exists, hiding outdated plans. The history of the plan is visible in the comment history.
- PR comments will no longer be updated once a plan has been applied.
  When dflook/terraform-apply applies a plan, any PR comment will be updated with the results of the apply, and then no further updates will be made. Any further plans generated by dflook/terraform-plan will result in a new plan in a different PR comment.
  This is to avoid the comment being updated after the plan has been applied, which can be confusing. This would only happen if your workflow is to apply changes before merging the PR.
1.37.0 - 2023-10-29
- Experimental support for OpenTofu.
  New tofu actions have been added that are identical to the terraform actions, but use OpenTofu instead of Terraform for versions >= 1.6.0:
  - dflook/tofu-version
  - dflook/tofu-remote-state
  - dflook/tofu-output
  - dflook/tofu-validate
  - dflook/tofu-fmt-check
  - dflook/tofu-fmt
  - dflook/tofu-check
  - dflook/tofu-plan
  - dflook/tofu-apply
  - dflook/tofu-destroy
  - dflook/tofu-new-workspace
  - dflook/tofu-destroy-workspace
  - dflook/tofu-unlock-state
  As OpenTofu currently only has pre-release versions, OpenTofu will only be selected by using the exact version number. The easiest way to do this is by setting the OPENTOFU_VERSION environment variable, e.g. in your workflow:
      env:
        OPENTOFU_VERSION: 1.6.0-alpha3
  Setting OPENTOFU_VERSION with the dflook/terraform-* actions will cause it to behave as if it was the dflook/tofu-* action.
1.36.2 - 2023-08-17
- When no terraform version is specified and no state file exists the actions will now use the latest terraform version, instead of incorrectly using Terraform 0.9.
1.36.1 - 2023-07-15
- The selected workspace was not being shown in the workflow log when using a partial cloud block.
1.36.0 - 2023-06-27
- Support for being triggered by repository_dispatch events.
  Previously dflook/terraform-plan and dflook/terraform-apply couldn't work with PR comments when triggered by repository_dispatch events. With this change repository_dispatch events that include the PR api url in the client payload will be able to use PR comments.
  The minimum client payload looks like:
      {
        "pull_request": {
          "url": "https://api.github.com/repos/dflook/terraform-github-actions/pulls/1"
        }
      }
1.35.0 - 2023-06-18
- Support for partial or empty cloud blocks. This means you can use a placeholder cloud block in your terraform, like so:
      terraform {
        cloud {
        }
      }
  The configuration will be completed with the TF_CLOUD_ORGANIZATION and TF_CLOUD_HOSTNAME environment variables - the workspace should be specified using the workspace input.
  As always, any tokens can be supplied in the TERRAFORM_CLOUD_TOKENS environment variable.
1.34.0 - 2023-03-10
- The action image now also builds for arm64, meaning these actions will work on linux/arm64 runners.
- Workaround Terraform 1.4.0 sometimes forgetting to output anything.
1.33.0 - 2023-02-28
- The dflook/terraform-plan and dflook/terraform-apply actions now have a destroy input. When set to true terraform will run in destroy mode, planning the destruction of all resources. This allows reviewing the effect of a destroy before applying it.
  The dflook/terraform-destroy action is unchanged and will still immediately destroy all resources.
1.32.1 - 2023-02-02
- When triggered by issue_comment or pull_request_review_comment events, the action will first add a 👍 reaction to the comment.
1.32.0 - 2023-01-28
- A new dflook/terraform-state-unlock action. Thanks patricktalmeida for working on this!
- Actions that fail because the state was locked will now have the failure-reason output set to state-locked. They also have a new lock-info output which is a json object with any available lock information. This affects dflook/terraform-apply, dflook/terraform-destroy, and dflook/terraform-destroy-workspace.
- If a terraform operation fails because the state is locked the failure-reason output will now be set to state-locked, where before it may have been apply-failed or destroy-failed.
1.31.1 - 2022-12-01
- Failing to read backend config files for the purpose of identifying the backend state. This meant multiple plans with only different backend config files would overwrite each other's PR comments.
1.31.0 - 2022-11-22
- Values in the variables input of dflook/terraform-plan will be masked in the PR comment if the Terraform variable is marked 'sensitive'. Previously a label was required to avoid revealing sensitive values.
1.30.0 - 2022-11-19
- The TERRAFORM_ACTIONS_GITHUB_TOKEN environment variable can be set to the github token for the actions to use instead of using GITHUB_TOKEN. This is useful if using the terraform GitHub provider which also uses the GITHUB_TOKEN variable, allowing the github actions and terraform provider to use separate tokens.
- The GITHUB_TOKEN/TERRAFORM_ACTIONS_GITHUB_TOKEN can now be a github app token or fine grained personal access token. As before, it can also be a classic PAT or use the token provided by github actions.
1.29.1 - 2022-10-24
- Multiline string terraform outputs are now properly set as action outputs, and properly masked in the workflow log.
1.29.0 - 2022-10-17
- Terraform executables are integrity checked using Hashicorp signed checksums before use.
1.28.1 - 2022-10-17
- GITHUB_OUTPUT: unbound variable errors with v1.28.0 on self-hosted runners with older runner versions.
1.28.0 - 2022-10-12
- Terraform version detection rules updated to include information about backends removed in Terraform 1.3.
- Deprecation warnings about the set-output actions workflow command.
1.27.0 - 2022-08-07
- dflook/terraform-plan and dflook/terraform-apply now work with plans that are too large to fit in a PR comment.
  If the plan is too large it will be truncated in the comment, with the full plan viewable in the workflow log. When dflook/terraform-apply aborts the apply because the plan is outdated, a partial diff will be shown in the workflow log with a link to the full plan for direct comparison.
- Warnings are ignored when deciding if a plan has changed and should no longer cause aborted applies if the order of the warnings changes.
- The unchanged resource attribute count is ignored when deciding if a plan has changed and should no longer cause aborted applies with harmless provider version changes.
1.26.0 - 2022-05-29
- The number of moved resources in a plan is summarised in the PR comment.
- The plan was not being correctly extracted when it contained only resource moves, which resulted in noisy PR comments and may have caused apply operations to be aborted - Thanks to merykozlowska!
1.25.1 - 2022-05-10
- Failure to install terraform after change in the download page - Thanks kylewlacy
1.25.0 - 2022-05-06
- New run_id output for dflook/terraform-plan and dflook/terraform-apply which are set when using Terraform Cloud/Enterprise. It is the remote run-id of the plan or apply operation.
- The json_plan_path output of dflook/terraform-plan now works when using Terraform Cloud/Enterprise.
1.24.0 - 2022-05-03
- New to_add, to_change and to_destroy outputs for the dflook/terraform-plan action that contain the number of resources that would be added, changed or deleted by the plan.
  These can be used in an if expression in a workflow to conditionally run steps, e.g. when the plan would destroy something.
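
An added example of such an if expression (not taken from the project's documentation): the workflow below fails the plan job whenever the plan would destroy a resource, so a destructive change cannot pass unnoticed. The module path terraform, the job and step names and the message text are assumptions.

```yaml
# Added example, not the project's own workflow.
# Assumptions: the Terraform module lives in ./terraform; job and step
# names are illustrative.
name: Plan

on:
  pull_request:

permissions:
  contents: read
  pull-requests: write   # lets the action post the plan as a PR comment

jobs:
  plan:
    runs-on: ubuntu-latest
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - uses: actions/checkout@v4

      - name: terraform plan
        id: plan
        uses: dflook/terraform-plan@v1.46.1   # exact release
        with:
          path: terraform

      # Step outputs are strings; comparing against the number 0 makes the
      # expression coerce the output to a number first.
      - name: Stop on destructive plans
        if: ${{ steps.plan.outputs.to_destroy != 0 }}
        env:
          # Pass outputs through the environment instead of interpolating
          # them into the script text.
          TO_ADD: ${{ steps.plan.outputs.to_add }}
          TO_CHANGE: ${{ steps.plan.outputs.to_change }}
          TO_DESTROY: ${{ steps.plan.outputs.to_destroy }}
        run: |
          echo "::error::Plan would destroy ${TO_DESTROY} resource(s) (add ${TO_ADD}, change ${TO_CHANGE})."
          exit 1
```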
1.23.0 - 2022-05-02
- Input variables no longer help identify the plan comment. Each PR comment is still identified by its configured terraform backend state file. This is a very subtle change but enables better reporting of why an apply operation is aborted, e.g. "plan has changed" vs "plan not found".
  This means that if you have more than one dflook/terraform-plan action for the same path and backend but with different variables, you should ensure they use different labels.
- The workflow output when an apply has been aborted because of changes in the plan has been clarified - thanks toast-gear!
- Pre-release terraform versions now won't be used when selecting the latest terraform version.
- Invalid terraform files that contained an unterminated string would take an extremely long time to parse before failing the job.
- dflook/terraform-validate now automatically sets terraform.workspace to default when validating a module that uses a remote or cloud backend.
1.22.2 - 2022-02-28
- The PR plan comment was incorrectly including resource refresh lines when there were changes to outputs but not resources, while using Terraform >=0.15.4. As well as being noisy, this could lead to failures to apply due to incorrectly detecting changes in the plan.
- Removed incorrect deprecation warning in dflook/terraform-destroy. Thanks dgrenner!
1.22.1 - 2022-01-24
- Better support for some self-hosted runners that run in containers and don't correctly pass the event payload.
1.22.0 - 2022-01-23
- Workspace management for Terraform Cloud/Enterprise has been reimplemented to avoid issues with the terraform workspace command when using the remote backend or a cloud config block:
  - dflook/terraform-new-workspace can now create the first workspace
  - dflook/terraform-destroy-workspace can now delete the last remaining workspace
  - dflook/terraform-new-workspace and dflook/terraform-destroy-workspace work with a remote backend that specifies a workspace by name
- The terraform version to use will now be detected from additional places:
  - The terraform version set in the remote workspace when using Terraform Cloud/Enterprise as the backend
  - An asdf .tool-versions file
  - The terraform version that wrote an existing state file
  - A TERRAFORM_VERSION environment variable
  The best way to specify the version is using a required_version constraint.
  See dflook/terraform-version docs for details.
  As a result of the above terraform version detection additions, note these changes:
  - Actions always use the terraform version set in the remote workspace when using TFC/E, if it exists. This mostly affects dflook/terraform-fmt, dflook/terraform-fmt-check and dflook/terraform-validate.
  - If the terraform version is not specified anywhere then new workspaces will be created with the latest terraform version. Existing workspaces will use the terraform version that was last used for that workspace.
  - If you want to always use the latest terraform version, instead of not specifying a version you now need to set an open-ended version constraint (e.g. >1.0.0)
- All actions now support the inputs and environment variables related to the backend, for discovering the terraform version from a TFC/E workspace or remote state. This adds the inputs workspace, backend_config, backend_config_file, and the TERRAFORM_CLOUD_TOKENS environment variable to the dflook/terraform-fmt, dflook/terraform-fmt-check and dflook/terraform-validate actions.
- ⚠️ Some unused packages were removed from the container image, most notably Python 2.
1.21.1 - 2021-12-12
- dflook/terraform-new-workspace support for Terraform v1.1.0.
  This stopped working after a change in the behaviour of terraform init.
  There is an outstanding issue in Terraform v1.1.0 using the remote backend that prevents creating a new workspace when no workspaces currently exist. If you are affected by this, you can pin to an earlier version of Terraform using one of the methods listed in the dflook/terraform-version docs.
1.21.0 - 2021-12-04
- A new workspace input for dflook/terraform-validate allows validating usage of terraform.workspace in the terraform code.
  Terraform doesn't initialize terraform.workspace based on the backend configuration when running a validate operation. This new input allows setting the full name of the workspace to use while validating, even when you wouldn't normally do so for a plan/apply (e.g. when using the remote backend).
1.20.1 - 2021-12-04
- There was a problem selecting the workspace when using the remote backend with a full workspace name in the backend block.
1.20.0 - 2021-12-03
- New text_plan_path and json_plan_path outputs for dflook/terraform-apply to match the outputs for dflook/terraform-plan.
  These are paths to the generated plan in human-readable and JSON formats.
  If the plan generated by dflook/terraform-plan is different from the plan generated by dflook/terraform-apply the apply step will fail with failure-reason set to plan-changed. These new outputs make it easier to inspect the differences.
1.19.0 - 2021-11-01
- When triggered by issue_comment or pull_request_review_comment events, the action will first add a 👍 reaction to the comment
- PR comment status messages include a single emoji that shows progress at a glance
- Actions that don't write to the terraform state no longer lock it.
1.18.0 - 2021-10-30
- A new replace input for dflook/terraform-plan and dflook/terraform-apply
  This instructs terraform to replace the specified resources, and is available with terraform versions that support replace (v0.15.2 onwards).
      with:
        replace: |
          random_password.database
- A target input for dflook/terraform-plan to match dflook/terraform-apply
  target limits the plan to the specified resources and their dependencies. This change removes the restriction that target can only be used with auto_approve.
      with:
        target: |
          kubernetes_secret.tls_cert_public
          kubernetes_secret.tls_cert_private
1.17.2 - 2021-10-13
- Add terraform plan output that was missing from the workflow log
1.17.1 - 2021-10-06
- Fix ownership of files created in runner mounted directories
  As the container is run as root, it can cause issues when root owned files are left over that the runner can't clean up. This would only affect self-hosted, non-ephemeral, non-root runners.
1.17.0 - 2021-10-04
- variables and var_file support for remote operations in Terraform Cloud/Enterprise.
  The Terraform CLI & Terraform Cloud/Enterprise do not support using variables or variable files with remote plans or applies. We can do better. variables and var_file input variables for the plan, apply & check actions now work, with the expected behavior.
1.16.0 - 2021-10-04
- dflook/terraform-plan has gained two new outputs:
  - json_plan_path is a path to the generated plan in a JSON format file
  - text_plan_path is a path to the generated plan in a human-readable text file
  These paths are relative to the GitHub Actions workspace and can be read by other steps in the same job.
1.15.0 - 2021-09-20
- Actions that intentionally cause a build failure now set a failure-reason output to enable safely responding to those failures.
  Possible failure reasons are:
  - dflook/terraform-validate: validate-failed
  - dflook/terraform-fmt-check: check-failed
  - dflook/terraform-check: changes-to-apply
  - dflook/terraform-apply: apply-failed, plan-changed
  - dflook/terraform-destroy: destroy-failed
  - dflook/terraform-destroy-workspace: destroy-failed
- dflook/terraform-validate was sometimes unable to create detailed check failures.
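
An added example of responding to the failure-reason output (not the project's own workflow): the apply step is allowed to fail, a stale-plan failure gets its own message, and any other failure still fails the job. The module path terraform, the trigger branch, the step ids and the message text are assumptions.

```yaml
# Added example, not the project's own workflow.
# Assumptions: the Terraform module lives in ./terraform and merges to
# main trigger the apply; step ids are illustrative.
name: Apply

on:
  push:
    branches: [main]

permissions:
  contents: read
  pull-requests: write   # lets the action update the plan comment on the PR

jobs:
  apply:
    runs-on: ubuntu-latest
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - uses: actions/checkout@v4

      - name: terraform apply
        id: apply
        uses: dflook/terraform-apply@v1.46.1
        continue-on-error: true   # inspect failure-reason before failing the job
        with:
          path: terraform

      # The plan no longer matches what was shown in the PR comment, so
      # nothing was applied. Ask for a fresh plan instead of retrying.
      - name: Plan changed since review
        if: ${{ steps.apply.outputs.failure-reason == 'plan-changed' }}
        run: |
          echo "::error::The plan differs from the plan in the PR comment. Re-run the plan and review it again."
          exit 1

      # Catch-all: outcome is the step result before continue-on-error is
      # applied, so any other failure (apply-failed included) lands here.
      - name: Apply failed
        if: ${{ steps.apply.outcome == 'failure' }}
        env:
          REASON: ${{ steps.apply.outputs.failure-reason }}
        run: |
          echo "::error::terraform apply failed (failure-reason: ${REASON:-not set})."
          exit 1
```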
1.14.0 - 2021-09-15
- Support for self-hosted GitHub Enterprise deployments. Thanks f0rkz!
- The path input variable is now optional, defaulting to the Action workspace.
- Uninteresting workflow log output is now grouped and collapsed by default.
- Applying PR approved plans where the plan comment is not within the first 30 comments.
1.13.0 - 2021-07-24
- TERRAFORM_PRE_RUN environment variable for customising the environment before running terraform.
  It can be set to a command that will be run prior to terraform init.
  The runtime environment for these actions is subject to change in minor version releases. If using this environment variable, specify the minor version of the action to use.
  The runtime image is currently based on debian:buster, with the command run using bash -xeo pipefail.
  For example:
      env:
        TERRAFORM_PRE_RUN: |
          # Install latest Azure CLI
          curl -skL https://aka.ms/InstallAzureCLIDeb | bash

          # Install postgres client
          apt-get install -y --no-install-recommends postgresql-client
  Thanks to alec-pinson and GiuseppeChiesa-TomTom for working on this feature.
1.12.0 - 2021-06-08
- terraform-fmt-check now shows a diff in the workflow log when it finds files in non-canonical format
1.11.0 - 2021-06-05
- The add_github_comment input for terraform-plan may now be set to changes-only. This will only add a PR comment for plans that result in changes to apply - no comment will be added for plans with no changes.
- Improved messaging in the workflow log when terraform-apply is aborted because the plan has changed
- Update documentation for backend_config, backend_config_file, var_file & target inputs to use separate lines for multiple values. Multiple values may still be separated by commas if preferred.
1.10.0 - 2021-05-30
- TERRAFORM_HTTP_CREDENTIALS environment variable for configuring the username and password to use for git::https:// & https:// module sources.
  See action documentation for details, e.g. terraform-plan
1.9.3 - 2021-05-29
- With terraform 0.15.4, terraform-plan jobs that only had changes to outputs would fail when creating a PR comment.
1.9.2 - 2021-05-05
- Slow state locking messages were being considered part of the plan, which could cause apply actions to be aborted.
1.9.1 - 2021-04-21
- Terraform 0.15 plans were not being extracted correctly, causing failures to apply.
1.9.0 - 2021-04-10
- variables input for actions that use terraform input variables.
  This value should be valid terraform syntax - like a variable definition file. Variable values set in variables override any given in var_files. See action documentation for details, e.g. terraform-plan.
- The var input has been deprecated due to the following limitations:
  - Only primitive types can be set with var - number, bool and string.
  - String values may not contain a comma.
  - Values set with var will be overridden by values contained in var_files
  variables is the preferred way to set input variables.
1.8.0 - 2021-04-05
- TERRAFORM_CLOUD_TOKENS environment variable for use with Terraform Cloud/Enterprise etc when using module registries or a remote backend.
- TERRAFORM_SSH_KEY environment variable to configure an SSH private key to use for Git Repository module sources.
See individual actions for details, e.g. terraform-validate.
1.7.0 - 2021-04-02
- Support for the pull_request_target event
- Support for the pull_request_review event
- Terraform 0.15 compatibility
1.6.0 - 2021-02-25
- PR comments use a one line summary of the terraform output, with the full output in a collapsible pane.
  If a plan is short the output is shown by default. This can be controlled with the TF_PLAN_COLLAPSE_LENGTH environment variable for the dflook/terraform-plan action.
- Now makes far fewer github api requests to avoid rate limiting.
1.5.2 - 2021-01-16
- Multiple steps in the same job now only download the terraform binary once.
1.5.1 - 2020-12-05
- PR comments had an empty plan with Terraform 0.14
1.5.0 - 2020-09-18
- PR comments use HCL highlighting
1.4.2 - 2020-09-02
- Using a personal access token instead of the Actions provided token now works. This can be used to customise the PR comment author
1.4.1 - 2020-08-11
- Latest Terraform versions with a patch version of '0' are correctly detected. If not otherwise specified the latest terraform version is used. As of now the latest is v0.13.0.
1.4.0 - 2020-07-25
- Better support for the issue_comment and pull_request_review_comment events in the dflook/terraform-plan and dflook/terraform-apply actions
  This allows using plan PR comments when triggered in response to those events, enabling workflows like applying a plan using a comment.
- Plan errors are now correctly added to the workflow log.
1.3.1 - 2020-07-23
- backend_config_file and var_file now work correctly. Paths should be relative to the Action workspace.
1.3.0 - 2020-07-22
- Support for the remote backend.
1.2.0 - 2020-07-18
- Complex terraform types are now available as action outputs, which results in a json string approximating the type. See dflook/terraform-output for details. This also affects the outputs of dflook/terraform-apply and dflook/terraform-remote-state.
- File path in failing checks is now correct with respect to the repository, and can be clicked through to see the annotation in context. This affects the dflook/terraform-fmt-check and dflook/terraform-validate actions.
1.1.0 - 2020-07-07
- The root-level outputs of a terraform configuration are now exposed directly by the dflook/terraform-apply action, as if the dflook/terraform-output action has been run immediately after.
1.0.0 - 2020-07-06
First release of the GitHub Actions:
- dflook/terraform-version
- dflook/terraform-remote-state
- dflook/terraform-output
- dflook/terraform-validate
- dflook/terraform-fmt-check
- dflook/terraform-fmt
- dflook/terraform-check
- dflook/terraform-plan
- dflook/terraform-apply
- dflook/terraform-destroy
- dflook/terraform-new-workspace
- dflook/terraform-destroy-workspace