Terraform Apply GCP Action
ActionsTags
(2)tf-apply-gcp is a GitHub Action that runs terraform apply inside a containerized environment. It simplifies Terraform execution by securely handling credentials, secrets, and workspace setup while maintaining a clean and structured output.
- Containerized Execution → Runs in a prebuilt Docker container with Terraform installed.
- Automatic Directory Handling → Automatically switches to the specified Terraform directory.
- Collapsible Terraform Output → Uses GitHub Actions' grouping to improve readability.
- Google Cloud Credentials & Secrets Handling → Reads authentication and secrets from GitHub Secrets.
- Flexible Secret Passing → Pass multiple secrets as JSON for use within Terraform.
- Works on Any GitHub Runner → Runs seamlessly on all GitHub-hosted and self-hosted runners.
- name: Run Terraform Apply
uses: gusvega-dev/tf-apply-gcp@v1.0.0
env:
GOOGLE_APPLICATION_CREDENTIALS: "${{ secrets.GCP_CREDENTIALS }}"
with:
workdir: "./terraform"
secrets: '{"project_id":"${{ secrets.PROJECT_ID }}"}'- Runs
terraform applyinside the./terraformdirectory. - Uses Google Cloud credentials from GitHub Secrets.
- Passes Terraform secrets dynamically as a JSON object.
- Displays structured Terraform logs in GitHub Actions.
| Name | Required | Default | Description |
|---|---|---|---|
workdir |
No | . |
Directory containing Terraform files. |
secrets |
No | {} |
JSON object containing Terraform secrets. |
- name: Run Terraform Apply
uses: gusvega-dev/tf-apply-gcp@v1.0.0
env:
GOOGLE_APPLICATION_CREDENTIALS: "${{ secrets.GCP_CREDENTIALS }}"
with:
workdir: "./terraform"
secrets: '{"project_id":"${{ secrets.PROJECT_ID }}", "api_key":"${{ secrets.API_KEY }}"}'Secrets passed to the action are automatically available in Terraform as environment variables prefixed with TF_VAR_. Example:
variable "secrets" {
type = map(string)
}provider "google" {
project = var.secrets["project_id"]
}
resource "some_resource" "example" {
api_key = var.secrets["api_key"]
}output "project_id" {
value = var.secrets["project_id"]
sensitive = true
}| Name | Description |
|---|---|
apply_status |
The status of the Terraform Apply execution. |
GitHub Actions automatically mounts the repository into /github/workspace inside the container. This means Terraform runs inside:
/github/workspace/terraformThe action automatically switches to this directory, so you don’t need to configure paths manually.
repo-root/
│── .github/
│ ├── workflows/
│ │ ├── terraform-apply.yml # GitHub Action Workflow
│── terraform/
│ ├── main.tf # Terraform Configuration
│ ├── variables.tf # Variables File
│ ├── outputs.tf # Outputs File
│ ├── provider.tf # Provider Configuration
│── README.md # Documentation
This workflow runs terraform apply automatically when changes are pushed to main:
name: Terraform Apply
on:
push:
branches:
- main
env:
GOOGLE_APPLICATION_CREDENTIALS: "${{ secrets.GCP_CREDENTIALS }}"
jobs:
terraform-apply:
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@v4
- name: Run Terraform Apply
uses: gusvega-dev/tf-apply-gcp@v1.0.0
with:
workdir: "./terraform"
secrets: '{"project_id":"${{ secrets.PROJECT_ID }}", "api_key":"${{ secrets.API_KEY }}"}'✔ Runs Terraform Apply on every push to main.
✔ Ensures the correct Terraform directory is used.
✔ Uses Google Cloud credentials from GitHub Secrets.
✔ Passes environment secrets securely.
| Feature | tf-apply-gcp |
HashiCorp Action |
|---|---|---|
| Requires Terraform Install | No (Containerized) | Yes |
| Supports GCP Authentication | Yes | No |
| Flexible Secret Handling | Yes (JSON object) | No |
| Structured Logs | Yes (Collapsible) | No |
| Runs on Any GitHub Runner | Yes | No (Requires Terraform Installed) |
Check logs for errors:
- Validate your Terraform files for syntax errors.
- Ensure Google Cloud credentials are set in the
GOOGLE_APPLICATION_CREDENTIALSenvironment variable.
- Ensure the
workdirinput is set correctly. - Verify that your Terraform configuration exists in the specified directory.
If Terraform fails due to missing secrets:
- Check if the secret exists in GitHub Secrets.
- Print secret values before running Terraform:
- name: Debug Secrets run: echo "Project ID: ${{ secrets.PROJECT_ID }}"
- Ensure secrets are passed as a JSON object to the action.
As part of a broader Terraform automation suite, additional actions will be developed, including:
- Terraform Lint & Format
- Security Scan
- Cost Estimation
- Plan Validation
- Apply Execution
- Plan + Apply
- State Backup
- Post-Deployment Tests
- Change Management Logging
- Drift Detection
- Auto-Remediation
- Compliance Check
- Manual Approval for Remediation
- Validate Changes
- Deploy to Dev
- Integration Tests
- Manual Approval for Staging
- Deploy to Staging
- Security Scan Before Prod
- Deploy to Production
- Secrets Detection
- Secrets Rotation
- IAM Policy Review
- Dynamic Secrets Management
Stay tuned for updates as these become available.
This project is licensed under the MIT License.
Maintained by Gus Vega: @gusvega
For feature requests and issues, please open a GitHub Issue.
Use tf-apply-gcp in your Terraform pipelines today. Star this repository if you find it useful.
Terraform Apply GCP Action is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.
About
Tags
(2)Terraform Apply GCP Action is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.