Missing documentation on how to pass variables to terraform #35

Open
christian-roggia opened this issue Aug 12, 2020 · 10 comments · May be fixed by #79
Labels
documentation Improvements or additions to documentation

Comments

@christian-roggia

christian-roggia commented Aug 12, 2020

There is currently no documentation on how to pass variables to terraform.

Additionally, it seems like setting TF_VAR environment variables has no effect:

name: Production CI

env:
  TF_VAR_image_tag: ${{ github.sha }}

on:
  push:
    branches: [ master ]

jobs:
  provision:
    runs-on: ubuntu-latest

    steps:
    - name: Clone the repository code
      uses: actions/checkout@v2

    - name: Setup the Terraform CLI
      uses: hashicorp/setup-terraform@v1
      with:
        cli_config_credentials_token: ${{ secrets.TF_CREDENTIALS }}
      env:
        TF_VAR_image_tag: ${{ github.sha }}

    - name: Initialize the Terraform working directory
      working-directory: ./terraform
      id: init
      run: terraform init
      env:
        TF_VAR_image_tag: ${{ github.sha }}

    - name: Apply the Terraform execution plan
      working-directory: ./terraform
      id: plan
      run: terraform apply -auto-approve -no-color
      env:
        TF_VAR_image_tag: ${{ github.sha }}

@sudomateo
Contributor

What would you like to see in the documentation regarding variables?

Also, I am unable to reproduce the issue where setting TF_VAR* environment variables fails. When you set an environment variable named TF_VAR_image_tag, your actual Terraform configuration needs to have that variable declared before it can be used.

variable "image_tag" {}

@christian-roggia
Author

The problem related to TF_VAR environment variables was due to Terraform Cloud not supporting environment variables. I completely forgot it was not supported, and I spent a good number of hours before realizing that was the issue by looking again at the docs. This could be something worth mentioning in this GitHub Action as well, as it is not the expected behavior.

What I would like to see in the documentation is an example of variables passed via CLI and *.tfvars.

The following example works for Terraform Cloud:

    - name: Setup Terraform variables
      working-directory: ./terraform
      id: vars
      run: |-
        cat > pipeline.auto.tfvars <<EOF
        image_tag = "${{ github.sha }}"
        EOF

There is a more elegant way to achieve the same result, but that's what we are working with right now.

I would also be expecting:

terraform apply -var-file="testing.tfvars"
terraform apply -var="image_id=ami-abc123"

A few snippets and samples are more than enough to help newcomers. A disclaimer could also save other people quite some time.

Thanks!
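
Added example, not part of the thread or of the setup-terraform project: the workaround above, written so that the values reach the script through the step's `env:` as `TF_VAR_*` variables instead of being pasted into it with `${{ }}`, and are escaped as HCL strings before being written to the tfvars file. The function name `tfvars_from_env` is hypothetical, and values are assumed to be single-line strings.

```shell
#!/bin/sh
# Added example: write selected TF_VAR_* environment variables into an
# auto-loaded tfvars file, for remote runs that do not see the runner's
# environment (the Terraform Cloud behaviour reported in this thread).
# Usage: tfvars_from_env FILE NAME...   (NAME without the TF_VAR_ prefix)
tfvars_from_env() {
  out_file=$1; shift
  content=
  nl='
'
  for name in "$@"; do
    # Accept plain identifiers only, so the eval below sees nothing else.
    case $name in
      ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
        echo "invalid variable name: $name" >&2; return 1 ;;
    esac
    eval "is_set=\${TF_VAR_$name+x}; value=\${TF_VAR_$name-}"
    if [ -z "$is_set" ]; then
      echo "TF_VAR_$name is not set" >&2; return 1
    fi
    # A newline would end the quoted HCL string early; refuse it.
    case $value in
      *"$nl"*) echo "TF_VAR_$name contains a newline" >&2; return 1 ;;
    esac
    # Escape backslash and double quote, then neutralise the HCL template
    # openers ${ and %{ so the value stays a literal string.
    escaped=$(printf '%s' "$value" | sed \
      -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
      -e 's/\${/$${/g' -e 's/%{/%%{/g')
    content="$content$name = \"$escaped\"$nl"
  done
  # The file is written only after every variable has been validated.
  printf '%s' "$content" > "$out_file"
}
```

In a workflow step this would be called as `tfvars_from_env pipeline.auto.tfvars image_tag`, with `TF_VAR_image_tag: ${{ github.sha }}` under that step's `env:`.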

@christian-roggia
Author

I would also like to know when the environment variable should be passed:

  • hashicorp/setup-terraform@v1
  • terraform init
  • terraform apply

I am sure this is not strictly related to the GitHub Action but rather Terraform itself, but some documentation pointing that out would be useful.

@mibeyene

Following the suggestion from @christian-roggia does not appear to be working for me either. If anyone has any other tips, it would be greatly appreciated.

@adeel41

adeel41 commented Dec 11, 2020

@mibeyene It did work for me. I've done almost what was suggested by @christian-roggia

Added the following step in my yml file

    - name: Setup Terraform variables
      id: vars
      run: |-
        cat > pipeline.auto.tfvars <<EOF
        environment = "${{ fromJSON('["pr", "main"]')[github.ref == 'refs/heads/main'] }}"
        EOF

Define the variable in variables.tf

variable "environment" {
}

and that's it. I didn't have to specify any arguments, i.e. [image]

@mibeyene

Weird. I currently have:

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v1.3.2
        with:
          terraform_version: 0.13.2
      - name: Setup Terraform variables
        id: vars
        run: |-
          cat > pipeline.auto.tfvars <<EOF
          account_name = "<SENSITIVE>"
          EOF

      - name: Terraform Init
        id: init
        run: terraform init -get-plugins=false -backend-config=bucket=<SENSITIVE> -backend-config=key=<SENSITIVE> -backend-config=encrypt=true -backend-config=region=<SENSITIVE> -backend-config=dynamodb_table=<SENSITIVE> -backend-config=profile=default

      - name: Terraform Plan
        id: plan
        run: terraform plan -no-color
        continue-on-error: true

My variables.tf file goes one step further (as a temporary WTF-is-happening solution):

variable "account_name" {
  default = "<SENSITIVE>"
}

And it should all come together here:

resource "vault_aws_secret_backend_role" "nomad_s3_snapshot" {
  backend         = "accounts/aws"
  name            = "aws-${terraform.workspace}-${var.account_name}-nomad-s3-snapshot"
  credential_type = "assumed_role"
  role_arns       = [aws_iam_role.nomad_snapshot.arn]
}

But instead of the plan speaking against "aws-default-SENSITIVE-nomad-s3-snapshot", it looks against "aws-default--nomad-s3-snapshot" ¯_(ツ)_/¯

Error: error checking if "accounts/aws/roles/aws-default--nomad-s3-snapshot" exists: Error making API request.

I'll continue poking at this today, and update this thread accordingly.

@adeel41

adeel41 commented Dec 11, 2020

@mibeyene The only difference I see is this

    - name: Setup Terraform
      uses: hashicorp/setup-terraform@v1
      with:
        cli_config_credentials_token: ${{ secrets.TF_TOKEN }}

output

Run hashicorp/setup-terraform@v1
  with:
    cli_config_credentials_token: ***
    cli_config_credentials_hostname: app.terraform.io
    terraform_version: latest
    terraform_wrapper: true
Latest version is 0.14.2

@mibeyene

The answer was in terraform state. A previous apply created a vault_aws_secret_backend_role resource with the incorrect name. Thank you so much for taking the time to look @adeel41, and apologies to @christian-roggia

@christian-roggia
Author

If anyone is up for the task, it would be really beneficial to include some examples and an explanation to the docs.

adeel41 linked a pull request Dec 11, 2020 that will close this issue

@sparkleGoat

The documentation in #79 assisted me in passing the image version in my github actions workflow to terraform. Appreciate it!
