Workflow Infra Apply
This document describes the GitHub workflow that automates Terraform apply operations.
Overview
The infra_apply workflow is part of the Infrastructure as Code (IaC) solution
and is responsible for executing a terraform apply to implement infrastructure
changes.
It uses the OIDC authentication provider for Azure and is configured to manage the application of changes across different environments.
Use Cases
- Implement infrastructure changes in specific environments
- Deploy resources after approval
- Automate infrastructure provisioning
Input
env_vars | List of environment variables to set up, given in env=value format | string | N/A | |
|---|---|---|---|---|
environment | Environment where the resources will be deployed | string | ✓ | |
base_path | Base path where to look for Terraform projects | string | ✓ | |
env_vars | List of environment variables to set up, given in env=value format | string | ||
use_private_agent | Use a private agent to run the Terraform plan | boolean | false | |
override_github_environment | Set a value if GitHub Environment name is different from the TF environment folder | string | '' | |
use_labels | Use labels to start the right environment's GitHub runner | boolean | false | |
override_labels | Needed for special cases where the environment alone is not sufficient as a distinguishing label | string | '' |
How it Works
The workflow executes the following steps:
- Determines the Terraform version to use from the
.terraform-versionfile - Checks the validity of terraform modules locks
- Configures the environment and Azure credentials
- Executes a Terraform plan and saves it as an artifact
- Asks for approval to proceed with the apply operation
- If approved, applies the previously generated Terraform plan
Usage Example
jobs:
apply_infra:
uses: pagopa/dx/.github/workflows/infra_apply.yaml@main
secrets: inherit
with:
environment: prod
base_path: infra/resources
# Optional parameters
env_vars: ""
use_private_agent: true
override_github_environment: pe-prod
use_labels: true
override_labels: ""
Special configurations (multi environment/multi cloud)
When working with complex infrastructure setups across multiple environments, you may need to customize how the workflow runs:
- Use
override_github_environmentwhen your GitHub environments have different naming conventions than your Terraform directory structure, like mapping aprodterraform directory to ape-prodGitHub environment. - Enable
use_labelsalong withuse_private_agent: truewhen you need to target specific self-hosted runners within specific cloud environments. Particularly useful for multi environment projects. - Set
override_labelswhen you need more granular runner selection beyond the environment name, such as for region-specific or cloud-specific runners (e.g., "codebuild-prod-project").
These options are particularly useful for projects with complex deployment strategies across multiple cloud providers or subscriptions.
Complete Workflow
The typical execution flow in a CI/CD process includes:
- Pull Request: the
infra_planworkflow is triggered to verify the proposed changes - Review & Approval: reviewers examine the plan and approve the changes
- Merge: after approval, the PR is merged into the main branch
- Deploy: this
infra_applyworkflow is triggered to implement the changes in the desired environment