
Create test.yaml



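# Terraform pipeline: authenticates to AWS through OIDC (no long-lived access
# keys in secrets), runs init/validate/plan/apply with Terraform logs written
# to files, ships those logs to S3, emails the outcome through SES, and only
# then fails the job if any Terraform step failed.
#
# Failure handling: the Terraform steps never fail the job directly. Each one
# records FAILURE_FLAG=true in $GITHUB_ENV so that log upload and notification
# still run; plan/apply are skipped once the flag is set, and the final step
# turns the flag into a job failure. Steps that inspect the outcome must look
# at FAILURE_FLAG, not only at `failure()` / `job.status`, which stay "success"
# until that final step runs.
name: Terraform Workflow with OIDC, S3 Logging, and Email Notification

on:
  push:
    branches:
      - main

jobs:
  terraform:
    runs-on: ubuntu-latest
    # Serialise runs on main so two pushes cannot race a `terraform apply`.
    concurrency:
      group: terraform-main
      cancel-in-progress: false
    permissions:
      id-token: write  # Required for the OIDC token exchange with AWS
      contents: read  # Required to check out the repository
    steps:
      # Step 1: Checkout the repository.
      # NOTE(review): third-party actions are referenced by mutable tags;
      # pinning each `uses:` to a full commit SHA reduces supply-chain exposure.
      - name: Checkout Code
        uses: actions/checkout@v3

      # Step 2: Setup Terraform. The version is quoted so YAML never re-types it.
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: "1.5.6"

      # Step 3: Configure AWS Credentials using OIDC. The credentials obtained
      # here are also what the later S3 and SES calls use, so the role needs
      # permissions for both; its trust policy should restrict the token's
      # `sub` claim to this repository and branch.
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: "arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.ROLE_NAME }}"
          aws-region: "${{ secrets.AWS_REGION }}"

      # Step 4: Initialize Terraform (INFO logging). A failure here fails the
      # job outright: nothing meaningful can run without a working init.
      - name: Terraform Init
        env:
          TF_LOG: INFO
        run: terraform init

      # Step 5: Terraform Validate (DEBUG logging). On failure the flag is set
      # instead of failing the job; the `||` makes the step's exit status 0, so
      # no trailing `true` is needed.
      - name: Terraform Validate
        env:
          TF_LOG: DEBUG
          TF_LOG_PATH: terraform_validate.log
        run: |
          terraform validate || echo "FAILURE_FLAG=true" >> "$GITHUB_ENV"

      # Step 6: Terraform Plan (INFO logging). Skipped if validate failed.
      - name: Terraform Plan
        if: env.FAILURE_FLAG != 'true'
        env:
          TF_LOG: INFO
          TF_LOG_PATH: terraform_plan.log
        run: |
          terraform plan -out=tfplan || echo "FAILURE_FLAG=true" >> "$GITHUB_ENV"

      # Step 7: Terraform Apply (TRACE logging). Skipped if validate or plan
      # failed, so an apply is only ever attempted against a successful plan.
      # NOTE(review): TRACE output is very verbose and may include provider
      # request/response details; confirm nothing sensitive lands in the log
      # before shipping it to S3, or lower the level.
      - name: Terraform Apply
        if: env.FAILURE_FLAG != 'true'
        env:
          TF_LOG: TRACE
          TF_LOG_PATH: terraform_apply.log
        run: |
          terraform apply -auto-approve tfplan || echo "FAILURE_FLAG=true" >> "$GITHUB_ENV"

      # Step 8: Ensure the logs directory exists. (TF_LOG is not set here: it
      # only affects the terraform binary, which this step does not run.)
      - name: Ensure Logs Directory Exists
        run: mkdir -p "$GITHUB_WORKSPACE/logs"

      # Step 9: Copy whatever logs exist into the logs directory. A skipped or
      # early-failed step leaves no file, hence `|| true` on each copy.
      - name: Copy Logs to Logs Directory
        run: |
          cp terraform_validate.log "$GITHUB_WORKSPACE/logs/" || true
          cp terraform_plan.log "$GITHUB_WORKSPACE/logs/" || true
          cp terraform_apply.log "$GITHUB_WORKSPACE/logs/" || true
          echo "Files in logs directory:"
          ls -alh "$GITHUB_WORKSPACE/logs/"

      # Step 10: Upload logs to S3 on both success and failure. The bucket name
      # is passed through env rather than interpolated into the shell text.
      - name: Upload Logs to S3
        if: always()
        env:
          S3_BUCKET_NAME: ${{ secrets.S3_BUCKET_NAME }}
        run: |
          aws s3 cp "$GITHUB_WORKSPACE/logs/" "s3://${S3_BUCKET_NAME}/logs/" --recursive

      # Step 11: Print logs on failure. `failure()` alone would never fire for
      # a Terraform failure (those only set the flag), so the flag is checked
      # too; `failure()` keeps the step eligible when a non-Terraform step failed.
      - name: Print Logs on Failure
        if: failure() || env.FAILURE_FLAG == 'true'
        run: |
          echo "Terraform failed. Logs are as follows:"
          cat "$GITHUB_WORKSPACE/logs/terraform_validate.log" || true
          cat "$GITHUB_WORKSPACE/logs/terraform_plan.log" || true
          cat "$GITHUB_WORKSPACE/logs/terraform_apply.log" || true

      # Step 12: Send an email notification on success or failure. `job.status`
      # is still "success" here when a Terraform step merely set the flag, so
      # the reported status is derived from the flag as well. Expressions and
      # secrets go through env so they are never spliced into the script body.
      - name: Send Email Notification
        if: always()
        env:
          JOB_STATUS: ${{ job.status }}
          SENDER_EMAIL: ${{ secrets.SENDER_EMAIL }}
          RECIPIENT_EMAIL: ${{ secrets.RECIPIENT_EMAIL }}
        run: |
          STATUS="$JOB_STATUS"
          if [ "${FAILURE_FLAG:-false}" = "true" ]; then
            STATUS="failure"
          fi
          SUBJECT="Terraform Workflow Status - ${STATUS}"
          BODY="The Terraform workflow has completed with status: ${STATUS}. Please check the logs for details."
          aws ses send-email \
            --from "$SENDER_EMAIL" \
            --destination "ToAddresses=$RECIPIENT_EMAIL" \
            --message "Subject={Data=$SUBJECT},Body={Text={Data=$BODY}}"

      # Step 13: Force the job to fail if any Terraform step set the flag.
      - name: Fail Workflow if Any Step Failed
        if: env.FAILURE_FLAG == 'true'
        run: |
          echo "One or more Terraform steps failed. Marking workflow as failed."
          exit 1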