ci: terraform composite action — plan/apply/destroy + scaleway lifecycle#36
Merged
Conversation
…ction Extract the boilerplate (setup-terraform + AWS OIDC + init/workspace/plan-apply) into .github/actions/terraform. Both iam_terraform-backend-role and scaleway-plan now call it — the latter keeping its SCW/Infisical env vars and Infisical OIDC token step before the action call. Also fixes a destroy→plan bug in scaleway-plan.yml and adds concurrency guard to iam_terraform-backend-role.yml. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
nbrieussel
commented
Jun 19, 2026
Wrap the .github/actions/terraform composite action in a reusable workflow (.github/workflows/terraform.yml) that owns the `secrets:` block — Scaleway keys are no longer passed as plain action inputs. The action declares NO secret inputs; provider creds flow through the job env / the `scaleway` environment. - Support plan | apply | destroy; the reusable workflow derives the command from the event (push→apply, schedule→destroy, else plan), overridable via `command`. - scaleway.yml: PR→plan, push→apply, daily 18h cron→destroy, workflow_dispatch up/down. Consolidates the former scaleway-plan.yml. Adds concurrency + timeout. - Rename the org state role s3-lister → tf-state-access (it grants AmazonS3FullAccess: R/W + lock — the old name was misleading). Wired via vars.AWS_TF_STATE_ROLE_ARN. - Fix stale docs/naming: the Scaleway CI policy (object-storage-ro → cluster-management; it actually grants Kubernetes/VPC/PrivateNetwork access) and the read-only descriptions in CLAUDE.md / 00-remote_state. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…ctly The `secrets:` keyword only exists at the workflow level, so a reusable-workflow wrapper added solely to declare it is overengineering for now. Removed terraform.yml; scaleway.yml and iam_terraform-backend-role.yml use the composite action directly again. Secrets are still not passed as action inputs: the composite action declares no secret inputs and reads provider creds (SCW_*, INFISICAL_MACHINE_IDENTITY_ID) from the job env, which the calling workflow sets from the `scaleway` environment. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The `lock` input only existed for the (mistaken) read-only-role assumption — a role that can't write S3 can't acquire the state lock. The state role is tf-state-access (AmazonS3FullAccess: R/W + lock) and no caller ever set lock=false, so the input was dead. Let Terraform manage the lock by default (the S3 backend has use_lockfile = true). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The role name is read from env/00-remote-state-iam.tfvars (which overrides the variables.tf default), and the rename only touched the default — so an apply still produced `s3-lister`. Set it in the tfvars so it matches the agreed name and vars.AWS_TF_STATE_ROLE_ARN. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Refactors the Terraform CI so it scales across roots, supports the full lifecycle, and keeps secrets out of action inputs.
Composite action
.github/actions/terraform— setup-terraform + Infisical OIDC mint + AWS assume +init/workspace select/plan|apply|destroy. It declares no secret inputs: provider creds (SCW_*,INFISICAL_MACHINE_IDENTITY_ID) are read from the job env.Workflows use the action directly (no reusable-workflow wrapper — the
secrets:keyword is workflow-only and wrapping just for it was overengineering). The calling job sets the provider creds as jobenv:within thescalewayenvironment, owns the trigger→command mapping,concurrency, andtimeout-minutes.Behaviour:
planon PR,applyon push to main.scaleway: daily 18h cron → destroy (homelab cost control) andworkflow_dispatchup/down (apply = up, destroy = down). Consolidates the oldscaleway-plan.yml.Naming/doc fixes (were misleading):
s3-lister→tf-state-access(grantsAmazonS3FullAccess= R/W + lock). Wired viavars.AWS_TF_STATE_ROLE_ARN.object-storage-ro→cluster-management(actually grants Kubernetes/VPC/PrivateNetwork access).CLAUDE.mdupdated.vars.AWS_TF_STATE_ROLE_ARNis already set to the predicted ARN (…/tf-state-access). On merge to main,iam_terraform-backend-roleapplies00-remote_state/1-iamand recreates the role at that ARN; afterwardsvars.AWS_S3_LISTER_ROLE_ARNcan be deleted. Thescalewaycheck on this PR may stay red until the role exists at the new ARN.Notes
0 16 * * *UTC = 18h Paris in summer (17h in winter — GitHub cron ignores DST).scalewayenvironment must keep no required-reviewer rule (currently none), or the cron destroy would block.Test plan
actionlint+zizmor(default severity) pass locally.lint-workflowsgreen in CI.workflow_dispatchapply/destroy, cron destroy.🤖 Generated with Claude Code