A simple Terraform CI setup using GitHub Actions reusable workflows.
This repo is designed for Terraform monorepos and focuses on:
- detecting only the Terraform directories that changed
- running lint and security scans in parallel
- keeping security checks non-blocking when desired
- 🔍 Detects changed `.tf` files in pull requests
- 📂 Builds a matrix of affected Terraform directories
- 🧹 Runs lint checks per directory
- 🔐 Runs security scans per directory
- 🔁 Uses a reusable workflow to avoid duplication
```
.github/workflows/
├── tf-dirs-matrix.yml   # Reusable workflow: detect changed Terraform dirs
└── tf-ci.yml            # CI workflow: lint + security scans
```
```
Pull Request
    ↓
Detect Terraform changes (reusable workflow)
    ↓
Matrix per directory
    ├─ Terraform lint (required)
    └─ Security scan (advisory)
```
Each job runs independently, so a failure in one directory does not stop the others.
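The two workflows below are an added example of the design described above; they are not the repo's own files, and the step contents (the `git diff` based detection, the `tflint` and `checkov` invocations, the action versions and the `TF_DIR` variable name) are assumptions chosen to illustrate the pattern. The reusable workflow emits a JSON array of changed Terraform directories; the CI workflow fans that array out into a lint matrix that blocks the PR and a security matrix that only reports.

```yaml
# --- .github/workflows/tf-dirs-matrix.yml (reusable workflow; added example) ---
name: Detect changed Terraform directories
on:
  workflow_call:
    outputs:
      dirs:
        description: JSON array of directories containing changed .tf files
        value: ${{ jobs.detect.outputs.dirs }}

jobs:
  detect:
    runs-on: ubuntu-latest
    outputs:
      dirs: ${{ steps.changed.outputs.dirs }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0          # full history so the PR base ref can be diffed
      - id: changed
        env:
          BASE_REF: ${{ github.base_ref }}
        run: |
          # Changed .tf files vs. the PR base, reduced to unique directories.
          # Deleted files still show up in the diff, so drop directories that
          # no longer exist; an empty result yields "[]" rather than an error.
          dirs=$(git diff --name-only "origin/${BASE_REF}...HEAD" -- '*.tf' \
            | xargs -r -n1 dirname | sort -u \
            | while read -r d; do if [ -d "$d" ]; then echo "$d"; fi; done \
            | jq -R . | jq -sc .)
          echo "dirs=${dirs}" >> "$GITHUB_OUTPUT"

# --- .github/workflows/tf-ci.yml (caller workflow; added example) ---
name: Terraform CI
on:
  pull_request:
    paths: ['**.tf']

permissions:
  contents: read

jobs:
  detect:
    uses: ./.github/workflows/tf-dirs-matrix.yml

  lint:
    name: tflint (${{ matrix.dir }})
    needs: detect
    if: needs.detect.outputs.dirs != '[]'   # an empty matrix is a workflow error
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false                      # one directory failing must not cancel the rest
      matrix:
        dir: ${{ fromJson(needs.detect.outputs.dirs) }}
    steps:
      - uses: actions/checkout@v4
      - uses: terraform-linters/setup-tflint@v4
      - run: tflint --init && tflint -f compact
        working-directory: ${{ matrix.dir }}

  security:
    name: checkov (${{ matrix.dir }})
    needs: detect
    if: needs.detect.outputs.dirs != '[]'
    runs-on: ubuntu-latest
    continue-on-error: true                 # advisory: findings are reported, the PR is not blocked
    strategy:
      fail-fast: false
      matrix:
        dir: ${{ fromJson(needs.detect.outputs.dirs) }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - env:
          TF_DIR: ${{ matrix.dir }}         # pass the path via env instead of inlining it into the shell
        run: |
          pip install checkov
          checkov -d "$TF_DIR"
```

Two details matter in practice. `fromJson` over an empty array makes GitHub reject the job, so the `if:` guard on both matrix jobs is what keeps a PR that only touched non-Terraform files green. `continue-on-error: true` is what makes the security job advisory: its findings still appear in the job log and as annotations, but the check shows as passed, so the team has to look at the output rather than relying on a red status.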
- Reusable workflows keep logic in one place
- Matrix jobs scale well in monorepos
- Separate jobs give better feedback and flexibility
- Non-blocking security surfaces issues without slowing development
- GitHub Actions Reusable Workflows: https://docs.github.com/en/actions/using-workflows/reusing-workflows
- GitHub Actions Matrix Strategy: https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs
- TFLint: https://github.com/terraform-linters/tflint
- TFLint GitHub Actions: https://github.com/terraform-linters/setup-tflint
- Checkov: https://www.checkov.io
- Checkov GitHub Actions: