Customize Your Plan and Apply Workflows in Terraform with Terrateam

Malcolm Matalka

Oftentimes organizations need to run more than just a `terraform plan` and `terraform apply`. Teams need automated security checks, compliance validations, and ways to execute custom scripts integrated into their IaC workflows, both to satisfy all kinds of different requirements and to ensure consistent deployments. Terrateam provides a flexible way to satisfy these requirements directly within GitHub pull requests.
Building Custom Terraform Workflows
Terrateam enhances Terraform operations with customizable workflows defined in the `.terrateam/config.yml` file. These workflows control how Terraform executes plan and apply changes while also integrating additional steps for validation, automation, and customization.
The workflow configuration follows a hierarchy:
```yaml
workflows:
  - tag_query: "dir:production"
    plan:
      - type: init
      - type: plan
        extra_args: ["-var-file=production.tfvars"]
    apply:
      - type: init
      - type: apply
```
Tag queries determine when a specific workflow is triggered. This allows for different configurations for specific environments. Terrateam supports multiple workflows with different tag queries, providing granular control over infrastructure changes.
Terrateam offers many step types for workflow customization:

- The `run` step executes custom commands
- The `env` step manages environment variables
- The `oidc` step implements secure cloud authentication
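A workflow that uses all three step types together, as an added example rather than a configuration from the original post or the Terrateam documentation. The `oidc`, `run` and `tag_query` fields follow the shapes used elsewhere on this page; the `env` step's `name`/`cmd` fields, the `run_on: always` value and the script paths are assumptions to check against the current Terrateam documentation:

```yaml
workflows:
  - tag_query: "dir:production"
    plan:
      # Short-lived AWS credentials from the GitHub OIDC token; no static keys in secrets.
      - type: oidc
        provider: aws
        role_arn: ${AWS_PRODUCTION_ROLE_ARN}
      # Compute a value once and expose it to later steps as an environment variable
      # (field names are assumed; terraform picks up TF_VAR_* automatically).
      - type: env
        name: TF_VAR_image_tag
        cmd: ['git', 'rev-parse', '--short', 'HEAD']
      - type: init
      - type: plan
      # Custom gate after the plan; a non-zero exit aborts the workflow.
      - type: run
        cmd: ['${TERRATEAM_ROOT}/scripts/post-plan.sh']
    apply:
      # Plan and apply are separate runs, so credentials must be obtained again.
      - type: oidc
        provider: aws
        role_arn: ${AWS_PRODUCTION_ROLE_ARN}
      - type: init
      - type: apply
      # Notify regardless of outcome (run_on value assumed).
      - type: run
        cmd: ['${TERRATEAM_ROOT}/scripts/notify.sh']
        run_on: always
```

The `apply` list repeats the `oidc` step on purpose: plan and apply execute as separate runs, so nothing obtained during plan carries over to apply.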
Implementing Custom Scripts and Validation
Custom workflows in Terrateam allow teams to add security checks, compliance validation, and integrations with external systems.
```yaml
workflows:
  - tag_query: "dir:prod"
    plan:
      - type: run
        cmd: ['${TERRATEAM_ROOT}/scripts/pre-plan.sh']
      # terraform plan needs an initialized working directory
      - type: init
      - type: plan
      - type: run
        cmd: ['${TERRATEAM_ROOT}/scripts/post-plan.sh']
```
Security scanning tools like terrascan integrate directly into a pre-plan workflow step to detect potential misconfigurations:
```bash
#!/bin/bash
# Pre-plan gate: scan the working directory with terrascan and block the
# plan if any policy violation is reported (non-zero exit status).
terrascan scan -d .
if [ $? -ne 0 ]; then
  echo "Security validation failed"
  exit 1
fi
```
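The terrascan step checks the source before the plan; a post-plan step can check what the plan would actually do. The following gate reads the rendered plan JSON and blocks deletion or replacement of protected resource types. It is an added example, not Terrateam's code or the post's, wired in as a `run` step after `plan` (for instance `cmd: ['python3', '${TERRATEAM_ROOT}/scripts/plan-gate.py']`). It assumes that `TERRATEAM_PLAN_FILE` names the plan file in post-plan steps (an assumption to confirm in the Terrateam documentation) and that the `terraform` binary is on PATH; the protected-type list and the sample plan JSON are constructed for illustration:

```python
"""Post-plan gate: fail the workflow when a plan would destroy or replace
protected resources.  Added example; not Terrateam's own code."""
import json
import os
import subprocess
import sys

# Resource types whose deletion or replacement should block the PR
# (illustrative list; tailor to what the directory actually manages).
PROTECTED_TYPES = {
    "aws_db_instance",
    "aws_s3_bucket",
    "aws_kms_key",
    "google_sql_database_instance",
}


def destructive_changes(plan, protected_types=PROTECTED_TYPES):
    """Return [(address, actions)] for protected resources the plan deletes
    or replaces.  `plan` is the parsed output of `terraform show -json`."""
    hits = []
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        # Terraform encodes a replacement as ["delete", "create"] or
        # ["create", "delete"]; a plain destroy is ["delete"].
        if "delete" in actions and rc.get("type") in protected_types:
            hits.append((rc["address"], list(actions)))
    return hits


def load_plan_json(plan_file):
    """Render a binary plan file to JSON with the terraform CLI."""
    out = subprocess.run(
        ["terraform", "show", "-json", plan_file],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


# Constructed sample in the abridged shape of `terraform show -json` output.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["update"]}},
        {"address": "aws_db_instance.main", "type": "aws_db_instance",
         "change": {"actions": ["delete", "create"]}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["no-op"]}},
        {"address": "aws_kms_key.state", "type": "aws_kms_key",
         "change": {"actions": ["delete"]}},
    ],
}


def main(argv):
    if "--demo" in argv:
        plan = SAMPLE_PLAN  # constructed input, for running this file by hand
    else:
        # TERRATEAM_PLAN_FILE is assumed to be set by Terrateam in post-plan steps.
        plan_file = os.environ.get("TERRATEAM_PLAN_FILE")
        if not plan_file:
            print("TERRATEAM_PLAN_FILE not set; refusing to pass the gate",
                  file=sys.stderr)
            return 2  # fail closed: no plan means no verdict
        plan = load_plan_json(plan_file)

    hits = destructive_changes(plan)
    for address, actions in hits:
        print(f"BLOCKED: {address} would be {'/'.join(actions)}")
    if hits:
        print(f"{len(hits)} protected resource(s) would be destroyed or replaced")
        return 1
    print("plan gate passed: no destructive changes to protected resources")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run `python3 plan-gate.py --demo` to see the gate reject the constructed sample (the database replacement and the KMS key deletion). The script fails closed when no plan file is available, so a misconfigured step cannot silently let a plan through.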
Automating Pre and Post-Apply Actions
Pre-apply and post-apply steps can automate critical tasks around Terraform apply operations. These custom workflow steps can integrate infrastructure changes with external systems:
```yaml
workflows:
  - tag_query: "dir:prod"
    apply:
      - type: run
        cmd: ['${TERRATEAM_ROOT}/scripts/pre-apply.sh']
      - type: init
      - type: apply
      - type: run
        cmd: ['${TERRATEAM_ROOT}/scripts/post-apply.sh']
```
Custom workflows include error handling to maintain reliability. When a step fails, Terrateam aborts the remaining steps of the workflow and reports the error in a pull request comment. A `run` step with `run_on: failure` still executes after a failed step, which makes it the place to notify an external system when an apply does not succeed:

```yaml
workflows:
  - tag_query: "dir:prod"
    apply:
      # terraform apply needs an initialized working directory
      - type: init
      - type: apply
      - type: run
        cmd: ['./notify-error.sh']
        run_on: failure
```
Securing Multi-Cloud Deployments
OpenID Connect (OIDC) integration removes the need for long-lived static credentials stored as secrets: the workflow exchanges the short-lived identity token GitHub issues to the job for temporary cloud credentials. The same mechanism covers multiple cloud providers within a single workflow. Note that the cloud-side trust policy, not the workflow file, decides which repositories and refs may assume the role, so it needs to be scoped as tightly as the role's permissions:

```yaml
workflows:
  - tag_query: "dir:multi-cloud"
    plan:
      - type: oidc
        provider: aws
        role_arn: ${AWS_ROLE_ARN}
      - type: oidc
        provider: gcp
        service_account: ${GCP_SERVICE_ACCOUNT}
        workload_identity_provider: ${GCP_WORKLOAD_IDENTITY_PROVIDER}
      - type: init
      - type: plan
```
Environment-specific workflows let teams bind each environment to its own role through directory-based tag queries, so a plan in staging never runs with production permissions:

```yaml
workflows:
  - tag_query: "dir:aws/production"
    plan:
      - type: oidc
        provider: aws
        role_arn: ${AWS_PRODUCTION_ROLE_ARN}
      - type: init
      - type: plan
  - tag_query: "dir:aws/staging"
    plan:
      - type: oidc
        provider: aws
        role_arn: ${AWS_STAGING_ROLE_ARN}
      - type: init
      - type: plan
```
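For the AWS side of the per-environment setup above, the role named by `AWS_PRODUCTION_ROLE_ARN` needs a trust policy that only the repository running Terrateam can satisfy; otherwise the `oidc` step's security rests on nothing. The following is an added example, not from the post or from Terrateam's documentation. The account ID and `example-org/infra` are placeholders, the `aud` value assumes the oidc step requests the `sts.amazonaws.com` audience that AWS integrations conventionally use (confirm against the Terrateam docs), and the `sub` pattern should be narrowed to the refs or environments your runs actually present:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:example-org/infra:*"
        }
      }
    }
  ]
}
```

Without the `sub` condition any GitHub repository could assume the role; the `aud` condition stops a token minted for another service from being replayed here. Pair the trust policy with a permissions policy limited to what the production directory manages, and give the staging role a separate, equally scoped pair.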
Building Better Infrastructure Workflows
Terrateam enables teams to create powerful Terraform workflows. With the Terrateam configuration file, it’s easy to implement custom validations, automate notifications, and create sophisticated multi-step workflows. Start improving your infrastructure workflows today by integrating Terrateam with your GitHub repository. Visit the Terrateam documentation for our quickstart guide.