Oftentimes organizations need to run more than just a terraform plan and terraform apply. Teams need automated security checks, compliance validations, ways to execute custom scripts integrated into their IaC workflows to satisfy all kinds of different requirements and ensure consistent deployments. Terrateam provides a flexible way to satisfy these requirements directly within GitHub pull requests.

Building Custom Terraform Workflows

Terrateam enhances Terraform operations with customizable workflows defined in the .terrateam/config.yml file. These workflows control how Terraform executes plan and apply changes while also integrating additional steps for validation, automation, and customization.

The workflow configuration follows a hierarchy:

workflows:
  - tag_query: "dir:production"
    plan:
      - type: init
      - type: plan
        extra_args: ["-var-file=production.tfvars"]
    apply:
      - type: init
      - type: apply

Tag queries determine when a specific workflow is triggered. This allows for different configurations for specific environments. Terrateam supports multiple workflows with different tag queries, providing granular control over infrastructure changes.

Terrateam offers many step types for workflow customization:

The run step executes custom commands
The env step manages environment variables
The oidc step implements secure cloud authentication

Implementing Custom Scripts and Validation

Custom workflows in Terrateam allow teams to add security checks, compliance validation, and integrations with external systems.

workflows:
  - tag_query: "dir:prod"
    plan:
      - type: run
        cmd: ['${TERRATEAM_ROOT}/scripts/pre-plan.sh']
      - type: plan
      - type: run
        cmd: ['${TERRATEAM_ROOT}/scripts/post-plan.sh']

Security scanning tools like terrascan integrate directly into a pre-plan workflow step to detect potential misconfigurations:

#!/bin/bash
# pre-plan.sh

terrascan scan -d .

if [ $? -ne 0 ]; then
    echo "Security validation failed"
    exit 1
fi

Automating Pre and Post-Apply Actions

Pre-apply and post-apply steps can automate critical tasks around Terraform apply operations. These custom workflow steps can integrate infrastructure changes with external systems:

workflows:
  - tag_query: "dir:prod"
    apply:
      - type: run
        cmd: ['${TERRATEAM_ROOT}/scripts/pre-apply.sh']
      - type: init
      - type: apply
      - type: run
        cmd: ['${TERRATEAM_ROOT}/scripts/post-apply.sh']

Custom workflows include strong error handling to maintain reliability. When a custom step fails, Terrateam aborts the workflow and provides detailed error messages in pull request comments:

workflows:
  - tag_query: "dir:prod"
    apply:
      - type: apply
      - type: run
        cmd: ['./notify-error.sh']
        run_on: failure

Securing Multi-Cloud Deployments

OpenID Connect (OIDC) integration removes the need for unsafe static credentials by generating temporary authentication tokens. This method supports multiple cloud providers within a single workflow:

workflows:
  - tag_query: "dir:multi-cloud"
    plan:
      - type: oidc
        provider: aws
        role_arn: ${AWS_ROLE_ARN}
      - type: oidc
        provider: gcp
        service_account: ${GCP_SERVICE_ACCOUNT}
        workload_identity_provider: ${GCP_WORKLOAD_IDENTITY_PROVIDER}
      - type: init
      - type: plan

Environment-specific workflow configurations allow teams to define specific permissions and controls through directory-based tag queries:

workflows:
  - tag_query: "dir:aws/production"
    plan:
      - type: oidc
        provider: aws
        role_arn: ${AWS_PRODUCTION_ROLE_ARN}
      - type: init
      - type: plan
  - tag_query: "dir:aws/staging"
    plan:
      - type: oidc
        provider: aws
        role_arn: ${AWS_STAGING_ROLE_ARN}
      - type: init
      - type: plan

Building Better Infrastructure Workflows

Terrateam enables teams to create powerful Terraform workflows. With the Terrateam configuration file, it's easy to implement custom validations, automate notifications, and create sophisticated multi-step workflows. Start improving your infrastructure workflows today by integrating Terrateam with your GitHub repository. Visit the Terrateam documentation for our quickstart guide.

Features

Learn More

Learn

Connect