chore(ci): enhance Terraform CI workflow with caching and PR plan comments

bcdady · bcdady · commit 6caa67102cb0 · 2025-12-31T10:10:45.000-07:00
Signed-off-by: Bryan Dady &lt;bryan@dady.us&gt;
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
@@ -8,6 +8,9 @@ on:
 jobs:
   terraform:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     env:
       TF_VAR_cf_api_token: ${{ secrets.TF_VAR_CF_API_TOKEN }}
       TF_API_TOKEN: ${{ secrets.TF_API_TOKEN }}
@@ -19,6 +22,14 @@ jobs:
         with:
           terraform_version: ~1.0
 
+      - name: Cache Terraform plugins
+        uses: actions/cache@v4
+        with:
+          path: ~/.terraform.d/plugin-cache
+          key: ${{ runner.os }}-terraform-${{ hashFiles('**/.terraform.lock.hcl') }}
+          restore-keys: |
+            ${{ runner.os }}-terraform-
+
       - name: Terraform Format
         run: terraform fmt -check -recursive
 
@@ -28,6 +39,38 @@ jobs:
       - name: Terraform Validate
         run: terraform validate
 
+      - name: Terraform Plan
+        id: plan
+        if: github.event_name == 'pull_request'
+        run: terraform plan -no-color
+        continue-on-error: true
+
+      - name: Comment PR with Plan
+        if: github.event_name == 'pull_request'
+        uses: actions/github-script@v7
+        env:
+          PLAN: "${{ steps.plan.outputs.stdout }}"
+        with:
+          script: |
+            const output = `#### Terraform Plan 📖
+            
+            <details><summary>Show Plan</summary>
+            
+            \`\`\`terraform
+            ${process.env.PLAN}
+            \`\`\`
+            
+            </details>
+            
+            *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
+            
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            })
+
       - name: Setup TFLint
         uses: terraform-linters/setup-tflint@v4
 
@@ -38,9 +81,11 @@ jobs:
 
       - name: TFSec Security Scan
         uses: aquasecurity/tfsec-action@v1.0.3
+        continue-on-error: true
 
       - name: Checkov Security Scan
         uses: bridgecrewio/checkov-action@v12
+        continue-on-error: true
         with:
           directory: .
           framework: terraform
