S3 cache (#2111)

breardon2011 · web-flow · commit f1bed6685f9b · 2025-08-27T20:33:59.000+01:00
* s3 cache
diff --git a/action.yml b/action.yml
@@ -211,6 +211,19 @@ inputs:
     description: "allows overriding of the terraform cache dir which defaults to ${github.workspace}/cache"
     required: false
     default: ''
+  cache-dependencies-s3:
+    description: "Use S3 for caching terraform/terragrunt dependencies"
+    required: false
+    default: 'false'
+  cache-dependencies-s3-bucket:
+    description: "S3 bucket URL for caching (e.g., s3://mybucket/cache)"
+    required: false
+    default: ''
+  cache-dependencies-s3-region:
+    description: "AWS region for S3 cache bucket"
+    required: false
+    default: 'us-east-1'
+
 
   digger-spec:
     description: "(orchestrator only) the spec to pass onto digger cli"
@@ -316,6 +329,24 @@ runs:
           digger-cache
       if: ${{ inputs.cache-dependencies == 'true' }}
 
+    - name: restore-s3-cache
+      shell: bash
+      run: |
+        BUCKET=$(echo "${{ inputs.cache-dependencies-s3-bucket }}" | sed 's|^s3://||')
+        REGION="${{ inputs.cache-dependencies-s3-region }}"
+        
+        SCRIPT_PATH="${{ github.action_path }}/scripts/s3-cache-download.bash"
+        if [ ! -f "$SCRIPT_PATH" ]; then
+          echo "::error::S3 cache download script not found at $SCRIPT_PATH"
+          echo "Please make sure the script exists and is properly installed."
+          exit 1
+        fi
+        
+        chmod +x "$SCRIPT_PATH"
+        "$SCRIPT_PATH" "$BUCKET" "$REGION" "$TF_PLUGIN_CACHE_DIR"
+      if: ${{ inputs.cache-dependencies-s3 == 'true' }}
+
+    # Then terraform setup happens...
     - name: Setup Terraform
       uses: hashicorp/setup-terraform@v3
       with:
@@ -429,8 +460,11 @@ runs:
 
         NO_BACKEND: ${{ inputs.no-backend }}
         DEBUG: 'true'
-        TG_PROVIDER_CACHE: ${{ inputs.cache-dependencies == 'true' && 1 || 0 }}
-        TERRAGRUNT_PROVIDER_CACHE: ${{ inputs.cache-dependencies == 'true' && 1 || 0 }}
+        TG_PROVIDER_CACHE: ${{ (inputs.cache-dependencies == 'true' || inputs.cache-dependencies-s3 == 'true') && 1 || 0 }}
+        TERRAGRUNT_PROVIDER_CACHE: ${{ (inputs.cache-dependencies == 'true' || inputs.cache-dependencies-s3 == 'true') && 1 || 0 }}
+        TF_PLUGIN_CACHE_DIR: ${{ env.TF_PLUGIN_CACHE_DIR }}
+        TG_PROVIDER_CACHE_DIR: ${{ env.TF_PLUGIN_CACHE_DIR }}
+        TERRAGRUNT_PROVIDER_CACHE_DIR: ${{ env.TF_PLUGIN_CACHE_DIR }}
         DIGGER_RUN_SPEC: ${{inputs.digger-spec}}
       run: |
           if [[ ${{ inputs.ee }} == "true" ]]; then
@@ -476,8 +510,11 @@ runs:
         INPUT_DRIFT_DETECTION_SLACK_NOTIFICATION_URL: ${{ inputs.drift-detection-slack-notification-url }}
         INPUT_DRIFT_DETECTION_ADVANCED_SLACK_NOTIFICATION_URL: ${{ inputs.drift-detection-advanced-slack-notification-url }}
         NO_BACKEND: ${{ inputs.no-backend }}
-        TG_PROVIDER_CACHE: ${{ inputs.cache-dependencies == 'true' && 1 || 0 }}
-        TERRAGRUNT_PROVIDER_CACHE: ${{ inputs.cache-dependencies == 'true' && 1 || 0 }}
+        TG_PROVIDER_CACHE: ${{ (inputs.cache-dependencies == 'true' || inputs.cache-dependencies-s3 == 'true') && 1 || 0 }}
+        TERRAGRUNT_PROVIDER_CACHE: ${{ (inputs.cache-dependencies == 'true' || inputs.cache-dependencies-s3 == 'true') && 1 || 0 }}
+        TF_PLUGIN_CACHE_DIR: ${{ env.TF_PLUGIN_CACHE_DIR }}
+        TG_PROVIDER_CACHE_DIR: ${{ env.TF_PLUGIN_CACHE_DIR }}
+        TERRAGRUNT_PROVIDER_CACHE_DIR: ${{ env.TF_PLUGIN_CACHE_DIR }}
         DIGGER_RUN_SPEC: ${{inputs.digger-spec}}
       id: digger
       shell: bash
@@ -524,8 +561,11 @@ runs:
         INPUT_DRIFT_DETECTION_SLACK_NOTIFICATION_URL: ${{ inputs.drift-detection-slack-notification-url }}
         INPUT_DRIFT_DETECTION_ADVANCED_SLACK_NOTIFICATION_URL: ${{ inputs.drift-detection-advanced-slack-notification-url }}
         NO_BACKEND: ${{ inputs.no-backend }}
-        TG_PROVIDER_CACHE: ${{ inputs.cache-dependencies == 'true' && 1 || 0 }}
-        TERRAGRUNT_PROVIDER_CACHE: ${{ inputs.cache-dependencies == 'true' && 1 || 0 }}
+        TG_PROVIDER_CACHE: ${{ (inputs.cache-dependencies == 'true' || inputs.cache-dependencies-s3 == 'true') && 1 || 0 }}
+        TERRAGRUNT_PROVIDER_CACHE: ${{ (inputs.cache-dependencies == 'true' || inputs.cache-dependencies-s3 == 'true') && 1 || 0 }}
+        TF_PLUGIN_CACHE_DIR: ${{ env.TF_PLUGIN_CACHE_DIR }}
+        TG_PROVIDER_CACHE_DIR: ${{ env.TF_PLUGIN_CACHE_DIR }}
+        TERRAGRUNT_PROVIDER_CACHE_DIR: ${{ env.TF_PLUGIN_CACHE_DIR }}
         DIGGER_RUN_SPEC: ${{inputs.digger-spec}}
       id: digger-local-run
       shell: bash
@@ -567,6 +607,23 @@ runs:
         path: ${{ env.TF_PLUGIN_CACHE_DIR }}
         key: digger-cache-${{ hashFiles('**/cache') }}
 
+    - name: save-s3-cache
+      shell: bash
+      run: |
+        BUCKET=$(echo "${{ inputs.cache-dependencies-s3-bucket }}" | sed 's|^s3://||')
+        REGION="${{ inputs.cache-dependencies-s3-region }}"
+        
+        SCRIPT_PATH="${{ github.action_path }}/scripts/s3-cache-upload.bash"
+        if [ ! -f "$SCRIPT_PATH" ]; then
+          echo "::error::S3 cache upload script not found at $SCRIPT_PATH"
+          echo "Please make sure the script exists and is properly installed."
+          exit 1
+        fi
+        
+        chmod +x "$SCRIPT_PATH"
+        "$SCRIPT_PATH" "$BUCKET" "$REGION" "$TF_PLUGIN_CACHE_DIR"
+      if: ${{ always() && inputs.cache-dependencies-s3 == 'true' }}
+
 branding:
   icon: globe
   color: purple
diff --git a/docs/ce/howto/caching-strategies.mdx b/docs/ce/howto/caching-strategies.mdx
@@ -21,6 +21,17 @@ The hashing of directories ensures that the cache is only saved if the contents
 cache is immutable so new caches will be new entries in the cache. Digger currently does not prune older caches so you may need
 to clean up older caches using a certain cycle.
 
+## S3 caching
+
+You can cache in AWS s3 rather than artefacts. This requires a bucket for caching and setting similar settings:
+
+``` - uses: diggerhq/digger@vLatest
+        with:
+            cache-dependencies-s3: true
+            cache-dependencies-s3-bucket: s3://terraform-cache-1756322349465/cache
+            cache-dependencies-s3-region: us-east-1
+```
+
 ## Self-hosted runners and volumes caching
 
 If you are using self-hosted runners with github it might be overkill on your bandwidth to load and restore from cache. In this case it might be better to mount
diff --git a/scripts/s3-cache-download.bash b/scripts/s3-cache-download.bash
@@ -0,0 +1,45 @@
+#!/bin/bash
+set -e
+
+# S3 Cache Download Script
+# Downloads terraform/terragrunt provider cache from S3
+
+BUCKET="$1"
+REGION="$2"
+CACHE_DIR="$3"
+
+# Validation
+if [ -z "$BUCKET" ]; then
+  echo "Error: S3 bucket name is required"
+  exit 1
+fi
+
+if [ -z "$REGION" ]; then
+  echo "Error: AWS region is required"
+  exit 1
+fi
+
+if [ -z "$CACHE_DIR" ]; then
+  echo "Error: Cache directory path is required"
+  exit 1
+fi
+
+# Ensure cache directory exists
+mkdir -p "$CACHE_DIR"
+echo "Ensuring cache directory exists: $CACHE_DIR"
+
+# Download cache from S3
+echo "Restoring cache from S3 bucket: $BUCKET (region: $REGION)"
+if aws s3 sync "s3://$BUCKET" "$CACHE_DIR" --region "$REGION" --quiet 2>/dev/null; then
+  CACHED_FILES=$(find "$CACHE_DIR" -type f 2>/dev/null | wc -l)
+  echo "Cache restored successfully ($CACHED_FILES files)"
+  
+  if [ "$CACHED_FILES" -gt 0 ]; then
+    echo "Sample cached artifacts:"
+    find "$CACHE_DIR" -type f 2>/dev/null | head -3
+  fi
+else
+  echo "No existing cache found or failed to restore (this is normal for first run)"
+fi
+
+echo "Cache download completed"
diff --git a/scripts/s3-cache-upload.bash b/scripts/s3-cache-upload.bash
@@ -0,0 +1,66 @@
+#!/bin/bash
+set -e
+
+# S3 Cache Upload Script
+# Uploads terraform/terragrunt provider cache to S3
+
+BUCKET="$1"
+REGION="$2"
+CACHE_DIR="$3"
+
+# Validation
+if [ -z "$BUCKET" ]; then
+  echo "Error: S3 bucket name is required"
+  exit 1
+fi
+
+if [ -z "$REGION" ]; then
+  echo "Error: AWS region is required"
+  exit 1
+fi
+
+if [ -z "$CACHE_DIR" ]; then
+  echo "Error: Cache directory path is required"
+  exit 1
+fi
+
+# Check if cache directory exists and has files
+if [ ! -d "$CACHE_DIR" ]; then
+  echo "No cache directory found at: $CACHE_DIR"
+  echo "Nothing to upload"
+  exit 0
+fi
+
+ARTIFACT_COUNT=$(find "$CACHE_DIR" -type f 2>/dev/null | wc -l)
+
+if [ "$ARTIFACT_COUNT" -eq 0 ]; then
+  echo "No files to cache - cache directory is empty"
+  echo "Nothing to upload"
+  exit 0
+fi
+
+# Check if AWS CLI is available and credentials are configured
+if ! command -v aws &> /dev/null; then
+  echo "Error: AWS CLI is not installed or not in PATH"
+  exit 1
+fi
+
+# Verify AWS credentials are available
+if ! aws sts get-caller-identity --region "$REGION" &> /dev/null; then
+  echo "Error: AWS credentials are not properly configured or are invalid"
+  echo "Please ensure AWS credentials are set up correctly before running this script"
+  exit 1
+fi
+
+# Upload cache to S3
+echo "Saving cache to S3 bucket: $BUCKET (region: $REGION)"
+echo "Uploading $ARTIFACT_COUNT files"
+
+if aws s3 sync "$CACHE_DIR" "s3://$BUCKET" --region "$REGION" --quiet 2>/dev/null; then
+  echo "Cache saved successfully"
+else
+  echo "Warning: Failed to save cache (this won't fail the build)"
+  exit 0  # Don't fail the build on cache upload failure
+fi
+
+echo "Cache upload completed"
