GCP Infrastructure Deployment: Terraform & GitHub Actions

This blog post demonstrates how to securely deploy infrastructure to Google Cloud Platform (GCP) using reusable GitHub Actions workflows and Terraform. We’ll showcase a demo pipeline leveraging pre-built templates for plan generation and infrastructure application, highlighting key security considerations and reusability benefits.

Target Audience: This post is geared towards developers, DevOps engineers, and security professionals interested in automating infrastructure deployments on GCP with security best practices and code re-use.

Project Goals: Our demo aims to:

  • Automate secure infrastructure deployments using Terraform and GitHub Actions.
  • Utilize reusable workflows for plan generation and deployment.
  • Implement security measures like TFSec scanning and secrets management.
  • Demonstrate pipeline reusability for deploying across different environments.

Benefits:

  • Streamlined Deployments: Automate infrastructure changes with efficient plan generation and application.
  • Improved Security: Leverage TFSec for static security scanning of the Terraform code and GitHub Actions secrets management for secure credential storage.
  • Enhanced Reusability: Reduce code duplication and maintenance with reusable workflows adaptable to various environments.
  • Increased Efficiency: Focus on infrastructure logic while GitHub Actions handles the deployment orchestration.

Let’s dive into the code:

Reusable Workflows:

  • terraform-plan.yml: This template automates Terraform plan generation with optional TFSec scanning. It accepts inputs like Terraform path, version, variables file, and GCP backend configuration.
  • terraform-apply.yml: This template applies a pre-generated Terraform plan. It downloads the plan artifact from GitHub Actions and executes terraform apply.

Add the GCP service account key to GitHub Actions secrets

Settings -> Secrets and variables -> Secrets -> click “New repository secret” -> enter the secret name the pipeline references (we use TF_SA) and paste the contents of the service account JSON key file as the value.

Main Pipeline (pipeline.yml):

YAML

name: 'Infra_build'

on:
  push:
    branches:
      - main
  pull_request:

permissions:
  contents: read

jobs:
  Dev_Plan:
    uses: littleworks-inc/gcp_terraform_demo/.github/workflows/terraform-plan.yml@main
    with:
      path: .
      tf_version: latest
      gcp_backend_bucket: gcp-gitlab-ci-demo-01
      gcp_backend_bucket_prefix: terraform
      tf_vars_file: dev.tfvars
      enable_TFSEC: true
      # environment: dev
    secrets:
      GOOGLE_CREDENTIALS: ${{ secrets.TF_SA }}

  Dev_Deploy:
    needs: Dev_Plan
    uses: littleworks-inc/gcp_terraform_demo/.github/workflows/terraform-apply.yml@main
    with:
      path: .
      tf_version: latest
      gcp_backend_bucket: gcp-gitlab-ci-demo-01
      gcp_backend_bucket_prefix: terraform
      tf_vars_file: dev.tfvars
      # environment: dev
    secrets:
      GOOGLE_CREDENTIALS: ${{ secrets.TF_SA }}

Explanation of Variables:

  • path: Path to your Terraform configuration directory.
  • tf_version: Terraform version (optional, defaults to latest).
  • gcp_backend_bucket: GCP Storage bucket for Terraform state files.
  • gcp_backend_bucket_prefix: Folder within the bucket for state files.
  • tf_vars_file: Terraform variables file defining configuration values.
  • enable_TFSEC: Enable TFSec static security scanning of the Terraform code (optional).
  • GOOGLE_CREDENTIALS: GCP service account key passed to the reusable workflow from a GitHub Actions secret (TF_SA in the example above).
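The post does not show the terraform-plan.yml template that the pipeline calls, so here is an added example of what a reusable workflow matching the caller's inputs and secret could look like; it is not the demo repository's own file. It assumes the Terraform configuration declares an empty `backend "gcs" {}` block for partial backend configuration, and the action versions (checkout@v4, setup-terraform@v3, auth@v2, tfsec-action@v1.0.0, upload-artifact@v4) are assumptions you should pin to whatever your project has vetted.

```yaml
name: terraform-plan
on:
  workflow_call:
    inputs:
      path:                      { type: string, required: true }
      tf_version:                { type: string, default: latest }
      gcp_backend_bucket:        { type: string, required: true }
      gcp_backend_bucket_prefix: { type: string, required: true }
      tf_vars_file:              { type: string, required: true }
      enable_TFSEC:              { type: boolean, default: false }
    secrets:
      GOOGLE_CREDENTIALS:        { required: true }
permissions:
  contents: read   # least privilege: planning only needs to read the repository
jobs:
  plan:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ${{ inputs.path }}
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ inputs.tf_version }}
      # Authenticate with the service account key the caller passes as a secret;
      # the action exports it for the Terraform google provider to pick up.
      - uses: google-github-actions/auth@v2
        with:
          credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
      # Static security scan of the Terraform code, run only when the caller opts in.
      - if: ${{ inputs.enable_TFSEC }}
        uses: aquasecurity/tfsec-action@v1.0.0
        with:
          working_directory: ${{ inputs.path }}
      # Assumes the configuration declares an empty `backend "gcs" {}` block,
      # so bucket and prefix are supplied as partial backend config at init time.
      - run: |
          terraform init -input=false \
            -backend-config="bucket=${{ inputs.gcp_backend_bucket }}" \
            -backend-config="prefix=${{ inputs.gcp_backend_bucket_prefix }}"
          terraform plan -input=false -var-file="${{ inputs.tf_vars_file }}" -out=tfplan
      # Hand the binary plan to terraform-apply.yml; a plan can embed sensitive
      # values, so keep its retention as short as the apply job allows.
      - uses: actions/upload-artifact@v4
        with:
          name: tfplan
          path: ${{ inputs.path }}/tfplan
          retention-days: 1
```

The apply template then downloads the `tfplan` artifact and runs `terraform apply tfplan` against the same backend, so the plan reviewed in the first job is exactly what gets applied.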

Redeploying Across Environments:

This pipeline’s beauty lies in its reusability. By changing specific inputs, you can adapt it to deploy to different environments:

  • Environment-specific variables: Create separate tf_vars files for each environment (e.g., dev.tfvars, prod.tfvars). Reference the appropriate file based on the environment you’re deploying to.
  • Secret management: Store environment-specific credentials for GCP accounts using different secrets in GitHub Actions. Reference the relevant secret based on the environment.
  • Conditional deploy jobs: Consider using environment variables or labels to trigger specific deploy jobs for different environments.

Remember:

  • Securely store GCP credentials using secrets management in GitHub Actions.
  • Regularly scan your Terraform code for security vulnerabilities using TFSec.
  • Adapt the pipeline and variables to fit your specific infrastructure and environment needs.


By leveraging reusable workflows and best practices, you can achieve secure and efficient infrastructure deployments on GCP using GitHub Actions and Terraform.

This is just a starting point. Feel free to customize and expand upon this demo to suit your project’s requirements. And remember, security should always be a top priority!