The first workflow, Terraform Plan, runs as expected. Terraform Apply is skipped even when I create the merge request.
I want terraform apply to request an approval before running. I want a chance to review the changes before they are applied.
```yaml
name: Terraform CI
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
jobs:
  terraform-plan:
    runs-on: self-hosted
    env:
      ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
      ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
      ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
      ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
      ARM_ENVIRONMENT: "usgovernment"
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Add Git Bash to PATH
        # PowerShell reads the runner's command files through $env:; a bare
        # $GITHUB_PATH is $null there, and ">> $null" silently discards the line.
        run: |
          echo "C:\\Program Files\\Git\\bin" >> $env:GITHUB_PATH
        shell: powershell
      - name: Disable SSL verification
        # GITHUB_ENV takes NAME=VALUE lines; a leading "export" is not stripped.
        # This turns off TLS certificate checking for Node-based actions.
        run: |
          echo "NODE_TLS_REJECT_UNAUTHORIZED=0" >> $env:GITHUB_ENV
        shell: powershell
      - name: List files for debugging
        run: ls -R
      - name: Set up Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_wrapper: false
          terraform_version: 1.10.4
      - name: Disable SSL Verification
        # Bash syntax for the env file, so run it under the Git Bash added above.
        # This turns off TLS certificate checking for the Azure CLI.
        run: echo "AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1" >> $GITHUB_ENV
        shell: bash
      - uses: azure/login@v2
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}
          environment: AzureUSGovernment
          audience: api://AzureADTokenExchangeUSGov
          auth-type: SERVICE_PRINCIPAL
      - name: Set environment variables
        # Same values as the job-level env above; bash syntax, so run under bash.
        run: |
          echo "ARM_CLIENT_ID=${{ secrets.ARM_CLIENT_ID }}" >> $GITHUB_ENV
          echo "ARM_CLIENT_SECRET=${{ secrets.ARM_CLIENT_SECRET }}" >> $GITHUB_ENV
          echo "ARM_TENANT_ID=${{ secrets.ARM_TENANT_ID }}" >> $GITHUB_ENV
          echo "ARM_SUBSCRIPTION_ID=${{ secrets.ARM_SUBSCRIPTION_ID }}" >> $GITHUB_ENV
        shell: bash
      - name: Initialize Terraform
        working-directory: ./Terraform
        run: terraform init
      - name: Plan Terraform
        working-directory: ./Terraform
        run: terraform plan -out=tfplan
      - name: Save Plan
        uses: actions/upload-artifact@v4
        with:
          name: tfplan
          path: ./Terraform/tfplan
  terraform-apply:
    runs-on: self-hosted
    needs: terraform-plan
    if: github.event.pull_request.merged
    environment: production
    env:
      ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
      ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
      ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
      ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
      ARM_ENVIRONMENT: "usgovernment"
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Add Git Bash to PATH
        run: |
          echo "C:\\Program Files\\Git\\bin" >> $env:GITHUB_PATH
        shell: powershell
      - name: Disable SSL verification
        run: |
          echo "NODE_TLS_REJECT_UNAUTHORIZED=0" >> $env:GITHUB_ENV
        shell: powershell
      - name: List files for debugging
        run: ls -R
      - name: Set up Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_wrapper: false
          terraform_version: 1.10.4
      - name: Disable SSL Verification
        run: echo "AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1" >> $GITHUB_ENV
        shell: bash
      - uses: azure/login@v2
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}
          environment: AzureUSGovernment
          audience: api://AzureADTokenExchangeUSGov
          auth-type: SERVICE_PRINCIPAL
      - name: Set environment variables
        run: |
          echo "ARM_CLIENT_ID=${{ secrets.ARM_CLIENT_ID }}" >> $GITHUB_ENV
          echo "ARM_CLIENT_SECRET=${{ secrets.ARM_CLIENT_SECRET }}" >> $GITHUB_ENV
          echo "ARM_TENANT_ID=${{ secrets.ARM_TENANT_ID }}" >> $GITHUB_ENV
          echo "ARM_SUBSCRIPTION_ID=${{ secrets.ARM_SUBSCRIPTION_ID }}" >> $GITHUB_ENV
        shell: bash
      - name: Download Plan
        uses: actions/download-artifact@v4
        with:
          name: tfplan
          # Download into ./Terraform so the apply step below finds tfplan in its working directory.
          path: ./Terraform
      - name: Apply Terraform
        working-directory: ./Terraform
        run: terraform apply -input=false -auto-approve tfplan
```
asked Jan 20 at 16:49 by user770022; edited Jan 20 at 17:16 by Shayki Abramczyk
- have you checked GA logs? – Marcin Orlowski Commented Jan 20 at 16:53
- Are there any terraform related errors? – Marko E Commented Jan 20 at 17:02
- No errors in the job it just says skipped. – user770022 Commented Jan 20 at 17:09
1 Answer
You missed this:

```yaml
pull_request:
  types:
    - closed
```
Docs:
Running your pull_request workflow when a pull request merges
When a pull request merges, the pull request is automatically closed. To run a workflow when a pull request merges, use the pull_request closed event type along with a conditional that checks the merged value of the event.
For example, the following workflow will run whenever a pull request closes. The if_merged job will only run if the pull request was also merged.
```yaml
on:
  pull_request:
    types:
      - closed
jobs:
  if_merged:
    if: github.event.pull_request.merged == true
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo The PR was merged
```
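As an added example (not part of the question or the answer), a small Ruby lint that parses a workflow with the standard-library YAML module and flags the mismatch described above: a job guarded by `github.event.pull_request.merged` while the `pull_request` trigger has no `closed` type. It also flags an unattended `terraform apply -auto-approve` job with no `environment`, since the environment's required-reviewers rule is what gives the approval pause the question asks for. Both workflow samples are constructed, cut down from the question's YAML; `environment` is left out of the first sample so that both checks fire.

```ruby
require 'yaml'

# Constructed sample: the question's pull_request trigger and apply job, cut down to
# the keys inspected; `types: [closed]` and `environment` are both absent.
WORKFLOW_AS_POSTED = <<~YAML
  on:
    pull_request: {branches: [main]}
  jobs:
    terraform-apply:
      needs: terraform-plan
      if: github.event.pull_request.merged
      steps:
        - run: terraform apply -input=false -auto-approve tfplan
YAML

# Constructed sample with the answer's fix applied and the environment gate in place.
WORKFLOW_FIXED = <<~YAML
  on:
    pull_request: {branches: [main], types: [closed]}
  jobs:
    terraform-apply:
      needs: terraform-plan
      if: github.event.pull_request.merged == true
      environment: production
      steps:
        - run: terraform apply -input=false -auto-approve tfplan
YAML
# Returns finding strings; an empty array means both checks pass.
def workflow_findings(yaml_text)
  doc = YAML.safe_load(yaml_text)
  # YAML 1.1 reads the bare key `on` as boolean true, so look it up both ways.
  triggers = doc['on'] || doc[true] || {}
  pr = triggers['pull_request']
  pr_types = pr.is_a?(Hash) ? Array(pr['types']) : []
  findings = []
  (doc['jobs'] || {}).each do |name, job|
    # pull_request.merged is only true on the `closed` activity type; with the
    # default opened/synchronize/reopened types the job is always skipped.
    if job['if'].to_s.include?('pull_request.merged') && !pr_types.include?('closed')
      findings << "#{name}: checks pull_request.merged but pull_request has no types: [closed]"
    end
    runs = Array(job['steps']).map { |s| s['run'].to_s }.join("\n")
    # An unattended apply should sit behind an environment whose required-reviewers rule pauses it.
    if runs.include?('-auto-approve') && !job.key?('environment')
      findings << "#{name}: terraform apply -auto-approve without an environment gate"
    end
  end
  findings
end
```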