How do you implement a CI/CD pipeline for Terraform?
Answer
A production Terraform CI/CD pipeline has these stages:

- PR checks: terraform fmt --check (formatting), terraform validate (syntax), tflint (linting), checkov (security scan), terraform plan (post the plan as a PR comment via Atlantis or GitHub Actions). Gate merging on a passing plan review.
- Merge to main: trigger terraform apply automatically (for lower environments) or with manual approval (for production).
- Separate pipelines per environment: dev applies automatically; staging requires approval; prod requires approval plus a change ticket.
- OIDC authentication: use GitHub Actions OIDC to authenticate to AWS/Azure without long-lived secrets; the pipeline assumes an IAM role via a short-lived token.
- State isolation: each environment's pipeline uses a different backend config and IAM role.
- Blast radius limiting: use -target only in emergencies; normally apply entire configurations.
- Notifications: send apply results to Slack with resource counts and changes.
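As an added example (not part of the original answer), the PR-check stage above expressed as a GitHub Actions workflow. It assumes an AWS IAM role already trusted for GitHub OIDC, whose ARN is stored in a repository variable named ROLE_ARN_DEV (placeholder), a backend config file at env/dev.backend.hcl, the us-east-1 region, and a pinned Terraform version; all of these are assumptions, not values from the page.

```yaml
# Added example, not from the original page. Runs the PR checks described in
# the answer: fmt, validate, tflint, checkov, plan, and posts the plan as a
# PR comment. ROLE_ARN_DEV, the backend file path, the region and the
# Terraform version are assumptions.
name: terraform-pr-checks

on:
  pull_request:
    branches: [main]

permissions:
  id-token: write       # required to request the OIDC token for the cloud login
  contents: read
  pull-requests: write  # required to post the plan as a PR comment

jobs:
  checks:
    runs-on: ubuntu-latest
    env:
      TF_IN_AUTOMATION: "true"
    steps:
      - uses: actions/checkout@v4

      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: "1.9.0"   # assumption: pin the CI version

      # Short-lived credentials via OIDC: no static access keys stored in secrets.
      # The role is scoped to the dev state backend; staging/prod use their own.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ vars.ROLE_ARN_DEV }}   # placeholder variable
          aws-region: us-east-1

      - name: terraform fmt
        run: terraform fmt -check -recursive

      - name: terraform init (dev backend)
        run: terraform init -input=false -backend-config=env/dev.backend.hcl

      - name: terraform validate
        run: terraform validate -no-color

      - uses: terraform-linters/setup-tflint@v4
      - name: tflint
        run: |
          tflint --init
          tflint --recursive

      # Static security scan of the configuration; a failing check blocks the merge.
      - name: checkov
        uses: bridgecrewio/checkov-action@v12
        with:
          directory: .
          framework: terraform

      # Save the plan to a file, then render it so the comment step can read it.
      - name: terraform plan
        shell: bash
        run: |
          terraform plan -input=false -no-color -out=tfplan.bin
          terraform show -no-color tfplan.bin > plan.txt

      - name: post plan as PR comment
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            // Truncate to stay under the comment size limit.
            const plan = fs.readFileSync('plan.txt', 'utf8').slice(0, 60000);
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: '<details><summary>Terraform plan (dev)</summary>\n\n<pre>'
                    + plan + '</pre></details>',
            });
```

The apply stage is a separate workflow triggered on push to main; for staging and prod it targets a GitHub Environment configured with required reviewers, so the manual approval described in the answer is enforced by the platform rather than by convention, and each environment's job assumes its own role and passes its own -backend-config file.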