Terraform CI with GitHub Actions

A simple Terraform CI setup using GitHub Actions reusable workflows.

This repo is designed for Terraform monorepos and focuses on:

• detecting only the Terraform directories that changed
• running lint and security scans in parallel
• keeping security checks non-blocking when desired

---

What this does

• 🔍 Detects changed .tf files in pull requests
• 📂 Builds a matrix of affected Terraform directories
• 🧹 Runs lint checks per directory
• 🔐 Runs security scans per directory
• 🔁 Uses a reusable workflow to avoid duplication

---

📂 Structure

.github/workflows/
├── tf-dirs-matrix.yml   # Reusable workflow: detect changed Terraform dirs
└── tf-ci.yml            # CI workflow: lint + security scans

---

🔄 How it works

Pull Request
   ↓
Detect Terraform changes (reusable workflow)
   ↓
Matrix per directory
   ├─ Terraform lint (required)
   └─ Security scan (advisory)

Each job runs independently, so a failure in one does not stop the others.

---

Why this design

• Reusable workflows keep logic in one place
• Matrix jobs scale well in monorepos
• Separate jobs give better feedback and flexibility
• Non-blocking security surfaces issues without slowing development

---

📚 Documentation & Resources

• GitHub Actions Reusable Workflows: https://docs.github.com/en/actions/using-workflows/reusing-workflows
• GitHub Actions Matrix Strategy: https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs
• TFLint: https://github.com/terraform-linters/tflint
• TFLint GitHub Actions: https://github.com/terraform-linters/setup-tflint
• Checkov: https://www.checkov.io
• Checkov GitHub Actions:
  • https://github.com/bridgecrewio/checkov-action
  • https://www.checkov.io/4.Integrations/GitHub%20Actions.html