Terraform CI Standard
For each Terraform root, CI runs:
terraform fmt -check -recursiveterraform init -backend=falseterraform validatetflint --recursivetrivy config --severity HIGH,CRITICAL .terraform plan is optional in generic CI because it may require environment credentials and remote data. Environment-specific plan workflows are separate, use read-only or least-privileged roles, redact sensitive output, and never auto-apply from untrusted PRs.
Trivy Config replaces tfsec/Terrascan in the standard toolchain. TFLint remains because it covers provider-aware correctness and conventions beyond security findings.
Reports and change visibility
Section titled “Reports and change visibility”The workflow writes a job summary for every root showing format, initialization, validation, lint, and security results. It uploads machine-readable Trivy output when needed for central reporting. Failure in one root does not hide the results of other roots; a matrix or controlled loop records each outcome before the job fails.
Security boundary
Section titled “Security boundary”Generic CI does not hold apply permissions. Pull requests from forks or untrusted branches never receive cloud credentials. Provider downloads and module sources are pinned or constrained, and the dependency lock file is reviewed when provider selections change.