Skip to content

Terraform CI Standard

For each Terraform root, CI runs:

Terminal window
terraform fmt -check -recursive
terraform init -backend=false
terraform validate
tflint --recursive
trivy config --severity HIGH,CRITICAL .

terraform plan is optional in generic CI because it may require environment credentials and remote data. Environment-specific plan workflows are separate, use read-only or least-privileged roles, redact sensitive output, and never auto-apply from untrusted PRs.

Trivy Config replaces tfsec/Terrascan in the standard toolchain. TFLint remains because it covers provider-aware correctness and conventions beyond security findings.

The workflow writes a job summary for every root showing format, initialization, validation, lint, and security results. It uploads machine-readable Trivy output when needed for central reporting. Failure in one root does not hide the results of other roots; a matrix or controlled loop records each outcome before the job fails.

Generic CI does not hold apply permissions. Pull requests from forks or untrusted branches never receive cloud credentials. Provider downloads and module sources are pinned or constrained, and the dependency lock file is reviewed when provider selections change.