Another approach, if you are using terraform directly and running in AWS, is to get GitHub Actions to log on to AWS.
While you can do this by embedding an AWS IAM secret as a GitHub secret, it may lead to the secret escaping. Instead, you can configure AWS to trust GitHub Actions, and set up passwordless trust between the two.
I wrote up how to do it here at StackOverflow if you’re interested: https://stackoverflow.com/a/69243572/130659
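The passwordless trust described in that comment is an IAM role whose trust policy names GitHub's OIDC provider and constrains the token's `aud` and `sub` claims. The block below is an added example (not the StackOverflow answer's code): it builds that trust policy and evaluates it the way STS would, so you can see that a wildcard `sub` admits any GitHub repository. The account id `123456789012` and repo `example-org/infra` are placeholders; the issuer host and `sts.amazonaws.com` audience are the standard ones.

```python
"""Added example (not the StackOverflow answer's code): build the IAM trust policy
that lets GitHub's OIDC provider assume a role, and check which workflow tokens it
admits.  Assumes the standard GitHub issuer host and the sts.amazonaws.com audience;
ACCOUNT_ID and REPO are placeholders."""
import json
import re
from typing import Dict, List, Optional

GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"  # GitHub's OIDC issuer
AWS_AUDIENCE = "sts.amazonaws.com"                         # aud requested by configure-aws-credentials
ACCOUNT_ID = "123456789012"                                # placeholder account
REPO = "example-org/infra"                                 # placeholder org/repo


def trust_policy(account_id: str, sub_patterns: List[str]) -> Dict:
    """Assume-role policy: the GitHub OIDC provider may call AssumeRoleWithWebIdentity
    only for tokens whose aud is AWS_AUDIENCE and whose sub matches one of sub_patterns."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC_HOST}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{GITHUB_OIDC_HOST}:aud": AWS_AUDIENCE},
                "StringLike": {f"{GITHUB_OIDC_HOST}:sub": sub_patterns},
            },
        }],
    }


def token_subject(repo: str, ref: Optional[str] = None,
                  environment: Optional[str] = None, pull_request: bool = False) -> str:
    """The `sub` claim GitHub puts in a job's OIDC token (environment wins over ref)."""
    if environment:
        return f"repo:{repo}:environment:{environment}"
    if pull_request:
        return f"repo:{repo}:pull_request"
    return f"repo:{repo}:ref:{ref}"


def _iam_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run, '?' one character, everything else literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def is_admitted(policy: Dict, aud: str, sub: str) -> bool:
    """Evaluate the Condition block against a token's aud/sub the way STS would."""
    cond = policy["Statement"][0]["Condition"]
    if cond["StringEquals"].get(f"{GITHUB_OIDC_HOST}:aud") != aud:
        return False
    patterns = cond["StringLike"].get(f"{GITHUB_OIDC_HOST}:sub", [])
    return any(_iam_like(p, sub) for p in patterns)


# Scoped: only pushes to main and the 'prod' environment of one repo may assume the role.
SCOPED = trust_policy(ACCOUNT_ID, [
    token_subject(REPO, ref="refs/heads/main"),
    token_subject(REPO, environment="prod"),
])
# The classic mistake: a bare wildcard on sub admits a token from ANY GitHub repository.
WIDE_OPEN = trust_policy(ACCOUNT_ID, ["repo:*"])

if __name__ == "__main__":
    print(json.dumps(SCOPED, indent=2))
    for policy_name, policy in (("scoped", SCOPED), ("wide-open", WIDE_OPEN)):
        for sub in (token_subject(REPO, ref="refs/heads/main"),
                    token_subject(REPO, ref="refs/heads/feature"),
                    token_subject("someone-else/repo", ref="refs/heads/main")):
            print(f"{policy_name:9} {sub:55} -> {is_admitted(policy, AWS_AUDIENCE, sub)}")
```

The `aud` check matters as much as the `sub` pattern: without it, a token minted for a different audience but the same repository would still be accepted. Feed the printed `SCOPED` document to the role's `assume_role_policy` (Terraform) or `--assume-role-policy-document` (CLI), and keep the `sub` patterns as narrow as the workflow's actual branch or environment.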
As opposed to just running it ad-hoc when a change is made?
People do all sorts of things with terraform; whether you need to is down to what you're doing and the context of your problem.
I've even run terraform on a cron-like schedule before to ensure configuration of a web service matched what we defined rather than the constant small edits people were making in the console. Eventually the behaviour stopped, but there's no reason not to.
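A scheduled drift check like the one that comment describes is just `terraform plan` run with `-detailed-exitcode`, which exits 0 when live state matches the code, 1 on error and 2 when changes are pending. The block below is an added example, not the commenter's code: it runs the plan, classifies the exit code and pulls the drifted resources out of the `-json` stream. `SAMPLE_PLAN_OUTPUT` is constructed, not captured from a real run, and `fake_plan_cmd` stands in for the terraform binary so the wrapper can be exercised without AWS.

```python
"""Added example (not the commenter's code): a scheduled Terraform drift check.
Runs `terraform plan -detailed-exitcode -json`, maps the exit code (0 clean,
1 error, 2 changes pending) and lists what drifted.  Assumes Terraform 1.x JSON
UI output; SAMPLE_PLAN_OUTPUT below is constructed, not captured from a real run."""
import json
import subprocess
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Sequence

# Plan only, never apply: the scheduled job reports, a human (or the normal pipeline) reconciles.
PLAN_CMD = ("terraform", "plan", "-detailed-exitcode", "-input=false", "-lock=false", "-json")


@dataclass
class DriftReport:
    exit_code: int
    drifted: List[str] = field(default_factory=list)   # changed outside Terraform since last apply
    planned: List[str] = field(default_factory=list)   # actions apply would take to reconcile
    summary: str = ""

    @property
    def status(self) -> str:
        return {0: "in-sync", 2: "drift"}.get(self.exit_code, "error")


def parse_plan_json(exit_code: int, lines: Sequence[str]) -> DriftReport:
    """Fold the NDJSON lines of `terraform plan -json` into a DriftReport."""
    report = DriftReport(exit_code)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            msg = json.loads(raw)
        except json.JSONDecodeError:
            continue                      # tolerate stray non-JSON lines
        kind = msg.get("type")
        if kind in ("resource_drift", "planned_change"):
            change = msg.get("change", {})
            entry = f'{change.get("resource", {}).get("addr", "?")} ({change.get("action", "?")})'
            (report.drifted if kind == "resource_drift" else report.planned).append(entry)
        elif kind == "change_summary":
            report.summary = msg.get("@message", "")
    return report


def run_drift_check(cmd: Sequence[str] = PLAN_CMD, cwd: Optional[str] = None) -> DriftReport:
    """Run the plan command and report; suitable for a cron or scheduled CI job."""
    proc = subprocess.run(list(cmd), cwd=cwd, capture_output=True, text=True)
    return parse_plan_json(proc.returncode, proc.stdout.splitlines())


def fake_plan_cmd(exit_code: int) -> Sequence[str]:
    """Stand-in for the terraform binary so the wrapper can run without Terraform or AWS."""
    return (sys.executable, "-c", f"import sys; sys.exit({exit_code})")


# Constructed sample: one bucket was edited in the console, plan wants to put it back.
SAMPLE_PLAN_OUTPUT = [
    '{"@level":"info","@message":"aws_s3_bucket.logs: Drift detected (update)","type":"resource_drift",'
    '"change":{"resource":{"addr":"aws_s3_bucket.logs","resource_type":"aws_s3_bucket"},"action":"update"}}',
    '{"@level":"info","@message":"aws_s3_bucket.logs: Plan to update","type":"planned_change",'
    '"change":{"resource":{"addr":"aws_s3_bucket.logs","resource_type":"aws_s3_bucket"},"action":"update"}}',
    '{"@level":"info","@message":"Plan: 0 to add, 1 to change, 0 to destroy.","type":"change_summary",'
    '"changes":{"add":0,"change":1,"remove":0,"operation":"plan"}}',
]

if __name__ == "__main__":
    live = len(sys.argv) > 1 and sys.argv[1] == "--live"
    report = run_drift_check() if live else parse_plan_json(2, SAMPLE_PLAN_OUTPUT)
    print(report.status, report.summary)
    for item in report.drifted:
        print("  drifted:", item)
    sys.exit(0 if report.status == "in-sync" else 1)   # non-zero so the scheduler alerts
```

Run it with `--live` from the Terraform working directory (after `terraform init`) to check the real state; without arguments it walks the constructed sample. The job exits non-zero on drift or error, which is what a cron wrapper or scheduled workflow needs to raise an alert.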
> As opposed to just running it ad-hoc when a change is made?
Yes. I worked at a shop that made a terrible mess (at least IMHO) of things by using Terraform from Jenkins for everything. So build and rollout new Docker image -> `terraform apply` entire infrastructure from Jenkins.
To me, use Terraform for Day-0 to build your infrastructure and CI/CD pipeline, then occasional updates. CI/CD for the day-to-day, if you can get away with it.
I have read lots of people are doing Terraform from Jenkins. I guess there is a use case; just saying, probably best to think first.
Absolutely does depend on what your use case is. I find for very self-contained terraform code it’s fine just to use the VCS-driven workflow, but when you have either a lot of inter-dependency or template-driven terraform code, using something like the API/CLI-driven workflow is ideal.
If everyone is just manually running `terraform init` and `terraform apply` post-PR or pre-PR, you never really have a good idea of what the state of your current infra is. Tying it to the CI/CD platform seems logical IMO.