Add plan workflow
Add the CI/CD foundation and a Terraform plan workflow to your infrastructure repository.
Step 1: Create a branch
Step 2: Set up CI/CD common
The cicd-common stack creates the IAM roles and resources needed for GitHub Actions to run Terraform in your AWS accounts. You need it in every environment that you want to run GitHub Actions workflows against.
Note
The examples below use a dev environment. Adapt the directory paths to match your own environment and directory structure.
Install the stack in your environment directory:
Update config_override.tf:
locals {
trusted_repositories = [
{
name = "<repo-name>"
type = "infra"
},
]
}
| Field | Description | Example |
|---|---|---|
<repo-name> |
Name of your IaC repository | pirates-iac |
Apply the stack locally so the IAM roles are available before the workflow runs:
Repeat for each environment (e.g., prod).
Step 3: Add configuration files
Step 3.1: Add .gp.cicd.json
Download .gp.cicd.json to the repository root:
gh api repos/oslokommune/golden-path-templates/contents/templates/gh-terraform-iac/.gp.cicd.json \
--jq '.content' | base64 -d > .gp.cicd.json
Update these values (you can find them in common-config.yml in each of your environment directories):
| Field | Description | Example |
|---|---|---|
<team-name> |
Your team name | pirates |
<dev-aws-account-id> |
AWS account ID for dev | 123456789012 |
<dev-environment-name> |
Name of your dev environment | pirates-dev |
<prod-aws-account-id> |
AWS account ID for prod | 987654321098 |
<prod-environment-name> |
Name of your prod environment | pirates-prod |
<aws-region> |
Your AWS region | eu-west-1 |
Step 3.2: Add CODEOWNERS
Add a CODEOWNERS file to define who owns the repository and approves PRs:
| Field | Description | Example |
|---|---|---|
<github-team-name> |
The name of your GitHub team | utviklerflyt |
Step 3.3: Add Renovate configuration
Download renovate.json5 to the repository root:
gh api repos/oslokommune/golden-path-templates/contents/templates/gh-terraform-iac/renovate.json5 \
--jq '.content' | base64 -d > renovate.json5
This overwrites any existing renovate.json5. If you have custom Renovate configuration, merge it into the downloaded file.
What is Renovate?
Renovate automatically creates pull requests to keep your dependencies up to date. Think of it as a better Dependabot. You can learn more about it here.
Step 4: Add the plan workflow
Download terraform-pr.yml to .github/workflows/terraform-pr.yml:
mkdir -p .github/workflows
gh api repos/oslokommune/golden-path-templates/contents/templates/gh-terraform-iac/.github/workflows/terraform-pr.yml \
--jq '.content' | base64 -d > .github/workflows/terraform-pr.yml
Update these values:
| Field | Description | Example |
|---|---|---|
<dev-iac-directory> |
The directory containing IaC for your dev environment | stacks/dev |
Step 5: Create a pull request
Push the branch and create a pull request.
Step 6: Verify the plan workflow in the PR
The plan workflow should run automatically in the PR. Verify that the Plan / Summarize check appears and completes successfully.
Step 7: Merge the pull request
Merge the pull request.
Step 8: Verify the plan workflow against all stacks
Manually trigger the plan workflow against all stacks to detect any issues:
- Go to Actions → Terraform PR → Run workflow
- Input
**as the stack pattern - Run the workflow
Once the run finishes, you'll get a summary of running terraform plan against all stacks in your repository. Review the results. Ideally all plans report No changes.
If any stacks have issues or unexpected drift, either fix them before continuing, or make a note of which stacks are affected — you will add them to an ignore list in the next guide.
Tip
See the terraform-pr.yml reference for available configuration options, including ignored-stacks.
Next steps
- Add the apply workflow to enable automated Terraform apply on pushes to your default branch.