Automating Terraform with GitHub - A Perfect Synergy? - DevOpCon Berlin 2025

Transcript

1. Automating Terraform with GitHub – a perfect synergy? PATRICK KOCH

2. Source icons: Microsoft, HashiCorp Patrick Koch Cloud Adoption Engineer at

   AVL he/him Mail: [email protected] GitHub: github.com/patkoch Bluesky: @patkoch.bsky.social Mastodon: @[email protected] LinkedIn: linkedin.com/in/patkoch87

3. What is Terraform? “Terraform creates and manages resources on cloud

   platforms and other services through their application programming interfaces (APIs). Providers enable Terraform to work with virtually any platform or service with an accessible API. HashiCorp and the Terraform community have already written thousands of providers to manage many different types of resources and services. You can find all publicly available providers on the Terraform Registry, including Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), Kubernetes, Helm, GitHub, Splunk, DataDog, and many more.” Source: https://developer.hashicorp.com/terraform/intro Icon Source: HashiCorp Brand Assets URL: https://www.hashicorp.com/brand Date of accessing: 11.02.2025

4. Terraform - Workflow Source: https://developer.hashicorp.com/terraform/intro

5. https://www.heise.de/en/news/IBM-kauft-den-Terraform-Anbieter-HashiCorp- fuer-6-4-Milliarden-US-Dollar-9698234.html

6. What is GitHub? "GitHub is a web-based platform for version

   control and collaboration that allows developers to manage and share their code repositories. It is built on top of Git, a distributed version control system, and provides additional features to facilitate teamwork, code review, and project management." Source: GitHub Copilot, 11.06.2025 Image generated by Microsoft Copilot using AI (2025). Filename: github_statistics_infographic.png.

7. After acquiring GitHub in 2018, Microsoft introduced several major features

   to enhance functionality and collaboration on the platform. Timeline of Major Feature Introductions  2018: Acquisition and Improvements  June 4: Microsoft acquires GitHub for $7.5 billion.  2019: GitHub Actions  November 2019: GitHub Actions officially launched, allowing developers to automate workflows directly from their GitHub repositories. This feature integrates CI/CD processes, enabling users to build, test, and deploy code seamlessly.  2020: GitHub Codespaces and Packages  2021: GitHub Copilot  2022: Public Repositories and Discussion Features  2023: GitHub Advanced Security Enhancements Source: Microsoft Copilot, 17.06.2025

8. “A GitHub Actions workflow is a way to automate tasks

   in your software development process using GitHub. Think of it like a set of instructions that GitHub follows automatically when certain events happen in your repository.” What is a GitHub Actions Workflow? Source: Generated by Microsoft Copilot – 09th of May 2025

9. Components Source: https://docs.github.com/en/actions/about-github-actions/understanding-github-actions

10. Best Practice and Live Demonstration using an example

11. https://github.com/patkoch/terraform-azure-vm-linux-workflow

12. Live Demonstration

13. Conclusion and derived best practice / findings

14. Secret Management  Use GitHub Secrets to store sensitive data

    o CLIENT_ID o SSH_PUBLIC_KEY o SUBSCRIPTION_ID o TENANT_ID o VIRTUAL_MACHINE_ADMIN_PASSWORD  Validation that the mandatory secrets exists  Disadvantages/Considerations: o Who is able to change the secrets? o Secrets can't be revealed after creating them o Secret Maintenance o Secret values rotation

15. Use Branch protection rules

16. Automated checks for pull requests  Terraform format validation 

    Infrastructure code initialization  Configuration validation  TFLint analysis  Plan generation  Automated PR comments with results

17. Use Terraform Linter  Enforce standards and best practice in

    your Terraform Code

18. Always review Terraform Plans

19. Plan and Apply separately

20. Add approval processes

21. State Management – Secure your State File "Azure Storage Accounts

    encrypt data by default using Storage Service Encryption (SSE) with Microsoft-managed keys." Source: GitHub Copilot (Claude Sonnet 3.5)

22. Maintain the workflow – use latest versions

23. None

24. Use Time outs in the workflow

25. Add a documentation

26. Use Federated Credentials (Azure) Source: https://learn.microsoft.com/en-us/graph/api/resources/federatedidentitycredentials-overview?view=graph-rest-1.0 - name: 'Az CLI

    login' uses: azure/login@v1 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
27. None

28. Thank you!