dflook / terraform-github-actions

GitHub actions for terraform

Terraform Cloud backend requires manual "Confirm & Apply" for Terraform >= 1.6.0 #326

Closed spencerfong-iceye closed 7 months ago

spencerfong-iceye commented 8 months ago

Problem description

When running the terraform-apply action while using a Terraform version of 1.6.0 or above and cloud backend, it seems like the Terraform Cloud agent runs the included plan and apply as part of a "saved plan run". This results in the terraform-apply action hanging during the actual apply stage, as it requires someone to manually go to the run within Terraform Cloud and click the "Confirm & Apply" button.

Note that this isn't an issue with Terraform versions below 1.6.0, as saved plans were only introduced starting in this version.

Terraform version

1.6.6

Backend

cloud

Workflow YAML

name: Terraform Apply

on:
  push:
    branches:
      - gha-workflow-test-apply

jobs: 
  changed-dirs:
    name: Get Changed Directories
    runs-on: ubuntu-latest
    outputs:
      parent_module_dirs: ${{ steps.filter-modules.outputs.parent_module_dirs }}

    steps:
      - name: Checkout Repository
        id: checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 2

      - name: Get Changed Directories
        id: changed-dirs
        uses: tj-actions/changed-files@v41
        with:
          json: true
          escape_json: false
          dir_names: true
          files: |
            **.tf

      - name: Filter Out Child Module Paths
        id: filter-modules
        run: |
          input_list=${{ steps.changed-dirs.outputs.all_changed_files }}
          # Convert input list to an array
          IFS=',' read -r -a items <<< "${input_list:1:-1}"
          # Filter out items containing "modules" in directory names
          filtered_items=()
          for item in "${items[@]}"; do
            if [[ $item != *"modules"* && $item != "terraform_cloud/workspaces" ]]; then
              filtered_items+=("\"$item\"")
            fi
          done
          # Convert filtered items into a JSON-formatted array
          filtered_list="[$(IFS=','; echo "${filtered_items[*]}")]"
          echo "parent_module_dirs=$filtered_list" >> $GITHUB_OUTPUT

  terraform-apply:
    name: Terraform Apply
    runs-on: ubuntu-latest
    needs: [changed-dirs]
    if: ${{ needs.changed-dirs.outputs.parent_module_dirs != '[]' && needs.changed-dirs.outputs.parent_module_dirs != '' }}
    permissions:
      contents: read
      pull-requests: write
    strategy:
      fail-fast: false
      matrix:
        dirs: ${{ fromJSON(needs.changed-dirs.outputs.parent_module_dirs) }}
      max-parallel: 4

    steps:
      - name: Checkout Repository
        id: checkout
        uses: actions/checkout@v4

      - name: Determine Workspace
        id: workspace
        run: |
          GOBIN=/usr/local/bin/ go install github.com/hashicorp/terraform-config-inspect@latest
          terraform-config-inspect --json "$GITHUB_WORKSPACE"/terraform_cloud/workspaces >> workspaces.json

          echo "Target directory: ${{ matrix.dirs }}"
          # Assign the key variable based on the matched working_directory
          key=""
          while IFS= read -r working_directory; do
            if [[ "${{ matrix.dirs }}" == *"$working_directory"* ]]; then
              echo "Match found: $working_directory is contained within ${{ matrix.dirs }}"
              key=$(jq -r --arg working_directory "$working_directory" '.variables.workspaces.default | to_entries[] | select(.value.working_directory == $working_directory) | .key' workspaces.json)
              break
            fi
          done < <(jq -r '.variables.workspaces.default | to_entries[] | .value.working_directory' workspaces.json)

          echo "Workspace value: $key"
          echo "WORKSPACE=$key" >> "$GITHUB_OUTPUT"

      - name: Run Terraform Apply
        id: apply
        uses: dflook/terraform-apply@v1
        with:
          path: ${{ matrix.dirs }}
          workspace: ${{ steps.workspace.outputs.WORKSPACE }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TERRAFORM_CLOUD_TOKENS: app.terraform.io=${{ secrets.TF_API_TOKEN }}
          TERRAFORM_SSH_KEY: ${{ secrets.OY_TF_SSH_KEY }}

Workflow log

https://gist.github.com/spencerfong-iceye/9576577d4b3e56f269fb6884a400bc47

Has debug logging been enabled?
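A CI-side check for the hang described above, as an added example (not code from the issue or from the dflook action): it classifies a Terraform Cloud run from its Runs API payload and stops polling as soon as the run sits in "planned" with "is-confirmable" set, instead of waiting forever for someone to press "Confirm & Apply". It assumes the payload shape `data.attributes.status` and `data.attributes.actions.is-confirmable`; the sample payloads are constructed, and the `fetch` callable stands in for a GET of the run (injected so the code runs offline).

```python
"""Detect a Terraform Cloud run stuck waiting for "Confirm & Apply".

Assumes the Terraform Cloud Runs API payload shape (data.attributes.status,
data.attributes.actions.is-confirmable). Sample payloads below are constructed.
"""

# Terminal states: the run will not change again on its own.
TERMINAL_OK = {"applied", "planned_and_finished"}
TERMINAL_FAIL = {"errored", "discarded", "canceled", "force_canceled"}


def classify_run(payload: dict) -> str:
    """Return 'awaiting_confirmation', 'done', 'failed' or 'in_progress'."""
    attrs = payload["data"]["attributes"]
    status = attrs["status"]
    confirmable = attrs.get("actions", {}).get("is-confirmable", False)
    if status == "planned" and confirmable:
        # The state from the issue: plan finished, apply never starts until a
        # human confirms the run in the Terraform Cloud UI.
        return "awaiting_confirmation"
    if status in TERMINAL_OK:
        return "done"
    if status in TERMINAL_FAIL:
        return "failed"
    return "in_progress"


def wait_for_run(fetch, max_polls: int) -> str:
    """Call fetch() up to max_polls times; return the first non-in-progress state.

    fetch is a zero-argument callable returning the parsed run payload
    (in a real pipeline, a GET of /api/v2/runs/<run-id>).
    """
    for _ in range(max_polls):
        state = classify_run(fetch())
        if state != "in_progress":
            return state
    return "timed_out"  # treat an endless 'planning' as a failure too


# Constructed sequence of payloads mimicking the hang reported in the issue.
SAMPLE_STATES = [
    {"data": {"attributes": {"status": "planning", "actions": {"is-confirmable": False}}}},
    {"data": {"attributes": {"status": "planned", "actions": {"is-confirmable": True}}}},
]


def demo() -> str:
    it = iter(SAMPLE_STATES)
    return wait_for_run(lambda: next(it), max_polls=5)


if __name__ == "__main__":
    print(demo())  # awaiting_confirmation
```

A pipeline step that gets `awaiting_confirmation` back can fail fast with a link to the run rather than hanging until the job timeout.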

spencerfong-iceye commented 8 months ago

For reference, this is what shows up when viewing the run in Terraform Cloud:

[screenshot of the run in Terraform Cloud]

dflook commented 7 months ago

Hello @spencerfong-iceye, I can reproduce the problem. It's a bug in Terraform, but I think I can work around it.

Terraform Cloud is increasingly a completely separate product to Terraform, crammed into the same cli. I don't particularly care to support it better than Hashicorp themselves.

spencerfong-iceye commented 7 months ago

Hello @spencerfong-iceye, I can reproduce the problem. It's a bug in Terraform, but I think I can work around it.

Terraform Cloud is increasingly a completely separate product to Terraform, crammed into the same cli. I don't particularly care to support it better than Hashicorp themselves.

Thanks very much for addressing this! Would you be willing to create a possible fix or workaround for this bug in the Action if you have ideas in mind already? If not, then I understand completely; I will probably just change my workflow to set up and run Terraform manually in that case. Regardless, I appreciate all your work on these actions so far; they've definitely saved me a lot of time and headache!

spencerfong-iceye commented 7 months ago

Also, I just want to mention that this seems to be happening with workspaces below 1.6.0 as well; I just ran into the exact same issue in a workspace running 1.5.7. The earliest version I've noticed doesn't have this problem is a workspace running 1.1.9, but I'm not sure what the latest version is that wouldn't have this problem; I haven't done extensive testing in that regard.

dflook commented 7 months ago

I think this is fixed in v1.41.2.

spencerfong-iceye commented 7 months ago

Hi @dflook, thank you for the update! I can confirm using v1.41.2 fixes the issue, apply runs are now confirmed automatically for workspaces using 1.6.0 and above. I appreciate your help!