How to Deploy GCP Infrastructure With Terraform in GitHub Actions
With WIF auth, the Terraform Google provider reads short-lived credentials from the environment, so terraform apply runs key-free.
Authenticate via WIF (which exports GOOGLE_APPLICATION_CREDENTIALS), set up Terraform, then terraform init/plan/apply. Gate apply behind the main branch.
Steps
- Authenticate via WIF so the provider uses ADC.
- Set up Terraform with
hashicorp/setup-terraform. - Run init and plan; apply only on main.
Workflow
.github/workflows/deploy.yml
permissions:
id-token: write
contents: read
jobs:
terraform:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: google-github-actions/auth@v2
with:
workload_identity_provider: ${{ vars.WIF_PROVIDER }}
service_account: ${{ vars.DEPLOY_SA }}
- uses: hashicorp/setup-terraform@v3
- run: terraform init
- run: terraform plan -out=plan.tfplan
- if: github.ref == 'refs/heads/main'
run: terraform apply -auto-approve plan.tfplanGotchas
- Store state in a GCS backend bucket; the local default state is lost between runs.
- The service account needs the roles for every resource it manages (e.g.
roles/compute.admin).
Related guides
How to Deploy to GKE With Helm in GitHub ActionsDeploy a Helm release to Google Kubernetes Engine from GitHub Actions by fetching cluster credentials and run…
How to Run a Cloud SQL Migration From GitHub ActionsRun database migrations against Cloud SQL from GitHub Actions using the Cloud SQL Auth Proxy and Workload Ide…