Skip to content
Latchkey

How to Deploy GCP Infrastructure With Terraform in GitHub Actions

With WIF auth, the Terraform Google provider reads short-lived credentials from the environment, so terraform apply runs key-free.

Authenticate via WIF (which exports GOOGLE_APPLICATION_CREDENTIALS), set up Terraform, then terraform init/plan/apply. Gate apply behind the main branch.

Steps

  • Authenticate via WIF so the provider uses ADC.
  • Set up Terraform with hashicorp/setup-terraform.
  • Run init and plan; apply only on main.

Workflow

.github/workflows/deploy.yml
permissions:
  id-token: write
  contents: read
jobs:
  terraform:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ vars.WIF_PROVIDER }}
          service_account: ${{ vars.DEPLOY_SA }}
      - uses: hashicorp/setup-terraform@v3
      - run: terraform init
      - run: terraform plan -out=plan.tfplan
      - if: github.ref == 'refs/heads/main'
        run: terraform apply -auto-approve plan.tfplan

Gotchas

  • Store state in a GCS backend bucket; the local default state is lost between runs.
  • The service account needs the roles for every resource it manages (e.g. roles/compute.admin).

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →