HTTP 425: Too early for this<p>After a solid week of long nights and being overtaken by creating a <a href="https://hachyderm.io/tags/Terraform" class="mention hashtag" rel="tag">#<span>Terraform</span></a> workflow via <a href="https://hachyderm.io/tags/GitHub" class="mention hashtag" rel="tag">#<span>GitHub</span></a> Actions (GHA) with S3 backend and <a href="https://hachyderm.io/tags/Vault" class="mention hashtag" rel="tag">#<span>Vault</span></a> auth via GHA workload identity (i.e., JWT auth), I over-engineered my solution.</p><p>All I need is downloading a version of the Terraform CLI, authenticating to Vault with a GHA token, downloading conftest as a TFE Sentinel swap-in, and the usual phases:</p><p>- `terraform init`<br />- `terraform plan -out=./tfplan`<br />- `terraform show -json ./tfplan | conftest --policy ./policies -`<br />- (if on `main` branch) `terraform apply ./tfplan`</p><p>Also shove ^^^ into a workflow yaml in one central repository that I can call from my real repo. Why? To make sure people don't skip <a href="https://hachyderm.io/tags/conftest" class="mention hashtag" rel="tag">#<span>conftest</span></a>. If they try, Vault won't let them authenticate.</p><p>Still not as nice as TFE, where I can trigger from a local workstation to troubleshoot, but it's better than the Amazon CodeBuild pipeline they've been using thus far. Plus this one uses software licenses the client has already purchased (i.e., GitHub Enterprise self-hosted) and actually has a workload identity.</p><p><a href="https://hachyderm.io/tags/TalesFromWork" class="mention hashtag" rel="tag">#<span>TalesFromWork</span></a></p>
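<p>The pipeline the post sketches, written out as a reusable GitHub Actions workflow plus the caller that invokes it. This is an added example, not the author's actual workflow. Assumed names: the central repository <code>org/central-repo</code>, the Vault JWT role <code>terraform-ci</code>, the repository variable <code>VAULT_ADDR</code>, and an AWS secrets-engine path <code>aws/creds/terraform</code> supplying credentials for the S3 backend. The "Vault won't let them authenticate" enforcement lives on the Vault side: the JWT role's <code>bound_claims</code> pins <code>job_workflow_ref</code> to this reusable workflow file, so a job that does not run through it (and therefore through the conftest step) never gets a token. The policy step uses <code>conftest test</code>, which is the subcommand that evaluates input against <code>--policy</code>.</p>

```yaml
# .github/workflows/terraform.yml in the central repository (reusable workflow).
# Hypothetical names throughout: org/central-repo, role terraform-ci, aws/creds/terraform.
name: terraform-plan-apply
on:
  workflow_call:
    inputs:
      terraform_version:
        type: string
        default: "1.9.8"
      conftest_version:
        type: string
        default: "0.56.0"
      vault_role:
        type: string
        required: true
      working_directory:
        type: string
        default: "."

permissions:
  id-token: write   # mints the GitHub OIDC token that Vault's JWT auth method verifies
  contents: read

# One run per ref at a time so two applies never race on the same S3 state/lock
concurrency:
  group: terraform-${{ github.ref }}
  cancel-in-progress: false

jobs:
  terraform:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ${{ inputs.working_directory }}
    steps:
      - uses: actions/checkout@v4

      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ inputs.terraform_version }}
          terraform_wrapper: false   # the wrapper mangles stdout, which breaks piping plan JSON to conftest

      # Vault-side role (assumed, configured outside this file) binds the claim
      #   job_workflow_ref = org/central-repo/.github/workflows/terraform.yml@refs/heads/main
      # so only jobs running this reusable workflow can log in. The secrets block maps an
      # assumed AWS secrets-engine lease into the env vars the S3 backend and provider read.
      - uses: hashicorp/vault-action@v3
        with:
          url: ${{ vars.VAULT_ADDR }}
          method: jwt
          role: ${{ inputs.vault_role }}
          jwtGithubAudience: ${{ vars.VAULT_ADDR }}   # must match bound_audiences on the role
          secrets: |
            aws/creds/terraform access_key     | AWS_ACCESS_KEY_ID ;
            aws/creds/terraform secret_key     | AWS_SECRET_ACCESS_KEY ;
            aws/creds/terraform security_token | AWS_SESSION_TOKEN

      - name: Install conftest (pinned version; verify the release checksum in production)
        run: |
          v="${{ inputs.conftest_version }}"
          curl -fsSL "https://github.com/open-policy-agent/conftest/releases/download/v${v}/conftest_${v}_Linux_x86_64.tar.gz" \
            | sudo tar -xz -C /usr/local/bin conftest
          conftest --version

      - run: terraform init -input=false

      - run: terraform plan -input=false -out=./tfplan

      - name: Policy check (conftest standing in for TFE Sentinel)
        run: terraform show -json ./tfplan | conftest test --policy ./policies -

      - name: Apply the reviewed plan (main only)
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        run: terraform apply -input=false ./tfplan

---
# .github/workflows/infra.yml in the consuming repository: it can only call the
# central workflow, and the caller must also grant id-token: write for OIDC to work.
name: infra
on:
  push:
    branches: [main]
  pull_request:
permissions:
  id-token: write
  contents: read
jobs:
  terraform:
    uses: org/central-repo/.github/workflows/terraform.yml@main
    with:
      vault_role: terraform-ci
```

<p>Two practitioner caveats: the apply step reuses the exact <code>tfplan</code> that conftest evaluated, so nothing can be applied that was not policy-checked in the same job; and pinning the caller to <code>@main</code> means the Vault <code>job_workflow_ref</code> binding and the caller reference must name the same ref, otherwise authentication fails even for a legitimate run.</p>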