How do I decrypt an encrypted plan file from TF-via-PR?

Use the OpenSSL command provided in the README: 'openssl enc -d -aes-256-ctr -pbkdf2 -salt -in tfplan.encrypted -out tfplan.decrypted -pass pass: '. This allows you to view the decrypted plan locally for verification.

TF-via-PR vs Atlantis: which should I use?

TF-via-PR is deeply integrated with GitHub Actions and offers built-in encryption and matrix support. Atlantis is more flexible across CI platforms with a dedicated UI. Choose TF-via-PR if your team is all-in on GitHub and values security features.

Can TF-via-PR run on self-hosted GitHub runners?

Yes, it supports self-hosted runners, as demonstrated in example #5 for GitHub Enterprise, making it suitable for environments with compliance or network restrictions.

How to set up TF-via-PR for multiple environments?

Leverage GitHub Actions matrix strategies, shown in example #2, to run parallel workflows across different workspaces or variable files, enabling efficient multi-environment deployments.

What permissions does TF-via-PR need in GitHub?

It requires specific permissions like 'pull-requests: write' to post comments and 'checks: write' for summaries, as outlined in the usage example to ensure seamless integration.

Does TF-via-PR support OpenTofu?

Yes, it fully supports OpenTofu through the 'tool' input parameter, allowing teams to switch between Terraform and OpenTofu without changing their automation setup.

TF-via-PR — Terraform PR Automation Action

What is TF-via-PR?

TF-via-PR is a GitHub Action that automates Terraform and OpenTofu workflows through pull request-based automation. It solves the problem of manual, error-prone infrastructure deployments by integrating plan and apply operations directly into the GitHub CI/CD pipeline, ensuring changes are reviewed, secure, and consistent. It provides encrypted plan artifacts, detailed PR comments with diffs, and supports various triggers for flexible workflow design.

Target Audience

DevOps engineers, platform engineers, and infrastructure teams who manage cloud resources with Terraform/OpenTofu and want to implement secure, scalable GitOps practices. It's also for maintainers seeking to empower development teams with self-service infrastructure provisioning while maintaining security controls.

Value Proposition

Developers choose TF-via-PR because it offers a secure, out-of-the-box solution for IaC automation that emphasizes encryption, drift prevention, and seamless GitHub integration. Unlike generic CI/CD scripts, it provides built-in features like plan encryption, PR comment updates, and support for complex workflows (e.g., matrix strategies, manual triggers), reducing custom scripting and security risks.

Overview

Plan and apply Terraform/OpenTofu via PR automation, using best practices for secure and scalable IaC workflows.

Use Cases

Best For

Implementing GitOps workflows for Terraform/OpenTofu in GitHub repositories
Securing infrastructure pipelines with encrypted plan artifacts and OIDC integration
Automating multi-environment deployments using GitHub Actions matrix strategies
Enabling self-service infrastructure changes for development teams via PR reviews
Detecting and alerting on configuration drift with scheduled refresh-only runs
Running Terraform plans/applies on self-hosted GitHub runners for compliance

Not Ideal For

Teams using CI/CD platforms other than GitHub Actions, such as GitLab CI or Jenkins
Projects requiring rapid, direct infrastructure changes without pull request reviews for agility
Complex deployments needing custom artifact management between plan and apply stages

Pros & Cons

Pros

Automated PR Workflows

Integrates Terraform plan and apply directly into pull requests, automatically posting detailed comments with diffs and logs, as shown in the usage examples.

Secure Plan Encryption

Encrypts Terraform plan artifacts at rest using AES-256-CTR encryption to protect sensitive data, with decryption instructions provided in the README.

Flexible Event Support

Supports multiple GitHub events like pull_request, push, merge_group, and scheduled cron jobs, enabling diverse workflow triggers as detailed in the examples.

Comprehensive CLI Integration

Passes through all standard Terraform/OpenTofu CLI arguments, including -var, -target, and -backend-config, ensuring full command-line functionality.

Cons

Input Parsing Limitations

The README admits issues with handling inputs containing spaces or commas, requiring workarounds like using TF_CLI_ARGS environment variables.

Artifact Management Gaps

Incomplete handling of interim artifacts between plan and apply commands, with a workaround that forces auto-approve, as noted in the To-Do section.

GitHub-Only Dependency

Tightly coupled with GitHub Actions, making it unsuitable for teams using other CI/CD systems or requiring platform-agnostic solutions.

TF-via-PR

What is TF-via-PR?

Overview

Use Cases

Best For

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions

Related Projects

Found a gem we're missing?

TF-via-PR

What is TF-via-PR?

Overview

Use Cases

Best For

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions

Related Projects

Found a gem we're missing?