We are moving our Genesys Cloud infrastructure to a fully automated CI/CD pipeline using GitHub Actions. The goal is strict separation of concerns. We want terraform plan to run automatically on every Pull Request. The actual terraform apply should only happen when the PR merges to the main branch.
The setup looks standard. We use the hashicorp/terraform-provider-genesyscloud module. We are storing the state remotely in an AWS S3 backend with DynamoDB for locking. The workflow file triggers on pull_request and push to main.
Here is the relevant part of the GitHub Actions workflow:
jobs:
  terraform:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: 1.5.0
      - name: Terraform Init
        run: terraform init
      - name: Terraform Plan
        if: github.event_name == 'pull_request'
        run: terraform plan -out=tfplan
      - name: Terraform Apply
        if: github.ref == 'refs/heads/main'
        run: terraform apply -auto-approve tfplan
The plan step works fine on the PR. It generates the artifact. But when we merge to main, the apply step fails. It complains about a state lock or sometimes just says the plan file is invalid because it was generated in a different working directory context during the PR run.
Is there a way to pass the plan artifact securely from the PR job to the main job? Or should we just run plan again on main? We don’t want to risk drift between the PR plan and the final apply. Any examples of this pattern working with Genesys resources?
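The workflow below is an added example written for this thread, not code from the original post or from the Genesys Cloud provider project. It keeps the plan-on-PR / apply-on-main split, but it never tries to carry the tfplan file across workflow runs: the PR job produces a review copy of the plan in the step summary, and the main job produces a fresh plan and applies it in the same job and working directory. The IAM role ARNs, the AWS region, the secret names and the `production` environment name are placeholders you would replace with your own; the `GENESYSCLOUD_*` environment variable names are the ones the Genesys Cloud provider reads its OAuth client from.

```yaml
# Added example (not from the original post): plan on pull requests, plan and
# apply in one job on pushes to main. Replace the placeholder ARNs, region and
# secret names before use.
name: genesys-terraform

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

# The S3/DynamoDB backend permits one writer at a time. Serialising every run of
# this workflow on one group keeps a PR plan and a main apply from racing for
# the state lock.
concurrency:
  group: genesys-terraform-state
  cancel-in-progress: false

permissions:
  contents: read
  id-token: write   # OIDC token for short-lived AWS credentials, no stored access keys

env:
  TF_IN_AUTOMATION: "true"
  TF_INPUT: "0"
  # Provider credentials. Secret names are placeholders; scope the OAuth client
  # to the permissions the managed resources actually need.
  GENESYSCLOUD_OAUTHCLIENT_ID: ${{ secrets.GENESYSCLOUD_OAUTHCLIENT_ID }}
  GENESYSCLOUD_OAUTHCLIENT_SECRET: ${{ secrets.GENESYSCLOUD_OAUTHCLIENT_SECRET }}
  GENESYSCLOUD_REGION: ${{ secrets.GENESYSCLOUD_REGION }}

jobs:
  plan:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/PLACEHOLDER-terraform-plan  # placeholder
          aws-region: us-east-1                                                     # placeholder
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: 1.5.0
          terraform_wrapper: false   # plain stdout, so 'terraform show' below is usable
      - run: terraform init -input=false
      - run: terraform fmt -check -recursive
      - run: terraform validate
      # -detailed-exitcode: 0 = no changes, 2 = changes, 1 = error. The binary plan
      # stays inside this job: it can hold sensitive values in cleartext, so it is
      # not uploaded as an artifact.
      - name: Plan
        run: |
          rc=0
          terraform plan -input=false -no-color -out=tfplan -detailed-exitcode || rc=$?
          [ "$rc" -ne 1 ] || exit 1
          {
            echo '## Terraform plan (PR review copy)'
            echo '~~~'
            terraform show -no-color tfplan
            echo '~~~'
          } >> "$GITHUB_STEP_SUMMARY"

  apply:
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    environment: production   # placeholder; attach required reviewers here
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/PLACEHOLDER-terraform-apply  # placeholder
          aws-region: us-east-1                                                       # placeholder
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: 1.5.0
          terraform_wrapper: false
      - run: terraform init -input=false
      # Plan and apply in the same job and working directory. A saved plan is bound
      # to the state serial it was produced from and Terraform refuses a stale one,
      # so only a plan made against current main can be applied here.
      - run: terraform plan -input=false -no-color -out=tfplan
      - run: terraform apply -input=false -no-color tfplan
```

Two points explain the design. First, the original failure is expected behaviour: a tfplan produced in the PR run is only valid against the exact state serial and working directory it was generated from, and after any other change to the state Terraform rejects it as stale, so re-planning on main is not a workaround but the check you want. The PR plan is review material; the plan that gets applied is the one computed against the state that exists at merge time, and the apply step uses the saved file rather than `-auto-approve` on a live plan so that what runs is exactly what was just planned. Second, the binary plan file can contain resource attributes and variable values in cleartext, including any the provider marks as sensitive, which is why the example renders a text copy into the step summary instead of publishing the file as a downloadable artifact; if you do decide to pass the file between jobs, treat it with the same care as the state file itself.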