Looking for advice on wiring up a CI/CD pipeline that runs terraform plan on PR and apply on merge without bleeding state across environments.
I've got a multi-org setup using the Genesys Cloud Terraform provider. The issue is handling the state lock and credentials in GitHub Actions. When a PR comes in, I need to run terraform plan against a temporary state or a specific workspace, but I don't want to touch the prod state file. Currently, the action fails on the PR step because it tries to acquire a lock on the S3 backend that's already held by the main branch or another run.
```yaml
name: terraform-plan
on:
  pull_request:
    paths:
      - '**.tf'
  push:                 # needed so the apply job (needs: plan) can run on main
    branches: [main]
jobs:
  plan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: hashicorp/setup-terraform@v2
      - run: terraform init
      - run: terraform plan -out=tfplan
      - uses: actions/upload-artifact@v3   # hand the saved plan to the apply job
        with:
          name: tfplan
          path: tfplan
```
The apply job only triggers on push to main.
```yaml
jobs:
  apply:                       # same workflow file as the plan job it depends on
    runs-on: ubuntu-latest
    needs: plan
    if: github.ref == 'refs/heads/main'
    steps:
      - uses: actions/checkout@v3
      - uses: hashicorp/setup-terraform@v2
      - uses: actions/download-artifact@v3   # fetch tfplan produced by the plan job
        with:
          name: tfplan
      - run: terraform init                  # a saved plan still needs providers and backend
      - run: terraform apply tfplan
```
How are you guys handling the state isolation? Are you using separate S3 keys per PR or just ignoring the lock for the plan step? The provider version is 1.8.5. I'm seeing weird timeouts when the plan step tries to read the remote state if the apply step is running concurrently in a different workflow run.
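One way to get the isolation asked about above, as an added example workflow that is not from the original post: a separate S3 backend key per environment so a PR run can never address the prod state, a GitHub Actions concurrency group per environment so plan and apply on the same state queue instead of colliding on the lock, and OIDC role assumption instead of static keys. The environment names, the `prod`/`staging` mapping to branches, the backend key layout, the account ID and role names are placeholders to adapt.

```yaml
name: terraform
on:
  pull_request:
    paths: ['**.tf']
  push:
    branches: [main]
permissions:
  id-token: write          # OIDC federation to AWS; no long-lived keys in secrets
  contents: read
env:
  # Assumed mapping: main tracks prod, PRs are planned against staging state.
  TF_ENV: ${{ github.ref == 'refs/heads/main' && 'prod' || 'staging' }}
# One queue per environment state: a PR plan and a main apply on the same
# backend key never overlap, and queued runs wait instead of failing on the
# S3 lock. Different environments still run in parallel.
concurrency:
  group: tf-state-${{ github.ref == 'refs/heads/main' && 'prod' || 'staging' }}
  cancel-in-progress: false
jobs:
  plan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/tf-${{ env.TF_ENV }}  # placeholder
          aws-region: us-east-1
      # Separate key per environment: the PR role only needs access to its own key.
      - run: terraform init -input=false -backend-config="key=${TF_ENV}/terraform.tfstate"
      - run: terraform plan -input=false -out=tfplan
      - uses: actions/upload-artifact@v4
        with: { name: tfplan, path: tfplan }
  apply:
    if: github.event_name == 'push'
    needs: plan
    runs-on: ubuntu-latest
    environment: prod       # GitHub environment with required reviewers gates the apply
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/tf-prod   # placeholder
          aws-region: us-east-1
      - uses: actions/download-artifact@v4
        with: { name: tfplan }
      - run: terraform init -input=false -backend-config="key=prod/terraform.tfstate"
      - run: terraform apply -input=false tfplan
```

Because the apply consumes the saved plan from the same run, Terraform refuses it as stale if the state serial changed in between, so a concurrent change is rejected rather than silently overwritten. Dropping the lock with `-lock=false` on PR plans only hides the collision; scoping the backend key and the IAM role per environment removes it.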