DevSecTop / TF-via-PR

GitHub Action to plan and apply OpenTofu/Terraform (TF) via pull request (PR) automation.

Home Page: https://github.com/marketplace/actions/opentofu-terraform-via-pull-request

Use PR comments instead of labels to trigger workflow automation

RDhar opened this issue · comments

TL;DR

Our current Terraform IaC implementation enables deployment of multiple environments via GitHub Actions, allowing directory-based environment isolation and management of multiple backends/workspaces from a single repository.

We'd like to extend this to allow for management of multiple environments spanning different regions and/or AWS accounts to support the tiered needs of various sized clients with greater flexibility.

Specific Problems

Workflow

  • Our existing method relies on pull request labels to trigger the appropriate workflow for the environment(s) being deployed. While straightforward, this is too simple to target provisioning of specific resources.
  • It's also limited in terms of allowing CLI-based inputs, including: var-file, backend-config, and auto-approve to name a few.
  • By default, IaC is only provisioned on merge of the PR. This is not ideal for validating changes, since some plans can pass review but fail to apply due to unforeseen constraints (e.g., lack of subnet availability).

Multi-Region/Account

  • Separated backend.tfvars is finicky for local Terraform usage as we have to specify chdir and backend-config each time since Terraform does not support variable interpolation in backend configuration.
  • Directory naming convention, or lack thereof, is not conducive to provisioning of resources across regions or accounts without a structured approach.
  • Provisioning is tied to a single account by long-lived credentials to authenticate AWS access via access and secret keys.

Proposed Solution

Instead of labels, use pull request comments to trigger workflows.

  • Allows for more granular control over the provisioning of IaC, similar to local CLI usage or Atlantis runner.
  • Addresses validation of IaC before merge by applying a plan during the pull request workflow.
  • Create deployment markers automatically when a terraform plan is applied.
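Added example, not part of the original issue or of the TF-via-PR action: a small Python parser that turns a PR comment into argv lists for `tofu init` and `tofu plan`/`apply`, assuming a hypothetical `-tf=plan|apply -chdir=… -var-file=… -backend-config=… -auto-approve` comment syntax. The security point for comment-triggered workflows is that the comment body is untrusted input: the parser checks the commenter's `author_association`, allowlists flags, rejects paths that escape the checkout, and hands the result to `subprocess` as an argv list rather than a shell string.

```python
import re
import shlex
from pathlib import PurePosixPath

# Hypothetical comment syntax assumed for this example (not the action's own):
#   "-tf=plan -chdir=stacks/prod -var-file=prod.tfvars -backend-config=prod.tfbackend -auto-approve"
ALLOWED_COMMANDS = {"plan", "apply"}
INIT_FLAGS = {"backend-config"}   # path-valued, belongs to `tofu init`
RUN_FLAGS = {"var-file"}          # path-valued, belongs to plan/apply
TRUSTED_ASSOCIATIONS = {"OWNER", "MEMBER", "COLLABORATOR"}  # GitHub author_association values

def safe_relative_path(value):
    """Reject empty, absolute and parent-escaping paths so a comment cannot point outside the checkout."""
    parts = PurePosixPath(value).parts
    if not value or PurePosixPath(value).is_absolute() or ".." in parts:
        raise ValueError(f"rejected path: {value!r}")
    return value

def build_tf_argv(comment, author_association):
    """Turn a trusted PR comment into [init_argv, run_argv] for subprocess (never a shell string)."""
    if author_association not in TRUSTED_ASSOCIATIONS:
        raise PermissionError(f"{author_association} may not trigger TF runs")
    command, chdir, init_args, run_args, auto_approve = None, None, [], [], False
    for tok in shlex.split(comment):
        m = re.fullmatch(r"-([a-z-]+)(?:=(.*))?", tok)
        flag, value = (m.group(1), m.group(2)) if m else (None, None)
        if flag == "tf" and value in ALLOWED_COMMANDS:
            command = value
        elif flag == "chdir" and value is not None:
            chdir = safe_relative_path(value)
        elif flag in INIT_FLAGS and value is not None:
            init_args.append(f"-{flag}={safe_relative_path(value)}")
        elif flag in RUN_FLAGS and value is not None:
            run_args.append(f"-{flag}={safe_relative_path(value)}")
        elif flag == "auto-approve" and value is None:
            auto_approve = True
        else:  # anything not on the allowlist (including shell metacharacters) is refused outright
            raise ValueError(f"unrecognised or disallowed token: {tok!r}")
    if command is None:
        raise ValueError("missing -tf=plan|apply")
    if auto_approve:
        if command != "apply":
            raise ValueError("-auto-approve only applies to apply")
        run_args.append("-auto-approve")
    prefix = ["tofu"] + ([f"-chdir={chdir}"] if chdir else [])  # -chdir is a global option, before the subcommand
    return [prefix + ["init", "-input=false"] + init_args,
            prefix + [command, "-input=false"] + run_args]
```

Run each returned list with `subprocess.run(argv, check=True)` in the workflow step; with `shell=False` the comment text can never be interpreted by a shell.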