CLI Tool and GitHub Action to patch your Terraform Code
InfraPatch is a CLI tool and GitHub Action to patch the Provider and Module dependencies in your Terraform Code. The CLI works by scanning your `.tf` files for versioned providers and modules and then updating the version to the latest available version.
This repository contains a GitHub Action. The Action can, for example, be run on a schedule to automatically update your code and open a PR with the changes to the head branch.
The following example workflow runs once a day:
```yaml
name: "InfraPatch"
permissions:
  contents: write
  pull-requests: write
on:
  schedule:
    - cron: '0 23 * * *'
  workflow_dispatch:
jobs:
  infrapatch:
    name: "Check Terraform Code for Updates"
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Run in update mode
        uses: Noahnc/infrapatch@main
        with:
          report_only: false
```

NOTE: It's important to set `fetch-depth: 0` in the Checkout step, otherwise rebases performed by InfraPatch will not work correctly.
InfraPatch will create a new branch with the changes and open a PR to the branch for which the Action was triggered. The PR body contains a list for every enabled provider with the current and newest version.
InfraPatch supports individual providers to detect and patch versions. Currently, the following providers are available:
| Name | Description |
|---|---|
| `terraform_modules` | Provider to patch Terraform Modules. |
| `terraform_providers` | Provider to patch Terraform Providers. |
By default, all providers are enabled. You can enable only specific providers by listing their names as a comma-separated list in the `enabled_providers` input:

```yaml
- name: Run in update mode
  uses: Noahnc/infrapatch@main
  with:
    enabled_providers: terraform_modules,terraform_providers
```

By default, the Action creates a branch with all the changes and opens a PR to the branch for which the Action was triggered. When the input `report_only` is set to `true`, the Action only reports available updates in the Action output.
If you use private registries in your Terraform project, you can specify credentials for the Action with the `terraform_registry_secrets` input:

```yaml
- name: Run in update mode
  uses: Noahnc/infrapatch@main
  with:
    terraform_registry_secrets: |
      spacelift.io=${{ secrets.SPACELIFT_API_TOKEN }}
      <second_registry>=<registry_token>
```

Each secret must be on its own line in the format `<registry_name>=<registry_token>`.
By default, the Action runs in the root directory of the repository. If you want to scan only a subdirectory, you can specify it with the `working_directory_relative` input:

```yaml
- name: Run in update mode
  uses: Noahnc/infrapatch@main
  with:
    working_directory: "path/to/terraform/code"
```
InfraPatch is also available as a CLI to run locally. See the Installation section for more information on how to install the CLI.
Currently, the CLI supports only macOS and Linux, since the Terraform parser it uses has no version available for Windows.
Before installing the CLI, make sure you have Python 3.11 or higher installed. The InfraPatch CLI can be installed via pip:

```shell
git clone "https://github.com/Noahnc/infrapatch.git"
cd infrapatch
pip install .
```
After the installation, InfraPatch can be run with the following command:

```shell
infrapatch --help
```

Currently, InfraPatch supports two main commands: `report` and `update`.

The `report` command will scan your Terraform code and report the current and newest version of all providers and modules.

```shell
infrapatch report
```

The `update` command will scan your Terraform code and ask you for confirmation to update the listed modules and providers to the newest version.

```shell
infrapatch update
```
If you use private registries for your providers or modules, you can specify credentials for the CLI to use. There are two ways to do so:

- InfraPatch will automatically look for a `.terraformrc` file in the user's home folder and use the credentials specified there. For more information about the `.terraformrc` file, see the Terraform documentation.
- You can also specify the credentials in an `infrapatch_credentials.json` file in the current working directory. The file must have the following structure:

```json
{
  "spacelift.io": "<your_api_token>",
  "<second_registry>": "<your_api_token>"
}
```

You can also specify the path to the credentials file with the `--credentials-file-path` flag:

```shell
infrapatch --credentials-file-path "path/to/credentials/file" update
```
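The Action's `terraform_registry_secrets` input and the CLI's `infrapatch_credentials.json` file both map a registry name to a token. The following Python is an added example for this README, not InfraPatch's own code: it parses both formats into one `{registry: token}` mapping and rejects malformed entries, so a mis-pasted secret fails the run instead of silently sending no credential. The function names, the constructed sample inputs and the assumption in `token_for_source` that the registry is the first path segment of a module or provider source are all this example's own, not documented InfraPatch behaviour.

```python
import json
from pathlib import Path
from typing import Dict, Optional


def parse_registry_secrets(text: str) -> Dict[str, str]:
    """Parse the Action's multi-line terraform_registry_secrets input
    (<registry_name>=<registry_token>, one entry per line) into {registry: token}.

    Each line is split on the FIRST '=' only, so tokens that themselves contain
    '=' (base64 padding, for example) survive intact. Blank lines are skipped;
    a line without '=', an empty registry or token, or a duplicate registry
    raises ValueError so the problem surfaces before any registry is contacted.
    """
    secrets: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        registry, sep, token = line.partition("=")
        registry, token = registry.strip(), token.strip()
        if not sep or not registry or not token:
            raise ValueError(f"line {lineno}: expected <registry_name>=<registry_token>")
        if registry in secrets:
            raise ValueError(f"line {lineno}: duplicate entry for registry {registry!r}")
        secrets[registry] = token
    return secrets


def parse_credentials_json(text: str) -> Dict[str, str]:
    """Validate the infrapatch_credentials.json structure: one flat JSON object
    whose keys are registry names and whose values are non-empty token strings."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("credentials file must contain a single JSON object")
    creds: Dict[str, str] = {}
    for registry, token in data.items():
        if not registry.strip() or not isinstance(token, str) or not token.strip():
            raise ValueError(f"invalid credentials entry for registry {registry!r}")
        creds[registry.strip()] = token
    return creds


def load_credentials_file(path: Path) -> Dict[str, str]:
    """Read the credentials file from disk (the CLI looks for
    infrapatch_credentials.json in the working directory or at the path given
    with --credentials-file-path). The file holds live tokens, so keep it out
    of version control."""
    return parse_credentials_json(path.read_text(encoding="utf-8"))


def token_for_source(creds: Dict[str, str], source: str) -> Optional[str]:
    """Look up the token for a module/provider source by its registry name.
    Assumption of this example: the registry is the first path segment, e.g.
    'spacelift.io/acme/network/aws' -> 'spacelift.io'. Sources on registries
    without a stored credential return None and would be fetched anonymously."""
    registry = source.split("/", 1)[0]
    return creds.get(registry)


# Constructed sample input in the Action's terraform_registry_secrets format
# (blank line and stray whitespace included on purpose).
SAMPLE_SECRETS_INPUT = """\
spacelift.io=tok-spacelift-abc==

  registry.example.internal = tok-internal-xyz
"""

# Constructed sample matching the infrapatch_credentials.json layout.
SAMPLE_CREDENTIALS_JSON = (
    '{"spacelift.io": "tok-spacelift-abc==", '
    '"registry.example.internal": "tok-internal-xyz"}'
)


if __name__ == "__main__":
    from_action = parse_registry_secrets(SAMPLE_SECRETS_INPUT)
    from_file = parse_credentials_json(SAMPLE_CREDENTIALS_JSON)
    print("same mapping from both formats:", from_action == from_file)
    print(token_for_source(from_action, "spacelift.io/acme/network/aws"))
```

Splitting on the first `=` rather than every `=` is the detail that matters most in practice: API tokens are often base64 and end in `=`, and a naive `split("=")` would truncate them and produce confusing authentication failures against the registry.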
The following section describes configurations and behaviors that apply to both the GitHub Action and the CLI.
InfraPatch supports individual resource options to change the behavior for a specific resource. Resource options can be specified one line above your resource definition with the following syntax:

```hcl
# infrapatch_options: <option_name1>=<option_value1>, <option_name2>=<option_value2>
module "example" {
  source = "terraform-aws-modules/example"
  name   = "demo"
}

terraform {
  required_providers {
    # infrapatch_options: <option_name1>=<option_value1>,<option_name2>=<option_value2>
    aws = {
      source = "hashicorp/aws"
    }
  }
}
```
Currently, the following options are available:
| Option Name | Description | Default Value |
|---|---|---|
| `ignore_resource` | If set to `true`, the resource will be ignored by InfraPatch. | `false` |
The following example shows how to ignore a Terraform module and a Terraform provider:

```hcl
# infrapatch_options: ignore_resource=true
module "example" {
  source = "terraform-aws-modules/example"
  name   = "demo"
}

terraform {
  required_providers {
    # infrapatch_options: ignore_resource=true
    aws = {
      source = "hashicorp/aws"
    }
  }
}
```
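The options comment above and the scan-and-update loop described at the top of this README fit together as follows. This Python is an added example written for this page, not InfraPatch's own implementation (which uses a full Terraform parser): it understands only single-line `source`/`version` attributes, attaches an `# infrapatch_options:` comment to the definition on the very next line, skips resources with `ignore_resource=true`, and rewrites only exact version pins. The `LATEST` dict is a constructed stand-in for a registry lookup, and leaving version constraint expressions (`~>`, `>=`) untouched is a simplification of this example, not InfraPatch's documented behaviour.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

OPTIONS_RE = re.compile(r"^\s*#\s*infrapatch_options:\s*(.*?)\s*$")
MODULE_RE = re.compile(r'^\s*module\s+"([^"]+)"\s*\{')
PROVIDER_ENTRY_RE = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*=\s*\{")  # aws = { ... } inside required_providers
ATTR_RE = re.compile(r'^\s*(source|version)\s*=\s*"([^"]*)"')     # one attribute per line (assumption)

def parse_options(line: str) -> Optional[Dict[str, str]]:
    """'# infrapatch_options: k=v, k2=v2' -> {k: v}; None if the line is not an options comment."""
    m = OPTIONS_RE.match(line)
    if m is None:
        return None
    options: Dict[str, str] = {}
    for item in filter(str.strip, m.group(1).split(",")):
        key, sep, value = item.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed infrapatch option {item.strip()!r}")
        options[key.strip()] = value.strip()
    return options

@dataclass
class Resource:
    kind: str  # "module" or "provider"
    name: str
    options: Dict[str, str] = field(default_factory=dict)
    source: Optional[str] = None
    version: Optional[str] = None
    version_line: int = -1  # index of the 'version = "..."' line, for in-place rewriting

    @property
    def ignored(self) -> bool:
        return self.options.get("ignore_resource", "false").lower() == "true"

def scan_tf(text: str) -> List[Resource]:
    """Collect module blocks and required_providers entries; an options comment
    applies only to the definition on the line directly below it."""
    resources, current, pending = [], None, {}
    depth = current_depth = rp_depth = 0
    in_rp = False  # inside a required_providers block
    for idx, line in enumerate(text.splitlines()):
        opts = parse_options(line)
        if opts is None:
            if depth == 0 and (m := MODULE_RE.match(line)):
                current, current_depth = Resource("module", m.group(1), pending), depth
            elif line.strip().startswith("required_providers"):
                in_rp, rp_depth = True, depth
            elif in_rp and current is None and (m := PROVIDER_ENTRY_RE.match(line)):
                current, current_depth = Resource("provider", m.group(1), pending), depth
            elif current is not None and (m := ATTR_RE.match(line)):
                setattr(current, m.group(1), m.group(2))
                if m.group(1) == "version":
                    current.version_line = idx
        depth += line.count("{") - line.count("}")  # naive: braces inside strings are not handled
        if current is not None and depth == current_depth:
            resources.append(current)
            current = None
        if in_rp and depth == rp_depth:
            in_rp = False
        pending = opts or {}
    return resources

def version_key(version: str) -> Optional[Tuple[int, ...]]:
    # Exact pins (5.31.0) become comparable tuples; constraints such as ~> 5.0 yield None.
    parts = version.strip().lstrip("v").split(".")
    return tuple(int(p) for p in parts) if all(p.isdigit() for p in parts) else None

def plan_updates(resources: List[Resource], latest: Dict[str, str]) -> List[Tuple[Resource, str]]:
    """Pair each non-ignored, exactly pinned resource with a newer version from
    `latest`, a {source: newest_version} lookup standing in for registry calls."""
    updates = []
    for r in resources:
        cur = version_key(r.version) if r.version else None
        new = version_key(latest[r.source]) if r.source in latest else None
        if not r.ignored and cur is not None and new is not None and new > cur:
            updates.append((r, latest[r.source]))
    return updates

def apply_updates(text: str, updates: List[Tuple[Resource, str]]) -> str:
    """Rewrite only the version attribute of each planned update; everything else is untouched."""
    lines = text.splitlines()
    for r, newest in updates:
        lines[r.version_line] = lines[r.version_line].replace(f'"{r.version}"', f'"{newest}"', 1)
    return "\n".join(lines) + "\n"

# Constructed sample .tf content: the vpc module is ignored, the aws provider is not.
SAMPLE_TF = """\
# infrapatch_options: ignore_resource=true
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.1.0"
}
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.30.0"
    }
  }
}
"""
# Constructed stand-in for the newest versions a registry would report.
LATEST = {"terraform-aws-modules/vpc/aws": "5.4.0", "hashicorp/aws": "5.31.0"}
```

Running `apply_updates(SAMPLE_TF, plan_updates(scan_tf(SAMPLE_TF), LATEST))` bumps only the `aws` provider to 5.31.0: the `vpc` module is newer on the registry too, but its `ignore_resource=true` comment holds it back, which is the behaviour the option exists for when a module must be upgraded deliberately rather than by the scheduled run.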
This repository contains a devcontainer configuration for VSCode. To use it, you need to install the following tools:
- "Dev Containers VSCode Extension" for VSCode.
- A local Docker installation like Docker Desktop.
After installation, you can open the repository in the devcontainer by clicking on the green "Open in Container" button in the bottom left corner of VSCode. During the first start, the devcontainer will build the container image and install all dependencies.
If you have any ideas for improvements or find any bugs, feel free to open an issue or create a pull request.