linuxlab.io
Copyright © 2026 LinuxLab. All rights reserved.
CI/CD for Terraform: pre-commit, plan-as-artifact, OIDC, drift

CI/CD for Terraform, the pipeline around it: pre-commit with `fmt -check`/`validate`/`tflint`, the plan file as an artifact between the PR job and the apply job, passwordless OIDC to AWS from GitHub Actions, a policy gate on plan.json through OPA, scheduled drift detection. A production workflow that does not break on every merge.

  • tf-fmt-validate-ci: pre-commit, `fmt -check`, and `validate` in CI

    The pre-commit framework (Python) runs hooks on `git commit` locally and the same set in CI. The standard Terraform set: `terraform fmt -check` (no auto-fix, fails on unformatted code), `terraform validate`, and `tflint`. The config file is `.pre-commit-config.yaml` in the repository root. The goal is to catch obvious mistakes before they reach a CI runner that costs money.
