Skip to main content

Infrastructure as Code Steps

Last updated on

Harness 3.0 provides native IaCM steps for Terraform and OpenTofu, enabling infrastructure provisioning directly within pipelines. These steps support the full lifecycle of infrastructure management — from planning and validation to deployment and teardown.

Available IaCM Steps

StepTemplate IDDescription
TerraformterraformStep@1.0.0Execute Terraform commands (init, plan, apply, destroy, and more)
OpenTofuopenTofuStep@1.0.0Execute OpenTofu commands with full Terraform compatibility
TFLinttfLintStep@1.0.0Lint Terraform configurations for errors and best practice violations
Tofu Module TesttofuModuleTestStep@1.0.0Test OpenTofu modules for expected outputs and behavior

Terraform Step

Template: terraformStep@1.0.0 · Module: IaCM

Execute Terraform commands within your pipeline. Supports the full Terraform lifecycle including init, plan, apply, destroy, and more. Runs in the plugins/harness_terraform_vm container image.

Supported Commands

CommandDescription
initInitialize Terraform working directory
planCreate execution plan
applyApply changes to infrastructure
destroyDestroy managed infrastructure
plan-destroyPlan infrastructure destruction
plan-refresh-onlyPlan with refresh only (no changes)
apply-refresh-onlyApply refresh only
detect-driftDetect configuration drift
validateValidate configuration files
migrate-stateMigrate state between backends
importImport existing infrastructure

Inputs

InputTypeRequiredDescription
commandselectYesTerraform command to execute
targetarrayNoTarget resources (visible when command=plan)
replacearrayNoResources to replace (visible when command=plan)
importlist (grid)NoImport resources with ID and Address (visible when command=import)
imagestringNoPlugin image (default: plugins/harness_terraform_vm)

Provider Authentication

The Terraform step automatically handles authentication for major cloud providers:

ProviderSupported Methods
AWSAccess key, secret key, session token, assume role, OIDC
GCPOIDC token, project ID, workload pool, service account
AzureClient ID, tenant ID, client secret, client certificate
Git RepositoryHTTP/SSH for remote state and modules
Automatic Credential Injection

The Terraform step automatically inherits cloud provider credentials from connectors configured in your IaCM workspace. You don't need to manually pass AWS keys or GCP service accounts — they are injected as environment variables at runtime.

Examples

terraform-plan.yaml
steps:
- name: Terraform Plan
uses: terraformStep@1.0.0
with:
command: plan
target:
- aws_instance.web
terraform-apply.yaml
steps:
- name: Terraform Apply
uses: terraformStep@1.0.0
with:
command: apply
terraform-import.yaml
steps:
- name: Import Resources
uses: terraformStep@1.0.0
with:
command: import
import:
- id: i-1234567890abcdef0
address: aws_instance.web
terraform-drift.yaml
steps:
- name: Detect Drift
uses: terraformStep@1.0.0
with:
command: detect-drift

OpenTofu Step

Template: openTofuStep@1.0.0 · Module: IaCM

Execute OpenTofu commands within your pipeline. OpenTofu is the open-source fork of Terraform and is fully compatible with Terraform configurations.

The OpenTofu step mirrors the Terraform step interface — same supported commands, same inputs, same cloud provider authentication. It uses a different plugin image optimized for OpenTofu.

opentofu-plan-apply.yaml
steps:
- name: OpenTofu Plan
uses: openTofuStep@1.0.0
with:
command: plan
- name: OpenTofu Apply
uses: openTofuStep@1.0.0
with:
command: apply
Migrating Between Terraform and OpenTofu

OpenTofu and Terraform steps share the same interface. Migrating between them requires only changing the step template reference — no changes to inputs or configuration.


TFLint Step

Template: tfLintStep@1.0.0 · Module: IaCM

Run TFLint to lint Terraform configurations for potential errors, best practice violations, and deprecated syntax. Best used before plan and apply steps to catch issues early.

tflint.yaml
steps:
- name: Lint Terraform
uses: tfLintStep@1.0.0

Tofu Module Test Step

Template: tofuModuleTestStep@1.0.0 · Module: IaCM

Test OpenTofu modules to verify they produce expected outputs and behavior.

tofu-module-test.yaml
steps:
- name: Test Module
uses: tofuModuleTestStep@1.0.0

Complete IaCM Pipeline Example

A typical IaCM pipeline follows the pattern: Lint → Plan → Approve → Apply. Use the TFLint step first, then Terraform/OpenTofu plan, add an approval gate, and finally apply.

iacm-pipeline.yaml
pipeline:
stages:
- name: Infrastructure
spec:
steps:
- name: Lint
uses: tfLintStep@1.0.0
- name: Plan
uses: terraformStep@1.0.0
with:
command: plan
- name: Approval
type: approval
spec:
type: harness
message: "Review Terraform plan before applying"
- name: Apply
uses: terraformStep@1.0.0
with:
command: apply