Implement storage of plan artifacts in the same storage as state files by christian-calabrese · Pull Request #1425 · pagopa/dx

christian-calabrese · 2026-03-11T10:09:22Z

Add two new TypeScript actions to read/write Terraform plan bundles on Azure Blob Storage and S3. The infra_apply workflow uses them to store the plan next to the state file (same container/bucket, plan-artifacts/ prefix), replacing the previous GitHub Artifact flow.

Compared to the old encrypted-artifact approach, storing the plan on the CSP backend means access is controlled by the same federated identity already trusted for state operations — no encryption key to provision or rotate, and the plan never leaves the CSP security boundary.

The download action includes a post: step that automatically deletes the remote object after a successful apply.

Resolves CES-1727

changeset-bot · 2026-03-11T10:09:30Z

⚠️ No Changeset found

Latest commit: 3410876

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

christian-calabrese · 2026-03-11T13:52:59Z

Here is a full test of the flow: dx-playground

christian-calabrese · 2026-03-11T14:24:32Z

The workflow reads the Terraform backend configuration from the local file .terraform/terraform.tfstate (after terraform init) using jq to extract backend.type and the backend config (e.g. key, storage_account_name/container for Azure or bucket/region for S3).

It then computes the upload path by taking the state key, splitting it into directory and basename, and placing the plan next to the state under a sibling folder: <state-dir>/plan-artifacts/<state-basename>.<GITHUB_RUN_ID> (for flat keys the folder becomes plan-artifacts/<state-basename>.<GITHUB_RUN_ID>).

Finally the plan is uploaded to the same storage provider/container/bucket using the cloud-storage-upload action at that computed path, and the cloud-storage-download action later fetches it from the same location.

After a successful apply, the download action’s post: step (controlled by delete-on-completion: "true") deletes the plan artifact from the remote state storage and also removes the local file from the runner.

+      # Outputs (provider, plan-path, credentials) are passed to the apply job.
+      - name: Upload Terraform Plan
+        id: upload_plan
+        uses: pagopa/dx/actions/terraform-plan-storage-upload@poc-store-plan-artifact-in-csp


+      # Download and extract the plan bundle (plan file + .terraform.lock.hcl + .terraform/modules/).
+      # Storage coordinates come directly from the tf_plan job outputs — no terraform init required.
+      - name: Download Terraform Plan
+        uses: pagopa/dx/actions/terraform-plan-storage-download@poc-store-plan-artifact-in-csp


…e creation (CWE-377)

…creation (CWE-377)

#1425) Add two new TypeScript actions to read/write Terraform plan bundles on Azure Blob Storage and S3. The infra_apply workflow uses them to store the plan next to the state file (same container/bucket, plan-artifacts/ prefix), replacing the previous GitHub Artifact flow. Compared to the old encrypted-artifact approach, storing the plan on the CSP backend means access is controlled by the same federated identity already trusted for state operations — no encryption key to provision or rotate, and the plan never leaves the CSP security boundary. The download action includes a post: step that automatically deletes the remote object after a successful apply. Resolves CES-1727

christian-calabrese changed the title ~~Poc store plan artifact in csp~~ PoC store plan artifact in CSP storage Mar 11, 2026

github-advanced-security AI found potential problems Mar 11, 2026

View reviewed changes

Comment thread .github/workflows/infra_apply.yaml Fixed

Comment thread .github/workflows/infra_apply.yaml Fixed

christian-calabrese changed the title ~~PoC store plan artifact in CSP storage~~ Implement PoC to store plan artifacts in the state storage Mar 11, 2026

gunzip reviewed Mar 11, 2026

View reviewed changes

Comment thread .github/workflows/infra_apply.yaml Outdated

Comment thread actions/cloud-storage-download/src/main.ts Outdated

Comment thread actions/terraform-plan-storage-download/src/post.ts

christian-calabrese marked this pull request as ready for review March 11, 2026 14:07

christian-calabrese requested a review from a team as a code owner March 11, 2026 14:07

github-advanced-security AI found potential problems Mar 11, 2026

View reviewed changes

Comment thread .github/workflows/infra_apply.yaml Fixed

Comment thread .github/workflows/infra_apply.yaml Fixed

christian-calabrese added the don't merge label Mar 11, 2026

christian-calabrese changed the title ~~Implement PoC to store plan artifacts in the state storage~~ Implement storage of plan artifacts in the same storage as state files Mar 11, 2026

lucacavallaro reviewed Mar 11, 2026

View reviewed changes

Comment thread actions/terraform-plan-storage-download/tsup.config.ts

lucacavallaro reviewed Mar 11, 2026

View reviewed changes

Comment thread actions/terraform-plan-storage-download/package.json

lucacavallaro reviewed Mar 12, 2026

View reviewed changes

github-advanced-security AI found potential problems Mar 12, 2026

View reviewed changes

Comment thread .github/workflows/infra_apply.yaml Fixed

github-advanced-security AI found potential problems Mar 13, 2026

View reviewed changes

Comment thread .github/workflows/infra_apply.yaml Fixed

Comment thread .github/workflows/infra_apply.yaml Fixed

github-advanced-security AI found potential problems Mar 13, 2026

View reviewed changes

Comment thread actions/terraform-plan-storage-download/src/main.ts Fixed

Comment thread actions/terraform-plan-storage-download/src/main.ts Fixed

christian-calabrese marked this pull request as draft March 13, 2026 13:11

github-advanced-security AI found potential problems Mar 13, 2026

View reviewed changes

Comment thread actions/terraform-plan-storage-download/src/main.ts Fixed

Comment thread actions/terraform-plan-storage-download/src/main.ts Fixed

christian-calabrese marked this pull request as ready for review March 16, 2026 13:32

christian-calabrese removed the don't merge label Mar 16, 2026

christian-calabrese requested review from gunzip and lucacavallaro March 17, 2026 08:34

mamu0 reviewed Mar 18, 2026

View reviewed changes

Comment thread actions/terraform-plan-storage-download/action.yaml

christian-calabrese added 4 commits March 20, 2026 14:20

Make infra apply workflow store artifacts in cloud blob storage

89ee2eb

Remove usage of github artifacts

f600adc

Point to feature branch actiosn

51eecd2

Fix CI format and lint errors

faf8edb

christian-calabrese added 23 commits March 20, 2026 14:20

Upgrade new actions to node22

90bd691

Update to node24

c97cebc

Remove tagging

6a4030f

Remove tagging check from post

2bbb263

Fix edge case with flat key

f23fbf3

Point actions from main

366a4f4

Reduce actions inputs

26ac6d7

Add zod validation

383fb87

Refactor actions

7274be4

Point to feature branch in actions

f9f7ac1

Remove unwanted init

213af24

Refactor plan upload and download actions

1711f3b

Commit dist

5fd82bf

fix: resolve paths against GITHUB_WORKSPACE in plan storage actions

386dc47

debug: add path resolution logs to plan storage upload

8d9c8e2

chore: remove debug logs from plan storage upload

d9def8f

fix(terraform-plan-storage-download): use mkdtemp for secure temp fil…

cc127e5

…e creation (CWE-377)

Update pnpm-lock

36f535b

Lint and format actions

f303b56

Add prettierignore file

c5ff716

fix(terraform-plan-storage-upload): use mkdtemp for secure temp file …

111d996

…creation (CWE-377)

Format upload action

07b7fae

Restrict temp file permissions to owner-only (mode 0o600)

3410876

christian-calabrese force-pushed the poc-store-plan-artifact-in-csp branch from e6e3ce3 to 3410876 Compare March 20, 2026 13:22

Update pnpm lock

1e38bd0

lucacavallaro approved these changes Mar 23, 2026

View reviewed changes

christian-calabrese merged commit f1a1a73 into main Mar 23, 2026
8 checks passed

christian-calabrese deleted the poc-store-plan-artifact-in-csp branch March 23, 2026 08:38

Conversation

christian-calabrese commented Mar 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

changeset-bot Bot commented Mar 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

⚠️ No Changeset found

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

christian-calabrese commented Mar 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Uh oh!

christian-calabrese commented Mar 11, 2026

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Check warning

Uh oh!

Check warning

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

christian-calabrese commented Mar 11, 2026 •

edited

Loading

changeset-bot Bot commented Mar 11, 2026 •

edited

Loading

christian-calabrese commented Mar 11, 2026 •

edited

Loading