[Question]: Best practice for "terraform apply -auto-approve" in CI/CD

[reza-mirjahanian]

Using terraform apply -auto-approve in a CI/CD pipeline is generally not recommended as a best practice. The -auto-approve flag bypasses the interactive approval of the plan before applying it. This means that changes to your infrastructure could be made without manual review, which could potentially lead to unintended modifications or even destructive actions.

However, in the continuous integration and continuous deployment (CI/CD) process (like Github Actions) we make everything automatic, which is a key part of CI/CD. There is no opportunity for interactive questions or human reviews. Could you guide me on how I should combine these concepts? Ideally, could you provide a sample code snippet in Github Actions or something similar as an example?

      - name: Terraform Apply
        run: terraform apply -auto-approve
        env:
          TF_VAR_aws_s3_bucket: ${{ secrets.AWS_S3_BUCKET }}
          TF_VAR_aws_region: ${{ secrets.AWS_REGION }}
          TF_VAR_jwtSecret: ${{ secrets.JWT_SECRET }}