Resourcely Documentation
LoginSign Up
  • Get Started
    • 🎱What is Resourcely?
    • 👋Why Resourcely
    • 🏃Quickstart
      • Terraform policies integrated into CI
      • Remediate policy violations in existing infrastructure
      • Templates for generating Terraform
      • Glossary
  • Concepts
    • Foundry
      • Create Blueprints with Foundry
      • Creating Guardrails with Foundry
      • lmport Terraform Modules
    • Guardrails
      • Writing your own Guardrails
      • Editing Guardrails
      • Releasing Guardrails
      • Enabling Inactive Guardrails
      • Guardrails in Action
        • 🐱GitHub Actions
        • 🦊GitLab Pipelines
    • Campaigns
      • Get started with Campaigns
      • Creating Campaigns
      • Remediate Resources
      • Campaign Agent
        • State File Support
          • Amazon Simple Storage Service (S3)
          • Google Cloud Storage (GCS)
          • HCP Terraform
          • Spacelift
        • Running Campaigns with GitHub Actions and a Repo-Hosted State File
        • Running Campaigns Locally
    • Blueprints
      • Authoring Your Own Blueprints
      • Using Built-in Resourcely Blueprints
      • Configuring Global Contexts
      • Deep Linking
    • Resources
      • Provisioning Infrastructure
      • Editing Infrastructure
      • Shopping Cart
      • Config Roots and Environments
    • Other Features and Settings
      • Global Values
      • Global Context
      • Metrics
      • Resourcely-cli
      • Resourcely.yaml
      • VCS Proxy
      • Settings
        • User management
        • Company Information
        • Notification Settings
        • Change Management
          • 🐱Connect to GitHub
          • 🦊Connect to Gitlab
        • Generate API Token
    • ✨Production Setup
      • Single Sign-On (SSO)
        • Auth0
        • AWS Single Sign-On
        • Azure AD
        • Google Workspace
        • JumpCloud
        • Okta
        • Omnissa Workspace ONE (formerly VMware)
        • OneLogin
        • Ping Identity
        • Other SAML / OIDC Providers
      • Source Code Management
        • Page
        • 🐱GitHub
        • 🦊GitLab
        • Atlassian Bitbucket
        • Azure Repos
  • Tutorials and guides
    • Remediation Use Cases
      • Apply tags to resources for automating backups
      • Implement centralized logging
    • Blueprints Use Cases
      • Automate Data Pipeline Creation
      • Encryption for GCP
      • AWS Account Factory
      • Streamline and govern AI
      • IAM Factory
      • Cost optimization for FinOps
      • Guardrails for Terraform Modules
    • Using the Resourcely Terraform Provider
      • Setup Resourcely Provider
      • Blueprints
      • Guardrails
      • Global Context
  • Integrate
    • CI/CD & Terraform Runners
      • Atlantis
      • 🐟AWS CodeBuild
      • Azure Pipelines
      • Buildkite
      • CircleCI
      • CloudBees CI
      • Codefresh
      • Digger
      • Env0
      • 🎏GitHub Actions
        • 🐱Local Plan
          • 🐹AWS with OpenID Connect
        • 🐶Terraform Cloud Integration
      • 🦊GitLab Pipelines
      • Harness
      • 🗻HashiCorp Cloud Platform (formerly Terraform Cloud)
      • Jenkins
      • Octopus Deploy
      • Scalr
      • 🌌Spacelift
      • Terramate
      • 🌎Terrateam
    • Cloud Providers
      • 🌨️Amazon Web Services (AWS)
      • 🤓Google Cloud Platform (GCP)
        • Guardrail Gaunlet at Google Cloud Next 2025
      • 💾Microsoft Azure
      • Alibaba Cloud
      • Huawei Cloud
      • IBM Cloud
      • Oracle Cloud Infrastructure (OCI)
      • Tencent Cloud
      • VMware vSphere
    • Developer Portals
      • Atlassian Compass
      • Backstage
      • Cortex
      • Harness IDP
      • Home grown internal developer portals
      • OpsLevel
      • Port
      • Roadie
    • ITSM
      • Atlassian Jira
      • FreshWorks
      • ServiceNow ITSM
      • ZenDesk
    • CSPM
      • Wiz
    • More Terraform Provider Integrations
      • 🚂ConductorOne Provider
      • Databricks Provider
      • Kubernetes Provider
      • 🐕Datadog Provider
      • ❄️Snowflake Provider
Powered by GitBook
On this page
  • Creating a Personal Access Token (Classic)
  • Adding Required Variables to the Repository
  • Creating the Resourcely Action
  • Terraform Cloud VCS Integration Considerations
  • Resourcely Terraform Cloud Scaffolding
  1. Integrate
  2. CI/CD & Terraform Runners
  3. GitHub Actions

Terraform Cloud Integration

CI/CD Automation

PreviousAWS with OpenID ConnectNextGitLab Pipelines

Last updated 11 months ago

This integration requires Terraform Cloud to be integrated with the GitHub projects you will be using with Resourcely. The first step is to configure environment variables. To set up Resourcely with GitHub Actions using Terraform Cloud, you must perform the following steps:

  • Creating a Personal Access Token

  • Adding Required Variables to the Repository

  • Creating the Resourcely GitHub Action

Creating a Personal Access Token (Classic)

Personal access tokens are an alternative to using passwords for authentication to GitHub. Resourcely uses personal access tokens to access GitHub resources on your behalf using the API.

Resourcely requires a Classic Personal Access Token with the repo scope.

  1. , if it hasn't been verified yet.

  2. In the upper-right corner of any page, click your profile photo, then click Settings.

  3. In the left sidebar, click Developer settings.

  4. In the left sidebar, under Personal access tokens, click Tokens (classic).

  5. Select Generate new token, then click Generate new token (classic).

  6. In the "Note" field, give your token a descriptive name.

  7. To give your token an expiration, select Expiration, then choose a default option or click Custom to enter a date.

  8. Select the repo scope

  9. Click Generate token.

Once you have generated a personal access token, store it in a safe place, it will later be added to your GitHub repository as a secret. You can learn more about Personal Access Tokens by checking out the following documentation:

Adding Required Variables to the Repository

Resourcely can be configured using environment variables. Some variables are optional and used for configuration, while others must be defined before the guardrails can be validated.

Key
Description
Secret

RESOURCELY_API_TOKEN

(Required) Token generated from the Resourcely portal. Used to verify infrastructure guardrails.

Yes

GH_ACCESS_TOKEN

(Required) Your GitHub personal access token (classic) with repo scope only.

Yes

TF_DIRECTORY

(Optional) The directory where the terraform files to verify are located.

Default Value: tf-plan-files

No

TF_API_TOKEN

(Optional) Your Terraform Cloud team token with workspace permission set to Manage all workspaces.

This is required only if you are using Terraform Cloud for infrastrucuture provisioning.

Yes

Secret variables allow you to store sensitive information in your organization, repository, or repository environments.

  1. Open the repository you want Resourcely to watch

  2. Click the Settings tab

  3. Under the Security section, select Secrets and variables

  4. Under the Secret section, press the New Repository secret button

  5. Add the following variables and their values one at a time and press the Add secret button

You can learn more about GitHub Secret variables by checking out the following documentation:

Creating the Resourcely Action

Now let's add the Resourcely job to GitHub Actions to perform the following actions:

  • Obtain the resourcely-cli Docker container, which is used to download policies from Resourcely, assess them, and submit the results to Resourcely. As a result, these findings will be displayed on your GitHub pull requests each time a new pull request is submitted.

  1. Open the repository you want to Resourcely to watch

  2. Create a file named resourcely.yml under .github/workflows. If the directory does not exist, create it.

  3. Copy and paste the following code and make configuration changes as needed

name: Resourcely CI

# Trigger conditions for running this action
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

# Permissions for the action
permissions:
  contents: read  # Read repository content
  packages: read  # Read packages from the repository

# Define jobs to be run
jobs:
  # Name of the job
  resourcely-ci:
    runs-on: ubuntu-latest  # The type of machine to run the job on
    steps:
      - uses: Resourcely-Inc/resourcely-action@v1
        with:
          # grab the GitHub access token stored in the repo secrets
          gh_access_token: ${{ secrets.GH_ACCESS_TOKEN }}
          # grab the terraform api token stored in the repo secrets
          tf_api_token: ${{ secrets.TF_API_TOKEN }}
          # grab the resourcely api token stored in the repo secrets
          resourcely_api_token: ${{ secrets.RESOURCELY_API_TOKEN }}
          # set the resourcely api host
          resourcely_api_host: "https://api.resourcely.io"
  1. Commit the change to the main branch

Please note that this setup assumes your GitHub is integrated with Terraform Cloud. If you are using other runners, you will need to modify your script accordingly.

You should now have the Resourcely Action enabled in GitHub, which will run each time a new resource generation PR is created.

Terraform Cloud VCS Integration Considerations

If you are using Terraform Cloud to provision your infrastructure resources and have performed the following actions:

  • Linked your GitHub repository with Terraform Cloud using VCS

  • Set the TF_API_TOKEN variable within GitHub

Then the applied Resourcely action will run the wait-for-terraform-plan job which performs the following before verifying the configured guardrails:

  • Searches for the Terraform Cloud job run in the Resourcely generated pull-request

  • Continuously checks the status of the Terraform Cloud Job until completion

  • Downloads the Terraform plans once the Terraform Cloud Job has been completed successfully

Once the plan has been downloaded, Resourcely will validate the plans against the implemented guardrails.

Resourcely Terraform Cloud Scaffolding

Note: Theis imported from the GitHub Actions Marketplace

This helps to integrate Resourcely into repository that uses Terraform Cloud as the Terraform runner.

It contains a that waits for terraform plan and then uses the to evaluate guardrails on that plan.

🎏
🐶
Verify your email address
Resourcely CI Action
repository
workflow
Resourcely Github Action
LogoManaging your personal access tokens - GitHub DocsGitHub Docs
Personal Access Token documentation
GitHub Secret Variable Documentation
LogoEncrypted secrets - GitHub DocsGitHub Docs
Personal Access Token Generation