Overmind Impact Analysis with GitHub Actions

https://overmind.tech
For the first time you don't have to wait for the worst when you push a change. Discover and detect the risks you can't see. Overmind gives you the insight of a post-mortem without the fallout of broken infra.

🎥 Watch a demo | 📖 Documentation | 🚀 Sign up | 🙌 Follow us

This example repo shows how to run terraform on GitHub Actions and automatically submit each PR's changes to Overmind, reporting back the blast radius as a comment on the PR. You can see that in action in this PR.

Please note: You are unable to view the change in Overmind as it is a change tied to our personal account.

Demo Branches

This repository contains multiple demo branches, each configured to demonstrate Overmind's integration with different Terraform execution platforms. To demo a specific platform, open a pull request against the corresponding branch:

• main - Demonstrates Overmind integration with GitHub Actions. This is the default branch and shows how Overmind analyzes Terraform changes in GitHub Actions workflows.

• demo/spacelift - Demonstrates Overmind integration with Spacelift. Open a PR against this branch to see how Overmind works with Spacelift's Terraform execution environment.

• demo/env0 - Demonstrates Overmind integration with env0 (formerly Zero). Open a PR against this branch to see how Overmind analyzes changes executed through env0.

• demo/tfc - Demonstrates Overmind integration with Terraform Cloud. Open a PR against this branch to see how Overmind works with Terraform Cloud's execution environment.

Each branch is configured with the appropriate CI/CD setup for its respective platform, allowing you to see how Overmind provides impact analysis and blast radius reporting regardless of which tool executes your Terraform code.

Forking this repo

If you would like to use this repo as an example. Follow these steps:

1. Fork the repo
2. Comment out the S3 section:

terraform {
  # backend "s3" {
  #   bucket         = "replaceme-with-a-unique-bucket-name"
  #   dynamodb_table = "overmind-tf-example-state"
  #   key            = "terraform-example.tfstate"

  #   region = "eu-west-2"
  # }
}

1. Replace all instances of replaceme-with-a-unique-bucket-name in terraform.tf with a unique bucket name for your environment
2. Replace repo:overmindtech/terraform-example:* with repo:[YOUR USERNAME]/terraform-example:*, replacing [YOUR USERNAME] with your Github username
3. Run terraform init
4. Run terraform plan to see what resources need to be set up
5. Run terraform apply. This will set up the resources required for storing state and locks
6. Un-comment the backend "s3" section from terraform.tf and run terraform init -migrate-state. This will migrate your state from your local device to S3
7. Run terraform plan which should show no changes

Developer Notes

Some notes to get started with replicating this on your own setup.

• Create AWS account

• Configure AWS cli to access account

  • aws configure sso; docs

• Setup the AWS_PROFILE environment variable to point at your local profile.

  • Note that because of this issue in terraform, the created ~/.aws/config needs to be adjusted (see especially this comment for details)
  • If you use VSCode Dev Containers, .devcontainer/devcontainer.json has guidance on how to permanently configure AWS_PROFILE and import your user's AWS config

• Setup S3 and DynamoDB for remote state storage docs

  • follow the comments on the terraform{} block to bootstrap this in a new account

• Configure OIDC access for github actions docs

• Supply the ARN of the created role (terraform output terraform_deploy_role) as TERRAFORM_DEPLOY_ROLE and an Overmind API as OVM_API_KEY through the "Actions secrets and variables" page in the repo settings.

• For the "Create Demo PR" workflow to trigger other workflows (like the automatic Terraform analysis), you need to create a Personal Access Token (PAT) with repo scope and add it as a secret named GH_PAT. This is required because GitHub prevents workflows from triggering other workflows when using GITHUB_TOKEN to avoid infinite loops.

  • Create a PAT: GitHub Settings → Developer settings → Personal access tokens → Tokens (classic) → Generate new token (classic)
  • Required scopes: repo (full control of private repositories)
  • Add it as a repository secret named GH_PAT