Terraform Version
Terraform v1.8.3
on linux_amd64
Use Cases
The idea is to launch terraform plan (-detailed-exitcode) to see if there is any diff between reality and Terraform resource description (which is the case right now), but additionally launching Terraform Checks! So you are able to more elaborately detect any drift of your infrastructure configuration/state.
I've read through some documentation chapters (e.g. Running Terraform in automation), but up to now I see no way to implement my idea:
Drift detection also with Terraform Checks
Attempted Solutions
At the moment terraform plan -detailed-exitcode exits with 0 if there is no difference in Resources, but it exits with 2 (!) if there are some Terraform Checks available, based on Data Sources, which require further read operations, regardless of whether these Checks would be successful or not:
$ terraform plan -detailed-exitcode; echo EXIT CODE $?
data.gitlab_group.sales: Reading...
data.gitlab_group_membership.owner: Reading...
[...]
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
<= read (data resources)
Terraform will perform the following actions:
# data.gitlab_group.parent will be read during apply
# (config will be reloaded to verify a check block)
<= data "gitlab_group" "parent" {
+ default_branch_protection = 2
[...]
# (1 unchanged attribute hidden)
}
# data.gitlab_group_membership.owner will be read during apply
# (config will be reloaded to verify a check block)
<= data "gitlab_group_membership" "owner" {
+ access_level = "owner"
[...]
}
Plan: 0 to add, 0 to change, 0 to destroy.
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply"
now.
EXIT CODE 2
Both data blocks are part of Checks, here is one of them (as an example):
check "owner_group_membership" {
  data "gitlab_group_membership" "owner" {
    group_id     = var.gitlab_sales_group_id
    access_level = "owner"
    inherited    = false
  }
  assert {
    [...]
  }
}
This non-zero exit code voids my goal/idea.
Proposal
So I propose to let terraform plan also read Data Sources which are part of Checks, and make it exit with non-zero code only if there are diffs in Resources (as is already the case) and/or if Checks fail (after they have been executed in the course of terraform plan, too).
References
No response
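A workaround for the behaviour described in this issue, added here as an example (not part of the original report and not Terraform's own code): instead of trusting the exit code of terraform plan -detailed-exitcode, save the plan and post-process terraform show -json output, returning 2 only for changes to managed resources or for a check block that has already failed. It assumes the JSON plan format's resource_changes (mode, change.actions) and checks (status) fields, and the sample plan below is constructed.

```python
"""Derive a drift exit code from a Terraform JSON plan.

Usage: python drift_exit.py tfplan   (runs `terraform show -json tfplan`)
       python drift_exit.py          (uses the constructed sample below)
Deferred data-source reads that exist only to evaluate check blocks are
ignored; managed-resource changes and failed checks yield exit code 2.
"""
import json
import subprocess
import sys

# Constructed sample of `terraform show -json` output: one data source
# deferred to apply for a check block, one unchanged managed resource,
# and the check itself still "unknown" (not yet evaluated).
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "data.gitlab_group_membership.owner", "mode": "data",
         "type": "gitlab_group_membership", "name": "owner",
         "action_reason": "ReadBecauseCheckNested",
         "change": {"actions": ["read"]}},
        {"address": "gitlab_group.sales", "mode": "managed",
         "type": "gitlab_group", "name": "sales",
         "change": {"actions": ["no-op"]}},
    ],
    "checks": [
        {"address": {"kind": "check", "name": "owner_group_membership",
                     "to_display": "check.owner_group_membership"},
         "status": "unknown"},
    ],
})


def drift_exit_code(plan_json: str) -> int:
    """Return 0 if clean, 2 if any managed resource changes or a check failed."""
    plan = json.loads(plan_json)
    for rc in plan.get("resource_changes", []):
        actions = set(rc.get("change", {}).get("actions", []))
        # Only managed resources count as drift; data reads (deferred or not)
        # do not represent a difference between state and configuration.
        if rc.get("mode") == "managed" and actions - {"no-op"}:
            return 2
    for check in plan.get("checks", []):
        if check.get("status") == "fail":
            return 2
    return 0


def main(argv):
    if len(argv) > 1:  # real plan file: ask terraform to render it as JSON
        out = subprocess.run(["terraform", "show", "-json", argv[1]],
                             check=True, capture_output=True, text=True).stdout
    else:
        out = SAMPLE_PLAN
    sys.exit(drift_exit_code(out))


if __name__ == "__main__":
    main(sys.argv)
```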