
Plan can never be applied because we always have different plans #254

Open
y-chen opened this issue Mar 27, 2023 · 2 comments

y-chen commented Mar 27, 2023

Problem description

Hello,

I am trying to use terraform-apply once the PR is merged into develop. I am getting the error below because the two plans are different. The one generated in the PR says Plan: 2 to add, 1 to change, 2 to destroy, whereas the one after the merge says Plan: 5 to add, 2 to change, 5 to destroy.

This is kind of normal for us because when a deployment has to happen, some variables change, and so do the resources that will be modified. For example, the git short SHA is attached to the docker image name, and that will always make terraform generate a different plan.

I would prefer to run apply without -auto-approve. I remember that when I was working with Jenkins we received a notification in case of infrastructure changes; we could then review the plan and confirm it by clicking a link in the console.

Is it possible to do something similar with GitHub actions too?

Thank you

Terraform version

1.3.7

Backend

s3

Workflow YAML

      - name: Terraform pull request apply
        if: github.event_name == 'push' && env.TF_VAR_ACTION_BRANCH_NAME == 'develop'
        uses: dflook/terraform-apply@v1
        with:
          path: terraform
          backend_config: |
            region=${{ env.TF_VAR_AWS_REGION }}
            bucket=${{ env.TF_VAR_TERRAFORM_BACKEND_BUCKET }}
          var_file: terraform/${{ env.ENVIRONMENT_NAME }}.tfvars

Workflow log

> (and one more similar warning elsewhere)
\ No newline at end of file
Performing diff between the pull request plan and the plan generated at execution time.
> are lines from the plan in the pull request
< are lines from the plan generated at execution
Plan differences:

Compare with the plan generated by the dflook/terraform-plan action in Job *** #151 at https://github.com/***-io/***/actions/runs/4528954848
y-chen added the problem label Mar 27, 2023

dflook (Owner) commented Mar 28, 2023

I think you can have a manual approval of deployments if you use the Environments feature of GitHub. It's not something I've used.

You can run the dflook/terraform-plan action again on push to the main branch and run dflook/terraform-apply after it, but that's essentially the same as using auto_approve: true. You could insert some step between them that somehow waits for approval, but that ties up a runner.

I use the PR itself as the approval gate. If something isn't ready to be deployed, it doesn't get merged.
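One way to build the approval gate dflook describes, added here as an example and not taken from the thread or from the dflook actions' own documentation: the plan runs on push to develop, and the apply job sits behind a GitHub Environment whose required reviewers must approve before it starts. The environment name, the env values, the credential setup and the required-reviewer configuration (done in the repository's Environment settings) are assumptions.

```yaml
# Added example (not from the thread): plan on push to develop, then apply only
# after a reviewer approves the "production" environment. Required reviewers
# are configured in the repository's Environment settings (assumed here).
name: Deploy develop

on:
  push:
    branches: [develop]

permissions:
  contents: read   # least privilege; cloud credentials are supplied elsewhere (assumed)

env:
  TF_VAR_AWS_REGION: eu-west-1                      # assumed value
  TF_VAR_TERRAFORM_BACKEND_BUCKET: example-tfstate  # assumed value
  ENVIRONMENT_NAME: develop

jobs:
  plan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # The plan reviewers read in this job's log before approving the apply job.
      - name: Terraform plan
        uses: dflook/terraform-plan@v1
        with:
          path: terraform
          backend_config: |
            region=${{ env.TF_VAR_AWS_REGION }}
            bucket=${{ env.TF_VAR_TERRAFORM_BACKEND_BUCKET }}
          var_file: terraform/${{ env.ENVIRONMENT_NAME }}.tfvars

  apply:
    needs: plan
    runs-on: ubuntu-latest
    # Required reviewers hold this job until someone approves it; no runner is
    # occupied while it waits.
    environment: production
    steps:
      - uses: actions/checkout@v3
      - name: Terraform apply
        uses: dflook/terraform-apply@v1
        with:
          path: terraform
          backend_config: |
            region=${{ env.TF_VAR_AWS_REGION }}
            bucket=${{ env.TF_VAR_TERRAFORM_BACKEND_BUCKET }}
          var_file: terraform/${{ env.ENVIRONMENT_NAME }}.tfvars
          # Skips the PR-plan comparison that fails in this thread; the approval gate is the review step.
          auto_approve: true
```

With auto_approve: true the apply job generates its own plan at run time, so anything that changes state between the plan job and the approval will not be reflected in what the reviewers read.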

mraspberry commented

I have this same issue with ECS task definitions because the image is tagged with the short-sha.
