Randy L

Reputation: 14756

Track Terraform Plan Output Files in Source Control?

The motivation for writing out a terraform plan to a file is kind of vague. So I'm asking if anyone else is clued in as to the motivation behind this. To me it seems like there's a workflow which involves using these plan files, but that workflow isn't clear at all. There's this statement at the end of the documentation for the plan command: "Future versions of Terraform will make plan files more secure." So clearly Hashicorp finds a lot of value in using these plan files, but why?

Upvotes: 0

Views: 851

Answers (1)

fishi0x01

Reputation: 3759

Applying a pre-computed plan file is predictable, whereas running terraform apply directly is not.

Imagine you run terraform plan and everything looks alright. Now something unpredictable has changed in your infrastructure without you noticing until you run terraform apply, which might then lead to different results than what you expected.

With terraform apply <plan-file>, any unexpected change between the plan and apply phases would be caught. Especially if you consider building a terraform CI/CD pipeline, using plan files is a great way to add predictability to your automation.


UPDATE

As mentioned in the comments, an example workflow for automation with plan files can be found in the official documentation:

When running Terraform in automation, the focus is usually on the core plan/apply cycle. The main path, then, is broadly the same as for CLI usage:

  1. Initialize the Terraform working directory.
  2. Produce a plan for changing resources to match the current configuration.
  3. Have a human operator review that plan, to ensure it is acceptable.
  4. Apply the changes described by the plan.

FURTHER UPDATE

Currently, I am still running terraform 0.10.8, but thanks to the comments of cm92 and Matt Schuchard I became aware of the following:

Terraform 0.11.0 has recently been released, and the changelog mentions interesting modifications to the behavior of terraform apply. By default it will now first generate a plan and wait for confirmation before applying it:

The command terraform apply with no explicit plan argument is now interactive by default. Specifically, it will show the generated plan and wait for confirmation before applying it, similar to the existing behavior of terraform destroy. The behavior is unchanged when a plan file argument is provided, and the previous behavior can be obtained without a plan file by using the -auto-approve option.

Depending on your company's review process, a distinct shareable plan file might still be an interesting option though.

Upvotes: 4
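A small CI-style wrapper for the plan-file cycle the answer describes (init, plan to a file, review, apply that file), added here as an example and not code from the answer or from HashiCorp. It assumes a working directory whose backend is already configured, takes the terraform binary from `$TF`, and relies on the exit codes of `terraform plan -detailed-exitcode` (0 no changes, 1 error, 2 changes to apply).

```shell
#!/bin/sh
# Added example: CI wrapper around the Terraform plan-file workflow.
# Assumption: the working directory already has its backend configured.
TF="${TF:-terraform}"

# Write a saved plan for a reviewer. Exit codes of `plan -detailed-exitcode`:
#   0 = no changes, 1 = error, 2 = changes present.
# Returns 0 when a plan with changes was written, 3 when there is nothing
# to apply, 1 when init or plan failed.
plan_to_file() {
    planfile="$1"
    "$TF" init -input=false >/dev/null || return 1
    "$TF" plan -input=false -detailed-exitcode -out="$planfile"
    rc=$?
    case "$rc" in
        0) return 3 ;;   # no diff: nothing for a reviewer to look at
        2) return 0 ;;   # changes recorded in the plan file
        *) return 1 ;;   # plan failed
    esac
}

# Apply only the reviewed plan file. Terraform checks the saved plan against
# the current state and rejects it as stale if the state moved after the plan
# was produced, which is the drift the answer says the plan file catches.
# The plan file embeds state and input variable values, so it is deleted after
# use and should be kept out of source control like the state itself.
apply_plan_file() {
    planfile="$1"
    [ -f "$planfile" ] || return 1
    "$TF" apply -input=false "$planfile"
    rc=$?
    rm -f "$planfile"
    return "$rc"
}
```

In a pipeline, `plan_to_file` runs in the plan job and the file is handed to the apply job only after a human approves it (for example via `terraform show <plan-file>`).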
