acmcsufoss / acm-server

Terraform deployment files for acmCSUF.
MIT License

Require a `git pull` before a `terraform apply` #31

Open amyipdev opened 3 months ago

amyipdev commented 3 months ago

Is there a way to add a hook into Terraform that requires the current branch be up-to-date before running `terraform apply`? If so, should we add that? It doesn't stop emergency applies - just `git commit -m "temp"` and undo it after, which doesn't make the branch out-of-date locally - but it does prevent situations like accidentally taking down March Madness for a few minutes...

diamondburned commented 3 months ago

Related issue: https://github.com/hashicorp/terraform/issues/32930

Since we have the Nix shell at our disposal, it would be really easy for us to completely hide terraform from the user and enforce deploying via our shell scripts instead.

amyipdev commented 3 months ago

> Related issue

That would definitely be a great help...

> Since we have the Nix shell at our disposal, it would be really easy for us to completely hide terraform from the user and enforce deploying via our shell scripts instead.

Which scripts?

diamondburned commented 3 months ago

> Which scripts?

We'll just make them:

```nix
writeShellScriptBin "deploy" ''
  # source the scripts/lib thing (provides `log` and `fatal`)
  if [[ $(git branch --show-current) != main ]]; then
    fatal "You're not in the main branch. Deployments are allowed from that branch only."
  fi

  # Refresh origin/main first; without this the comparison runs against a stale tracking ref.
  git fetch --quiet origin main
  originHEAD=$(git rev-parse origin/main)
  # ''${...} is the escaped form: a bare ${...} inside a Nix '' string is Nix interpolation,
  # and originHEAD is a shell variable, not a Nix one.
  behind=$(git rev-list --count HEAD..''${originHEAD})
  if (( behind > 0 )); then
    log "Your local repository is behind upstream by $behind commits."
    log 'Ensure you ran `git pull` before proceeding.'
    exit 1
  fi

  # Run a Nix-imported Terraform here.
  # This way, we don't need Terraform in our $PATH.
  # lib.getBin yields the store path, so the binary inside it still has to be named.
  ${lib.getBin pkgs.terraform}/bin/terraform apply "$@"
''
```
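A fuller version of that gate, as an added example rather than the acm-server repo's own script: it fetches before comparing so the check is not run against a stale `origin/main`, uses `git rev-list --left-right --count` to tell "behind" from "ahead", refuses a detached HEAD, and keeps local-only commits allowed so the emergency path described above still works. The decision is kept in `check_sync_state` so it can be exercised without a repository; `DEPLOY_BRANCH`, `REMOTE` and the `deploy` wrapper are assumptions.

```shell
#!/bin/sh
# Pre-apply gate for "terraform apply": an added example, not the acm-server
# repo's own deploy script. Assumes the deploy branch is "main" and the
# remote is "origin"; both can be overridden through the environment.
set -eu

DEPLOY_BRANCH="${DEPLOY_BRANCH:-main}"
REMOTE="${REMOTE:-origin}"

# Decide from the current branch name and the "<behind> <ahead>" pair that
# `git rev-list --left-right --count $REMOTE/$DEPLOY_BRANCH...HEAD` prints.
# Prints the reason and returns 0 to allow the apply, 1 to refuse it.
check_sync_state() {
  branch="$1"
  # Word-split the counts: left = commits only on the remote (behind),
  # right = commits only on HEAD (ahead).
  set -- $2
  behind="$1"
  ahead="$2"
  if [ -z "$branch" ]; then
    echo "refuse: detached HEAD; check out '$DEPLOY_BRANCH' first"
    return 1
  fi
  if [ "$branch" != "$DEPLOY_BRANCH" ]; then
    echo "refuse: on '$branch'; deployments run from '$DEPLOY_BRANCH' only"
    return 1
  fi
  if [ "$behind" -gt 0 ]; then
    echo "refuse: $behind commit(s) behind $REMOTE/$DEPLOY_BRANCH; run 'git pull' first"
    return 1
  fi
  if [ "$ahead" -gt 0 ]; then
    # Local-only commits stay allowed (the emergency-apply path from the
    # thread), but flag them: the applied state is not what the remote shows.
    echo "warn: $ahead local commit(s) not on $REMOTE/$DEPLOY_BRANCH"
  fi
  echo "ok: up to date with $REMOTE/$DEPLOY_BRANCH"
  return 0
}

# Full gate. The fetch matters: without it the tracking ref is whatever was
# fetched last time, and the "behind" check can pass while actually stale.
deploy() {
  git fetch --quiet "$REMOTE" "$DEPLOY_BRANCH"
  check_sync_state "$(git branch --show-current)" \
    "$(git rev-list --left-right --count "$REMOTE/$DEPLOY_BRANCH...HEAD")"
  exec terraform apply "$@"
}
```

Call `deploy "$@"` at the end of the file, or from the `writeShellScriptBin` wrapper, to run the whole gate; `check_sync_state` alone needs no git checkout.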