Open amyipdev opened 3 months ago
Related issue: https://github.com/hashicorp/terraform/issues/32930
Since we have the Nix shell at our disposal, it would be really easy for us to completely hide terraform
from the user and enforce deploying via our shell scripts instead.
> Related issue

That would definitely be a great help...

> Since we have the Nix shell at our disposal, it would be really easy for us to completely hide terraform from the user and enforce deploying via our shell scripts instead.

Which scripts?

> Which scripts?
We'll just make them:
```nix
writeShellScriptBin "deploy" ''
  # source the scripts/lib thing (provides `fatal` and `log`)
  if [[ $(git branch --show-current) != main ]]; then
    fatal "You're not in the main branch. Deployments are allowed from that branch only."
  fi
  # Refresh origin/main first; otherwise the check below only sees whatever the
  # last `git pull` fetched and passes even though the remote has moved on.
  git fetch --quiet origin
  originHEAD=$(git rev-parse origin/main)
  # No braces here: inside a Nix ''...'' string, ''${...}'' would be read as a
  # Nix interpolation and fail with "undefined variable".
  behind=$(git rev-list --count HEAD.."$originHEAD")
  if (( behind > 0 )); then
    log "Your local repository is behind upstream by $behind commits."
    log 'Ensure you ran `git pull` before proceeding.'
    exit 1
  fi
  # Run a Nix-imported Terraform here.
  # This way, we don't need Terraform in our $PATH.
  # getExe gives the executable itself; getBin would only give the output directory.
  ${lib.getExe pkgs.terraform} apply "$@"
''
```
Is there a way to add a hook into Terraform that requires the current branch be up-to-date before running `terraform apply`? If so, should we add that? It doesn't stop emergency `apply`s - just `git commit -m "temp"` and undo it after, which doesn't make the branch out-of-date locally - but it does prevent situations like accidentally taking down March Madness for a few minutes...
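The check the thread is asking about, as an added example that is not the project's deploy script and not anything Terraform provides itself (Terraform has no pre-apply hook of its own, so the check has to live in the wrapper around it). It fetches before comparing and reports the exact relation between local `main` and `origin/main`, so the "temp commit" case shows up as `ahead` instead of slipping past a behind-only test. The function names (`branch_sync_status`, `deploy_guard`, `demo_scenario`) and the two-clone scenario built under a temp dir are assumptions made for this example; nothing here touches the network.

```shell
#!/bin/sh
# Added example, not the project's script: refuse to deploy unless the
# checked-out main branch is exactly in sync with origin/main.
# Helper names and the constructed demo repositories are assumptions.
set -eu

# Print one of: not-main, in-sync, behind, ahead, diverged.
# Fetches first so the comparison is against the remote's current tip, not
# against whatever origin/main pointed at the last time someone pulled.
branch_sync_status() {
  repo=$1
  if [ "$(git -C "$repo" rev-parse --abbrev-ref HEAD)" != main ]; then
    echo not-main
    return 0
  fi
  git -C "$repo" fetch --quiet origin
  # "<ahead> <behind>": commits only on HEAD, then commits only on origin/main
  set -- $(git -C "$repo" rev-list --left-right --count HEAD...origin/main)
  ahead=$1; behind=$2
  if [ "$ahead" -eq 0 ] && [ "$behind" -eq 0 ]; then echo in-sync
  elif [ "$ahead" -eq 0 ]; then echo behind
  elif [ "$behind" -eq 0 ]; then echo ahead
  else echo diverged
  fi
}

# Wrap the real deploy command: run "$@" only when main is in sync, otherwise
# say why and fail, e.g.  deploy_guard . terraform apply "$@"
deploy_guard() {
  repo=$1; shift
  state=$(branch_sync_status "$repo")
  case "$state" in
    in-sync) "$@" ;;
    not-main) echo "refusing: deployments are allowed from main only" >&2; return 1 ;;
    *) echo "refusing: local main is $state relative to origin/main; run git pull" >&2; return 1 ;;
  esac
}

# Constructed scenario (assumption for this example): two clones of a bare
# origin. Clone b pushes, leaving clone a behind; a fast-forwards; a then makes
# a "temp" commit (the emergency bypass mentioned in the thread); a undoes it.
# Prints the observed states in order plus what the guard did while "ahead".
demo_scenario() {
  tmp=$(mktemp -d)
  g() { git -c user.name=demo -c user.email=demo@example.invalid \
            -c init.defaultBranch=main -c commit.gpgsign=false "$@"; }
  g init -q "$tmp/seed"
  g -C "$tmp/seed" symbolic-ref HEAD refs/heads/main
  printf 'resource "null_resource" "v1" {}\n' > "$tmp/seed/main.tf"
  g -C "$tmp/seed" add main.tf
  g -C "$tmp/seed" commit -q -m v1
  g init -q --bare "$tmp/origin.git"
  g -C "$tmp/seed" push -q "$tmp/origin.git" main
  g clone -q -b main "$tmp/origin.git" "$tmp/a"
  g clone -q -b main "$tmp/origin.git" "$tmp/b"
  # a colleague lands v2 from clone b, so clone a is now behind
  printf 'resource "null_resource" "v2" {}\n' > "$tmp/b/main.tf"
  g -C "$tmp/b" commit -q -am v2
  g -C "$tmp/b" push -q origin main
  out=$(branch_sync_status "$tmp/a")
  # the fast-forward a `git pull` would do brings a back in sync
  g -C "$tmp/a" merge -q --ff-only origin/main >/dev/null
  out="$out $(branch_sync_status "$tmp/a")"
  # emergency bypass: a local commit on top of main. A behind-only test
  # passes here; the exact-sync test reports "ahead" and the guard refuses.
  printf 'resource "null_resource" "hotfix" {}\n' >> "$tmp/a/main.tf"
  g -C "$tmp/a" commit -q -am temp
  out="$out $(branch_sync_status "$tmp/a")"
  if deploy_guard "$tmp/a" true >/dev/null 2>&1; then out="$out ran"; else out="$out refused"; fi
  # undo the temp commit
  g -C "$tmp/a" reset -q --hard origin/main
  out="$out $(branch_sync_status "$tmp/a")"
  rm -rf "$tmp"
  echo "$out"
}
```

Running `demo_scenario` prints `behind in-sync ahead refused in-sync`. The guard only compares commit graphs: it catches a local temp commit because the branch is then ahead of `origin/main`, but it cannot stop someone who pushes that commit first, so it is a guard against accidents rather than against a determined operator.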