Apply a previous plan with run-all

[cdelgehier]

Short

After preparing a plan with terragrunt run-all plan -out tgplan, I would like apply exactly the plan generated previously withterragrunt run-all apply tgplan.

Detailed

I prepare a pipeline generates a plan and waits for the validation of some key users to apply this plan. Previously I did a similar thing with terraform:

• generation of the plan
• archive on the master (jenkins)
• waiting for validation
• application of this plan exactly (retrieved from the jenkins master)

> find . -name "tgplan" -ls
106120854       72 -rw-r--r--    1 cedricd          staff               34878 23 mar 16:10 ./app1/pre/alerting/ec2_state/.terragrunt-cache/pc4ZjhNwDk51ZyFTI-yEtTRxILY/0EBcnr9vNvW7JCOrbk1fKGPsL1I/tgplan
106121049       48 -rw-r--r--    1 cedricd          staff               23301 23 mar 16:10 ./app1/pre/security/kms_key/testing-app1-pre/.terragrunt-cache/hMC4CNlaUR10bgr8FEARBrrYVog/4q57KfNLVX1iMhjvMRtuG0bZLmk/tgplan
106120818       32 -rw-r--r--    1 cedricd          staff               14762 23 mar 16:10 ./app1/pre/security/iam_role/testing-noprd-iam-ec2-001/.terragrunt-cache/GAiquq0V_pk1T7r6sSyNT6GTUXg/ujiMEjZvBSqofi5KSR6wGO9quzU/tgplan
106120794       32 -rw-r--r--    1 cedricd          staff               13799 23 mar 16:10 ./app1/pre/network/security_group/app1-pre-SG-main-endpoint/.terragrunt-cache/SmQQeXv-qEaAekDP3M_pO6b-KUo/20BMX8TS24vfVUsq5HXh8IkQ0cA/tgplan
106120800       32 -rw-r--r--    1 cedricd          staff               15695 23 mar 16:10 ./app1/pre/network/security_group/testing-noprd-sgr-001/.terragrunt-cache/Fcc8mcc6o7sw94O4Jb1r3OI0y2U/20BMX8TS24vfVUsq5HXh8IkQ0cA/tgplan
106120835       48 -rw-r--r--    1 cedricd          staff               22602 23 mar 16:10 ./app1/pre/compute/AWSRW00240/.terragrunt-cache/FZUxMvvbWHz3dDrqnp97jyve4O0/LZT4UnsArFmBooxK-qcZowhfptI/tgplan
106120832       48 -rw-r--r--    1 cedricd          staff               22279 23 mar 16:10 ./app1/pre/compute/AWSRL00404/.terragrunt-cache/Rl1k6ZhUGV5uXMeM-s5UTzlevks/LZT4UnsArFmBooxK-qcZowhfptI/tgplan
106120827       48 -rw-r--r--    1 cedricd          staff               22233 23 mar 16:10 ./app1/pre/compute/AWSRL00403/.terragrunt-cache/3I8w7XvwtY3UH5kmmnZrDUTKTyg/LZT4UnsArFmBooxK-qcZowhfptI/tgplan

> file ./app1/pre/alerting/ec2_state/.terragrunt-cache/pc4ZjhNwDk51ZyFTI-yEtTRxILY/0EBcnr9vNvW7JCOrbk1fKGPsL1I/tgplan
./app1/pre/alerting/ec2_state/.terragrunt-cache/pc4ZjhNwDk51ZyFTI-yEtTRxILY/0EBcnr9vNvW7JCOrbk1fKGPsL1I/tgplan: Zip archive data, at least v2.0 to extract, compression method=deflate

# terragrunt run-all plan -out tgplan
INFO[0000] The stack at /path/to/app1/infra/account1 will be processed in the following order for command plan:
Group 1
- Module /path/to/alerting/ec2_state
- Module /path/to/compute/EC201
- Module /path/to/compute/EC202
- Module /path/to/compute/EC203
- Module /path/to/network/security_group/app1-pre-SG-main-endpoint
- Module /path/to/network/security_group/account1-sgr-001
- Module /path/to/security/iam_role/account1-iam-ec2-001

Group 2
- Module /path/to/security/kms_key/testing-app1-pre

WARN[0000] No double-slash (//) found in source URL /repo/terraform-aws-alerting.git. Relative paths in downloaded Terraform code may not work.  prefix=[/path/to/alerting/ec2_state]
WARN[0000] No double-slash (//) found in source URL /repo/terraform-iam-instance-role.git. Relative paths in downloaded Terraform code may not work.  prefix=[/path/to/security/iam_role/account1-iam-ec2-001]
WARN[0000] No double-slash (//) found in source URL /repo/terraform-aws-security-group.git. Relative paths in downloaded Terraform code may not work.  prefix=[/path/to/network/security_group/app1-pre-SG-main-endpoint]
time=2023-03-23T16:12:22+01:00 level=info msg=Debug mode requested: generating debug file terragrunt-debug.tfvars.json in working dir /path/to/security/iam_role/account1-iam-ec2-001/.terragrunt-cache/GAiquq0V_pk1T7r6sSyNT6GTUXg/ujiMEjZvBSqofi5KSR6wGO9quzU prefix=[/path/to/security/iam_role/account1-iam-ec2-001]
WARN[0000] No double-slash (//) found in source URL /repo/terraform-aws-ec2.git. Relative paths in downloaded Terraform code may not work.  prefix=[/path/to/compute/EC201]
time=2023-03-23T16:12:22+01:00 level=info msg=Debug mode requested: generating debug file terragrunt-debug.tfvars.json in working dir /path/to/alerting/ec2_state/.terragrunt-cache/pc4ZjhNwDk51ZyFTI-yEtTRxILY/0EBcnr9vNvW7JCOrbk1fKGPsL1I prefix=[/path/to/alerting/ec2_state]
WARN[0000] No double-slash (//) found in source URL /repo/terraform-aws-ec2.git. Relative paths in downloaded Terraform code may not work.  prefix=[/path/to/compute/EC203]
WARN[0000] No double-slash (//) found in source URL /repo/terraform-aws-ec2.git. Relative paths in downloaded Terraform code may not work.  prefix=[/path/to/compute/EC202]
time=2023-03-23T16:12:22+01:00 level=info msg=Debug mode requested: generating debug file terragrunt-debug.tfvars.json in working dir /path/to/network/security_group/app1-pre-SG-main-endpoint/.terragrunt-cache/SmQQeXv-qEaAekDP3M_pO6b-KUo/20BMX8TS24vfVUsq5HXh8IkQ0cA prefix=[/path/to/network/security_group/app1-pre-SG-main-endpoint]
time=2023-03-23T16:12:22+01:00 level=info msg=Debug mode requested: generating debug file terragrunt-debug.tfvars.json in working dir /path/to/compute/EC201/.terragrunt-cache/3I8w7XvwtY3UH5kmmnZrDUTKTyg/LZT4UnsArFmBooxK-qcZowhfptI prefix=[/path/to/compute/EC201]
time=2023-03-23T16:12:22+01:00 level=info msg=Debug mode requested: generating debug file terragrunt-debug.tfvars.json in working dir /path/to/compute/EC202/.terragrunt-cache/Rl1k6ZhUGV5uXMeM-s5UTzlevks/LZT4UnsArFmBooxK-qcZowhfptI prefix=[/path/to/compute/EC202]
time=2023-03-23T16:12:22+01:00 level=info msg=Debug mode requested: generating debug file terragrunt-debug.tfvars.json in working dir /path/to/compute/EC203/.terragrunt-cache/FZUxMvvbWHz3dDrqnp97jyve4O0/LZT4UnsArFmBooxK-qcZowhfptI prefix=[/path/to/compute/EC203]
WARN[0000] No double-slash (//) found in source URL /repo/terraform-aws-security-group.git. Relative paths in downloaded Terraform code may not work.  prefix=[/path/to/network/security_group/account1-sgr-001]
time=2023-03-23T16:12:22+01:00 level=info msg=Debug mode requested: generating debug file terragrunt-debug.tfvars.json in working dir /path/to/network/security_group/account1-sgr-001/.terragrunt-cache/Fcc8mcc6o7sw94O4Jb1r3OI0y2U/20BMX8TS24vfVUsq5HXh8IkQ0cA prefix=[/path/to/network/security_group/account1-sgr-001]

data.archive_file.lambdazip[0]: Reading...
data.aws_vpc.primary_vpc: Reading...
data.aws_vpc.primary_vpc: Reading...
aws_ebs_volume.ebs["/dev/sdb"]: Refreshing state... [id=vol-xxxx]
data.aws_vpc.primary_vpc: Reading...
aws_ebs_volume.ebs["/dev/sdb"]: Refreshing state... [id=vol-xxx]
aws_iam_role.this: Refreshing state... [id=account1-iam-ec2-001]
aws_ebs_volume.ebs["/dev/sdb"]: Refreshing state... [id=vol-xxxx]
aws_security_group.this: Refreshing state... [id=sg-00f53ff1f5e755530]
aws_security_group.this: Refreshing state... [id=sg-072d9c3aa1239bf91]
aws_sns_topic.cloudwatch_alert_sns_topic[0]: Refreshing state... [id=arn:aws:sns:eu-west-1:xxxx:CloudWatchAlertsTopic-app1]
aws_iam_policy.lambda-exec-additional-policy[0]: Refreshing state... [id=arn:aws:iam::xxxx:policy/LambdaExecAutoAlarmAdditionalPolicy]
aws_cloudwatch_event_rule.run_autoalarm[0]: Refreshing state... [id=run-autoalarm]
aws_sns_topic.lambda_alert_sns_topic[0]: Refreshing state... [id=arn:aws:sns:eu-west-1:xxxx:LambdaAlertsTopic]
aws_s3_bucket.autoalarm_files_bucket: Refreshing state... [id=autoalarm-files-bucket-account1]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_security_group.this will be updated in-place
  ~ resource "aws_security_group" "this" {
        id                     = "sg-xxxx"
        name                   = "app1-pre-SG-main-endpoint"
      ~ tags                   = {
          - "map-migrated"   = "d-server-xxxx" -> null
            # (13 unchanged elements hidden)
        }
      ~ tags_all               = {
          - "map-migrated"   = "d-server-xxxx" -> null
            # (13 unchanged elements hidden)
        }
        # (7 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tgplan

To perform exactly these actions, run the following command to apply:
    terraform apply "tgplan"

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_security_group.this will be updated in-place
  ~ resource "aws_security_group" "this" {
        id                     = "sg-xxxxx"
        name                   = "account1-sgr-001"
      ~ tags                   = {
          - "map-migrated"   = "d-server-xxxx" -> null
            # (13 unchanged elements hidden)
        }
      ~ tags_all               = {
          - "map-migrated"   = "d-server-xxxxx" -> null
            # (13 unchanged elements hidden)
        }
        # (7 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tgplan

To perform exactly these actions, run the following command to apply:
    terraform apply "tgplan"
Releasing state lock. This may take a few moments...
aws_sns_topic_subscription.lambda_alert_sns_topic_subscription[0]: Refreshing state... [id=arn:aws:sns:eu-west-1:xxxx:LambdaAlertsTopic:89243b0f-4e8d-404b-899c-f14df4a23775]
aws_cloudwatch_metric_alarm.lambda_failure_metric_alarms["AutoconfigureAlarms-lambda-execution-failure"]: Refreshing state... [id=AutoconfigureAlarms-lambda-execution-failure]
aws_sns_topic_subscription.cloudwatch_alert_sns_topic_subscription[0]: Refreshing state... [id=arn:aws:sns:eu-west-1:xxxx:CloudWatchAlertsTopic-app1:adac71e1-35f3-4a0b-aafa-3194df323586]
aws_cloudwatch_metric_alarm.backup_metric_alarms["INF-aws-backup-job-failed"]: Refreshing state... [id=INF-aws-backup-job-failed]
aws_cloudwatch_metric_alarm.backup_metric_alarms["INF-aws-backup-copy-failed"]: Refreshing state... [id=INF-aws-backup-copy-failed]
Releasing state lock. This may take a few moments...
data.archive_file.lambdazip[0]: Read complete after 3s [id=f4fc1e7e29571d0381a7ad49fa9246ece7973eb5]
module.autoalarm[0].aws_cloudwatch_log_group.lambda: Refreshing state... [id=/aws/lambda/AutoconfigureAlarms]
module.autoalarm[0].data.aws_iam_policy_document.lambda_exec_role_policy: Reading...
module.autoalarm[0].data.aws_iam_policy_document.lambda_cwl_access: Reading...
module.autoalarm[0].data.aws_iam_policy_document.lambda_exec_role_policy: Read complete after 0s [id=410070065]
module.autoalarm[0].data.aws_iam_policy_document.lambda_cwl_access: Read complete after 0s [id=1068499646]
module.autoalarm[0].aws_iam_role.lambda_exec_role: Refreshing state... [id=AutoconfigureAlarmsLambdaExecRole]
data.aws_vpc.primary_vpc: Read complete after 2s [id=vpc-xxxx]
data.aws_vpc.primary_vpc: Read complete after 2s [id=vpc-xxxx]
data.aws_subnet.primary_subnet: Reading...
data.aws_subnet.primary_subnet: Reading...
data.aws_vpc.primary_vpc: Read complete after 2s [id=vpc-xxxx]
data.aws_subnet.primary_subnet: Reading...
data.aws_subnet.primary_subnet: Read complete after 0s [id=subnet-xxxx]
data.aws_subnet.primary_subnet: Read complete after 0s [id=subnet-xxxx]
data.aws_subnet.primary_subnet: Read complete after 0s [id=subnet-xxxx]
aws_instance.this: Refreshing state... [id=i-xxxx]
aws_instance.this: Refreshing state... [id=i-xxxx]
aws_instance.this: Refreshing state... [id=i-xxxx]
aws_iam_role_policy.Move2Run_Script_Checker[0]: Refreshing state... [id=account1-iam-ec2-001:Move2Run_Script_Checker]
aws_iam_role_policy.ec2_tagging[0]: Refreshing state... [id=account1-iam-ec2-001:ec2_tagging]
aws_iam_instance_profile.this[0]: Refreshing state... [id=account1-iam-ec2-001_ec2_instance_profile]
aws_s3_bucket_versioning.autoalarm_bucket_versioning: Refreshing state... [id=autoalarm-files-bucket-account1]
aws_s3_bucket_server_side_encryption_configuration.autoalarm_bucket_encryption: Refreshing state... [id=autoalarm-files-bucket-account1]
aws_s3_object.autoalarm_files["LINUX/Default/INF-ec2-processcount-rsyslog.json"]: Refreshing state... [id=xxxx/LINUX/Default/INF-ec2-processcount-rsyslog.json]
aws_s3_object.autoalarm_files["WINDOWS/Default/INF-ec2-diskfree-C.json"]: Refreshing state... [id=xxxx/WINDOWS/Default/INF-ec2-diskfree-C.json]
aws_s3_object.autoalarm_files["LINUX/Default/INF-ec2-networkerrorin.json"]: Refreshing state... [id=xxxx/LINUX/Default/INF-ec2-networkerrorin.json]
aws_s3_object.autoalarm_files["WINDOWS/Default/INF-ec2-diskiotime-C.json"]: Refreshing state... [id=xxxx/WINDOWS/Default/INF-ec2-diskiotime-C.json]
aws_s3_object.autoalarm_files["LINUX/Default/INF-ec2-statuscheckfailed.json"]: Refreshing state... [id=xxxx/LINUX/Default/INF-ec2-statuscheckfailed.json]
aws_s3_object.autoalarm_files["LINUX/Default/INF-ec2-processcount-crond.json"]: Refreshing state... [id=xxxx/LINUX/Default/INF-ec2-processcount-crond.json]
aws_s3_object.autoalarm_files["WINDOWS/Default/INF-ec2-networkerrorin.json"]: Refreshing state... [id=xxxx/WINDOWS/Default/INF-ec2-networkerrorin.json]
aws_s3_object.autoalarm_files["WINDOWS/Default/INF-ec2-memoryutilization.json"]: Refreshing state... [id=xxxx/WINDOWS/Default/INF-ec2-memoryutilization.json]
aws_s3_object.autoalarm_files["LINUX/Default/INF-ec2-diskusage-root.json"]: Refreshing state... [id=xxxx/LINUX/Default/INF-ec2-diskusage-root.json]
aws_s3_object.autoalarm_files["WINDOWS/Default/INF-ec2-networkdropout.json"]: Refreshing state... [id=xxxx/WINDOWS/Default/INF-ec2-networkdropout.json]
aws_s3_object.autoalarm_files["LINUX/Default/INF-ec2-networkdropin.json"]: Refreshing state... [id=xxxx/LINUX/Default/INF-ec2-networkdropin.json]
aws_s3_object.autoalarm_files["LINUX/Default/INF-ec2-diskiotime.json"]: Refreshing state... [id=xxxx/LINUX/Default/INF-ec2-diskiotime.json]
aws_s3_object.autoalarm_files["LINUX/Default/INF-ec2-networkdropout.json"]: Refreshing state... [id=xxxx/LINUX/Default/INF-ec2-networkdropout.json]
aws_s3_object.autoalarm_files["WINDOWS/Default/INF-ec2-networkdropin.json"]: Refreshing state... [id=xxxx/WINDOWS/Default/INF-ec2-networkdropin.json]
aws_s3_object.autoalarm_files["WINDOWS/Default/INF-ec2-networkout.json"]: Refreshing state... [id=xxxx/WINDOWS/Default/INF-ec2-networkout.json]
aws_s3_object.autoalarm_files["LINUX/Default/INF-ec2-cpuutilization.json"]: Refreshing state... [id=xxxx/LINUX/Default/INF-ec2-cpuutilization.json]
aws_s3_object.autoalarm_files["LINUX/Default/INF-ec2-networkin.json"]: Refreshing state... [id=xxxx/LINUX/Default/INF-ec2-networkin.json]
aws_s3_object.autoalarm_files["LINUX/Default/INF-ec2-networkout.json"]: Refreshing state... [id=xxxx/LINUX/Default/INF-ec2-networkout.json]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.
aws_s3_object.autoalarm_files["WINDOWS/Default/INF-ec2-cpuutilization.json"]: Refreshing state... [id=xxxx/WINDOWS/Default/INF-ec2-cpuutilization.json]
aws_s3_object.autoalarm_files["WINDOWS/Default/INF-ec2-networkin.json"]: Refreshing state... [id=xxxx/WINDOWS/Default/INF-ec2-networkin.json]
aws_s3_object.autoalarm_files["LINUX/Default/INF-ec2-networkerrorout.json"]: Refreshing state... [id=xxxx/LINUX/Default/INF-ec2-networkerrorout.json]
aws_s3_object.autoalarm_files["LINUX/Default/INF-ec2-processcount-sshd.json"]: Refreshing state... [id=xxxx/LINUX/Default/INF-ec2-processcount-sshd.json]
aws_s3_object.autoalarm_files["WINDOWS/Default/INF-ec2-statuscheckfailed.json"]: Refreshing state... [id=xxxx/WINDOWS/Default/INF-ec2-statuscheckfailed.json]
aws_s3_object.autoalarm_files["LINUX/Default/INF-ec2-processcount-dsagent.json"]: Refreshing state... [id=xxxx/LINUX/Default/INF-ec2-processcount-dsagent.json]
aws_s3_object.autoalarm_files["LINUX/Default/INF-ec2-memoryutilization.json"]: Refreshing state... [id=xxxx/LINUX/Default/INF-ec2-memoryutilization.json]
aws_s3_object.autoalarm_files["LINUX/Default/INF-ec2-inodesfree-root.json"]: Refreshing state... [id=xxxx/LINUX/Default/INF-ec2-inodesfree-root.json]
aws_s3_object.autoalarm_files["LINUX/Default/INF-ec2-swaputilization.json"]: Refreshing state... [id=xxxx/LINUX/Default/INF-ec2-swaputilization.json]
aws_s3_object.autoalarm_files["WINDOWS/Default/INF-ec2-networkerrorout.json"]: Refreshing state... [id=xxxx/WINDOWS/Default/INF-ec2-networkerrorout.json]
module.autoalarm[0].aws_lambda_function.this: Refreshing state... [id=AutoconfigureAlarms]
module.autoalarm[0].aws_iam_role_policy.lambda_cwl_policy: Refreshing state... [id=AutoconfigureAlarmsLambdaExecRole:AutoconfigureAlarmsLambdaCWLogsPolicy]
aws_iam_role_policy_attachment.lambda-exec-additional-policy-attach[0]: Refreshing state... [id=AutoconfigureAlarmsLambdaExecRole-20230320135337388400000001]
Releasing state lock. This may take a few moments...
aws_volume_attachment.attach["/dev/sdb"]: Refreshing state... [id=vai-680908990]
aws_volume_attachment.attach["/dev/sdb"]: Refreshing state... [id=vai-1499865598]
aws_volume_attachment.attach["/dev/sdb"]: Refreshing state... [id=vai-2292498258]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_ebs_volume.ebs["/dev/sdb"] will be updated in-place
  ~ resource "aws_ebs_volume" "ebs" {
        id                   = "vol-xxxx"
      ~ tags                 = {
          - "map-migrated"                                 = "d-server-xxxx" -> null
            # (24 unchanged elements hidden)
        }
      ~ tags_all             = {
          - "map-migrated"                                 = "d-server-xxxx" -> null
            # (24 unchanged elements hidden)
        }
        # (11 unchanged attributes hidden)
    }

  # aws_ebs_volume.ebs["/dev/sdb"] will be updated in-place
  ~ resource "aws_ebs_volume" "ebs" {
        id                   = "vol-xxxx"
      ~ tags                 = {
          - "map-migrated"                                 = "d-server-xxxx" -> null
            # (25 unchanged elements hidden)
        }
      ~ tags_all             = {
          - "map-migrated"                                 = "d-server-xxxx" -> null
            # (25 unchanged elements hidden)
        }
        # (11 unchanged attributes hidden)
    }

  # aws_instance.this will be updated in-place
  ~ resource "aws_instance" "this" {
        id                                   = "i-xxxx"
      ~ tags                                 = {
          ~ "schedule"                                     = "xxx" -> "running"
            # (26 unchanged elements hidden)
        }
      ~ tags_all                             = {
          ~ "schedule"                                     = "xxx" -> "running"
            # (26 unchanged elements hidden)
        }
        # (29 unchanged attributes hidden)

      ~ root_block_device {
          ~ tags                  = {
              - "map-migrated"                                 = "d-server-xxxx" -> null
                # (24 unchanged elements hidden)
            }
            # (9 unchanged attributes hidden)
        }

        # (7 unchanged blocks hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tgplan

To perform exactly these actions, run the following command to apply:
    terraform apply "tgplan"
  # aws_instance.this will be updated in-place
  ~ resource "aws_instance" "this" {
        id                                   = "i-xxxx"
      ~ tags                                 = {
          ~ "schedule"                                     = "xxx" -> "running"
            # (27 unchanged elements hidden)
        }
      ~ tags_all                             = {
          ~ "schedule"                                     = "xxx" -> "running"
            # (27 unchanged elements hidden)
        }
        # (29 unchanged attributes hidden)

      ~ root_block_device {
          ~ tags                  = {
              - "map-migrated"                                 = "d-server-xxxx" -> null
                # (24 unchanged elements hidden)
            }
            # (9 unchanged attributes hidden)
        }

        # (7 unchanged blocks hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tgplan

To perform exactly these actions, run the following command to apply:
    terraform apply "tgplan"

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_ebs_volume.ebs["/dev/sdb"] will be updated in-place
  ~ resource "aws_ebs_volume" "ebs" {
        id                   = "vol-xxx"
      ~ tags                 = {
          - "map-migrated"                                 = "d-server-xxxx" -> null
            # (24 unchanged elements hidden)
        }
      ~ tags_all             = {
          - "map-migrated"                                 = "d-server-xxxx" -> null
            # (24 unchanged elements hidden)
        }
        # (11 unchanged attributes hidden)
    }

  # aws_instance.this will be updated in-place
  ~ resource "aws_instance" "this" {
        id                                   = "i-xxxx"
      ~ tags                                 = {
          ~ "schedule"                                     = "xxx" -> "running"
            # (26 unchanged elements hidden)
        }
      ~ tags_all                             = {
          ~ "schedule"                                     = "xxx" -> "running"
            # (26 unchanged elements hidden)
        }
        # (30 unchanged attributes hidden)

      ~ root_block_device {
          ~ tags                  = {
              - "map-migrated"                                 = "d-server-xxxx" -> null
                # (24 unchanged elements hidden)
            }
            # (9 unchanged attributes hidden)
        }

        # (7 unchanged blocks hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tgplan

To perform exactly these actions, run the following command to apply:
    terraform apply "tgplan"
time=2023-03-23T16:12:34+01:00 level=warning msg=No double-slash (//) found in source URL /repo/terraform-iam-instance-role.git. Relative paths in downloaded Terraform code may not work. prefix=[/path/to/security/iam_role/account1-iam-ec2-001]
Releasing state lock. This may take a few moments...
Releasing state lock. This may take a few moments...
aws_lambda_permission.allow_EventBridge_to_call_lambda[0]: Refreshing state... [id=AllowExecutionFromEventBridge]
aws_cloudwatch_event_target.AutoAlarms_target[0]: Refreshing state... [id=run-autoalarm-AutoconfigureAlarms-target]
Releasing state lock. This may take a few moments...

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_sns_topic_subscription.cloudwatch_alert_sns_topic_subscription[0] will be created
  + resource "aws_sns_topic_subscription" "cloudwatch_alert_sns_topic_subscription" {
      + arn                             = (known after apply)
      + confirmation_timeout_in_minutes = 1
      + confirmation_was_authenticated  = (known after apply)
      + endpoint                        = "https://events.pagerduty.com/x-ere/"
      + endpoint_auto_confirms          = false
      + filter_policy_scope             = (known after apply)
      + id                              = (known after apply)
      + owner_id                        = (known after apply)
      + pending_confirmation            = (known after apply)
      + protocol                        = "https"
      + raw_message_delivery            = false
      + topic_arn                       = "arn:aws:sns:eu-west-1:xxxx:CloudWatchAlertsTopic-app1"
    }

  # aws_sns_topic_subscription.lambda_alert_sns_topic_subscription[0] will be created
  + resource "aws_sns_topic_subscription" "lambda_alert_sns_topic_subscription" {
      + arn                             = (known after apply)
      + confirmation_timeout_in_minutes = 1
      + confirmation_was_authenticated  = (known after apply)
      + endpoint                        = "xxxxcom@amer.teams.ms"
      + endpoint_auto_confirms          = false
      + filter_policy_scope             = (known after apply)
      + id                              = (known after apply)
      + owner_id                        = (known after apply)
      + pending_confirmation            = (known after apply)
      + protocol                        = "email"
      + raw_message_delivery            = false
      + topic_arn                       = "arn:aws:sns:eu-west-1:xxxx:LambdaAlertsTopic"
    }

Plan: 2 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tgplan

To perform exactly these actions, run the following command to apply:
    terraform apply "tgplan"
Releasing state lock. This may take a few moments...
WARN[0016] No double-slash (//) found in source URL /repo/terraform-aws-kms.git. Relative paths in downloaded Terraform code may not work.  prefix=[/path/to/security/kms_key/testing-app1-pre]
time=2023-03-23T16:12:38+01:00 level=info msg=Debug mode requested: generating debug file terragrunt-debug.tfvars.json in working dir /path/to/security/kms_key/testing-app1-pre/.terragrunt-cache/hMC4CNlaUR10bgr8FEARBrrYVog/4q57KfNLVX1iMhjvMRtuG0bZLmk prefix=[/path/to/security/kms_key/testing-app1-pre]
Acquiring state lock. This may take a few moments...
data.aws_caller_identity.current: Reading...
data.aws_partition.current: Reading...
data.aws_partition.current: Read complete after 0s [id=aws]
data.aws_caller_identity.current: Read complete after 1s [id=xxxx]
data.aws_iam_policy_document.this[0]: Reading...
data.aws_iam_policy_document.this[0]: Read complete after 0s [id=1863602439]
aws_kms_key.this[0]: Refreshing state... [id=mrk-xxx]
aws_kms_alias.this["testing-app1-pre"]: Refreshing state... [id=alias/testing-app1-pre]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_kms_key.this[0] will be updated in-place
  ~ resource "aws_kms_key" "this" {
        id                                 = "mrk-xxx"
      ~ tags                               = {
          - "map-migrated"   = "d-server-xxxx" -> null
            # (12 unchanged elements hidden)
        }
      ~ tags_all                           = {
          - "map-migrated"   = "d-server-xxxx" -> null
            # (12 unchanged elements hidden)
        }
        # (10 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tgplan

To perform exactly these actions, run the following command to apply:
    terraform apply "tgplan"
Releasing state lock. This may take a few moments...
INFO[0024] time=2023-03-23T16:12:22+01:00 level=info msg=Debug mode requested: generating debug file terragrunt-debug.tfvars.json in working dir /path/to/alerting/ec2_state/.terragrunt-cache/pc4ZjhNwDk51ZyFTI-yEtTRxILY/0EBcnr9vNvW7JCOrbk1fKGPsL1I prefix=[/path/to/alerting/ec2_state]
INFO[0024] time=2023-03-23T16:12:22+01:00 level=info msg=Debug mode requested: generating debug file terragrunt-debug.tfvars.json in working dir /path/to/compute/EC201/.terragrunt-cache/3I8w7XvwtY3UH5kmmnZrDUTKTyg/LZT4UnsArFmBooxK-qcZowhfptI prefix=[/path/to/compute/EC201]
INFO[0024] time=2023-03-23T16:12:22+01:00 level=info msg=Debug mode requested: generating debug file terragrunt-debug.tfvars.json in working dir /path/to/compute/EC202/.terragrunt-cache/Rl1k6ZhUGV5uXMeM-s5UTzlevks/LZT4UnsArFmBooxK-qcZowhfptI prefix=[/path/to/compute/EC202]
INFO[0024] time=2023-03-23T16:12:22+01:00 level=info msg=Debug mode requested: generating debug file terragrunt-debug.tfvars.json in working dir /path/to/compute/EC203/.terragrunt-cache/FZUxMvvbWHz3dDrqnp97jyve4O0/LZT4UnsArFmBooxK-qcZowhfptI prefix=[/path/to/compute/EC203]
INFO[0024] time=2023-03-23T16:12:22+01:00 level=info msg=Debug mode requested: generating debug file terragrunt-debug.tfvars.json in working dir /path/to/network/security_group/app1-pre-SG-main-endpoint/.terragrunt-cache/SmQQeXv-qEaAekDP3M_pO6b-KUo/20BMX8TS24vfVUsq5HXh8IkQ0cA prefix=[/path/to/network/security_group/app1-pre-SG-main-endpoint]
INFO[0024] time=2023-03-23T16:12:22+01:00 level=info msg=Debug mode requested: generating debug file terragrunt-debug.tfvars.json in working dir /path/to/network/security_group/account1-sgr-001/.terragrunt-cache/Fcc8mcc6o7sw94O4Jb1r3OI0y2U/20BMX8TS24vfVUsq5HXh8IkQ0cA prefix=[/path/to/network/security_group/account1-sgr-001]
INFO[0024] time=2023-03-23T16:12:22+01:00 level=info msg=Debug mode requested: generating debug file terragrunt-debug.tfvars.json in working dir /path/to/security/iam_role/account1-iam-ec2-001/.terragrunt-cache/GAiquq0V_pk1T7r6sSyNT6GTUXg/ujiMEjZvBSqofi5KSR6wGO9quzU prefix=[/path/to/security/iam_role/account1-iam-ec2-001]
INFO[0024] time=2023-03-23T16:12:34+01:00 level=warning msg=No double-slash (//) found in source URL /repo/terraform-iam-instance-role.git. Relative paths in downloaded Terraform code may not work. prefix=[/path/to/security/iam_role/account1-iam-ec2-001]
time=2023-03-23T16:12:38+01:00 level=info msg=Debug mode requested: generating debug file terragrunt-debug.tfvars.json in working dir /path/to/security/kms_key/testing-app1-pre/.terragrunt-cache/hMC4CNlaUR10bgr8FEARBrrYVog/4q57KfNLVX1iMhjvMRtuG0bZLmk prefix=[/path/to/security/kms_key/testing-app1-pre]

Expected

• A way to archive plans to restore them later
• A way to apply these plans without regenerating new ones
• ( A way to display a json view of this tgplan without a "run-all plan -json" (which would redo another plan )

[denis256]

Hi, I was thinking that collection of plans can be done through hooks, but it will require some scripting to search and collect plan files

[cdelgehier]

Hi,

Thank you for the answer.

Honestly I don't understand the idea for the hooks? You want to make a hook to zip all ./app1 ? Archive it on the jenkins master then terragrunt run-all apply tgplan ? If so, why make a hook? Eventually a sh in the pipeline can do it.

I have looked at the code, but I am not sure that terragrunt run-all apply tgplan applies specifically this plan. In any case, the console output does not show it.

[pradit-ra]

Any update on this question. I'm struggling to run-all apply file using Github Action. it turns out to raise state lock error. Looking deeply in the error log, seems like terragrunt creates parallel process to run terraform apply using the same plan file

[chell0veck]

Trying to solve the same problem. In CI we need to run plan firstly and if it passes apply ready binary files from previous operation. As per my understanding it is not supported yet. Also using run-all with -out in case of multiple submodules simply override previous leaving just latest. So far I've came is to generate individual binaries with the following hook:

terraform {
    extra_arguments "generate_plan_binary" {
    commands  = ["plan"]
    arguments = ["--out=${get_terragrunt_dir()}/${basename(get_terragrunt_dir())}.plan.bin"]
  }
}

How to apply them intelligently remains open for me.