Usage in CI/CD

[carbonrobot]

I'm trying to understand how this would be used in a CI/CD context.

Conceptually, here is what we are trying to do (to replace our own homegrown scripts)

• Execute the plan remotely (pushconfig)
• If the exit code is 0, get the plan id and the number of resources to destroy
• If destroy = 0, execute apply on the plan id remotely

[fprimex]

tfh as it stands today would be unable to do this just with its own commands. An exit code of 0 on a plan doesn't necessarily mean that the plan completed successfully. It just means that the pushconfig and optional polling / streaming was successful. So instead you would need to, I think:

• do a pushconfig with log streaming
• get the plan ID from the output of pushconfig
• use the plan ID to get the status of the run
• if the status was planned, then the plan succeeded
• look at the streamed log content for the plan summary line for additions, changes, deletions to see if there are 0 deletions
• if so, queue an apply on the run

If you have a script that does this already, then you might be able to replace the direct curl calls with tfh function calls and then make the script a tfh plugin so it would be its own subcommand, like tfh custompush or something similar.

The terraform command itself can do a few of these things, and if you can make terraform work for this purpose I'd strongly recommend that. If you use the remote backend and do not configure a VCS on the workspace, then a terraform apply can be executed on the workspace from the CLI. You can use Sentinel to ensure that the apply is only run if there are no deletions. Workspaces can be set to auto-apply on successful plans and sentinel passes. With these tools, your desired use case becomes extremely easy to implement.

[fprimex]

I also meant to link to this in case you have not seen it, just for reference:

https://learn.hashicorp.com/terraform/development/running-terraform-in-automation

[carbonrobot]

Thanks for the feedback. We use a combination of the scripts from that link and terraform commands right now, but find that maintaining the scripts takes quite a bit of time.

It would be ideal if the Terraform tool itself supported TFE directly, but currently it can only perform speculative plans. It makes adoption of TFE pretty rocky.

We may try the tfe-go api as an alternate for now.

[fprimex]

Just wanting to make sure this didn't get lost in the shuffle - the terraform tool can perform applies in TFE / TFC, but only if the workspace does not have a VCS configured.

Some of the items we're discussing here are in the other GH issue, and if I change a few of those things (output, return code), then hopefully this can work for you.

tfe-go is what backs the remote backend's operation and the tfe provider, so it is not a bad choice if you are OK with writing Go code. I'd say in general that if you have a support contract with HashiCorp, and terraform + remote + the tfe provider + simple API calls (the 4 supported methods) aren't doing what you need, then you can report your use case to support.

[carbonrobot]

Since the Terraform tool only allows speculative plans it hasn't fit our scenario well for us. We like to use TFE for the manual approval of plans. We let CI auto approve only if the plan does not destroy any resources. So we have custom shell scripts to parse that output, but we spend a lot of time correcting minor issues with it.

If we could use -outplan with speculative plans that would work, but the Terraform tool blocks this path as well.

We do work with support often as we are now running private Terraform enterprise on our own AWS account.