hashicorp / consul-terraform-sync

Consul Terraform Sync is a service-oriented tool for managing network infrastructure near real-time.
Mozilla Public License 2.0

Replace third-party handlers in support of general post-task execution script #309

Open lornasong opened 3 years ago

lornasong commented 3 years ago

Support a task-level feature that executes a user-configured custom script after a task updates network infrastructure. This feature would be similar to Consul-Template’s support for exec command. It would allow users the flexibility to write their own custom scripts as needed without dependency on CTS.

An example of what this could look like (subject to change):

task {
  name = "task_a"
  description = "task with post execution script"
  services = ["db"]
  source = "./my/module"
  exec {
    // TBD to configure a custom script to execute after the task runs
    // For example, run a script: "./post_execution.sh"
  }
}

This feature removes the need for custom third-party support. Currently, CTS's only third-party support is for the PANOS out-of-band commit. We would like to remove related code afterwards since this feature can replace this use-case.

The existing PANOS commit could be supported by this new feature by using the PANOS commit script and a process similar to the one described in the PANOS commit guide. An example of how CTS could support the PANOS commit:

task {
  name = "panos_task"
  description = "task with post execution script"
  services = ["db"]
  source = "./my/panos/module"
  exec {
    // For example, run panos script: "firewall-commit -config fwauth.json 'My commit comment'"
    // see PANOS commit guide linked above for details on script
  }
}

eikenb commented 3 years ago

Consul-template re-uses its child process running sub-module for this. It is most likely overkill for this case and I'd probably not recommend it (if you were even thinking of this).

Random passing thought... what about gRPC or hashicorp/go-plugins for this? Seems like you could better integrate running the 'script' this way than an external shell call if that was desirable.

findkim commented 3 years ago

Linking in this bug ticket, https://github.com/hashicorp/consul-terraform-sync/issues/125: the feature should also consider that the script/commits should only run if the Terraform plan/apply have a diff.
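
An added sketch, not part of the issue thread and not CTS code, of how a post-task hook of the kind discussed above could be run defensively: only when the plan reported a diff, with the command executed as an argument vector instead of a shell string, a scrubbed environment, and a timeout. `PlanChanged` and `RunPostTask` are hypothetical names; the diff signal is assumed to come from the exit status of `terraform plan -detailed-exitcode`.

```go
package main

import (
	"context"
	"fmt"
	"os"
	"os/exec"
	"time"
)

// PlanChanged maps the exit status of `terraform plan -detailed-exitcode`
// (0 = no changes, 1 = error, 2 = changes present) to a "has diff" flag.
func PlanChanged(exitCode int) (bool, error) {
	switch exitCode {
	case 0:
		return false, nil
	case 2:
		return true, nil
	default:
		return false, fmt.Errorf("terraform plan failed with exit code %d", exitCode)
	}
}

// RunPostTask (hypothetical helper) runs argv after a task, only if changed.
// argv is executed directly, never via "sh -c", so configured values are not parsed as shell syntax.
func RunPostTask(ctx context.Context, argv []string, changed bool, timeout time.Duration) (ran bool, out []byte, err error) {
	if !changed {
		return false, nil, nil // no diff: skip the script
	}
	if len(argv) == 0 {
		return false, nil, fmt.Errorf("post-task command is empty")
	}
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()
	cmd := exec.CommandContext(ctx, argv[0], argv[1:]...)
	// Pass only PATH so daemon secrets (e.g. CONSUL_HTTP_TOKEN) do not leak into the script.
	cmd.Env = []string{"PATH=" + os.Getenv("PATH")}
	out, err = cmd.CombinedOutput()
	if ctx.Err() == context.DeadlineExceeded {
		return true, out, fmt.Errorf("post-task command timed out after %s", timeout)
	}
	return true, out, err
}

func main() {
	changed, _ := PlanChanged(2) // constructed input: the plan reported a diff
	ran, out, err := RunPostTask(context.Background(), []string{"echo", "commit done"}, changed, 5*time.Second)
	fmt.Println(ran, string(out), err)
}
```

A script that legitimately needs credentials would have them passed through an explicit allow-list of variables, not by inheriting the daemon's whole environment.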