search

hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io
Other
42.77k stars 9.56k forks source link

Wait for remote approval flag for enhanced remote backend #23405

Open petems opened 5 years ago

petems commented 5 years ago

Use-cases

Scenario: Remote approval with enhanced remote backend

As a Terraform user I want to be able to wait for approval from the Terraform Cloud/Ent API So I can get secondary approval for runs

Example Workflow:

  1. Bob triggers a terraform apply in orchestration tool with the backend pointing to TF Cloud/Enterprise
  2. This hangs waiting for approval in TFE itself, as Bob wants a second pair of eyes to approve the run.
  3. Alice goes into TFE, sees it looks good, clicks approve
  4. The run continues as normal.

Attempted Solutions

Right now, the only real way to do this is to run Terraform and then have wait at the approval stage. This requires a TTY present (not always possible in certain orchestration environments). 

$ terraform apply 
Running apply in the remote backend. Output will stream here. Pressing Ctrl-C
will cancel the remote apply if it's still pending. If the apply started it
will stop streaming the logs, but will not stop the apply running remotely.

Preparing the remote apply...

To view this run in a browser, visit:
https://app.terraform.io/app/johndoecorp/example/runs/run-uJAX3Toy6xbvaFnH

Waiting for the plan to start...

Terraform v0.11.13

Configuring remote state backend...
Initializing Terraform configuration...
2019/11/18 16:26:51 [DEBUG] Using modified User-Agent: Terraform/0.11.13 TFC/4471262601
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

[...]

Do you want to perform these actions in workspace "example"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: approved using the UI or API

2019/11/18 16:27:17 [DEBUG] Using modified User-Agent: Terraform/0.11.13 TFC/4471262601

Proposal

Some sort of flag specifically for remote approval.

For example:

$ terraform apply --wait-for-approval
Running apply in the remote backend. Output will stream here. Pressing Ctrl-C
will cancel the remote apply if it's still pending. If the apply started it
will stop streaming the logs, but will not stop the apply running remotely.

Preparing the remote apply...

To view this run in a browser, visit:
https://app.terraform.io/app/johndoecorp/example/runs/run-uJAX3Toy6xbvaFnH

Waiting for the plan to start...

Terraform v0.11.13

Configuring remote state backend...
Initializing Terraform configuration...
2019/11/18 16:26:51 [DEBUG] Using modified User-Agent: Terraform/0.11.13 TFC/4471262601
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

[...]

Do you want to perform these actions in workspace "example"?
  --wait-for-approval enabled
  Waiting on remote approval (sleep 2s)
  Waiting on remote approval (sleep 2s)
  Approval received! 

2019/11/18 16:27:17 [DEBUG] Using modified User-Agent: Terraform/0.11.13 TFC/4471262601

References

https://www.terraform.io/docs/backends/types/remote.html#apply

ColtonHerrodWork commented 2 years ago

Is this likely to see any movement? The ability to wait for a UI or API approval in Terraform Cloud would be a useful feature for our CI/CD implementation.

GabrieleMazzola commented 1 year ago

Any news on this topic? this would be very useful for our use case.

jeffhuys commented 2 months ago

Yeah, would love to have some updates about this as well. Running terraform apply without -auto-approve in CircleCI will just state:

│ Error: Cannot confirm apply due to -input=false. Please handle run confirmation in the UI.

I mean... Yes? That's the whole point. I want CircleCI to keep waiting until I confirm in the Terraform Cloud UI. No need to crash. Now I gotta work around this thing, so that'll take me some more hours unfortunately.