hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

Terraform plan does not create plan for queueing in Terraform Enterprise #24357

Open fishpen0 opened 4 years ago

fishpen0 commented 4 years ago

Terraform Version

0.12.20

Expected Behavior

Running terraform plan using the remote backend to a Terraform Enterprise instance generates a plan that can be viewed and queued for apply.

Actual Behavior

The plan runs and outputs locally, but is not saved in the enterprise workspace to be applied. Meanwhile, terraform apply followed by aborting does save the plan in the workspace.

Steps to Reproduce

  1. Run terraform plan

  2. Go to your Terraform Enterprise workspace and see that no plans are queued.

  3. Run terraform apply and then abort the plan when prompted to run.

  4. Go to your Terraform Enterprise workspace and see that a plan had been generated and queued.

Additional Context

We should be able to use a combination of terraform plan to construct and save a plan in the Terraform Enterprise backend that is viewable in the UI, and then apply that plan using terraform apply. The current behavior does not match that expectation in that plan never saves the plan in TFE.

References

njenan commented 2 years ago

I was experiencing the same issue as you but I approached it in a slightly different way. Specifically, I'd like to generate team tokens that do not have apply permissions, but allow them to generate runs (and then the users, who do have apply permissions, can log onto the UI and apply the run), so I don't have the risk of exposing those tokens outside of my CI/CD system.

I expected to be able to run a terraform apply as normal and have it wait indefinitely (or for a reasonable period of time) once it got to the confirm apply portion, but that was erroring out on me.

I found a relevant section of code:

    // We should remove the `CanUpdate` part of this test, but for now
    // (to remain compatible with tfe.v2.1) we'll leave it in here.
    if !w.Permissions.CanUpdate && !w.Permissions.CanQueueApply {
        diags = diags.Append(tfdiags.Sourceless(
            tfdiags.Error,
            "Insufficient rights to apply changes",
            "The provided credentials have insufficient rights to apply changes. In order "+
                "to apply changes at least write permissions on the workspace are required.",
        ))
        return nil, diags.Err()
    }

https://github.com/hashicorp/terraform/blob/main/internal/backend/remote/backend_apply.go#L25

I'm not sure what this compatibility requirement is or how it could be circumvented, but it would be nice to have an option like:

    terraform apply -unsafe-skip-can-update-check

And be able to queue up a plan.
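Added example, not part of the thread and not Terraform's own code: a small Go model of the permission gate quoted above, used to audit CI tokens against a plan-only policy. The `Permissions` struct, the `CanQueueRun` flag, the function names and the token profiles are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Permissions is a local stand-in for the workspace permission flags.
// CanUpdate and CanQueueApply come from the quoted check; CanQueueRun is assumed.
type Permissions struct {
	CanQueueRun, CanQueueApply, CanUpdate bool
}

// ApplyGate reproduces the condition from the quoted backend_apply.go check.
func ApplyGate(p Permissions) error {
	if !p.CanUpdate && !p.CanQueueApply {
		return errors.New("Insufficient rights to apply changes")
	}
	return nil
}

// Audit returns, sorted by name, one finding per token that breaks a
// plan-only policy for CI tokens.
func Audit(tokens map[string]Permissions) []string {
	var findings []string
	for name, p := range tokens {
		switch {
		case p.CanQueueApply:
			findings = append(findings, name+": can queue applies")
		case ApplyGate(p) == nil:
			// Only CanUpdate is set: the compatibility clause lets it through.
			findings = append(findings, name+": passes apply gate via CanUpdate")
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	// Constructed token profiles, not taken from any real workspace.
	tokens := map[string]Permissions{
		"ci-plan-only": {CanQueueRun: true},
		"ci-legacy":    {CanQueueRun: true, CanUpdate: true},
		"ops-write":    {CanQueueRun: true, CanQueueApply: true, CanUpdate: true},
	}
	for _, f := range Audit(tokens) {
		fmt.Println(f)
	}
}
```

In this model the plan-only token produces no finding, and `ApplyGate` returns the same error for it that the comment above describes hitting.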