I have an idea to implement but I don't really know how to do it.
I'd like to have an option to not mark the resource as created if check mode is enabled and the playbook has some changes to apply.
AFAIK, Ansible does not have some kind of --detailed-exitcode; the only way I found to check if there are some changes to apply is to search for the changed=0 string in the output.
Currently I have to do something like this:
$ terraform taint null_resource.provisioner
$ terraform apply -target null_resource.provisioner | tee /dev/stderr | grep -q changed=0 || terraform taint null_resource.provisioner # dry-run with tainting again if something has to be applied
$ TF_VAR_ansible_check=false terraform apply
That works as long as I have only one null_resource in my Terraform project, but I usually have 2 (one generic playbook to apply to all my instances, and sometimes one specific module to do some specific stuff on one instance). In that case, dependencies make it hard to know which null_resource has to be marked as tainted again.
It would be easier (and more logical I think) if the Ansible provisioner would return a failure if there are some changes to apply and we are in check mode. In that case, my workflow would be:
$ terraform taint null_resource.provisioner
$ terraform apply -target null_resource.provisioner # dry-run, null_resource will not be marked as created if something has to be applied
$ TF_VAR_ansible_check=false terraform apply
Thus if the ansible playbook hasn't converged yet, it will be re-applied.
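A stricter form of the changed=0 check from the post, as an added example that is not code from the original post or from the provisioner: it parses each PLAY RECAP host line, so one host reporting changed=0 cannot mask another host with pending changes. The function name `recap_converged`, the exit-status convention and the sample output (including the line prefix) are assumptions constructed for this example.

```shell
# Added example: recap_converged is a hypothetical helper, not part of
# Terraform, Ansible or the provisioner. It reads captured output on stdin.
# Exit status: 0 = every host line reports changed=0
#              1 = at least one host has changes to apply
#              2 = no PLAY RECAP host line seen (treat as not converged)
# Drop-in use in the pipeline from the post:
#   terraform apply -target null_resource.provisioner | tee /dev/stderr \
#     | recap_converged || terraform taint null_resource.provisioner
recap_converged() {
  awk '
    /PLAY RECAP/ { in_recap = 1; next }   # unanchored: lines may carry a prefix
    in_recap && match($0, /changed=[0-9]+/) {
      hosts++
      # "changed=" is 8 characters; the digits follow it
      if (substr($0, RSTART + 8, RLENGTH - 8) + 0 > 0) pending++
    }
    END {
      if (hosts == 0) exit 2
      exit (pending > 0 ? 1 : 0)
    }
  '
}

# Constructed sample output: two hosts, only web2 still has changes to apply.
SAMPLE_RECAP='null_resource.provisioner: PLAY RECAP *********************
null_resource.provisioner: web1 : ok=5 changed=0 unreachable=0 failed=0
null_resource.provisioner: web2 : ok=5 changed=2 unreachable=0 failed=0'

printf '%s\n' "$SAMPLE_RECAP" | recap_converged
echo "recap_converged status: $?"
```

On this sample a plain `grep -q changed=0` succeeds because of the web1 line, while `recap_converged` reports pending changes.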