runatlantis / atlantis

Terraform Pull Request Automation
https://www.runatlantis.io

Remote execution on Terraform Cloud fail to apply #2794

Open lilincmu opened 1 year ago

lilincmu commented 1 year ago


Overview of the Issue

When running remote apply on Terraform Cloud, an error is returned which blocks the apply.

Reproduction Steps

```hcl
resource "null_resource" "example" { }
```

- Create a PR; Atlantis will run `atlantis plan` automatically
- Run `atlantis apply` in a PR comment
- An error is returned as below:

```
running "/Users/li/.atlantis/bin/terraform1.3.6 apply -input=false -no-color" in "/Users/li/.atlantis/repos/lilincmu/atlantis-sample-repo-with-tfc/11/lilin-atlantis-with-tfc": exit status 1
Running apply in Terraform Cloud. Output will stream here. Pressing Ctrl-C will cancel the remote apply if it's still pending. If the apply started it will stop streaming the logs, but will not stop the apply running remotely.

Preparing the remote apply...

To view this run in a browser, visit: https://app.terraform.io/app/lilin/lilin-atlantis-with-tfc/runs/run-C2R6G61LuvimYchL

Waiting for 1 run(s) to finish before being queued...
Waiting for 1 run(s) to finish before being queued... (30s elapsed)

Terraform v1.3.5 on linux_amd64
Initializing plugins and modules...
null_resource.example: Refreshing state... [id=8674665223082153551]
null_resource.example2: Refreshing state... [id=5577006791947779410]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:

Terraform will perform the following actions:

null_resource.example3 will be created

Plan: 1 to add, 0 to change, 0 to destroy.

Error: Cannot confirm apply due to -input=false. Please handle run confirmation in the UI.
```


Environment details

If not already included, please provide the following:
- Atlantis version: v0.21.0
- Terraform version: v1.3.6
- Atlantis server-side config file:

```json
{
  "repos": [
    {
      "id": "/.*/",
      "apply_requirements": [
        "mergeable"
      ]
    }
  ]
}
```

- Repo `atlantis.yaml` file:

```yaml
version: 3
automerge: true
delete_source_branch_on_merge: true
projects:
```

lilincmu commented 1 year ago

Workaround

Currently there are two workarounds for this issue.

  1. As pointed out by https://github.com/runatlantis/atlantis/issues/1628#issuecomment-907267823, we can use a custom workflow to pass in the `-auto-approve` argument.
  2. We can pass in the extra argument directly in a PR comment, like `atlantis apply -- -auto-approve`.

Proposed Fixes

  1. We can pass the `-auto-approve` argument by default for remote apply on Terraform Cloud. However, this could be dangerous, since unlike local execution, the plan for remote execution seen in PR comments might not be the actual plan that's going to be applied. It's more like a tentative plan. We might need to add more documentation if we decide to make `-auto-approve` a default behavior for remote apply.
  2. Update the prompt returned by `atlantis plan`. Currently, the prompt does not mention `-auto-approve` at all. If users run any of the commands, they'll see an error. We might update the prompt and mention the usage of `-auto-approve`.
    • :arrow_forward: To apply this plan, comment:
        • `atlantis apply -w lilin-atlantis-with-tfc`
    • :fast_forward: To apply all unapplied plans from this pull request, comment:
        • `atlantis apply`

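The first workaround, written out as an Atlantis server-side repo config. This is an added example, not configuration from the issue or from the Atlantis project; the workflow name `tfc-auto-approve` and the repo id are placeholders. It attaches `-auto-approve` to a single repo instead of `/.*/`, because, as the proposed-fixes note says, the plan shown in the PR may not be the plan Terraform Cloud actually applies.

```yaml
repos:
  # Default for every repo: stock workflow, no -auto-approve.
  - id: /.*/
    apply_requirements: [mergeable]

  # Later matching entries override earlier ones, so only this repo
  # gets the auto-approving workflow. Placeholder repo id.
  - id: github.com/example-org/example-tfc-repo
    # Require a PR approval as well, since the remote apply is no longer
    # confirmed by hand in the Terraform Cloud UI.
    apply_requirements: [approved, mergeable]
    workflow: tfc-auto-approve

workflows:
  # Hypothetical workflow name; the plan stage is left at its default.
  tfc-auto-approve:
    apply:
      steps:
        - apply:
            extra_args: ["-auto-approve"]
```
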
GenPage commented 1 year ago

> Proposed Fixes
>
>   1. We can pass -auto-approve argument by default for remote apply on Terraform Cloud. However, this could be dangerous, since unlike local execution, the plan for remote execution seen in PR comments might not be the actual plan that's going to be applied. It's more like a tentative plan. We might need to add more documentation if we decide to make -auto-approve a default behavior for remote apply.
>   2. Update the prompt returned by atlantis plan. Currently, the prompt does not mention -auto-approve at all. If users run any of the commands, they'll see an error. We might update the prompt and mention the usage of -auto-approve.

I think the 2nd proposed fix is most likely the way we want to go. I caution against changing the default action depending on the use case. I feel giving enough documentation/prompt to the user and letting them make the choice is the best first step. We can always change the default action at a later time.

lilincmu commented 1 year ago

Forgot to mention: upon seeing the error, users can manually apply the queued plan in the Terraform Cloud UI, as the error message indicates.

Error: Cannot confirm apply due to -input=false. Please handle run confirmation in the UI.

However, they'll need to run `atlantis unlock` and close the PR manually after the apply is executed.

nitrocode commented 1 year ago

At the risk of sounding naive since I do not run terraform cloud... Doesn't atlantis currently run terraform apply -auto-approve? Otherwise wouldn't everyone hit a prompt (and subsequent error) when attempting to apply?

alexclifford commented 1 year ago

> At the risk of sounding naive since I do not run terraform cloud... Doesn't atlantis currently run terraform apply -auto-approve? Otherwise wouldn't everyone hit a prompt (and subsequent error) when attempting to apply?

I believe it uses a saved plan - https://developer.hashicorp.com/terraform/cli/commands/apply#saved-plan-mode

nitrocode commented 1 year ago

Yes, the plan is saved. However, if you apply a saved plan, I believe it will still prompt you to confirm unless you `-auto-approve`, no?

Eddman commented 11 months ago

Just an idea: in such a case Atlantis can call `terraform apply` instead of plan and, after the plan, simply keep the apply unconfirmed. Then during apply, just confirm the previous plan. And obviously discard the plan if a new plan is called or the PR is closed.

This would be the target behavior for me, although I understand it is not the simplest to implement...