Support `atlantis refresh` subcommand

[nitrocode]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.

---

• [ ] I'd be willing to implement this feature (contributing guide)

Describe the user story

For terraform 0.15.4 and later, sometimes the attributes of managed resources are modified. When a terraform plan is run, we get a lot of information that frankly no one cares about and then finally the plan is appended beneath it.

In order to remove the text above the plan we have to run a terraform refresh.

This can be added to the plan workflow but I do not want to run it all the time since it's more calls to AWS than we need.

Ref https://support.hashicorp.com/hc/en-us/articles/4405950960147-New-Feature-Objects-have-changed-outside-of-Terraform-

Example of the "junk" with the no changes message

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply":

  # module.xyz.module.this_green.aws_autoscaling_group.this[0] has changed
! resource "aws_autoscaling_group" "this" {
+       default_instance_warmup   = 0
!       desired_capacity          = 24 -> 0
        id                        = "xyz"
!       max_size                  = 72 -> 0
!       min_size                  = 15 -> 0
        name                      = "xyz"
        # (22 unchanged attributes hidden)

        # (8 unchanged blocks hidden)
    }

Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

No changes. Your infrastructure matches the configuration.

Describe the solution you'd like

It would be best to have an option to run it like this.

atlantis plan --refresh-first

or

atlantis refresh

Related to this issue https://github.com/runatlantis/atlantis/issues/2776

Describe the drawbacks of your solution

None

Describe alternatives you've considered

Run a refresh-only plan first

# create a refresh only plan
atlantis plan -- -refresh-only
# approval required
# apply the refresh only plan w/o merging the branch
atlantis apply -auto-merge-disabled
# create a new plan with an easier to review plan
atlantis plan
# apply the plan
atlantis apply

or

Run terraform refresh locally and then run atlantis plan in the PR.

[bschaatsbergen]

I believe that the terraform refresh command has been deprecated due to it being unsafe. Is this something we still want to work on? Also running atlantis plan or atlantis apply should result in the same behaviour according to the docs:

Terraform automatically performs the same refreshing actions as a part of creating a plan in both the terraform plan and terraform apply commands

[nitrocode]

I believe that the terraform refresh command has been deprecated due to it being unsafe

Do you have a reference explaining that the refresh command is unsafe?

Is this something we still want to work on?

Yes, id personally like it.

Also running atlantis plan or atlantis apply should result in the same behaviour according to the docs:

Yes this is true. However, then you get a more complex plan to review. The refresh reduces the plan to the main resources that are changing.

[bschaatsbergen]

It's mentioned in the documentation here: https://developer.hashicorp.com/terraform/cli/commands/refresh, I don't think that the warning should apply to Atlantis, as I expect that this more related to local development.

Anyhow, I would like to pick this up in the case that we still want this feature.

[nitrocode]

Ah thank you for sharing that link. I did not know it was deprecated.

https://developer.hashicorp.com/terraform/tutorials/state/refresh

Though Terraform will continue to support the refresh subcommand in future versions, it is deprecated, and we encourage you to use the -refresh-only flag instead. This allows you to review any updates to your state file. Unlike the refresh subcommand, -refresh-only mode is supported in workspaces using Terraform Cloud as a remote backend, allowing your team to collaboratively review any modifications.

Then perhaps the workaround i included above is the best way forward.

[nitrocode]

The downside of not implementing atlantis refresh is that you would need to get an approval first for the plan with all the junk before you could complete the lifecycle of a refresh only plan in order to create a new plan without the junk to make it easier to review....

This is the issue with the current workaround.

The ideal method would be that you could run atlantis refresh and it would either run terraform refresh && terraform plan or terraform plan -refresh-only && terraform apply && terraform plan (without merging the branch). Whether the former or latter is used, it's just an implementation detail.