Open sjourdan opened 3 years ago
It's unclear to me what does the export command would perform under the hoods. Does it need to perform an actual scan ?
default driftctl mode doesn't include resource details (experimental --deep mode does)
We could make deep mode being a requirement to use the export feature.
there's no need for any processing middleware there
It's still possible to create the export before running any middleware.
It's unclear to me what does the export command would perform under the hoods. Does it need to perform an actual scan ?
Yes, driftctl export
should scan the resources like the real scan, but also add resources content from the tf provider without any processing (we don't care about it there). Like a "raw" deep mode by default if you prefer.
We could make deep mode being a requirement to use the export feature.
True, driftctl export
can't work without either the real deep mode or an equivalent!
It's still possible to create the export before running any middleware.
interesting, do you mean a prototype version of the driftctl export
command can be done to reuse the current tfplan PoC and make it less complicated to maintain in the long run?
interesting, do you mean a prototype version of the driftctl export command can be done to reuse the current tfplan PoC and make it less complicated to maintain in the long run?
I think having to create a new command to make another kind of scan will be hard to maintain. May be we could embed the export feature in a simple --export
flag for the existing scan command ? In this way, we don't rewrite the scan command and still be able to avoid useless processing. Unlike the abandoned PoC was suggesting, the export format shouldn't be considered as a scan output
The scan in its root feature (read state + scan remote + first part of the analysis) is indeed what we need to do here.
BUT what we meant by "processing" is all the attributes that we decided voluntarily to remove for the sake of driftctl (e.g. look at initAwsCloudfrontDistributionMetaData
) and all the middlewares that could potentially remove other essential attributes.
I don't think we could do that in just one command, thus creating another command for it.
all the attributes that we decided voluntarily to remove for the sake of driftctl
@wbeuil You're right I didn't think about metadata we remove. I better understand the choice of abandoning the previous ideas.
Wow, it's quite a big one RFC for sure.
First thing, resource anonymization is another topic, and for me, it should remain in a dedicated RFC. We're gonna to end with a big mess in our brain if we try to solve multiples problems in a single RFC.
While reading I don't get what we really want here. We talk everywhere about "result"
I want to export my result to the Terraform JSON plan format
Maybe the first thing can be to explain what we want exactly to export ?
there's no need for any processing middleware there
Why ? One more time, what do we expect as a result ? If this is actual scan
result, it does not make sense not to run middleware on a scan result. Middleware are here to ensure consistency between IaC and real life resources, if you simply not run them you'll end with an inconsistent output 🤔
Yes, driftctl export should scan the resources like the real scan, but also add resources content from the tf provider without any processing (we don't care about it there). Like a "raw" deep mode by default if you prefer.
but also add resources content from the tf provider
I don't get it, what is a tf provider for you ?
TL;DR I'm stopping the review here since I don't get what we really want here. I think we should start from a clear explanation of what we want, with real life usecase.
So that I can use it somewhere else
"somewhere else" sounds very unclear. This should be clarified.
Implementation details will came after a deep reflection about what we want, and then we'll talk about UX/UI and implementation details.
I have to agree with Elie on the export part. I'll have to add that I'm not sure the anonymization part is the same thing as the export part. For debug purpose we need a full scan run and most of the think we want to anonymize are in the logs. I'm pretty sure these are modification of scan and not a new command.
Summary
The idea with a dedicated
driftctl export
command is to work independently from thescan
command (and its middlewares) as well as the related, experimental--deep
mode.Abandoned Ideas
An undocumented proof-of-concept of the feature currently exists using
driftctl scan
(driftctl <= 0.15):This PoC works but we're not satisfied enough to support this long-term: it goes through all processing middlewares targeted at drift detection and requires a working deep mode.
Export Formats
Here are two examples of export formats that could be used with this feature.
Export Format: Terraform Plan (JSON)
As a driftctl CLI user I want to export my result to the Terraform JSON plan format So that I can send it to another product for analysis
Proposal
--deep
mode does)Format Structure
More detailed specs will follow, but the bottom line for the 2 main sections is:
planned_values { }
should contain all the expected resources we know about (like a regular plan would generate), so existing, expected resources, can be analyzed, if needed. It should also include (abusively!) the discovered unmanaged resources (while yes, those resources won't be detectable there by anyone)resource_changes [ ]
should contain the unmanaged resources, to be analyzed by the destination tool (with thecreate
action, while others keep the"no-op"
action)Export Format: Anonymized Output (Console)
LOG_LEVEL=debug driftctl scan [...]
)Example output:
Option 1: anonymize only resources names
In the following case, we would hash
"customername1"
.That would share this:
Option 2: anonymize everything
Goal: so there's no wonder what can leak.
Such a resource with identifiable strings will be fully anonymized with such a system:
So an output using those would end up shared like this: