terragrunt
terragrunt copied to clipboard
gruntwork-io
Feature to optionally ignore `changes made outside of Terraform` in output
Hi,
I haven't found related issues and decided to create a new one.
It seems to me that it would be great to add option to Terragrunt to ignore Terraform "feature", introduced in 0.15.4, which often creates loads of useless diffs with header
Note: Objects have changed outside of Terraform
Terraform detected the following changes made outside of Terraform since the
last "terraform apply":
Today they stated that they don't have plans to fix it soon and it lasts almost a year already. https://github.com/hashicorp/terraform/issues/28803#issuecomment-951209299
Current problem
Terraform > 0.15.3 shows messages Terraform detected the following changes made outside of Terraform since the last "terraform apply" with diff between state file and state from refresh. Sometime it's useful, but in many cases just generates a lot of useless messages, resulting unusable automation and in general hard to understand what will be changed at all.
Possible solution
Add new option to Terragrunt to be able ignore everything after that line (previous behaviour).
I think this would require some design work. I'm not sure a feature to implement a blanket filter for that makes sense in terragrunt, and would be quite brittle as terraform is likely to change the text. But a more generic filter for parsing plan sections might make sense.
The open questions that should be addressed before anyone attempts to implement this are:
- Is there a meta feature terragrunt can implement around output filtering that would cover this use case?
- Is terraform consistent about reporting this output? AFAIK, these would be rolled into the existing plan if there are any other changes.
- Should
terragrunt applyalways runterraform applyand thenterraform apply -refresh-onlyinstead of parsing the log output? This could also be a flag so that users can choose whether terragrunt should do that (e.g.,auto_refresh = true).
Should terragrunt apply always run terraform apply and then terraform apply -refresh-only instead of parsing the log output? This could also be a flag so that users can choose whether terragrunt should do that (e.g., auto_refresh = true).
This one sounds interesting to me... I might add that step to my CI/CD anyway and see how much it helps...
Please note that from discussions in original issue, terraform apply -refresh-only is not always works and might be not safe
https://github.com/hashicorp/terraform/issues/28939
https://github.com/hashicorp/terraform/issues/28803#issuecomment-884959989
Please note that from discussions in original issue,
terraform apply -refresh-onlyis not always works and might be not safe hashicorp/terraform#28939 hashicorp/terraform#28803 (comment)
From what I can see, both the issue and the comment are in response to running apply -refresh-only before apply. Which I agree is undesirable. Many of my issues with 'changes made outside Terraform' I believe can be resolved by reversing that order, as @yorinasub17 suggests, conditional on a successful apply so we know the credentials are fine.
According to this comment, since v1.2 this problem shouldn't be that bad and it kinda does. So I think this issue could be closed.
Starting with v1.2, the goal for the refresh report is that only external changes which may have contributed to changes in the plan will be shown. This means in most cases, unused attributes changing outside of terraform will not show up in the normal plan output. If there are no changes in the plan, no external changes will be shown in the CLI at all. All refresh information is still stored within the plan, and if a user wants to see all external changes of resources in the CLI, a refresh-only plan can be used.