
Add pre-apply hook and a pre-plan hook for custom scripts to be run prior to terraform commands

Open hajali-amine opened this issue 1 year ago • 4 comments

Terraform Version

Terraform v1.4.2
on linux_amd64
+ provider registry.terraform.io/hashicorp/google v4.58.0
+ provider registry.terraform.io/hashicorp/null v3.2.1

Use Cases

A simple example is to only allow people to apply changes when their local branch is not behind the remote branch. Having something like this will help.

terraform {
  required_version = "~>1.4.0"
  pre_plan = "if [[ -n $(git pull --dry-run 2>&1 > /dev/null) ]] ; then exit 1 ; fi"
}

When I run terraform plan, it will run if [[ -n $(git pull --dry-run 2>&1 > /dev/null) ]] ; then exit 1 ; fi. If the status code is 0, it will start the plan. If it's different from 0, terraform will stop everything!

This is a small use case.

Attempted Solutions

Couldn't find a way to surpass this.

Proposal

I think of it as something like this!

terraform {
  required_version = "~>1.4.0"
  pre_plan = "if [[ -n $(git pull --dry-run 2>&1 > /dev/null) ]] ; then exit 1 ; fi"
  pre_apply = "if [[ -n $(git pull --dry-run 2>&1 > /dev/null) ]] ; then exit 1 ; fi"
}

It can also be a block if there are more options!

References

No response

Mar 28 '23 16:03 hajali-amine

Hello @hajali-amine, my two cents on this, as a fellow dev... Maybe a better approach to handling this sort of requirement could probably be achieved using automation (CI/CD), and it may scale as well.

Ideally, these hooks (either git, bash script or an API call, etc.) should be handled outside of terraform, as then the external factor involved (based on the logic defined in pre-plan or pre-apply hooks) does not interfere with terraform failure or success.

It's something like the single responsibility principle. Terraform is responsible for running your infrastructure resource configurations. I think, if both the things are merged together, then we could end up in scenarios where an error in a hook (which works on something completely external to terraform) could prevent Terraform from completing successfully.

One workaround that can be achieved is using a Makefile with targets and applying the pre-plan and pre-apply logic in the make target itself. This can even be accommodated in your CI/CD tool.

I guess this is probably not the answer you were looking for :disappointed:, hopefully someone from the team can enlighten further.

Thanks

Mar 29 '23 14:03 sushant-kapoor17
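
The wrapper approach suggested in the comment above, as an added example that is not from the thread or from Terraform itself: a POSIX shell function that refuses `plan` and `apply` when the local branch is behind its upstream, and fails closed when that cannot be determined. It swaps the issue's `git pull --dry-run` test for `git fetch` plus `git rev-list --count`; the names `tf_guard`, `commits_behind`, `TF_GUARD_REPO` and `TERRAFORM_BIN` are hypothetical.

```sh
#!/bin/sh
# Added example: gate `terraform plan` / `terraform apply` on the local branch
# not being behind its upstream. Any git error blocks the run (fail closed).

# Assumption: TERRAFORM_BIN is a hypothetical override, handy for dry runs.
TERRAFORM_BIN="${TERRAFORM_BIN:-terraform}"

# Print the number of upstream commits missing from HEAD in repo dir $1.
# Non-zero status if the fetch fails or the branch has no upstream.
commits_behind() {
  git -C "$1" fetch --quiet || return 2
  git -C "$1" rev-list --count 'HEAD..@{upstream}' 2>/dev/null || return 3
}

# Run terraform with the given arguments; only plan and apply are gated.
# Assumption: TF_GUARD_REPO (hypothetical) names the repo dir, default ".".
tf_guard() {
  case "${1:-}" in
    plan|apply)
      if ! _behind="$(commits_behind "${TF_GUARD_REPO:-.}")"; then
        echo "tf_guard: cannot compare with upstream, refusing to run $1" >&2
        return 1
      fi
      if [ "$_behind" -ne 0 ]; then
        echo "tf_guard: $_behind commit(s) behind upstream, pull first" >&2
        return 1
      fi
      ;;
  esac
  "$TERRAFORM_BIN" "$@"
}

# When the file is run with arguments, act as a drop-in terraform wrapper.
[ "$#" -eq 0 ] || tf_guard "$@"
```

A Makefile target or CI step can call this file in place of `terraform`; subcommands other than `plan` and `apply` pass through unchecked.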

Hello @sushant-kapoor17, thank you for your response! I was actually inspired by the git pre-commit hook and I thought it may be a great extension for Terraform. They would be defined by the user and the user shall assume responsibility for making it work. It shouldn't overlap with terraform, since the flow would be:

pre-apply which is basically a custom script that shall run -> apply which is managed by Terraform fully

But yes, if this is not possible, a Makefile does sound like a good idea 😄

Mar 29 '23 15:03 hajali-amine

Terragrunt has this feature - https://terragrunt.gruntwork.io/docs/features/hooks/

Apr 02 '24 22:04 BDuelz

Hey folks, actually it may help with the for_each limitation - https://developer.hashicorp.com/terraform/language/meta-arguments/for_each#limitations-on-values-used-in-for_each

When I want to use values of a data source for for_each, I can run apply -target ... before plan/apply, pull the necessary data into the data source's state and then run plan/apply.

Apr 18 '24 11:04 aleksey-hariton