terraform-github-actions

Terraform plan with -refresh argument

Open aywengo opened this issue 3 years ago • 3 comments

Sometimes we need to run terraform-plan with option -refresh=false to ignore external changes. Planning Options

aywengo Aug 28 '22 20:08

Terraform plan for pull_request_target

Plan: 1 to add, 0 to change, 0 to destroy. Changes to Outputs.
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # random_string.my_string will be created
  + resource "random_string" "my_string" {
      + id          = (known after apply)
      + length      = 11
      + lower       = true
      + min_lower   = 0
      + min_numeric = 0
      + min_special = 0
      + min_upper   = 0
      + number      = true
      + numeric     = true
      + result      = (known after apply)
      + special     = true
      + upper       = true
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + output_string = "the_string"

:white_check_mark: Plan applied in pull_request_target test #396

github-actions[bot] Aug 28 '22 20:08

Hello @aywengo, can you explain what you would use this for?

dflook Aug 30 '22 09:08

> Hello @aywengo, can you explain what you would use this for?

In our rare case, terraform plan with refresh needs to hit private resource endpoints which are not available for external access. Hence, making a plan for only the new changes in the PR is considered sufficient, without revising existing ones stored in remote state.

aywengo Aug 30 '22 09:08

To add on to that, my configuration spans over 3,000 resources which I know won't be touched outside of Terraform. So it's more practical to pass the -refresh=false argument in both Terraform plan and apply commands to save several minutes of run time.

Sometimes, refreshing all of these resources exceeds the request/rate-limit threshold, so -refresh=false comes in handy again to nearly halve my number of calls. Note, I've already tried adjusting -parallelism=n but it's nowhere near as effective as -refresh=false for my use-case.

As an additional opt-in feature, I'd hope there's no concern about breaking backwards compatibility.

rdhar Feb 16 '23 02:02

No longer required as I found a solution in DevSecTop/TF-via-PR repository, which hosts a reusable workflow to run Terraform commands via PR comments, like a CLI.

Here's an example of how the output of the workflow looks when triggered by PR comments input with multiple Terraform arguments, like: -refresh, -workspace, -var-file, etc.

rdhar Aug 21 '23 13:08