Add a new flag --out for saving a plan file after dry-run migrations #37
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
6a19d01 to
8761dc0
Compare
8761dc0 to
82dfe64
Compare
tfmigrate plan --out=foo.tfplan82dfe64 to
83fb691
Compare
Fixes #36 Add a new flag `--out` for saving a plan file after dry-run migrations. It almost equivalents to `terraform plan -out`, but runs after dry-run migrations. Note that the new flag is `--out`, not `-out`. This is only because the pflag library we use follows the GNU style long options. This is intuitively simple, but after implemented, it turned out it wasn't a trivial matter. The plan file internally contains terraform configurations used by plan. The tfmigrate uses a temporary local backend configuration not to change a remote state in plan phase. This means applying the plan file affects only a local state. We need the following steps to apply the plan: (1) tfmigrate plan --out=foo.tfplan tfmigrate_test.hcl (2) tfmigrate apply tfmigrate_test.hcl (3) terraform apply foo.tfplan (4) terraform state push -force terraform.tfstate (5) terraform plan -detailed-exitcode (6) rm terraform.tfstate foo.tfplan Make sure to force push the local state to remote after `terraform apply`. The `-force` flag is required in (4) because the lineage of the state will be changed. As you know, this is unsafe operation. But I couldn't find a safe way to do this in the current technical limitations. You can confirm the final plan has no changes in (5).
83fb691 to
fa66cfd
Compare
Terraform >= v0.12.25 and < v0.13 has a bug for state push -force. hashicorp/terraform#25761 I added a version check in acceptance tests to minimize the patch. Ideally, the version check process should be implemented in TerraformCLI instead of the test helper function because supported features may be different for some Terraform versions. I'll follow up a separated PR to add some version checks in runtime.
minamijoyo
added a commit
that referenced
this pull request
Dec 10, 2021
Closes #62 The tfmigrate plan --out=tfplan option was originally requested in #36, and added in #37. While testing Terraform 1.1 support, I found it no longer work with Terraform 1.1. #62 After debugging, the tfmigrate plan --out=tfplan option was based on a bug prior to Terraform 1.1. Since terraform state push increments the serial of tfstate, a saved plan file in tfmigrate plan phase should not be able to terraform apply. However, prior to Terraform 1.1, there was no proper validation and terraform apply allows a such case incorrectly. Starting from Terraform 1.1, it now rejects the plan as stale, which seems to be a correct behavior. That is, the tfmigrate plan --out=tfplan option doesn't work with Terraform 1.1 or later. There is no way to do this. Fortunately, Terraform 1.1 added a new `moved` block feature, so some use-cases could be covered by the `moved` block. So, I decided to deprecate the tfmigrate plan --out=tfplan option without replacement and it will be removed in a future release.
minamijoyo
added a commit
that referenced
this pull request
Dec 10, 2021
Closes #62 The tfmigrate plan --out=tfplan option was originally requested in #36, and added in #37. While testing Terraform 1.1 support, I found it no longer work with Terraform 1.1. #62 After debugging, the tfmigrate plan --out=tfplan option was based on a bug prior to Terraform 1.1. Since terraform state push increments the serial of tfstate, a saved plan file in tfmigrate plan phase should not be able to terraform apply. However, prior to Terraform 1.1, there was no proper validation and terraform apply allows a such case incorrectly. Starting from Terraform 1.1, it now rejects the plan as stale, which seems to be a correct behavior. That is, the tfmigrate plan --out=tfplan option doesn't work with Terraform 1.1 or later. There is no way to do this. Fortunately, Terraform 1.1 added a new `moved` block feature, so some use-cases could be covered by the `moved` block. So, I decided to deprecate the tfmigrate plan --out=tfplan option without replacement and it will be removed in a future release.
This was referenced Dec 10, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #36
Add a new flag
--outfor saving a plan file after dry-run migrations.It almost equivalents to
terraform plan -out, but runs after dry-run migrations. Note that the new flag is--out, not-out. This is only because the pflag library we use follows the GNU style long options.This is intuitively simple, but after implemented, it turned out it wasn't a trivial matter. The plan file internally contains terraform configurations used by plan. The tfmigrate uses a temporary local backend configuration not to change a remote state in plan phase. This means applying the plan file affects only a local state.
We need the following steps to apply the plan:
Given a migration file with
forceattribute.(1) tfmigrate plan --out=foo.tfplan tfmigrate_test.hcl
(2) tfmigrate apply tfmigrate_test.hcl
(3) terraform apply foo.tfplan
(4) terraform state push -force terraform.tfstate
(5) terraform plan -detailed-exitcode
(6) rm terraform.tfstate foo.tfplan
Make sure to force push the local state to remote after
terraform apply. The-forceflag is required in (4) because the lineage of the state will be changed. As you know, this is unsafe operation. But I couldn't find a safe way to do this in the current technical limitations. You can confirm the final plan has no changes in (5).There are some limitations:
foo.tfplanrejects it as a stale plan. Option to not error when showing a stale Terraform plan hashicorp/terraform#28136