ljfranklin/terraform-resource

Imports persisted to state on plan_only runs

fenech opened this issue · 4 comments

When plan_only is used, the state is updated with any resources that were imported. This can lead to inconsistencies if the resource definitions change before the plan is applied.

In our use case, we run using plan_only during a Pull Request and may make changes before merging/applying. It would be useful to prevent the imports from being persisted until after the apply.

I guess that this behaviour was inadvertently added as a consequence of #146

> It would be useful to prevent the imports from being persisted until after the apply.

That's not how Terraform works unfortunately. Running terraform import immediately updates the statefile to include IDs for those resources, although it does not modify the actual resources. When generating a Plan, you have to run the import prior to generating the plan so that the plan includes "update" operations for those existing imported resources rather than "create" operations. I don't think Terraform supports the workflow you're describing where you generate a plan with a list of imports but don't want to actually add the imports to the statefile until later.

My problem isn't that the state file is updated; as you say, that makes sense. The problem is that the updated state file ends up being pushed to S3.

Again, that's something Terraform does automatically. When you have a backend configured and run terraform import, Terraform will immediately update your statefile in that storage backend like S3. The import command is mostly intended for one-off surgeries on your statefile like initially migrating your stack to Terraform. Relying on import as part of your normal workflow is likely to cause friction like you're seeing; Terraform really wants to create its resources directly.

The only workaround I can think of is to add a task to download the existing statefile from S3 then configure the plan step to use a local backend pointing to that file rather than using the S3 backend directly, although I'm not positive if that will work either.
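A check for the behaviour discussed in this thread, as an added example that is not part of the original comments or the project's code: it compares two snapshots of a Terraform state file, taken before and after a plan_only run, and reports resource addresses that appeared in between, which is how persisted imports show up. The state documents are constructed samples in the version 4 state layout, and the function names are hypothetical.

```python
import json

def resource_addresses(state):
    """Return the set of resource addresses recorded in a state document."""
    addrs = set()
    for res in state.get("resources", []):
        parts = []
        if res.get("module"):            # e.g. "module.dns"
            parts.append(res["module"])
        if res.get("mode") == "data":    # data sources are addressed as data.TYPE.NAME
            parts.append("data")
        parts += [res["type"], res["name"]]
        addrs.add(".".join(parts))
    return addrs

def diff_state(before, after):
    """Report what a run between the two snapshots persisted to state."""
    if before.get("lineage") != after.get("lineage"):
        raise ValueError("snapshots come from different state lineages")
    old, new = resource_addresses(before), resource_addresses(after)
    return {
        "serial_bumped": after.get("serial", 0) > before.get("serial", 0),
        "added": sorted(new - old),
        "removed": sorted(old - new),
    }

# Constructed snapshot taken before the plan_only run.
BEFORE = {"version": 4, "serial": 7, "lineage": "constructed-lineage-0001",
          "resources": [
              {"mode": "managed", "type": "aws_vpc", "name": "main",
               "instances": [{"attributes": {"id": "vpc-constructed"}}]},
              {"module": "module.dns", "mode": "data",
               "type": "aws_route53_zone", "name": "primary", "instances": []},
          ]}

# Constructed snapshot taken after it: one imported resource was written.
AFTER = {**BEFORE, "serial": 8,
         "resources": BEFORE["resources"] + [
             {"mode": "managed", "type": "aws_s3_bucket", "name": "logs",
              "instances": [{"attributes": {"id": "bucket-constructed"}}]},
         ]}

if __name__ == "__main__":
    report = diff_state(BEFORE, AFTER)
    print(json.dumps(report, indent=2))
    # Non-zero exit lets a pipeline step flag a plan run that changed state.
    raise SystemExit(1 if report["added"] or report["removed"] else 0)
```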