newcontext-oss/kitchen-terraform

Feature request: Optionally run `terraform plan` during `kitchen create`

Opened this issue · 2 comments

When Terraform is used during normal operations it's common to either run a `terraform plan` before applying changes or review the plan preview with `terraform apply` to get an idea of what Terraform is about to do. This plan stage is not exposed by kitchen-terraform, which makes it a bit tricky to do things like ensure that `kitchen converge` doesn't require a second converge. Part of the challenge is that test-kitchen doesn't have a concept of a "plan" stage, so there's no obvious point of insertion for this functionality.

As a workaround a user can directly call `terraform plan` with all of the required arguments, but this can be slightly cumbersome if kitchen-terraform is providing variables with `-var` or variable files with `-var-file`.

A possible solution to this is to optionally run a `terraform plan` during `kitchen create`. Both `terraform plan` and `kitchen create` should be largely idempotent operations, and `kitchen create` is a somewhat natural place to insert this behavior since `terraform plan` precedes `terraform apply` in the same manner that `kitchen create` precedes `kitchen converge`.

One thing to note is that running a `terraform plan` can potentially stall if any resources are slow to refresh, so this should be opt-in. This sketches out one possible configuration method.

```yaml
provisioner:
  name: terraform
  plan_on_create: true
```

The downside of this approach is that we're hijacking `kitchen create` to insert behavior that's not really part of the creation lifecycle step. Using `kitchen create` will inherently have to re-run `terraform init` and `terraform workspace select` for consistency, so inserting the `terraform plan` might be a bit too hacky to be viable.

Alternatively, simply putting the plan before the apply in `kitchen converge` also seems helpful.

Hi @adrienthebo and @morgante. Thank you for your interest in the project!

I'm in favour of adding `terraform plan` before `terraform apply` in `kitchen converge` due to the caveats which @adrienthebo highlighted.

A configuration attribute could be added which would cause `kitchen converge` to run `terraform plan` and not to run `terraform apply`. I think this would strike a balance between the desire to inspect a plan before provisioning infrastructure and maintaining the existing Kitchen-Terraform workflow.

I believe it would make sense to generate a plan file to be used for `terraform apply` to ensure that the plan displayed generates the state which is ultimately tested.
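
The manual workaround and the saved-plan idea from this thread, as an added Ruby example that is not part of the issue or of kitchen-terraform's code: it builds the `-var`/`-var-file` flags from a kitchen config, applies exactly the plan file that was produced, and goes one step further by re-planning with `-detailed-exitcode` to detect whether a second converge would be needed. The function names, the plan file name and the placement of `variables` and `variable_files` under `driver` are assumptions of this example.

```ruby
require "yaml"

# Constructed sample of a .kitchen.yml driver section. Placing `variables` and
# `variable_files` under `driver` is an assumption of this example.
SAMPLE_KITCHEN_YAML = <<~YAML
  driver:
    name: terraform
    variable_files:
      - testing.tfvars
    variables:
      region: us-east-1
      instance_count: "2"
YAML

# Translate the configured variables into the flags `terraform plan` expects.
def var_flags(driver)
  files = Array(driver["variable_files"]).map { |path| "-var-file=#{path}" }
  vars = (driver["variables"] || {}).map { |name, value| "-var=#{name}=#{value}" }
  files + vars
end

# Default runner: execute terraform in the current directory (assumed to be the
# root module) without a shell and return its exit status.
SYSTEM_RUNNER = lambda do |argv|
  system(*argv)
  $?.exitstatus
end

# Plan to a file, apply exactly that file, then plan again to see whether
# anything is still pending. Returns :converged, :needs_second_converge or :failed.
def plan_apply_verify(driver, plan_file: "kitchen.tfplan", runner: SYSTEM_RUNNER)
  flags = var_flags(driver)
  plan = ["terraform", "plan", "-input=false", "-out=#{plan_file}", *flags]
  return :failed unless runner.call(plan).zero?

  # A saved plan already carries its variable values, so no -var flags here.
  apply = ["terraform", "apply", "-input=false", plan_file]
  return :failed unless runner.call(apply).zero?

  # -detailed-exitcode: 0 = no changes, 1 = error, 2 = changes still pending.
  check = ["terraform", "plan", "-input=false", "-detailed-exitcode", *flags]
  case runner.call(check)
  when 0 then :converged
  when 2 then :needs_second_converge
  else :failed
  end
end
```

Passing a custom `runner` lambda lets the sequence be exercised without Terraform installed; the default runner assumes `terraform init` has already been run in the working directory.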