feat(terraform): add apply --forbid-resource-changes guard #194
Merged
Generic safety flag: with --forbid-resource-changes, `mars <env> apply`
produces (or reuses) a saved plan, inspects it via `terraform show -json`,
and FAILS if the plan would create, update, or delete (incl. replace) any
managed resource. State-only actions — no-op, read, and forget (a
`removed { lifecycle { destroy = false } }` block) — are allowed; the vetted
plan is then applied exactly (no TOCTOU, no -auto-approve needed for a saved
plan).
Use case: safely apply state-only changes — e.g. forgetting adopted /
reverse-imported resources from state before a destroy — while failing loudly
if the same apply would also touch real infrastructure. Not tied to any
specific consumer; it's a generic terraform guard.
Parses with hashicorp/terraform-json (promoted from indirect to direct dep).
Tests: assertNoResourceChanges classification truth table (forget/no-op/read
allowed; create/update/delete/replace refused, naming the offenders) + a
Fake-runner flow test asserting the guarded apply refuses (no `terraform
apply`) on a resource change and proceeds to `apply <savedplan>` on a
state-only forget.
Generic terraform safety guard, added for the InsideOut #2048 two-step destroy but not coupled to it.
What
`mars <env> apply --forbid-resource-changes`:
- Produces (or reuses, via `--plan`) a saved plan.
- Inspects it via `terraform show -json` (parsed with `hashicorp/terraform-json`).
- Fails if the plan would create, update, or delete (incl. replace) any managed resource; the state-only actions `no-op`, `read`, and `forget` (a `removed { lifecycle { destroy = false } }` block) are allowed.
- Applies the vetted plan exactly (no TOCTOU, no `-auto-approve`).
Why
Lets a caller safely apply state-only changes — e.g. forgetting adopted / reverse-imported resources from state before a destroy — while failing loudly if the same apply would also touch real infrastructure. It's a generic guard (no consumer-specific logic), usable by any pipeline that wants "apply, but only if nothing real would change."
First consumer: sandbox-infrastructure-template's two-step `tfDestroy` (apply the `removed {}` forgets, then destroy) — reliable #2048.
Tests
- `assertNoResourceChanges` truth table: forget/no-op/read allowed; create/update/delete/replace refused, naming the offenders; forget+delete still refused (names the delete).
- Fake-runner flow test: refuses (no `terraform apply`) when a resource would change; proceeds to `apply <savedplan>` for a state-only forget.
- `go build`, `go vet`, `gofmt`, full `internal/terraform` suite green.
- `terraform-json` promoted from indirect to direct dep.
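The guard described in this PR, as an added illustration that is not the project's own code: it parses the `resource_changes[].change.actions` list from `terraform show -json` output with the standard library instead of `hashicorp/terraform-json`, fails closed on any action list it does not recognise, and only runs `apply <savedplan>` on the very file it inspected. The names `classifyActions`, `guardedApply`, `Runner` and `fakeRunner`, and the two sample plans, are hypothetical and constructed here; the real flag, `assertNoResourceChanges` helper and fake runner in the project may look different.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// planJSON is the subset of `terraform show -json <planfile>` output the guard
// needs: each resource change carries an "actions" list.
type planJSON struct {
	ResourceChanges []struct {
		Address string `json:"address"`
		Change  struct {
			Actions []string `json:"actions"`
		} `json:"change"`
	} `json:"resource_changes"`
}

// classifyActions maps an actions list to a short label and whether the guard
// allows it. Only state-only actions pass; anything unrecognised fails closed.
func classifyActions(actions []string) (string, bool) {
	switch key := strings.Join(actions, ","); key {
	case "no-op", "read", "forget":
		return key, true
	case "create", "update", "delete":
		return key, false
	case "delete,create", "create,delete": // Terraform encodes replace as a pair
		return "replace", false
	default:
		return "unknown(" + key + ")", false
	}
}

// assertNoResourceChanges returns nil when every planned change is state-only
// (no-op, read, forget), otherwise an error naming each offending address.
func assertNoResourceChanges(showJSON []byte) error {
	var p planJSON
	if err := json.Unmarshal(showJSON, &p); err != nil {
		return fmt.Errorf("parse plan json: %w", err)
	}
	var offenders []string
	for _, rc := range p.ResourceChanges {
		if label, ok := classifyActions(rc.Change.Actions); !ok {
			offenders = append(offenders, rc.Address+" ("+label+")")
		}
	}
	if len(offenders) == 0 {
		return nil
	}
	sort.Strings(offenders)
	return fmt.Errorf("plan would change %d managed resource(s): %s",
		len(offenders), strings.Join(offenders, ", "))
}

// Runner stands in for `terraform <args...>` (hypothetical name, not the
// project's interface) so the flow can run without a Terraform binary.
type Runner func(args ...string) ([]byte, error)

// guardedApply vets a saved plan file and then applies that same file, so the
// artefact that was inspected is exactly the artefact that gets applied.
func guardedApply(tf Runner, planFile string) error {
	out, err := tf("show", "-json", planFile)
	if err != nil {
		return err
	}
	if err := assertNoResourceChanges(out); err != nil {
		return fmt.Errorf("refusing to apply %s: %w", planFile, err)
	}
	_, err = tf("apply", planFile)
	return err
}

// fakeRunner answers `show -json` with the given plan output and records every
// invocation so a caller can check whether `apply` was ever reached.
func fakeRunner(showOutput string) (Runner, *[]string) {
	calls := &[]string{}
	return func(args ...string) ([]byte, error) {
		*calls = append(*calls, strings.Join(args, " "))
		switch args[0] {
		case "show":
			return []byte(showOutput), nil
		case "apply":
			return []byte("Apply complete!"), nil
		}
		return nil, errors.New("unexpected terraform command: " + args[0])
	}, calls
}

// Constructed sample plans (not real terraform output).
const stateOnlyPlan = `{"resource_changes":[
  {"address":"aws_s3_bucket.adopted","change":{"actions":["forget"]}},
  {"address":"aws_iam_role.keep","change":{"actions":["no-op"]}},
  {"address":"data.aws_caller_identity.me","change":{"actions":["read"]}}]}`

const mixedPlan = `{"resource_changes":[
  {"address":"aws_s3_bucket.adopted","change":{"actions":["forget"]}},
  {"address":"aws_instance.web","change":{"actions":["delete","create"]}},
  {"address":"aws_security_group.db","change":{"actions":["delete"]}}]}`

func main() {
	for name, plan := range map[string]string{"state-only": stateOnlyPlan, "mixed": mixedPlan} {
		tf, calls := fakeRunner(plan)
		err := guardedApply(tf, "tfplan")
		fmt.Printf("%s: err=%v calls=%v\n", name, err, *calls)
	}
}
```

The mixed plan is refused with both offenders named (the forget in the same plan does not rescue it), and the recorded calls show that `apply` was never invoked; the state-only plan records `show -json tfplan` followed by `apply tfplan`. The default branch of `classifyActions` is the part worth keeping: an empty or unexpected action list is refused rather than waved through, which is the right failure direction for a guard whose job is to keep an apply from touching real infrastructure.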