
When i run the plan after initial deployment of resources showing the plan out for already deployed resources #295

Open
sadiqgit250691 opened this issue Dec 7, 2023 · 0 comments


sadiqgit250691 commented Dec 7, 2023

Reusable workflow to plan terraform deployment, create artifact and upload to workflow artifacts for consumption

```yaml
name: "Build_TF_Plan"
on:
  workflow_call:
    inputs:
      path:
        description: 'Specifies the path of the root terraform module.'
        required: true
        type: string
      tf_version:
        description: 'Specifies version of Terraform to use. e.g: 1.1.0 Default=latest.'
        required: false
        type: string
        default: latest
      az_resource_group:
        description: 'Specifies the Azure Resource Group where the backend storage account is hosted.'
        required: true
        type: string
      az_storage_acc:
        description: 'Specifies the Azure Storage Account where the backend state is hosted.'
        required: true
        type: string
      keyvault_name:
        description: 'Specifies the Azure Key Vault where the client secret is stored.'
        required: false
        type: string
      keyvault_secret_name:
        description: 'Specifies the Azure Key Vault secret name where the client secret is stored.'
        required: false
        type: string
      az_container_name:
        description: 'Specifies the Azure Storage account container where backend Terraform state is hosted.'
        required: true
        type: string
      tf_key:
        description: 'Specifies the Terraform state file name for this plan. Workflow artifact will use the same name'
        required: true
        type: string
      use_oidc:
        description: 'Authenticate to the Azure backend with OIDC instead of a client secret.'
        required: false
        type: boolean
      gh_environment:
        description: 'Specifies the GitHub deployment environment.'
        required: false
        type: string
        default: null
      tf_vars_file:
        description: 'Specifies the Terraform TFVARS file.'
        required: true
        type: string
      enable_TFSEC:
        description: '(Optional) Enables TFSEC IaC scans and code quality checks on Terraform configurations'
        required: false
        type: boolean
        default: false
    secrets:
      arm_client_id:
        description: 'Specifies the Azure ARM CLIENT ID.'
        required: true
      arm_client_secret:
        description: 'Specifies the Azure ARM CLIENT SECRET.'
        required: false
      arm_subscription_id:
        description: 'Specifies the Azure ARM SUBSCRIPTION ID.'
        required: true
      arm_tenant_id:
        description: 'Specifies the Azure ARM TENANT ID.'
        required: true
      arm_azure_credentials:
        description: 'Specifies the Azure ARM_AZURE_CREDENTIALS.'
        required: true
      KT_INTERAL_REPO_KEY:
        required: true
        description: "KT_INTERAL_REPO_KEY"

permissions:
  actions: read
  contents: read
  id-token: write

jobs:
  build-plan:
    runs-on: [self-hosted, aks]
    environment: ${{ inputs.gh_environment }}
    defaults:
      run:
        shell: bash
        working-directory: ${{ inputs.path }}
    env:
      STORAGE_ACCOUNT: ${{ inputs.az_storage_acc }}
      CONTAINER_NAME: ${{ inputs.az_container_name }}
      RESOURCE_GROUP: ${{ inputs.az_resource_group }}
      TF_KEY: ${{ inputs.tf_key }}.tfstate
      TF_VARS: ${{ inputs.tf_vars_file }}
      USE_OIDC: ${{ inputs.use_oidc }}
      ARM_CLIENT_ID: ${{ secrets.arm_client_id }}
      ARM_SUBSCRIPTION_ID: ${{ secrets.arm_subscription_id }}
      ARM_TENANT_ID: ${{ secrets.arm_tenant_id }}
      ARM_AZURE_CREDENTIALS: ${{ secrets.arm_azure_credentials }}
    steps:
      - name: Checkout
        uses: actions/[email protected]
      # enable_TFSEC is declared as a boolean input, so it is compared against the
      # boolean true; comparing against the string 'true' never matches.
      - name: Scan IaC - tfsec
        if: ${{ inputs.enable_TFSEC == true }}
        uses: aquasecurity/[email protected]
        with:
          sarif_file: tfsec.sarif
      - name: Upload SARIF file
        if: ${{ inputs.enable_TFSEC == true }}
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: tfsec.sarif
      - name: Setup Terraform
        uses: hashicorp/[email protected]
        with:
          terraform_version: ${{ inputs.tf_version }}
      - uses: actions/setup-node@v2
        with:
          node-version: '16'
      - name: Terraform Format
        id: fmt
        run: terraform fmt --check
      - name: Generate Token
        uses: kt/[email protected]
        with:
          kt-internal-repo-key: ${{ secrets.KT_INTERAL_REPO_KEY }}
          export-environment-variable: true
          override-git-config: true
      - name: Terraform Init
        id: init
        run: terraform init --backend-config="storage_account_name=$STORAGE_ACCOUNT" --backend-config="container_name=$CONTAINER_NAME" --backend-config="resource_group_name=$RESOURCE_GROUP" --backend-config="key=$TF_KEY" --backend-config="use_oidc=$USE_OIDC"
      - name: Terraform Validate
        id: validate
        run: terraform validate
      - name: Terraform Plan
        id: plan
        run: terraform plan --var-file=$TF_VARS --out=plan.tfplan
        continue-on-error: true
      - name: Terraform Plan Status
        if: steps.plan.outcome == 'failure'
        run: exit 1
      # The zip contains plan.tfplan so the apply workflow can apply exactly this plan.
      - name: Compress TF Plan artifact
        run: zip -r ${{ inputs.tf_key }}.zip ./*
      - name: Upload Artifact
        uses: actions/[email protected]
        with:
          name: "${{ inputs.tf_key }}"
          path: "${{ inputs.path }}/${{ inputs.tf_key }}.zip"
          retention-days: 7
```

Reusable workflow to download terraform artifact built by az_tf_plan and apply the artifact/plan

```yaml
name: "Apply_TF_Plan"
on:
  workflow_call:
    inputs:
      path:
        description: 'Specifies the path of the root terraform module.'
        required: true
        type: string
      tf_version:
        description: 'Specifies version of Terraform to use. e.g: 1.1.0 Default=latest.'
        required: false
        type: string
        default: latest
      az_resource_group:
        description: 'Specifies the Azure Resource Group where the backend storage account is hosted.'
        required: true
        type: string
      az_storage_acc:
        description: 'Specifies the Azure Storage Account where the backend state is hosted.'
        required: true
        type: string
      az_container_name:
        description: 'Specifies the Azure Storage account container where backend Terraform state is hosted.'
        required: true
        type: string
      tf_key:
        description: 'Specifies the Terraform state file name. Workflow artifact will be the same name.'
        required: true
        type: string
      use_oidc:
        description: 'Authenticate to the Azure backend with OIDC instead of a client secret.'
        required: false
        type: boolean
      gh_environment:
        description: 'Specifies the GitHub deployment environment.'
        required: false
        type: string
        default: null
      tf_vars_file:
        description: 'Specifies the Terraform TFVARS file.'
        required: true
        type: string
      enable_TFSEC:
        description: '(Optional) Enables TFSEC IaC scans and code quality checks on Terraform configurations'
        required: false
        type: boolean
        default: false
    secrets:
      arm_client_id:
        description: 'Specifies the Azure ARM CLIENT ID.'
        required: true
      arm_client_secret:
        description: 'Specifies the Azure ARM CLIENT SECRET.'
        required: false
      arm_subscription_id:
        description: 'Specifies the Azure ARM SUBSCRIPTION ID.'
        required: true
      arm_tenant_id:
        description: 'Specifies the Azure ARM TENANT ID.'
        required: true
      arm_azure_credentials:
        description: 'Specifies the Azure ARM_AZURE_CREDENTIALS.'
        required: true
      KT_INTERAL_REPO_KEY:
        required: true
        description: "KT_INTERAL_REPO_KEY"

permissions:
  actions: read
  contents: read
  id-token: write

jobs:
  apply-plan:
    runs-on: [self-hosted, aks]
    environment: ${{ inputs.gh_environment }}
    defaults:
      run:
        shell: bash
        working-directory: ${{ inputs.path }}
    env:
      STORAGE_ACCOUNT: ${{ inputs.az_storage_acc }}
      CONTAINER_NAME: ${{ inputs.az_container_name }}
      RESOURCE_GROUP: ${{ inputs.az_resource_group }}
      TF_KEY: ${{ inputs.tf_key }}.tfstate
      TF_VARS: ${{ inputs.tf_vars_file }}
      USE_OIDC: ${{ inputs.use_oidc }}
      ARM_CLIENT_ID: ${{ secrets.arm_client_id }}
      ARM_SUBSCRIPTION_ID: ${{ secrets.arm_subscription_id }}
      ARM_TENANT_ID: ${{ secrets.arm_tenant_id }}
      ARM_AZURE_CREDENTIALS: ${{ secrets.arm_azure_credentials }}
    steps:
      - name: Download Artifact
        uses: dawidd6/action-download-artifact@v2
        with:
          workflow: plan-pipeline.yml
          name: ${{ inputs.tf_key }}
          path: ${{ inputs.path }}
      - name: Decompress TF Plan artifact
        run: unzip ${{ inputs.tf_key }}.zip
      - uses: actions/setup-node@v2
        with:
          node-version: '16'
      - name: Generate Token
        uses: kt/[email protected]
        with:
          kt-internal-repo-key: ${{ secrets.KT_INTERAL_REPO_KEY }}
          export-environment-variable: true
          override-git-config: true
      - name: Setup Terraform
        uses: hashicorp/[email protected]
        with:
          terraform_version: ${{ inputs.tf_version }}
      - name: Terraform Init
        id: init
        run: terraform init --backend-config="storage_account_name=$STORAGE_ACCOUNT" --backend-config="container_name=$CONTAINER_NAME" --backend-config="resource_group_name=$RESOURCE_GROUP" --backend-config="key=$TF_KEY" --backend-config="use_oidc=$USE_OIDC"
      # Apply the saved plan from the artifact so that what was reviewed is what
      # runs. A saved plan already carries its variables, so no --var-file here;
      # without the plan file, apply would re-plan against the current state.
      - name: Terraform Apply
        run: terraform apply -auto-approve plan.tfplan
```

I have two templates, each triggering a distinct pipeline—one for planning and another for applying changes. After the initial deployment of resources, when I run the planning template again for a subsequent deployment, it includes resources that have already been deployed.

Workflow structure as follows below:

plan-template.yml
apply-template.yml
plan-pipeline.yml
apply-pipeline.yml

Could you please help me out with refactoring the template code so that I should not see a plan for already deployed resources?
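One defensive check that fits between the plan and apply workflows above, added here as an example and not part of the issue or its workflows: before an apply runs with `-auto-approve`, read the JSON form of the saved plan (what `terraform show -json plan.tfplan` prints in the plan job) and block when the plan wants to `create` an address that a previous apply already recorded, which is the symptom described in the issue and usually means the run is not reading the same remote state, or when it destroys or replaces anything. The plan document, the address list and the resource names are constructed for the example; the function names are this example's own.

```python
"""Gate a saved Terraform plan before -auto-approve.

Added example, not from the issue or its workflows. It parses the JSON
document produced by `terraform show -json plan.tfplan` and blocks the apply
when either of two things is planned:

  * a `create` for an address that is expected to already exist (the run is
    probably not reading the same backend state as the previous apply);
  * a `delete` or replace, which should never pass through -auto-approve
    without an explicit decision.

The sample plan and the expected-existing address list are constructed here.
"""
import json
import sys
from dataclasses import dataclass, field

# Constructed sample: a trimmed `terraform show -json` plan document.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "azurerm_resource_group.rg", "mode": "managed",
         "type": "azurerm_resource_group", "name": "rg",
         "change": {"actions": ["create"], "before": None, "after": {"name": "rg-demo"}}},
        {"address": "azurerm_storage_account.sa", "mode": "managed",
         "type": "azurerm_storage_account", "name": "sa",
         "change": {"actions": ["update"], "before": {"tags": {}}, "after": {"tags": {"env": "dev"}}}},
        {"address": "azurerm_key_vault.kv", "mode": "managed",
         "type": "azurerm_key_vault", "name": "kv",
         "change": {"actions": ["delete", "create"], "before": {}, "after": {}}},
        {"address": "azurerm_virtual_network.vnet", "mode": "managed",
         "type": "azurerm_virtual_network", "name": "vnet",
         "change": {"actions": ["create"], "before": None, "after": {}}},
        {"address": "data.azurerm_client_config.current", "mode": "data",
         "type": "azurerm_client_config", "name": "current",
         "change": {"actions": ["read"], "before": None, "after": {}}},
        {"address": "azurerm_log_analytics_workspace.law", "mode": "managed",
         "type": "azurerm_log_analytics_workspace", "name": "law",
         "change": {"actions": ["no-op"], "before": {}, "after": {}}},
    ],
})

# Constructed: addresses recorded after the previous successful apply, e.g.
# captured with `terraform state list` and stored next to the plan artifact.
EXPECTED_EXISTING = {
    "azurerm_resource_group.rg",
    "azurerm_storage_account.sa",
    "azurerm_key_vault.kv",
    "azurerm_log_analytics_workspace.law",
}


@dataclass
class PlanReport:
    counts: dict = field(default_factory=dict)       # action label -> number of resources
    recreated: list = field(default_factory=list)    # create for an address expected to exist
    destructive: list = field(default_factory=list)  # delete or replace

    @property
    def ok(self) -> bool:
        return not self.recreated and not self.destructive


def classify(actions) -> str:
    """Collapse the plan's action list onto one label."""
    acts = list(actions)
    if acts == ["no-op"]:
        return "no-op"
    if acts == ["read"]:
        return "read"
    if "delete" in acts and "create" in acts:
        return "replace"  # ["delete","create"] or ["create","delete"]
    return acts[0]        # create / update / delete


def gate_plan(plan_json: str, expected_existing) -> PlanReport:
    """Summarise managed-resource changes and collect the blocking findings."""
    plan = json.loads(plan_json)
    report = PlanReport()
    for rc in plan.get("resource_changes", []):
        if rc.get("mode") != "managed":
            continue  # data sources are read-only and never a state problem
        label = classify(rc["change"]["actions"])
        report.counts[label] = report.counts.get(label, 0) + 1
        addr = rc["address"]
        if label == "create" and addr in expected_existing:
            report.recreated.append(addr)
        if label in ("delete", "replace"):
            report.destructive.append(addr)
    return report


if __name__ == "__main__":
    # Read a real plan JSON file when one is given, otherwise use the sample.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN_JSON
    rep = gate_plan(src, EXPECTED_EXISTING)
    print("planned actions:", rep.counts)
    for a in rep.recreated:
        print(f"BLOCK: {a} would be created but was already deployed; check backend key and state")
    for a in rep.destructive:
        print(f"BLOCK: {a} is destroyed or replaced; requires explicit approval")
    sys.exit(0 if rep.ok else 1)
```

Run as a step between `Terraform Init` and `Terraform Apply` with the plan JSON as its argument; a non-zero exit stops the job before anything is applied. On the constructed sample it blocks on `azurerm_resource_group.rg` (a create for an address the previous apply recorded) and on `azurerm_key_vault.kv` (a replace), while the plain update and no-op pass.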
