Preventing accidental deletes #26511

Closed
steeling opened this issue Oct 8, 2020 · 5 comments
Labels
enhancement new new issue not yet triaged

Comments

@steeling
Contributor

steeling commented Oct 8, 2020

Hi there,

Looking to remove some potential "foot guns". I had created a k8s cluster with azurerm_kubernetes_cluster, and found I can't pass the creds to other providers in the same module.

If I move a resource from one module to another, or move some files and forget a file (thereby omitting terraform resource definitions), terraform deletes the resource. The issue is that running this under automation often comes with -auto-approve. How can we prevent people from shooting themselves in the foot?

How about adding a --no-delete flag to terraform apply?

@steeling steeling added enhancement new new issue not yet triaged labels Oct 8, 2020
@jbardin
Member

jbardin commented Oct 8, 2020

Hi @steeling,

This would likely fall under the proposal to make deletion events more manageable, which we're tracking here: #24658

In general, we would not recommend using --auto-approve in automation, specifically to prevent this type of situation. Most workflows will be in 2 steps, generating a plan for inspection, and then applying that plan.

Thanks!

@jbardin jbardin closed this as completed Oct 8, 2020
@steeling
Contributor Author

Thanks for the reply @jbardin!

Quick question, the docs here mention that specifying a plan file is ignored when using remote state... https://www.terraform.io/docs/commands/apply.html#state-path, what is the guidance in this case? Does this specifically mean when using the "remote" field, or does this also apply to azurerm backends, or s3 buckets?

@jbardin
Member

jbardin commented Oct 12, 2020

I'm not sure where you are seeing that. The linked docs do mention that the -state and -state-out flags are ignored when you are not using local state. The apply operation always operates on a plan, which is fundamental to how terraform functions. Running apply with no plan just combines plan and apply into 1 step, with -auto-approve skipping the review of the plan.

@steeling
Contributor Author

I see now, I was conflating the state file with the plan file. Thanks for the clarification here!

If I may ask one more semi-related question:

Is there a way to do a refresh of the state file, without updating the remote-state? i.e., a terraform refresh -dry_run, without rewriting the old state file. The goal is that I would like to detect out-of-band changes that were not made through terraform to prevent "stomping" over people's changes.

Something like

tf show > tfstate.old
tf refresh -dry_run > tfstate.new
diff tfstate.old tfstate.new

@ghost

ghost commented Nov 8, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked as resolved and limited conversation to collaborators Nov 8, 2020