Releases: andreimerlescu/reconcile-tfstate
Release list
v1.0.4
I am pleased to announce the release of reconcile-tfstate v1.0.4, a critical stability and usability enhancement release. This version addresses crucial operational gaps identified during real-world CI/CD pipeline integration, ensuring more reliable command execution and guaranteeing comprehensive diagnostic reporting even in the face of unexpected errors.
Building on the comprehensive reporting and backup capabilities introduced in previous versions, v1.0.4 makes reconcile-tfstate more resilient and transparent, particularly for automated reconciliation workflows.
Key Features & Improvements in v1.0.4:
- Robust Command Execution (Fixes
terraform importissues):- Corrected Terraform Command Syntax: Resolves a critical bug where
terraform import(andterraform state rm) commands generated by the tool were malformed, leading to execution failures. The tool now correctly structures these commands, placing options like-statebefore positional arguments (ADDR ID). - Explicit Terraform Working Directory (
--tf-working-dirflag): Introduces a new command-line flag (--tf-working-dirdefaulting to.) that explicitly specifies the directory whereterraformcommands should be executed. This ensures consistency and predictability, especially in complex CI/CD environments where the binary might be invoked from varying paths relative to the Terraform project.
- Corrected Terraform Command Syntax: Resolves a critical bug where
- Guaranteed Error Reporting and Audit Trails to S3:
- Automatic S3 Upload on Application Crash: Implements a robust error recovery mechanism. If
reconcile-tfstateencounters an unexpected error or panic during execution (e.g., a criticalterraformcommand fails), it will now automatically attempt to upload all generated local backups and reports (Markdown and JSON) to your configured S3 bucket. This ensures vital diagnostic information is captured and persisted for debugging, even if the application terminates unexpectedly. - Comprehensive Command Execution Logs in Reports: The JSON report (
report.<env>.json) now includes a detailedexecution_logsarray. This array captures the exact command string executed, itsstdout,stderr,exit_code, and anyerrorencountered for every remediation command attempted. This provides an invaluable audit trail, clarifying precisely what happened during automated execution. - Enhanced JSON Report for Root-Level Errors: The JSON report now features an
application_errorfield at the root level, providing clear visibility into any top-level application panics or critical failures that prevented full report generation.
- Automatic S3 Upload on Application Crash: Implements a robust error recovery mechanism. If
- Internal Code Quality & Efficiency Enhancements:
- Optimized Struct Memory Layout: Fields within key Go structs (
Config,ResourceStatus,AWSClient,TFStateFile,OutputStateV4,ResourceStateV4,InstanceObjectStateV4,CheckResultsV4,CheckResultsObjectV4,CommandExecutionLog,JSONBackupPaths,JSONResultItem,JSONResults,JSONOutput) have been reordered from largest to smallest type size. This reduces memory padding, leading to a slightly smaller memory footprint and potentially improved performance. - Resolved Minor Typos and Logic Gaps: Addressed small but impactful errors such as a
uint66typo, missingCategoryfield references inResourceStatus, missingModefield references inResourceStateV4, and an undefinedserviceNamevariable in a specific ECS verification path.
- Optimized Struct Memory Layout: Fields within key Go structs (
How to Use (New --tf-working-dir flag & Enhanced JSON Output):
To leverage the new working directory control:
# Example in GitHub Actions or any script:
# Assuming your Terraform project root is in: /home/runner/work/another-terraform-project/another-terraform-project/terraform-environments/dev
# And reconcile-tfstate is run from: /home/runner/work/another-terraform-project/another-terraform-project/terraform-environments/dev
./reconcile-tfstate \
-s3-state "s3://your-bucket/path/to/dev.tfstate" \
-region "us-west-2" \
-backups-dir "./backups" \
--json \
--should-execute \
--tf-working-dir "." # Or, if run from a different directory, specify the actual path to your Terraform projectViewing the Changes and Audit Trails:
- GitHub Actions Artifacts: After any workflow run (even failed ones), navigate to the "Summary" tab of the workflow run in GitHub Actions. Look for the "Artifacts" section. The generated JSON report (
tfstate-man-report-env-region.json) will be available for download. This report now containsexecution_logsfor detailed command outcomes. - S3 Backups: In the event of a critical failure during execution of the
reconcile-tfstatebinary itself, look in your S3 bucket (s3://your-bucket/state-backups/YYYY/MM/TIMESTAMP/) for the timestampedreport.json,report.txt, and backup state files. These will contain the diagnostic information.
Known Limitations / Future Enhancements:
- This tool still only supports Terraform state file format version 4.
This v1.0.4 release significantly enhances reconcile-tfstate's reliability and diagnostic capabilities, making it an even more trustworthy component in your automated infrastructure management workflows.
v1.0.2
I am pleased to announce the release of reconcile-tfstate v1.0.2, a maintenance and enhancement release that further refines its output, improves data integrity reporting, and solidifies its robust backup mechanisms.
Building on the significant resource verification and backup capabilities introduced in v1.0.1, this release focuses on providing more comprehensive and versatile reporting for improved automation and auditing.
Key Features & Improvements in v1.0.2:
- Comprehensive Backup Data in JSON Format:
- Introduces a new
--jsonflag to render the entire reconciliation report (including configuration, results, and backup details) in a structured JSON format directly to standard output. This enables easy parsing with tools likejqfor automation workflows. - Always-On File-Based JSON Report: Regardless of whether the
--jsonflag is used for console output, a detailed JSON report (report.<env>.json) and its SHA256 checksum (report.<env>.json.sha256) are now always saved to the designated backup directory (--backups-dir). This ensures a complete, machine-readable audit trail for every run.
- Introduces a new
- Enhanced State File Backup Integrity Reporting:
- The
new_checksumfield in the JSON and Markdown reports is now guaranteed to be populated. It accurately reflects the SHA256 checksum of the post-reconciliation local state file (new.<env>.tfstate), ensuring complete integrity verification even when noterraform importorstate rmcommands were executed. - The
new.<env>.tfstatebackup file is now always created in the backup directory, mirroring the final state after reconciliation, regardless of whether changes occurred.
- The
- Accurate State File Source Reporting: The
statefield in the JSON output now correctly reflects the original source URI of the Terraform state file (e.g.,s3://bucket/keyor/path/to/local.tfstate), providing precise context for state provenance in the report. - Improved Backup File Naming Consistency: Resolved an issue where backup state files might be saved with redundant extensions (e.g.,
.tfstate.tfstate). Backup state files are now consistently namedoriginal.<env>.tfstateandnew.<env>.tfstate. - Minor Code Refinements: Addressed minor unused parameter warnings and internal logic streamlining for improved code quality and maintainability.
Key Features & Improvements (from v1.0.1, still relevant):
- Expanded Resource Verification Coverage: Dramatically increased the number of AWS resource types fully analyzed and verified against live infrastructure. This includes comprehensive checks for EC2, Auto Scaling, CloudWatch, IAM, Lambda, CloudFront, S3 configurations, and ECS.
- Automated State File Backups with History and Integrity Checks: Introduces the
--backups-dirflag (defaulting to./backups) and automatically generates SHA256 checksums for both original and modified state files. Supports structured S3 backups for--s3-stateconfigurations. - Improved Reporting: The full reconciliation report, including hashes and change details, is saved to a Markdown file within the backup directory.
- Clearer Console Output: Streamlined the console output for better readability.
- Automated Remediation (
--should-execute): Capability to automatically execute suggestedterraform importandterraform state rmcommands.
How to Use (New --json flag):
# Get JSON output to console, and save all reports to backups/
reconcile-tfstate --s3-state s3://your-bucket/path/to/dev.tfstate --region us-west-2 --json
# Analyze a local state file, execute changes, and save all reports to backups/
reconcile-tfstate --state dev.tfstate --region us-west-2 --should-executeKnown Limitations / Future Enhancements:
- This tool still only supports Terraform state file format version 4.
This v1.0.2 release further enhances reconcile-tfstate's utility, auditability, and ease of integration into automated pipelines.
v1.0.0
I am excited to announce the initial release of reconcile-tfstate, a crucial new tool designed to help us manage and reconcile our Terraform state files with greater confidence and efficiency. This binary was developed to directly address the challenges we've faced with state file discrepancies, particularly after recent multi-region resource movements.
Key Features & Improvements:
- Comprehensive State File Analysis: Scans your Terraform state file (
.tfstate) and compares it against live AWS resources in a specified region. - Intelligent Categorization: Provides a clear, actionable report categorizing every resource into one of six states:
OK: Resource exists in both state and AWS, and IDs match.INFO: Local data sources or resources that don't require external AWS verification.WARNING: Resources that are complex to verify fully, or that have minor discrepancies not requiring immediate action (e.g.,aws_security_group_rule,aws_region). Manual verification is recommended for these.ERROR: Critical issues found during live AWS checks (e.g., a child resource is present in state, but its parent resource is missing in AWS). These often indicate fundamental infrastructure issues or severe state corruption.REGION_MISMATCH: Resources that exist in the state file but whose ARN indicates a different AWS region than the one being scanned. This helps identify resources that have truly "moved" or are tracked in the wrong state.DANGEROUS: Resources present in the state file but explicitly not found in the target AWS environment. These represent potential drift or unmanaged deletions and require immediate attention.POTENTIAL_IMPORT: Resources found in AWS that exist in your state, but their IDs (or other identifying attributes) don't perfectly match, indicating they might need to be imported to fix the state.
- Automated Remediation Commands: Generates a ready-to-use list of
terraform importandterraform state rmcommands to quickly synchronize your state file with reality. - S3 State File Support: Seamlessly downloads and prepares state files directly from S3 for analysis, providing clear instructions for re-uploading modified state (with versioning in mind).
How to Use:
# Analyze a local state file
reconcile-tfstate --state dev.tfstate --region us-west-2
# Analyze an S3-backed state file
reconcile-tfstate --s3-state s3://your-bucket/path/to/dev.tfstate --region us-west-2Known Limitations / Future Enhancements:
aws_security_group_rule: Due to the complex, nested nature of security group rules in the AWS API, full attribute-level verification is not yet implemented and they are flagged asWARNING. Manual validation for these specific rules is still recommended.
This tool marks a significant step towards improving our Terraform state hygiene and reducing manual debugging efforts. We encourage everyone working with Terraform to integrate it into their workflow.
Technical Preview
I AM ($IAM) excited to announce the first technical preview pre-release of reconcile-tfstate! This tool helps you detect and manage discrepancies between your Terraform state file and your live AWS infrastructure. Our goal is to provide a robust solution for identifying drift and assisting with state reconciliation.
As a technical preview, this release is intended for early adopters to test and provide feedback. Expect ongoing development, potential breaking changes in future pre-releases, and an evolving feature set. Your input is crucial for shaping the future of this tool!
What's Included
This initial preview focuses on core functionality:
- Terraform State File Parsing: Reads and interprets Terraform state files (currently supporting Terraform state file version 4).
- AWS Resource Verification: Connects to your AWS account to verify the existence and details of resources declared in your state.
- S3 State Support:
- Download: Automatically downloads Terraform state files from S3 buckets.
- Upload Instructions: Provides clear AWS CLI commands to upload the modified state back to S3, ensuring versioning is maintained.
- Drift Detection: Identifies resources that are:
DANGEROUS: In state but not found in AWS (e.g., manually deleted).POTENTIAL_IMPORT: Found in AWS but with a different ID than in state, suggesting they exist but aren't correctly tracked.REGION_MISMATCH: Resources whose ARNs indicate they are in a different AWS region than the one being checked.
- Actionable Commands: Generates
terraform importorterraform state rmcommands where applicable, helping you resolve discrepancies. - Supported Resource Types: Initial support for verifying common AWS resources, including:
aws_s3_bucketaws_cloudwatch_log_groupaws_key_pairaws_security_groupaws_route53_zoneaws_lbaws_lb_listeneraws_lb_target_groupaws_lb_listener_rule- Ignores local/data resources like
aws_caller_identity,aws_iam_policy_document,archive_file,local_file, andrandom_password.
- Concurrency Control: Allows you to specify the number of concurrent AWS API calls for faster checks.
- Version Flag: Use
--vto display the tool's version.
Known Limitations & Areas for Improvement
- Limited Resource Type Coverage: The current version only supports a subset of AWS resource types. We plan to expand this significantly.
- Read-Only Verification: This tool performs read-only checks against AWS. It does not modify your AWS resources directly. Any suggested
terraformcommands must be executed manually. - Error Handling Refinements: Ongoing work to improve error messaging and robustness.
- Terraform State Version Support: Currently restricted to v4 state files.
We Need Your Feedback!
This is your chance to influence the development of reconcile-tfstate. Please report any issues, unexpected behaviors, or feature requests via the GitHub Issues page.
Thank you for being an early tester!