-
-
Notifications
You must be signed in to change notification settings - Fork 957
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
apply-all and auto-approve is a dangereous combination. #486
Comments
That's a fair point. What would be your suggested fix? FWIW, we very rarely use |
I would suggest enabling auto-approve only when terragrunt-non-interactive is specified. My use case for apply-all is for non production infrastructure ( of which i have many ) and mostly , i'd say , for convenience. So far i have been doing one module at the time as well. I have yet to implement a Pipeline like the one you describe, and maybe if i did i would find this issue less important. |
New user to terragrunt and found the auto apply on apply-all quite a problem when developing. Would love a simple option to toggle that. |
@brikis98 Do you have a link of working sample of CI/CD Pipeline for the process you mentioned ? For anyone who still wants auto approve with
Hope this helps !! |
To |
And of course disabling auto-approve when terragrunt-non-interactive is not set. What about it? Would a change like this be accepted? I can make a PR, that does not sound very hard to do. |
It sounds like in the description of the PR, the goal was not to disable auto-approve, but to change when approval is requested. That is, you want to see and approve the I'm having a bit of a brain fart though. Doesn't that happen already if you just run |
Yes, I want to see the plan of each module and confirm it before apply, one at a time. I believe this should be the default behaviour (overridable with terragrunt-non-interactive)
Nope. Currently you get one interactive question asked:
And beyond that, no more interaction. Each terraform apply is executed with So, the proposed change is:
I believe the current interactive behaviour is useless and there is no need to keep it. Either you want to be interactive and you care about the plan before the apply, and you want terraform to ask for a confirmation, or you don't care about the plan and you switch to non interactive. The question Are you sure you want to run 'terragrunt apply' in each folder of the stack described above? (y/n) is not really useful as you give your consent to something you don't fully know before you see the plan results. |
Ah, that's the context I was missing. Thanks for explaining!
Agreed. PR to do this is very welcome! 👍 |
Note that for whoever is trying to implement this, you will run into issues where the This will lead to a few issues:
I am not sure it is possible to implement this without disabling the concurrency (from a UX perspective), so it seems like #636 is a necessary prerequisite. |
Hi all, When running a terragrunt apply, what is the difference between terragrunt apply -auto-approve vs. terragrunt apply --terragrunt-non-interactive? |
|
Do we have any ETA to change this beaviour? |
EDIT: Disregard this comment, even For others arriving at this issue, terragrunt now discourages the use of The above issue works as expected when using If you want to skip terragrunt's prompts, then use: |
@emilhdiaz, in my case |
@tensor5 You're right, not sure how I missed that before (made a note of it in my prior comment, thanks). In that case, I would echo the OP. This behavior seems counter intuitive to me. |
In v0.38.1, a I'd like to ensure this argument is provided for all From my understanding, the
I also considered setting an environment variable using Does anyone have any thoughts? |
@jlepere-everlaw Just came across this new flag myself. You might have better luck simply setting the |
Thanks, @emilhdiaz! I ended up setting the |
New Terragrunt user here. I love the fact that you can have your Terragrunt Architecture DRY. It helps A LOT when you have multiple modules and dependencies between them. I came from a pure Terraform complex multi-account level structure, and TF sucks really bad at dependencies between modules and duplication of code. TBH, the I wish Also, need to think about consistency. In I have also published a discussion here, to debate best practices on my use case. |
related to #386 where the auto-approve option for terraform was hardcoded into the apply-all command.
Maybe i am doing something wrong so please correct me.
Assume a setup with 2 modules
When apply-all is run there is no opportunity to verify what changes will be caused in moduleB depending on changes in moduleA
It would be great if, when running terragrunt interactively , the apply-all command gave a chance to review the plan before actually applying it for all modules in the stack.
in the Issue #386 where this option was discussed (sorry i was not around at the time) it was assumed that there was no use-case to not want the terraform auto-approve option always enabled in an apply-all case but i tend to disagree.
It was argued that without it all automated runs of apply-all would break but that is what the terragrunt-non-interactive flag should be about. It should make the run of terragrunt non interactive and so enable the auto-approve terraform option.
Is there anything i am missing that would let me run an apply-all without the risk of destroying all my resources because of no chance of checking the changes before they are applied ?
The text was updated successfully, but these errors were encountered: