apply-all and auto-approve is a dangereous combination.

[primeroz]

related to #386 where the auto-approve option for terraform was hardcoded into the apply-all command.

Maybe i am doing something wrong so please correct me.

Assume a setup with 2 modules

• moduleA - Independent Module
• moduleB - Depends_on moduleA
  • moduleB uses a terraform remote state from moduleA to extract some resource attributes

When apply-all is run there is no opportunity to verify what changes will be caused in moduleB depending on changes in moduleA

• running a plan-all first does not help because changes in moduleB will only happen after the remote state for moduleA is updated with an apply
• running an apply-all will not give me any chance to review the changes in moduleB due to the updated remote state for moduleA , this is very dangereous
• The only option left is to run plan and apply for each module manually, which can be quite a pain when there are many modules to run and makes the dependency management in terragrunt useless.

It would be great if, when running terragrunt interactively , the apply-all command gave a chance to review the plan before actually applying it for all modules in the stack.

in the Issue #386 where this option was discussed (sorry i was not around at the time) it was assumed that there was no use-case to not want the terraform auto-approve option always enabled in an apply-all case but i tend to disagree.

It was argued that without it all automated runs of apply-all would break but that is what the terragrunt-non-interactive flag should be about. It should make the run of terragrunt non interactive and so enable the auto-approve terraform option.

Is there anything i am missing that would let me run an apply-all without the risk of destroying all my resources because of no chance of checking the changes before they are applied ?

[brikis98]

That's a fair point. What would be your suggested fix?

FWIW, we very rarely use apply-all for anything other than the initial deployment of an entire environment. After that, once code is running in prod, we always deploy one module at a time, usually via CI, with PR and plan reviews. In other words, I'd argue apply-all in prod in general is risky, even if it had a proper interactive mode.

[primeroz]

I would suggest enabling auto-approve only when terragrunt-non-interactive is specified.

My use case for apply-all is for non production infrastructure ( of which i have many ) and mostly , i'd say , for convenience. So far i have been doing one module at the time as well.

I have yet to implement a Pipeline like the one you describe, and maybe if i did i would find this issue less important.

[bfleming-ciena]

New user to terragrunt and found the auto apply on apply-all quite a problem when developing. Would love a simple option to toggle that.

[aaratn]

That's a fair point. What would be your suggested fix?

FWIW, we very rarely use apply-all for anything other than the initial deployment of an entire environment. After that, once code is running in prod, we always deploy one module at a time, usually via CI, with PR and plan reviews. In other words, I'd argue apply-all in prod in general is risky, even if it had a proper interactive mode.

@brikis98 Do you have a link of working sample of CI/CD Pipeline for the process you mentioned ?

For anyone who still wants auto approve with apply-all. I got workaround by using bash hack

echo "Y" | terragrunt apply-all

Hope this helps !!

[ozbillwang]

Thanks @aaratn

Seems terragrunt apply-all doesn't support -auto-approve , furtherly it doesn't support -help as well. I raised #884 for this issue.

[lukasz-kaniowski]

To auto-approve you can execute terragrunt apply-all --terragrunt-non-interactive

[mildred]

I would suggest enabling auto-approve only when terragrunt-non-interactive is specified.

And of course disabling auto-approve when terragrunt-non-interactive is not set.

What about it? Would a change like this be accepted? I can make a PR, that does not sound very hard to do.

[brikis98]

And of course disabling auto-approve when terragrunt-non-interactive is not set.

It sounds like in the description of the PR, the goal was not to disable auto-approve, but to change when approval is requested. That is, you want to see and approve the plan output of each module before apply is executed.

I'm having a bit of a brain fart though. Doesn't that happen already if you just run apply-all, as apply shows the plan and asks for confirmation?

[mildred]

It sounds like in the description of the PR, the goal was not to disable auto-approve, but to change when approval is requested. That is, you want to see and approve the plan output of each module before apply is executed.

Yes, I want to see the plan of each module and confirm it before apply, one at a time. I believe this should be the default behaviour (overridable with terragrunt-non-interactive)

I'm having a bit of a brain fart though. Doesn't that happen already if you just run apply-all, as apply shows the plan and asks for confirmation?

Nope. Currently you get one interactive question asked:

Are you sure you want to run 'terragrunt apply' in each folder of the stack described above? (y/n)

And beyond that, no more interaction. Each terraform apply is executed with -auto-approve, so the plan phase is not even displayed before the application starts. That's why I talked about disabling auto-approve but only when terragrunt-non-interactive is not set.

So, the proposed change is:

• change the default (interactive) behaviour to have terraform ask your confirmation before applying for each terragrunt module. Keeping the question Are you sure you want to run 'terragrunt apply' in each folder of the stack described above? (y/n)
• keep the current behaviour when terragrunt-non-interactive is set

I believe the current interactive behaviour is useless and there is no need to keep it. Either you want to be interactive and you care about the plan before the apply, and you want terraform to ask for a confirmation, or you don't care about the plan and you switch to non interactive. The question Are you sure you want to run 'terragrunt apply' in each folder of the stack described above? (y/n) is not really useful as you give your consent to something you don't fully know before you see the plan results.

[brikis98]

Nope. Currently you get one interactive question asked:

Are you sure you want to run 'terragrunt apply' in each folder of the stack described above? (y/n)

And beyond that, no more interaction. Each terraform apply is executed with -auto-approve, so the plan phase is not even displayed before the application starts. That's why I talked about disabling auto-approve but only when terragrunt-non-interactive is not set.

Ah, that's the context I was missing. Thanks for explaining!

So, the proposed change is:

• change the default (interactive) behaviour to have terraform ask your confirmation before applying for each terragrunt module. Keeping the question Are you sure you want to run 'terragrunt apply' in each folder of the stack described above? (y/n)
• keep the current behaviour when terragrunt-non-interactive is set

Agreed. PR to do this is very welcome! 👍

[yorinasub17]

Note that for whoever is trying to implement this, you will run into issues where the stdin and stdout is interleaved across concurrent terraform runs.

This will lead to a few issues:

• You won't be able to parse the plan output because resource plans will be interleaved across modules (note that this is the same issue we have with plan-all).
• Your answers you type to confirm could be sent to multiple apply calls, since the stdin is shared.

I am not sure it is possible to implement this without disabling the concurrency (from a UX perspective), so it seems like #636 is a necessary prerequisite.

[ado120]

Hi all,

When running a terragrunt apply, what is the difference between terragrunt apply -auto-approve vs. terragrunt apply --terragrunt-non-interactive?

[brikis98]

Hi all,

When running a terragrunt apply, what is the difference between terragrunt apply -auto-approve vs. terragrunt apply --terragrunt-non-interactive?

-auto-approve skips interactive prompts from Terraform, such as the prompt to check the plan output before running apply. --terragrunt-non-interactiveskips interactive prompts from Terragrunt, such as the prompt to create an S3 bucket as a state backend if the bucket doesn't exist already.

[j-pedrosa]

Do we have any ETA to change this beaviour?

[emilhdiaz]

EDIT: Disregard this comment, even terragrunt run-all apply will automatically append -auto-approve to the terraform commands, see comment below from @tensor5

For others arriving at this issue, terragrunt now discourages the use of terragrunt apply-all in favor of terragrunt run-all apply instead.

The above issue works as expected when using terragrunt run-all apply, as in both terragrunt AND terraform will prompt for input.

If you want to skip terragrunt's prompts, then use: terragrunt run-all apply --terragrunt-non-interactive
If you want to skip terraform's prompts, then use: terragrunt run-all apply -auto-approve
If you want to skip both sets of prompts, then use: terragrunt run-all apply --terragrunt-non-interactive -auto-approve

[tensor5]

@emilhdiaz, in my case terragrunt run-all apply behaves the same with or without -auto-approve, i.e. in both cases it skips Terraform's confirmation prompt.

[emilhdiaz]

@tensor5 You're right, not sure how I missed that before (made a note of it in my prior comment, thanks).

In that case, I would echo the OP. This behavior seems counter intuitive to me.

[jlepere-everlaw]

In v0.38.1, a --terragrunt-no-auto-approve cli option was added that might help some use cases mentioned here.

I'd like to ensure this argument is provided for all run-all commands because I share the concerns mentioned in this issue, but I'm struggling to do so.

From my understanding, the extra_arguments argument on the terraform block only works for terraform commands, so something like this wouldn't work:

terraform {
  ...

  extra_arguments "no_auto_approve" {
    commands  = ["run-all"]
    arguments = ["--terragrunt-no-auto-approve"]
  }
}

I also considered setting an environment variable using extra_arguments to override the -auto-approve option automatically supplied by terragrunt, but I don't think terraform supports this.

Does anyone have any thoughts?

[emilhdiaz]

@jlepere-everlaw Just came across this new flag myself. You might have better luck simply setting the TERRAGRUNT_AUTO_APPROVE environment variable in your shell or automatically via something like https://github.com/direnv/direnv.

[jlepere-everlaw]

Thanks, @emilhdiaz! I ended up setting the TERRAGRUNT_AUTO_APPROVE environment variable in a similar fashion to your suggestion.

[lpossamai]

New Terragrunt user here.

I love the fact that you can have your Terragrunt Architecture DRY. It helps A LOT when you have multiple modules and dependencies between them.

I came from a pure Terraform complex multi-account level structure, and TF sucks really bad at dependencies between modules and duplication of code.

TBH, the run-all Terragrunt command caught my attention when I was comparing the two solutions, but I was disappointed when I saw it is not recommended for production usage.

I wish plan-all would take care of all the dependencies and just work.

Also, need to think about consistency. In terraform with Github Actions, I was able to upload the .tfplan file to Github and use that same file when running terraform apply. With Terragrunt, that's not something I can easily have.

I have also published a discussion here, to debate best practices on my use case.