-
Notifications
You must be signed in to change notification settings - Fork 9.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Verify terraform configuration files matches state file contents #32786
Comments
Hi @osintalex, What you're describing is essentially what Thanks! |
Hey, Ah yeah sorry, I should have made the difference clearer. The end goal for what I'm trying to do is different. I'm in a situation where I know many of the configuration files are incorrect, so I'm looking for a way to (as much as possible) programmatically rewrite them. I realised I missed out a few steps. This is what my workflow looks like at present:
This is quite time consuming so I was hoping for a better way to do this. I don't think I can use I guess what I would really like is an 'inverse' version of |
Thanks @osintalex, Improving the import workflow is something we're working on already, so this seems inline with the current development. Showing the possible configuration values derived from the current state, in a format other than the plan changes, is something we want to have the ability to do. It is not possible for Terraform to know exactly what the config should look like, but a starting value can definitely be generated, and subsequent calls to |
Thanks! A starting value without disallowed characteristics (such as |
Terraform Version
Use Cases
When your state file doesn't match what's in your configuration files.
In practice I think this would come up when managing drift on projects that haven't been maintained in a while. I came across the issue while working on some legacy stuff that hadn't been touched in a few years. I had this problems:
Lots of the stuff in terraform configuration files didn't match what was in the state file. I think this is probably because the state file was old or in a remote backend somewhere that got lost. Perhaps this is a rare issue but it feels to me like the sort of thing which might come up often when inheriting legacy projects.
To solve this I was doing a lot of importing and I noticed that this could create some issues, f/e:
Suppose I had a block like this:
But in my state file, the egress cidr_blocks value was actually
cidr_blocks = ["10.0.0.1/0"]
, which is also what is actually in this security group in the remote infrastructure. If I runterraform plan -refresh-only
this shows the infrastructure as being up to date, even though what's in my configuration block is wrong.Now imagine this on dozens of files - I think it would be useful to have a way of validating that my configuration code matches what's in state. Perhaps something like
terraform compare
orterraform validate -check-state
.Apologies if I've missed an easy way of doing that which exists already - I couldn't find one!
Attempted Solutions
To get round this I was doing the following:
terraform plan -refresh-only
but AFAIK this checks based on what's in my state file. So if my state file is correct and my configuration is wrong, then this passes.terraform state show <resource identifier>
and then manually comparing that with what's in the configuration file.Proposal
I think (hopefully) an implementation for this could be simple:
For every configuration block...
Get the corresponding block in the state file (i.e. output of
terraform state show <resource identifier>
...Check if the details in the configuration block match what's in the relevant state file section. For my above example that would mean check that
cidr_blocks = ["0.0.0.0/0"]
is equal to what the egress cidr blocks value is in the state file along with all the other attributes, i.e description, name, etc.If they don't, raise a helpful error.
Happy to try a PR for this if you think it would be helpful.
Last thought - I wonder if this irrelevant given existing discussions around auto-generating config files from
terraform import
since that would also solve this issue, although that would require deleting your existing config in a situation such as the one I've run into.References
Issue 15608
The text was updated successfully, but these errors were encountered: