I'm wondering why the job "tf-plan-production" in the to-be-continuous/terraform template is the only one running on a merge request pipeline?
Does anybody know the reason behind this?
Because I find it disturbing to have 2 pipelines, 1 detached pipeline containing only a single job while the other pipeline contains all the other jobs (tf-plan-review, tf-tflint, tf-checkov ...). I hesitate to override this rule as I may miss something important.

To be more precise, in this to-be-continuous template, all the defined jobs are never run on a merge request pipeline by using the rule:

```yaml
# exclude merge requests
- if: $CI_MERGE_REQUEST_ID
  when: never
```

Except the "tf-plan-production" job, which has the rule:

```yaml
# enabled on merge requests
- if: $CI_MERGE_REQUEST_ID
```
gresam

1 Answer

terraform plan is a nondestructive operation that compares what terraform would create to what exists in output, and creates a diff between existing state and state that has been coded but not created.

Typically it is run when a PR is created so that a dry run is available and visible to the developers, while terraform apply is run on merge. If there isn't another environment developers can test their changes in, it is a necessary step.

Dan Monego
  • My question is really related to the [to-be-continuous template](https://gitlab.com/to-be-continuous/terraform/-/blob/master/templates/gitlab-ci-terraform.yml). All the defined jobs don't run in a merge request pipeline by using `# exclude merge requests - if: $CI_MERGE_REQUEST_ID when: never`. Only the "tf-plan-production" job has the rule: `# enabled on merge requests - if: $CI_MERGE_REQUEST_ID` – gresam Oct 21 '21 at 17:07
  • Well, actually @dan-monego is right: the `terraform plan` job is launched in merge requests to let you see simply **the potential infra changes on prod generated by this MR**. By the way, GitLab provides a very nice [Terraform plan diff support](https://docs.gitlab.com/ee/user/infrastructure/iac/mr_integration.html) in merge requests that is of course implemented in the `to-be-continuous` template :) – pismy Oct 22 '21 at 09:40
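
The answer and the last comment describe the merge-request plan as a dry run that reviewers read before anything is applied to production. The script below is an added example, not code from the to-be-continuous template or from GitLab: it summarizes a plan exported with `terraform show -json` and flags destroyed resources for review. The sample plan, its resource addresses, and the `allow_destroy` parameter are constructed for illustration.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output.
# Only the fields read below are included; the resource addresses are made up.
SAMPLE_PLAN = json.loads("""
{
  "resource_changes": [
    {"address": "aws_s3_bucket.logs",     "change": {"actions": ["create"]}},
    {"address": "aws_security_group.web", "change": {"actions": ["update"]}},
    {"address": "aws_db_instance.main",   "change": {"actions": ["delete", "create"]}},
    {"address": "aws_iam_role.ci",        "change": {"actions": ["no-op"]}},
    {"address": "aws_kms_key.old",        "change": {"actions": ["delete"]}}
  ]
}
""")


def summarize_plan(plan):
    """Count create/update/delete actions and list resources that get destroyed.

    A replacement (["delete", "create"] or ["create", "delete"]) counts as one
    create and one delete, and its address is reported as destroyed.
    """
    counts = {"create": 0, "update": 0, "delete": 0}
    destroyed = []
    # `resource_changes` is absent or empty when the plan changes nothing.
    for rc in plan.get("resource_changes") or []:
        actions = (rc.get("change") or {}).get("actions") or []
        for action in actions:
            if action in counts:  # ignores "no-op" and "read"
                counts[action] += 1
        if "delete" in actions:
            destroyed.append(rc.get("address", "<unknown>"))
    return counts, destroyed


def review_gate(plan, allow_destroy=False):
    """Return (ok, counts, destroyed); ok is False when the plan destroys
    anything and the reviewer has not explicitly allowed it."""
    counts, destroyed = summarize_plan(plan)
    return (allow_destroy or not destroyed), counts, destroyed


if __name__ == "__main__":
    ok, counts, destroyed = review_gate(SAMPLE_PLAN)
    print("summary:", counts)
    print("destroyed:", destroyed)
    print("needs explicit approval" if not ok else "no destructive changes")
```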