Thanks a lot for that helpful tutorial. One question, can you save the plan file as an artefact for later use in "apply"? If there is a time gap between plan and apply, there is a potential delta between the commented changes in the pull request and the time of applying changes.
I believe when the pull request is open, every commit to the branch will automatically trigger a new terraform plan operation. After completing the pull request and merging it to main, the terraform apply happens onto this commit immediately. So no gap should happen in between.
@CarlintVeld That's correct, each commit will cause a new plan to run. In practice, I would hold off on creating a PR until my code was most of the way there. Or you could use the draft functionality to pause the `terraform plan` for a bit. (You'd need to change the workflow a bit to check for the draft status). As for saving a plan file? There's been a fair amount of debate around the utility of a saved plan file. Generally, I don't recommend it, unless you're using the plan file against something like Checkov or Sentinel to check for policy violations. Even then, I would want a fresh plan before an apply.
Nice one! And thanks also for the source code. Though now it would be better to use the OIDC federated credentials rather than the classic password secret.