Feature: Ability to write custom checks #16848

Closed
fishpen0 opened this issue Dec 5, 2017 · 3 comments

Comments


fishpen0 commented Dec 5, 2017

Description

Terraform for the most part bombs out when it should, but I would like a handler for creating custom checks unique to my environment. Users and extensions would be responsible for creating their own data sources or variables; this block would simply be a place to do basic logic and provide CLI output. Checks would run after "refreshing state"/"plan", but before "apply", so all variables and data items are available but no changes have been applied.

Some example scenarios where this would be useful:

  • I do not want terraform to run if my CI handler has an active task and I am not using a backend that supports locking
  • I want to issue a custom warning with instructions when they are using a workspace that has never been initialized
  • I want the user to manually verify they want to run terraform when a service is down
  • I hate John Doe in particular and I want to send him an ascii middle finger whenever he runs terraform.

Example structures:

Error

This will cause terraform to exit before making changes and print the response

resource "terraform_check" "my_error" {
  check    = "${terraform.workspace} == ${var.config_workspace}"
  response = "Your workspace does not match your var file. Please check the README.md section 'using a workspace' before continuing"
  action   = "error"
}

Warning with wait for reply, including an example of using a data source in the check

This will ask the user a y/n question and continue on a 'y' and exit on an 'n'

data "aws_region" "region" {
  current = true
}

resource "terraform_check" "my_warning" {
  check    = "${data.aws_region.region.name} != \"us-west-2\""
  response = "You are running terraform against a region that is not managed by DevOps, continue?"
  action   = "wait"
}

Warning with continue

This will simply print the response text as a warning at the beginning/end of a tf plan/apply

data "custom_provider" "my_thing" {
  foo = "bar"
}

resource "terraform_check" "my_warning" {
  check    = "${data.custom_provider.my_thing.bar} == \"foo\""
  response = "I'm a warning!"
  action   = "continue"
}
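For reference, the "error" and "continue" sketches above map onto features Terraform later shipped natively; this is an added example, not part of the issue or its author's proposal. It assumes Terraform 1.5 or later (check blocks) and the AWS provider, reuses the variable and data source names from the sketches, and uses terraform_data only as a carrier for the precondition; the interactive "wait" action has no built-in equivalent.

```hcl
# Added example: native equivalents of the proposed terraform_check actions.
# Requires Terraform >= 1.5 (check blocks, terraform_data) and the AWS provider.

variable "config_workspace" {
  type        = string
  description = "Workspace the loaded var file was written for (name from the sketch above)."
}

data "aws_region" "current" {}

# "error" action: a lifecycle precondition is evaluated during plan and fails
# the run before anything is applied. terraform_data manages no infrastructure;
# it exists here only to host the check.
resource "terraform_data" "workspace_guard" {
  lifecycle {
    precondition {
      condition     = terraform.workspace == var.config_workspace
      error_message = "Your workspace does not match your var file. See README.md, section 'using a workspace', before continuing."
    }
  }
}

# "continue" action: a check block reports a failed assertion as a warning in
# plan/apply output but never blocks the run.
check "region_managed_by_devops" {
  assert {
    condition     = data.aws_region.current.name == "us-west-2"
    error_message = "You are running terraform against a region that is not managed by DevOps."
  }
}
```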

fishpen0 commented Dec 5, 2017

Ah, some more digging turned up a similar request in #15469 with a hacky workaround. Unfortunately the workaround doesn't work if someone is using -target which, to my chagrin, is heavily utilized in our workflow.

@apparentlymart

Hi @fishpen0!

Indeed this seems to be the same as #15469, which is something we're still planning to look at but not able to work on in the short term due to some more fundamental architectural work going on right now.

That point about -target is an interesting one, and would also be true of the design sketch I described in my first comment on that other issue since the require graph node would get excluded by -target too, unless we found a way to make a special exception for that. It'd be great to capture that detail in the other issue, if you'd be willing.

Since we already have an issue for this, I'm going to close this one just to consolidate discussion over there.
We don't recommend everyday use of -target since it was added primarily for use in exceptional situations when you find yourself in a bind, and regular use of it can make it hard to reconcile changes in your environment against changes to your configuration. I know it's often hard to "dig your way out" of such a thing -- I got into such a predicament myself in my previous job, which took some time to refactor away -- but Terraform's features generally work best when -target isn't in use, since that allows Terraform to do a full graph walk and visit all of the relevant nodes.


ghost commented Apr 5, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 5, 2020