Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remote execution on Terraform Cloud fail to apply #2794

Open
lilincmu opened this issue Dec 13, 2022 · 7 comments
Open

Remote execution on Terraform Cloud fail to apply #2794

lilincmu opened this issue Dec 13, 2022 · 7 comments
Labels
bug Something isn't working Stale

Comments

@lilincmu
Copy link
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Overview of the Issue

When running remote apply on Terraform Cloud, an error is returned which blocks the apply.

Reproduction Steps

  • Set up remote execution on Terraform Cloud, for example
terraform {
  required_version = ">=1.3"

  cloud {
    hostname = "app.terraform.io"
    organization = "lilin"

    workspaces {
      name = "lilin-atlantis-with-tfc"
    }
  }
}

resource "null_resource" "example" {
}
  • Create a PR, Atlantis will run atlantis plan automatically
  • Run atlantis apply in PR comment
  • An error is returned as below:
running "/Users/li/.atlantis/bin/terraform1.3.6 apply -input=false -no-color" in "/Users/li/.atlantis/repos/lilincmu/atlantis-sample-repo-with-tfc/11/lilin-atlantis-with-tfc": exit status 1
Running apply in Terraform Cloud. Output will stream here. Pressing Ctrl-C
will cancel the remote apply if it's still pending. If the apply started it
will stop streaming the logs, but will not stop the apply running remotely.

Preparing the remote apply...

To view this run in a browser, visit:
https://app.terraform.io/app/lilin/lilin-atlantis-with-tfc/runs/run-C2R6G61LuvimYchL

Waiting for 1 run(s) to finish before being queued...
Waiting for 1 run(s) to finish before being queued... (30s elapsed)

Terraform v1.3.5
on linux_amd64
Initializing plugins and modules...
null_resource.example: Refreshing state... [id=8674665223082153551]
null_resource.example2: Refreshing state... [id=5577006791947779410]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # null_resource.example3 will be created
  + resource "null_resource" "example3" {
      + id = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.


Error: Cannot confirm apply due to -input=false. Please handle run confirmation in the UI.

Environment details

If not already included, please provide the following:

  • Atlantis version: v0.21.0
  • Terraform version: v1.3.6
  • Atlantis server-side config file:
{
    "repos": [
        {
            "id": "/.*/",
            "apply_requirements": [
                "mergeable"
            ]
        }
    ]
}
  • Repo atlantis.yaml file:
version: 3
automerge: true
delete_source_branch_on_merge: true
projects:
- dir: .
  workspace: lilin-atlantis-with-tfc
@lilincmu lilincmu added the bug Something isn't working label Dec 13, 2022
@lilincmu
Copy link
Contributor Author

Workaround

Currently there are two workarounds for this issue.

  1. As pointed out by Terraform Cloud Remote Operations broken for Terraform versions >= 0.15.0 #1628 (comment), we can use custom workflow to pass in the -auto-approve argument.
  2. We can pass in the extra argument directly in PR comment like atlantis apply -- -auto-approve.

Proposed Fixes

  1. We can pass -auto-approve argument by default for remote apply on Terraform Cloud. However, this could be dangerous, since unlike local execution, the plan for remote execution seen in PR comments might not be the actual plan that's going to be applied. It's more like a tentative plan. We might need to add more documentation if we decide to make -auto-approve a default behavior for remote apply.
  2. Update the prompt returned by atlantis plan. Currently, the prompt does not mention -auto-approve at all. If users run any of the commands, they'll see an error. We might update the prompt and mention the usage of -auto-approve.
  • ▶️ To apply this plan, comment:
    • atlantis apply -w lilin-atlantis-with-tfc
  • ⏩ To apply all unapplied plans from this pull request, comment:
    • atlantis apply

@lilincmu lilincmu mentioned this issue Dec 13, 2022
Merged
@GenPage
Copy link
Member

GenPage commented Dec 14, 2022
edited
Loading

Proposed Fixes

  1. We can pass -auto-approve argument by default for remote apply on Terraform Cloud. However, this could be dangerous, since unlike local execution, the plan for remote execution seen in PR comments might not be the actual plan that's going to be applied. It's more like a tentative plan. We might need to add more documentation if we decide to make -auto-approve a default behavior for remote apply.
  2. Update the prompt returned by atlantis plan. Currently, the prompt does not mention -auto-approve at all. If users run any of the commands, they'll see an error. We might update the prompt and mention the usage of -auto-approve.

I think the 2nd proposed fix is most likely the way we want to go. I caution against changing the default action depending on the use case. I feel giving enough documentation/prompt to the user and letting them make the choice is the best first step. We can always change the default action at a later time.

@lilincmu
Copy link
Contributor Author

Forgot to mention, upon seeing the error, users can manually apply the queued plan in Terraform Cloud UI, as the error message indicates.

Error: Cannot confirm apply due to -input=false. Please handle run confirmation in the UI.

However, they'll need to run atlantis unlock and close the PR manually after the apply is executed.

@nitrocode
Copy link
Member

At the risk of sounding naive since I do not run terraform cloud... Doesn't atlantis currently run terraform apply -auto-approve? Otherwise wouldn't everyone hit a prompt (and subsequent error) when attempting to apply?

@alexclifford
Copy link

At the risk of sounding naive since I do not run terraform cloud... Doesn't atlantis currently run terraform apply -auto-approve? Otherwise wouldn't everyone hit a prompt (and subsequent error) when attempting to apply?

I believe it uses a saved plan - https://developer.hashicorp.com/terraform/cli/commands/apply#saved-plan-mode

@nitrocode
Copy link
Member

Yes the plan is saved. However if you apply a saved plan, i believe it will still prompt you to confirm unless you -auto-approve, no?

@nitrocode nitrocode mentioned this issue Dec 31, 2022
Closed
@Eddman
Copy link

Eddman commented Aug 9, 2023

Just an idea: in such case Atlantis can call terraform apply instead of plan and simply after plan keep the apply unconfirmed. And during apply just confirm previous plan. And obviously discard plan if new plan is called/PR is closed.

This would be the target behavior for me, although I understand not the simplest to implement....

@dosubot dosubot bot added the Stale label Oct 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working Stale
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@alexclifford @Eddman @GenPage @nitrocode @lilincmu