[Terraform] Terraform apply Inheriting from terraform plan

The terraform plan command creates an execution plan. By default, creating a plan consists of:

  • Reading the current state of any already-existing remote objects to make sure that the Terraform state is up-to-date.
  • Comparing the current configuration to the prior state and noting any differences.
  • Proposing a set of change actions that should, if applied, make the remote objects match the configuration.

The terraform apply command executes the actions proposed in a Terraform plan.

Harness allows users to run a Terraform Apply step that inherits all of the configuration and changes from the Terraform Plan step run earlier in the same workflow. This means you do not have to specify the entire configuration, variables and values twice, and it also preserves and validates that the plan being applied is exactly the plan that was generated.

How does Inherit from terraform plan work in the backend?

Once you select “Inherit following configurations from Terraform Plan” in the Apply step, with the preceding step set up as a Plan step, Harness handles it in the following way:

  • The Plan step runs first and generates the tfplan containing the proposed changes or updates to the resource configuration.

  • This tfplan is then stored in encrypted form in the Harness Secret Manager, or in whichever secret manager the user has set as the default, and during the Apply step the tfplan file is decrypted and then applied.

Note: Harness uses the Secret Manager you have selected as your default for this export. As a result, the size of the plan you can export is limited by the maximum secret size that Secret Manager allows.

One other thing to understand when inheriting the configuration in the Apply step from the Plan step: storing the Terraform plan uses the customer’s configured default secret manager, and for security the delegate running Terraform is expected to have access to it. So if you use the Harness default secret manager together with the inherit option, the step may fail because your delegate has no network access to that secret manager, and you may see an error such as “No eligible delegate”.

Two ways to overcome this are:

  1. Open the firewall to allow outbound 443 to cloudkms.googleapis.com (the host the Harness-managed default secret manager uses) from the appropriate delegate(s).
  2. Use or set a different default Secret Manager, one that the delegate(s) have network access to; Harness will then use that to both store and retrieve the plan when “Inherit following configurations from Terraform Plan” is enabled.
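The following is an added example, not Harness code, that reproduces the Plan, store, Apply hand-off described above with plain Terraform on a single host, and adds the two pre-flight checks this page implies: whether the delegate host can reach the secret manager endpoint on 443, and whether the plan file fits under the secret size limit. It assumes Linux coreutils (sha256sum), curl and terraform on PATH; the 65536-byte default limit is a placeholder, not a Harness or KMS value, so look up the real limit for your own secret manager.

```shell
#!/bin/sh
# Added example, not Harness code: a local stand-in for the Plan -> store ->
# Apply hand-off, plus the pre-flight checks a delegate host needs before
# "Inherit following configurations from Terraform Plan" can work.
# Assumptions: Linux coreutils (sha256sum), curl, terraform on PATH, and a
# per-secret size limit you look up yourself (65536 below is a placeholder).
set -eu

# 1. Can this host reach the secret manager endpoint on 443?
#    Only the TCP/TLS connection matters, so no -f: an HTTP 404 from the
#    bare host still proves the firewall path is open.
check_egress() {
  host="$1"
  curl -sS --max-time 5 -o /dev/null "https://${host}/" 2>/dev/null
}

# 2. Will the plan file fit in one secret? Returns 0 if size <= limit bytes.
plan_fits_secret() {
  plan_file="$1"
  limit_bytes="${2:-65536}"
  size=$(wc -c < "$plan_file" | tr -d ' ')
  [ "$size" -le "$limit_bytes" ]
}

# 3. Plan into a file, pin its digest, and apply exactly that file.
#    'terraform apply <planfile>' refuses to run if the state or configuration
#    changed since the plan was saved, which is the "apply exactly the plan that
#    was generated" guarantee the inherit option relies on. The digest check
#    stands in for Harness decrypting the stored plan before applying it.
plan_then_apply() {
  workdir="$1"
  plan_file="${2:-tfplan}"
  (
    cd "$workdir"
    terraform init -input=false >/dev/null
    terraform plan -input=false -out="$plan_file"
    sha256sum "$plan_file" > "$plan_file.sha256"
    if ! plan_fits_secret "$plan_file"; then
      echo "plan exceeds the configured secret size limit" >&2
      return 1
    fi
    # The plan would be handed to the secret manager at this point.
    sha256sum -c "$plan_file.sha256" >/dev/null
    terraform apply -input=false "$plan_file"
  )
}

# Usage (needs a Terraform working directory and network access):
#   check_egress cloudkms.googleapis.com || echo "no egress to KMS" >&2
#   plan_then_apply ./infra
```

Run check_egress from the delegate host itself, not from your workstation, since it is the delegate's egress path that decides whether the stored plan can be retrieved; a failing check points at option 1 (open the firewall) or option 2 (pick a secret manager the delegate can reach).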