Having issue getting terraform report to show up

private runners using gitlab/gitlab-runner:alpine
custom terraform image with jq pre-installed

Can someone please help me understand why the terraform report does not show up in the MR after the plan has run? I am expecting to see it in the MR and then, after reviewing it, trigger the manual apply job. However, the report does not appear until the manual job is done.

---
default:
  image:
    name: terraform:latest
    entrypoint:
      - ""

stages:
  - validate
  - plan
  - apply

variables:
  ENVIRONMENT: "production"
  PLAN_FILE: plan.tfplan
  JSON_PLAN_FILE: tfplan.json
  TF_IN_AUTOMATION: "true"

.prepare: &prepare
  - alias convert_report="jq -r '([.resource_changes[].change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'"

.init: &init
  - terraform init
  - echo $ENVIRONMENT
  - terraform workspace select $ENVIRONMENT

before_script:
  - *prepare
  - eval $(ssh-agent -s)
  - echo "$KEY" | tr -d '\r' | ssh-add -
  - mkdir $HOME/.ssh/
  - chmod 700 $HOME/.ssh/
  - echo -e "Host *\n  StrictHostKeyChecking no" >> $HOME/.ssh/config

.apply: &apply
  stage: apply
  rules:
    - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH || $CI_PIPELINE_SOURCE == "merge_request_event"
      when: manual
  script:
    - *init
    - terraform apply -input=false -auto-approve $PLAN_FILE
  allow_failure: false

.plan: &plan
  stage: plan
  rules:
    - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH || $CI_PIPELINE_SOURCE == "merge_request_event"
  script:
    - *init
    - terraform plan --out $PLAN_FILE
    - "terraform show --json $PLAN_FILE | convert_report > $JSON_PLAN_FILE"
    - jq --version
    - cat $JSON_PLAN_FILE
  artifacts:
    reports:
      terraform: $JSON_PLAN_FILE
    paths:
      - $PLAN_FILE
  allow_failure: false

.validate: &validate
  stage: validate
  rules:
    - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH || $CI_PIPELINE_SOURCE == "merge_request_event"
  script:
    - *init
    - terraform validate
  allow_failure: false

Validate-Client:
  <<: *validate

Plan-Client:
  <<: *plan

Apply-Client:
  <<: *apply
  dependencies:
    - Plan-Client

Output from the debug statements in the plan

$ jq --version
jq-master-v20200917-3811-g2b0a3891bf
$ cat $JSON_PLAN_FILE
{
  "create": 0,
  "update": 4,
  "delete": 0
}

Report does not show up

Thank you!

2 Likes

We have the exact same workflow and issue: generate a plan, review the plan, approve the MR, run a manual job to apply. However, the plan report doesn’t show up in the MR until after ALL jobs complete. It seems that it would make sense for uploaded reports to display in the MR as soon as they become available.

Edit: This seems to only occur when allow_failure is set to false for the manual jobs.
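The `convert_report` jq filter from the plan job above, restated in Python so the report file can be checked offline. This is an added example, not code from either poster; the function names and the sample plan JSON are constructed for illustration.

```python
import json
from collections import Counter

# Keys the jq filter on this page writes into the report file.
REPORT_KEYS = ("create", "update", "delete")


def summarize_plan(plan: dict) -> dict:
    """Count create/update/delete actions the way the page's jq filter does.

    Mirrors `[.resource_changes[].change.actions?] | flatten`: every action
    of every resource is counted, so a replacement (["delete", "create"])
    adds one to both "delete" and "create". Other actions such as "no-op"
    are ignored. A plan without resource_changes yields all zeros here.
    """
    counts = Counter()
    for rc in plan.get("resource_changes") or []:
        actions = (rc.get("change") or {}).get("actions") or []
        counts.update(a for a in actions if a in REPORT_KEYS)
    return {key: counts[key] for key in REPORT_KEYS}


def is_valid_report(report: dict) -> bool:
    """True when the report holds exactly the three non-negative counters."""
    return (
        set(report) == set(REPORT_KEYS)
        and all(type(v) is int and v >= 0 for v in report.values())
    )


# Constructed sample in the shape of `terraform show -json` output.
SAMPLE_PLAN = json.loads("""
{
  "resource_changes": [
    {"address": "example.a", "change": {"actions": ["update"]}},
    {"address": "example.b", "change": {"actions": ["delete", "create"]}},
    {"address": "example.c", "change": {"actions": ["no-op"]}},
    {"address": "example.d", "change": {"actions": ["create"]}}
  ]
}
""")

if __name__ == "__main__":
    report = summarize_plan(SAMPLE_PLAN)
    print(json.dumps(report, indent=2))
    print("valid report:", is_valid_report(report))
```

A report that passes this check, like the one printed by the debug statements above, points the problem at pipeline state and not at the file contents.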