Viewing Report from Terraform plan in Merge Request

Error viewing report from Terraform plan in Merge Request

What are you seeing, and how does that differ from what you expect to see?

When generating a terraform report as an artifact in .gitlab-ci.yml the report cannot be loaded into the merge request. I expect to see some sort of report embedded in the merge request showing output from the plan.

Instead, I see:

! A terraform report was generated in your pipelines. Changes are unknown.

I also see a red banner:

An error occurred while loading terraform report

Related documentation

The artifacts:reports:terraform documentation is extremely brief.

Version

I am on gitlab.com running the prerelease 13.0.0 in a private repository, using shared runners.
The feature says it is introduced in version 13.0 by https://gitlab.com/gitlab-org/gitlab/-/issues/207528

CI configuration

The job in concern is

plan:
  stage: plan
  script:
    - terraform plan -input=false -out=tfplan tfbackend
    - terraform show -json tfplan > tfplan.json
  artifacts:
    reports:
      terraform: tfplan.json
    paths:
      - tfplan.json
    expire_in: 5 days
  only:
    - merge_requests
    - staging
    - master

Troubleshooting steps

I have tried several different combinations. terraform plan -out=tfplan outputs a binary plan. Giving that to the report yielded the same error.
What I currently have produces a good JSON artifact that can be downloaded and viewed, but nothing is embedded in the Merge Request.

https://gitlab.com/gitlab-org/gitlab/-/issues/207526 seems relevant, but I am having a hard time figuring out what is in progress and what I should expect to work.

Hi!

There’s an example you can view here: https://gitlab.com/emilyring/terraform-test/-/merge_requests/4/diffs

And some docs that are being created here: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/31821/diffs

Are you able to see what your JSON file contains?

Thanks!

Thank you for the resources, I will give them a try!! I didn’t realize I needed my own jq alias.

Yes, I am able to see what the JSON contains - it is essentially the summary that plan displays in the terminal.

@byarbrough Yeah, the jq alias is needed so we can exclude any potential secrets from the plan output. The resulting JSON should look something like:

{
  "create": 0,
  "update": 0,
  "delete": 0
}

Let us know how it goes!

I was able to get this working locally, but am still having trouble with the pipeline.

Here is what I output in my local pine container after following the exact same script:

{
  "create": 4,
  "update": 0,
  "delete": 0
}

Unfortunately, in the pipeline I get this error. I am using python:3.8-alpine3.11 as my base image and manually installing Terraform.

$ alias
alias convert_report='jq -r '\''([.resource_changes[]?.change.actions?]|flatten)|{"create":(map(select(.=="create"))|length),"update":(map(select(.=="update"))|length),"delete":(map(select(.=="delete"))|length)}'\'''
$ terraform show --json $PLAN | convert_report > $PLAN_JSON
/bin/bash: line 141: convert_report: command not found

This seems more like an error on my end, so I am continuing to debug.

Some things I noticed!
  • The example @emilyring provided does not contain apk add jq
  • There is a discrepancy of a ? between the documentation and the example file. I used the command from the documentation.

Good catch! The command from the documentation should be correct, the command was updated in https://gitlab.com/gitlab-org/gitlab/-/merge_requests/30002 and should be part of 13.0.

The apk --no-cache add jq is being done here: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/31821/diffs#985e5d840b3f82c46efcb6eebc74ffc83cdb7444_159_184

And it’s also done in the Dockerfile that generates the registry.gitlab.com/gitlab-org/gitlab-build-images:terraform image that the default Terraform.gitlab-ci.yml template will be using in 13.0.

For your image, since it’s also alpine based, I think it should work the same, so I’m curious what’s happening that is causing the alias to not be defined. Maybe it’s a quoting issue with the string?

Thank you for all the help!
I never was able to get the alias working, even after trying it on an Ubuntu container. I ended up just echoing the command into a shell script and then calling that. Thrilled with having the summary in our merge requests!

Also, I mentioned the merge request and related issue in a related Terraform issue: https://github.com/hashicorp/terraform/issues/10507

@byarbrough definitely! I’m glad you got it working for your pipeline! Maybe in future we can move that alias into a command available inside the build image, that way you could just use it from the image: or make your custom image from it, that way you wouldn’t have to deal with echoing it to a script. Always glad to see how we can improve things!

Looks like the issue I was having with the alias not working was due to shell options. See this comment. This fixed it!

before_script:
  - shopt -s expand_aliases
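
The "command not found" failure and the `expand_aliases` fix discussed in this thread can be reproduced outside a pipeline. The following is an added example, not code from the thread or from GitLab: `run_job` and the three snippet variables are hypothetical names, and `tr a-z A-Z` is a constructed stand-in for the jq filter so that it runs without jq or Terraform. It also goes one step beyond the thread by showing that a shell function needs no shell option.

```bash
# Added example. `tr a-z A-Z` is a constructed stand-in for the thread's jq
# filter, so this runs without jq or Terraform installed.

# Run a snippet in a fresh non-interactive bash, as a CI job script is run.
# Prints "rc=<exit status> out=<stdout>"; stderr is discarded.
run_job() {
  job_out=$(bash -c "$1" 2>/dev/null) && job_rc=0 || job_rc=$?
  printf 'rc=%s out=%s\n' "$job_rc" "$job_out"
}

ALIAS_DEF='alias convert_report="tr a-z A-Z"'

# 1. Alias only: non-interactive bash does not expand aliases by default, so
#    the name is looked up as a command and fails with status 127.
NO_OPTION="$ALIAS_DEF
echo plan | convert_report"

# 2. The fix from the thread: enable expansion before the alias is used.
#    The shopt must be on an earlier line than the line that uses the alias.
WITH_SHOPT="shopt -s expand_aliases
$ALIAS_DEF
echo plan | convert_report"

# 3. A shell function needs no shell option at all.
AS_FUNCTION='convert_report() { tr a-z A-Z; }
echo plan | convert_report'

run_job "$NO_OPTION"     # rc=127 out=
run_job "$WITH_SHOPT"    # rc=0 out=PLAN
run_job "$AS_FUNCTION"   # rc=0 out=PLAN
```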