In certain situations, you want to apply only some planned Terraform changes at a time. This could be because of the critical nature of certain changes or the constraints of your environment. With Spacelift’s Targeted Replans, you can select which planned changes you want to apply, allowing you to roll out changes iteratively, step by step.
Why would you want to do this? Here are some reasons:
- rolling out changes in a step-by-step manner
- migrating existing infrastructure to Terraform
- performing clean-ups that require extra care
- working in environments where infrastructure changes might be made outside of Terraform
- solving IaC dependency-related issues
Let’s use a concrete example to see how targeted replans work:
I have a Terraform configuration that creates a VPC, a security group, and 20 security group rules. You can find the code on GitHub.
The next step is to trigger a run and wait for it to reach an unconfirmed state.
Click on Changes in the top left corner and select the resources you would like to target, similar to the screenshot below.
After you have finished selecting the resources you are interested in, click on Replan.
You also have the option to filter the resources view, based on different parameters such as Address, Change type, Name, Resource type, and even the Terraform provider.
Before the new plan is created for the resources you’ve selected, you’ll see details of how many resources you’ve chosen and how many are ignored.
In my case, I’ve chosen four security group rules.
Even though I chose just four resources, you will see I have six in my plan. This happens because the security group rules have a dependency on a security group, and this security group has a dependency on an aws_vpc resource.
Under the hood, this feature leverages the “terraform plan -target” functionality, so let’s see what problems arise with this command.
Let’s suppose you have defined the following resources:
To run a targeted plan for the aws_vpc resource, the syntax would look like this:
terraform plan -target=aws_vpc.this
Things become a little more complicated when you are using two resources. Let’s suppose you want a plan now just for the aws_vpc and aws_subnet resources. The syntax would be:
terraform plan -target=aws_vpc.this -target=aws_subnet.this
I saved the worst for last. If you have resources defined with for_each as I have above for the aws_security_group_rule resource, and you want to delete only an instance of that resource, the syntax would be:
terraform plan -target="aws_security_group_rule.this[\"rule2\"]"
You need to escape the quotes for the keys, and the resource name should also be added between quotes, which makes this pretty error-prone.
If you need to select ten or twenty resources, your CLI command becomes massive, and very hard to follow if there is a syntax error.
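One way to avoid hand-escaping each -target flag, as an added example that is not part of the original article or Spacelift's own code: a POSIX shell helper that reads resource addresses one per line and prints the full command with every address single-quoted, so for_each keys need no backslashes. The function names and the sample address list are constructed for illustration, and the check that an address starts with a letter or underscore is a simplifying assumption.

```shell
#!/bin/sh
# Added example: build a targeted plan command from a list of addresses.

# Constructed sample input, one resource address per line.
SAMPLE_TARGETS='aws_vpc.this
aws_subnet.this
aws_security_group_rule.this["rule2"]'

# Wrap a string in single quotes for the shell. Inside single quotes only the
# single quote itself is special, so each one is rewritten as '\''.
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Read addresses on stdin and print one copy-pasteable command on stdout.
# Blank lines and lines starting with '#' are skipped. Assumption: a valid
# address starts with a letter or underscore (resource type, "module." or
# "data."), so anything else, such as a pasted "-target=..." prefix or a
# stray quote, is reported and the function fails.
build_targeted_plan() {
  cmd='terraform plan'
  while IFS= read -r addr || [ -n "$addr" ]; do
    case $addr in
      '' | '#'*) continue ;;
      [A-Za-z_]*) cmd="$cmd -target=$(shell_quote "$addr")" ;;
      *) printf 'not a resource address: %s\n' "$addr" >&2; return 1 ;;
    esac
  done
  printf '%s\n' "$cmd"
}

# Print the command for the sample list so it can be reviewed before running.
printf '%s\n' "$SAMPLE_TARGETS" | build_targeted_plan
```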