We recently changed the default tags added to all the resources we provision in AWS for one of our clients. We also made some other more serious networking changes during the same release. This resulted in quite a hairy Terraform (tf) plan that we had to review.
If you’ve used tf for provisioning large environments you will know that the text plans that get generated can be tricky to read, and sometimes a small change (like a tags change) can result in a plan where the more important changes get lost in all the noise. While looking for a better way to render these plans I found PrettyPlan by Chris Lewis, which allows you to convert text tf plans to HTML in a much more readable format. This tool was meant to fill some of the gaps in older versions of tf’s plan output and it does an amazing job at it. We, however, needed something similar for tf versions 0.12+, and that is where our version of the pretty plan was born.
Initially, I forked the original code base with the idea to add the changes for the new plan format, but I quickly realised that would not be needed for new versions of tf. New versions of tf allow you to print your plan in JSON format, making text parsing a thing of the past. With all this time saved, I decided to add some features to make plan reviews even simpler.
the bells and whistles
These are very much catered to the way I review plans, but I found that most teams I’ve worked with review plans in a similar way.
all the filters
filter on the action type, it is really important for me to first review all the destructive actions tf is going to make when I apply a plan. For this reason, I added a quick way to filter on the actions you are interested in.
filter most common changes, in the example above we had a ton of resources where just the tags property was being changed. I added a way to either show only the resources where a certain property is going to be changed or filter those changes out of the plan. The list of properties gets filled by finding the top 5 changing properties in the plan.
resource addressing
resource addressing, when using tf’s looping and modules, the resource address can be quite important to track the resource to where it is defined in code, so I added the full resource address to the expanded view.
fancy view
fancy view, this was more for show than anything else, but when viewing changes to large JSON objects, it sometimes helps to have the differences highlighted for you. I have not tested this with IAM policy changes or ECS task definition changes, but I see this being handy in those situations.
auto plan, I’m planning on using this in our custom tf CD pipeline (more on that in the future 😉). For this, we will embed the site content in our pipeline plan step to help with approvals. When the site starts up it tries to load a plan from the project artefact root and renders it with the rest of the pipeline reports.
how to
Unlike the original pretty plan, you need to do a little more work. When we do tf plans we use the -out CLI option (terraform plan -out=plan.out), which creates a file that can be used as input on an apply. This ensures that the plan you are reviewing is exactly what will be applied; the saved plan is rendered useless if a different apply happens in between.
This plan output can also be used to generate a JSON representation of the changes with the tf show command (terraform show -json plan.out > plan.json).
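To show what that JSON gives a reviewer, here is an added example (my sketch, not PrettyPlan's code) that reads the resource_changes list and reproduces the two filters described above: destructive actions first, and hiding updates that only touch a noisy property such as tags. The sample plan is constructed, and counting the top changing properties over in-place updates only is an assumption.

```python
import json
from collections import Counter

# Constructed sample shaped like `terraform show -json plan.out` output;
# resource addresses and values are made up for illustration.
SAMPLE_PLAN = json.loads("""{"resource_changes": [
 {"address": "aws_vpc.main", "change": {"actions": ["update"],
   "before": {"cidr_block": "10.0.0.0/16", "tags": {"env": "dev"}},
   "after":  {"cidr_block": "10.0.0.0/16", "tags": {"env": "dev", "team": "ops"}}}},
 {"address": "aws_security_group.web", "change": {"actions": ["update"],
   "before": {"ingress": [{"cidr_blocks": ["10.0.0.0/16"]}], "tags": {"env": "dev"}},
   "after":  {"ingress": [{"cidr_blocks": ["0.0.0.0/0"]}], "tags": {"env": "dev", "team": "ops"}}}},
 {"address": "module.net.aws_subnet.private[0]", "change": {"actions": ["delete", "create"],
   "before": {"cidr_block": "10.0.1.0/24"}, "after": {"cidr_block": "10.0.8.0/24"}}},
 {"address": "aws_nat_gateway.old", "change": {"actions": ["delete"],
   "before": {"subnet_id": "subnet-0abc"}, "after": null}},
 {"address": "aws_s3_bucket.logs", "change": {"actions": ["no-op"],
   "before": {"bucket": "logs"}, "after": {"bucket": "logs"}}}
]}""")

def changed_properties(change):
    """Top-level attributes whose value differs between before and after."""
    before, after = change.get("before") or {}, change.get("after") or {}
    return sorted(k for k in before.keys() | after.keys() if before.get(k) != after.get(k))

def top_changing(plan, n=5):
    """Most frequently changed attributes across in-place updates (assumption)."""
    counts = Counter()
    for rc in plan.get("resource_changes", []):
        if rc["change"]["actions"] == ["update"]:
            counts.update(changed_properties(rc["change"]))
    return counts.most_common(n)

def review_queue(plan, ignore=frozenset({"tags"})):
    """Changes to review, destructive first; drops no-ops and updates
    that only touch attributes in `ignore`."""
    queue = []
    for rc in plan.get("resource_changes", []):
        actions, props = rc["change"]["actions"], changed_properties(rc["change"])
        if actions == ["no-op"] or (actions == ["update"] and set(props) <= ignore):
            continue
        queue.append((rc["address"], "/".join(actions), props))
    # False sorts before True, so anything containing "delete" comes first.
    return sorted(queue, key=lambda item: ("delete" not in item[1], item[0]))

if __name__ == "__main__":
    print(top_changing(SAMPLE_PLAN))
    for address, actions, props in review_queue(SAMPLE_PLAN):
        print(f"{actions:14} {address}  changed: {', '.join(props)}")
```

Note that the security group update stays in the queue even with tags ignored, because its ingress rule changes in the same update.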
If you are using Terraform Cloud (or Enterprise) you can get the JSON output of a plan as follows:
disclaimer
This is still just a toy and needs a ton of testing; I would not recommend using only this when reviewing a tf plan. I have not tested it at all with changes where modules are involved, which is top of the priority list. We’ll continue to fix bugs and add features that make plan reviews less painful.
Feel free to report a bug on GitHub or put in a feature request if there is something cool we can add.