Alternative workflow with plan, approve and apply for customizations pipeline #542
Conversation
…mework_create_pipeline of aft-account-provisioning-framework sfn
|
+1 This is a valuable enhancement request that would significantly improve AFT's safety and flexibility for core account management. The proposed optional workflow with plan/approve/apply stages aligns with infrastructure-as-code best practices, especially for critical accounts that can impact the entire landing zone. The rationale provided around protecting core shared services (TGW, IPAM, etc.) is compelling - having the ability to preview and approve changes before they're applied would help prevent unintended consequences across the landing zone. Keeping this as an optional feature maintains AFT's simplicity for standard account vending while adding necessary controls for sensitive environments. This addresses a clear need expressed by multiple users previously. I support prioritizing this enhancement. |
|
This is a great initiative, I've been looking for something like that and thinking about developing in house. Thanks! From a Terraform perspective, when the plan and apply are executed in different stages, your plan should include a I don't have much experience with CodePipeline, but I believe you can use output artifacts for that. |
I hope that the feature will be merged, obviously you can develop it by yourself, but I would recommend to stick to the official releases of AFT, that are provided and officially supported by the AWS Control Tower service team. In case of a custom release, probably you would have difficulties in being supported in case of problems...
You're right, Codepipeline artifacts are the way to save the plan (and also the .terraform folder) and have it ready for the apply phase. I already did it in different terraform pipelines with Codepipeline. I deliberately decided to not introduce it in this PR to reduce the number of changes, but for sure this could be an improvement that can be introduced later on. |
|
Could someone from the AFT team review this PR? Thank you 🙏 |
|
We ended up making quite the contraption in CI, where we'd essentially pull down the state file from HCP terraform and manipulate the backend stanzas so that there would be local runs and we could post the plans in the PR comments. It's helped us somewhat, but this would be a much preferable solution. |
igordust
requested review from
JamesActually,
aspiratr-aws,
aviwshah,
dashbat,
harrisonhku,
ouyanguf and
wiltangg
as code owners
| /opt/aft/bin/terraform plan -no-color | ||
| elif [[ "apply" == ${ACTION} ]] ; then | ||
| /opt/aft/bin/terraform apply -no-color --auto-approve | ||
| elif [[ -z "${ACTION}"" ]] ; then |
There was a problem hiding this comment.
Is the double quote after ${ACTION} intended?
There was a problem hiding this comment.
I added this last condition in the case the account doesn't have set the ACTION env variable, in case the user hasn't updated the account request
|
Is there any update on this feature? |
|
For local testing, someone may find my response in this thread #153 useful. |
7 participants
This feature is the implementation of the feature request #541.
It adds a new parameter
workflow_typeto the account request module.The parameter can be valued:
apply(default)apply-with-approvalThis parameter is saved with all other parameters in the DynamoDB table and is passed to the step function for the account creation and the customizations pipeline.
The
applyvalue maintains unchanged the current behaviour, the customizations pipeline is created with the usual 3 stages.When you specify
apply-with-approval, the resulting customizations pipeline will have the following stages: