Terraform in the pipeline

Continuing the topic of CI/CD, I felt like reflecting on the subject of "Terraform in the pipeline".

What I mean is: does it make sense to wrap terraform operations into a pipeline for changing infrastructure? In my practice I've seen attempts to do this several times. The most surprising part is that it even worked, but as a rule not for long (:trollface)

I can understand the motives that drive people to do this. You really want a git-ops approach, where you change something in the code and it goes off and deploys the infra by itself. And at the same time you don't have to set up credentials, tokens, and so on — you don't even need terraform of the right version locally. But that's in an ideal world.

In practice, you can't compile everything in your head and foresee absolutely everything. So you push a commit, and at the terraform plan step something pops up: either the syntax was off, or something else. Okay, a couple of commits later you seem to have fixed it, but you've already cluttered the repo with messy commits. Fine, then we get to the terraform apply stage, and there the cloud provider makes its own adjustments that weren't known at the plan stage. And the debugging starts all over again. 👾

👀 In the end, I came to the conclusion long ago that terraform and CI/CD are better not mixed; it's far more convenient and safer to perform infrastructure changes from localhost. The only thing is that the human factor still plays a role, and sometimes after a local apply people forget to push the updated code, but that's solved by other means.
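One of those "other means" is a read-only drift check: a job (or a pre-push hook) that runs `terraform plan -detailed-exitcode` against the committed code and fails when the plan is not empty, which is exactly what happens when someone applied locally and forgot to push. The wrapper below is an added example, not code from the post; `terraform plan` really does exit 0 for no changes, 1 on error and 2 when changes are pending, while the `TERRAFORM_BIN` override and the `check_drift`/`drift_label` names are assumptions made so the script can be exercised against a stub without a cloud account.

```shell
#!/bin/sh
# Added example (not from the original post): a read-only drift check built on
# `terraform plan -detailed-exitcode`. Exit code semantics of that flag:
#   0 = plan is empty (code and live infra agree)
#   1 = terraform itself failed (syntax, provider, credentials, ...)
#   2 = plan has changes (code and live infra have drifted apart)
# TERRAFORM_BIN is an assumption so the wrapper can be pointed at a stub binary.

TERRAFORM_BIN="${TERRAFORM_BIN:-terraform}"

# Map the exit code to a label. Kept separate from the terraform call so it can
# be reasoned about (and tested) without terraform installed.
drift_label() {
    case "$1" in
        0) echo "in-sync" ;;
        2) echo "drift" ;;
        *) echo "error" ;;
    esac
}

# Run a plan in $1 and return terraform's own exit code unchanged, so a caller
# (CI job, git hook) can decide what to do with 0 / 1 / 2.
# -input=false: never block waiting for a variable prompt in automation.
# -lock=false:  this is a read-only check; do not hold the state lock and
#               collide with a colleague's real apply.
check_drift() {
    dir="$1"
    "$TERRAFORM_BIN" -chdir="$dir" plan -detailed-exitcode -input=false -lock=false >/dev/null 2>&1
    rc=$?
    case "$(drift_label "$rc")" in
        in-sync) echo "ok: $dir matches live infrastructure" ;;
        drift)   echo "DRIFT: $dir differs from live infrastructure (unpushed local apply, or manual change?)" ;;
        *)       echo "error: terraform plan failed in $dir (exit $rc)" ;;
    esac
    return "$rc"
}
```

A CI job that calls `check_drift infra/prod` on every push gets a red build when the repo no longer describes what is actually deployed, without ever running an apply from the pipeline; exit code 2 is the signal to go find who applied locally and have them push.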

〰️ There's also an interesting-looking tool — crossplane — which lets you manage infra from k8s through custom resources. I haven't had a chance to try it, but I think it could work for limited management of resources for development needs.