Best Practice for Developing Terraform in GCP?

Hi! I would like my “devopelers” to be able to run terraform plan against my prod environment, but NOT run terraform apply . . . is this possible? I’ve tried to create a “read-only” service account, but the service account needs to be able to write a lock file, so that didn’t work (I don’t really want to run with -lock=false).

Any advice out there for safe development? Thanks!

Hi @gmatz,

It sounds like what you are trying to do is set up the gcs backend so that your users can only lock the state for read operations, and not for write operations.

Unfortunately I don’t think that’s possible, because Terraform doesn’t distinguish between different kinds of locks; it supports only a single mutual-exclusion lock per workspace, which aims to block anyone else from acquiring a lock. The locking mechanism is not intended as a means of access control, only as a way to avoid two people trying to run Terraform operations at the same time.

I think my best idea to meet your requirement would be to apply the access control to the real operations Terraform would be performing, rather than to the state lock. Specifically, I’m thinking of using the access control mechanisms of the remote systems you’re interacting with to give your users read access but not write access, which should then allow the providers to take the actions they need to take during planning, but cause an immediate access control failure if someone actually tries to apply a plan, because the remote system will block the write operations that the provider tries to perform in order to execute the plan.

One advantage of this approach is that it means the users won’t be able to use the credentials you’ve issued them to make modifications by either intentionally or unintentionally using Terraform incorrectly (such as using -lock=false in your example), or by bypassing Terraform altogether. Of course, that comes in return for the disadvantage of being more complex to set up because you need a more detailed access policy than just control over a single locking operation.

Ah!! At first I didn’t understand what you meant by [quote=“apparentlymart, post:2, topic:42330”]
real operations
[/quote]!! Yes, fine idea. Thanks.