We run CI pipelines in which we deploy all our infrastructure using terraform, run some tests, then destroy that infrastructure.
We also have a script which runs terraform import upon that infrastructure. I want to run some tests in our CI pipeline to check that those import scripts can successfully get us back to a true state. My desired method of doing this is to, in our CI pipeline:
- deploy the infrastructure
- rename the terraform state file to terraform.tfstate.old
- run the terraform import script
- compare the new terraform.tfstate to terraform.tfstate.old to check that they are the same. If not, fail the pipeline
- destroy the infrastructure
My question is about step 4: compare the new terraform.tfstate to terraform.tfstate.old to check that they are the same. Obviously it won't be sufficient to check they are the same by simply comparing file hashes because:
- There are various parts that are guaranteed to be different (e.g. lineage, some of the resources might have attributes that are legitimately different)
- The resources might not exist in the same order that they did before
- The new tfstate file won’t contain the outputs
So, I'm looking for an algorithm to verify that the infrastructure represented by two tfstate files is identical. Before I handcrank something like this myself, does anyone know if this is a solved problem anywhere?
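One way to implement the comparison the question asks for, as an added example that is not part of the question and not any HashiCorp or third-party tool: parse both files as the v4 JSON state format, index every resource instance by its address so ordering stops mattering, never read lineage, serial, terraform_version or outputs, and compare the remaining attributes key by key with a caller-supplied allowlist of attributes that are permitted to differ. The two sample states, the `etag` attribute used as the "legitimately different" example, and the decision to treat the per-instance `private` and `dependencies` fields as non-semantic are all assumptions made for this example; adjust the ignore lists for your providers.

```python
"""Semantic comparison of two Terraform state files (v4 JSON layout).

Two states count as equivalent when they hold the same resource instances
with the same attributes, ignoring state bookkeeping (lineage, serial,
terraform_version, outputs), resource order, and caller-listed attributes.
"""
import copy
import json
import sys
from typing import Any, Dict, List, Set

# Per-instance keys that are bookkeeping rather than infrastructure.
# ASSUMPTION for this example: "private" is opaque provider data and
# "dependencies" is derived from config, so neither is compared.
INSTANCE_IGNORE = {"private", "dependencies", "sensitive_attributes", "create_before_destroy"}


def instance_address(res: Dict[str, Any], inst: Dict[str, Any]) -> str:
    """Build a stable address such as module.app.aws_s3_bucket.logs["a"]."""
    parts: List[str] = []
    if res.get("module"):
        parts.append(res["module"])
    if res.get("mode") == "data":
        parts.append("data")
    parts.append(f'{res["type"]}.{res["name"]}')
    addr = ".".join(parts)
    if inst.get("index_key") is not None:  # count / for_each instance
        addr += f'[{json.dumps(inst["index_key"])}]'
    return addr


def normalize(state: Dict[str, Any], ignore_attrs: Dict[str, Set[str]]) -> Dict[str, Dict[str, Any]]:
    """Index each resource instance by address, keeping only comparable data.

    Top-level bookkeeping is dropped simply by never reading it, and indexing
    by address makes the comparison independent of resource order.
    """
    indexed: Dict[str, Dict[str, Any]] = {}
    for res in state.get("resources", []):
        skip = ignore_attrs.get("*", set()) | ignore_attrs.get(res["type"], set())
        for inst in res.get("instances", []):
            addr = instance_address(res, inst)
            if addr in indexed:
                raise ValueError(f"duplicate address in state: {addr}")
            indexed[addr] = {
                "provider": res.get("provider"),
                "schema_version": inst.get("schema_version"),
                "attributes": {k: v for k, v in inst.get("attributes", {}).items() if k not in skip},
            }
    return indexed


def canonical(value: Any) -> str:
    """Key-order-independent rendering of nested values; list order is kept."""
    return json.dumps(value, sort_keys=True, separators=(",", ":"))


def diff_states(old: Dict[str, Any], new: Dict[str, Any], ignore_attrs=None) -> List[str]:
    """Return human-readable differences; an empty list means equivalent."""
    ignore_attrs = ignore_attrs or {}
    a, b = normalize(old, ignore_attrs), normalize(new, ignore_attrs)
    problems: List[str] = []
    for addr in sorted(a.keys() - b.keys()):
        problems.append(f"missing in new state: {addr}")
    for addr in sorted(b.keys() - a.keys()):
        problems.append(f"unexpected in new state: {addr}")
    for addr in sorted(a.keys() & b.keys()):
        for field in ("provider", "schema_version"):
            if a[addr][field] != b[addr][field]:
                problems.append(f"{addr}: {field} {a[addr][field]!r} != {b[addr][field]!r}")
        oa, na = a[addr]["attributes"], b[addr]["attributes"]
        for key in sorted(oa.keys() | na.keys()):
            if canonical(oa.get(key)) != canonical(na.get(key)):
                problems.append(f"{addr}: attribute {key!r} {oa.get(key)!r} != {na.get(key)!r}")
    return problems


# Constructed sample states (not real infrastructure). OLD_STATE is what the
# apply wrote; NEW_STATE mimics an import: new lineage/serial, no outputs,
# resources in a different order, no dependencies/private data, and an
# "etag" attribute that is ASSUMED to differ legitimately.
_AWS = 'provider["registry.terraform.io/hashicorp/aws"]'
OLD_STATE: Dict[str, Any] = {
    "version": 4, "terraform_version": "1.5.0", "serial": 7, "lineage": "aaaa-1111",
    "outputs": {"bucket": {"value": "logs-prod", "type": "string"}},
    "resources": [
        {"mode": "managed", "type": "aws_s3_bucket", "name": "logs", "provider": _AWS,
         "instances": [{"schema_version": 0,
                        "attributes": {"id": "logs-prod", "bucket": "logs-prod",
                                       "tags": {"env": "prod"}, "etag": "1"},
                        "private": "b64-opaque", "dependencies": ["aws_kms_key.logs"]}]},
        {"mode": "managed", "type": "aws_kms_key", "name": "logs", "provider": _AWS,
         "instances": [{"schema_version": 0,
                        "attributes": {"id": "k-123", "enable_key_rotation": True}}]},
    ],
}
NEW_STATE = copy.deepcopy(OLD_STATE)
NEW_STATE.update({"serial": 1, "lineage": "bbbb-2222", "outputs": {}})
NEW_STATE["resources"].reverse()
_s3 = NEW_STATE["resources"][1]["instances"][0]
_s3["attributes"]["etag"] = "2"
_s3.pop("private"), _s3.pop("dependencies")
# A state where the import really missed something: key rotation is wrong.
DRIFTED_STATE = copy.deepcopy(NEW_STATE)
DRIFTED_STATE["resources"][0]["instances"][0]["attributes"]["enable_key_rotation"] = False
ALLOWED_DIFFS = {"aws_s3_bucket": {"etag"}}  # hypothetical per-type allowlist

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: compare_state.py terraform.tfstate.old terraform.tfstate
        with open(sys.argv[1]) as f_old, open(sys.argv[2]) as f_new:
            found = diff_states(json.load(f_old), json.load(f_new), ALLOWED_DIFFS)
    else:
        found = diff_states(OLD_STATE, DRIFTED_STATE, ALLOWED_DIFFS)
    print("\n".join(found) or "states are equivalent")
    sys.exit(1 if found else 0)  # non-zero exit fails the pipeline step
```

Run with the two state file paths to get a non-zero exit on any unexplained difference. One caveat worth keeping in mind: attributes whose values are sets are stored as JSON lists, so if a provider returns them in a different order after import you will get a spurious difference; either add that attribute to the allowlist or sort such lists before comparing.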