Is there any way to get TF output ONLY for resources that are going to be created from a given plan or apply?

For context, I want to spit out instructions to the person running the terraform to go send an IT ticket to create an AD group. In an ideal world this would be run in a CI/CD ecosystem that had permissions to create AD groups from terraform, but that's not the world I live in at the moment.

I started looking at conditionals, and there MIGHT be a way if you grab your existing state as a data resource? Seems clumsy.

In the plan there’s a Changes to Outputs: section, which will show any items that will be either added or modified, but I assume that’s not what you’re looking for?

To do more than that, I'm guessing you might have to write something custom? I think if you first dump the plan to a plan file, then dump that as JSON, the resulting JSON data will have output_changes.foo.actions and you could then filter on ones that have create within actions?

This dumb example works for me:

$ terraform show -json plan.json | jq '.output_changes[] | select(.actions[] | contains("create")) | .after'

Oooh - good call. “changes to outputs” might be a good place for this.

It doesn’t sound like you necessarily want outputs, but all resource changes are also enumerated in the plan as well. You can search for create actions of the type you want, and apply the policy of your choosing.

The output of terraform show -json is intended for programmatic use like this, and the most common application is for policy enforcement.
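A worked version of the plan-JSON filtering described in the two replies above, as an added example that is not code from anyone in this thread. It reads the `terraform show -json` representation, selects `output_changes` with a create action (the same selection as the jq one-liner) and `resource_changes` with a create action of a chosen type, and renders a ticket instruction per new resource. The embedded sample plan is constructed by hand in the shape of the plan JSON format; the resource type `example_ad_group`, its `group_name`/`auth_path` attributes and the file name `plan_filter.py` are placeholders, not anything from the poster's configuration.

```python
"""Filter a `terraform show -json` plan for things that will be created.

Added example for this thread, not any poster's code. SAMPLE_PLAN is
constructed by hand in the shape of Terraform's JSON plan representation;
the resource type "example_ad_group" and its attributes are placeholders.
Real use:  terraform plan -out=tfplan && terraform show -json tfplan | python3 plan_filter.py
"""
import json
import sys

SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {   # existing resource with an attribute change: not a create
            "address": "local_file.readme", "type": "local_file",
            "change": {"actions": ["update"], "before": {"content": "a"},
                       "after": {"content": "b"}, "after_unknown": {}},
        },
        {   # brand-new resource: what the original question asks about
            "address": 'example_ad_group.kerb["app-admins"]',
            "type": "example_ad_group", "index": "app-admins",
            "change": {"actions": ["create"], "before": None,
                       "after": {"group_name": "app-admins", "auth_path": "kerberos"},
                       "after_unknown": {}},
        },
        {   # replacement: reported as delete+create, one value computed at apply
            "address": 'example_ad_group.kerb["ops"]',
            "type": "example_ad_group", "index": "ops",
            "change": {"actions": ["delete", "create"],
                       "before": {"group_name": "ops", "auth_path": "kerberos"},
                       "after": {"group_name": "ops"},
                       "after_unknown": {"auth_path": True}},
        },
        {   # removal: never a create
            "address": 'example_ad_group.kerb["legacy"]',
            "type": "example_ad_group", "index": "legacy",
            "change": {"actions": ["delete"],
                       "before": {"group_name": "legacy", "auth_path": "kerberos"},
                       "after": None, "after_unknown": {}},
        },
    ],
    "output_changes": {
        # an output whose value merely changes is an "update", so a filter on
        # "create" in output_changes does not flag the new group through it
        "kerb_auth_groups_instructions": {"actions": ["update"],
                                          "before": ["old"], "after": ["old", "new"]},
        "new_group_names": {"actions": ["create"], "before": None,
                            "after": ["app-admins"]},
    },
})

TEMPLATE = ("Please send an IThelp ticket to create group {group_name} "
            "in the domain for {auth_path} ({address})")


def load_plan(text):
    """Parse plan JSON text (the output of `terraform show -json <planfile>`)."""
    return json.loads(text)


def created_resources(plan, resource_type=None):
    """resource_changes whose actions include "create" (plain create or a
    replace), optionally restricted to one resource type."""
    hits = []
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        if "create" not in actions:
            continue
        if resource_type is not None and rc.get("type") != resource_type:
            continue
        hits.append(rc)
    return hits


def created_outputs(plan):
    """Same selection as the jq one-liner: outputs with a "create" action."""
    return {name: change.get("after")
            for name, change in plan.get("output_changes", {}).items()
            if "create" in change.get("actions", [])}


def group_instructions(plan, resource_type, template=TEMPLATE):
    """One ticket instruction per resource of resource_type that will be created.
    Values not known until apply are absent from "after" and flagged in
    "after_unknown", so say so instead of printing an empty string."""
    lines = []
    for rc in created_resources(plan, resource_type):
        after = rc["change"].get("after") or {}
        unknown = rc["change"].get("after_unknown") or {}

        def attr(key):
            if key in after:
                return after[key]
            return "<unknown until apply>" if unknown.get(key) else "<unset>"

        lines.append(template.format(address=rc["address"],
                                     group_name=attr("group_name"),
                                     auth_path=attr("auth_path")))
    return lines


if __name__ == "__main__":
    # Read a real plan from stdin when piped; otherwise run on the sample.
    plan = load_plan(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLAN)
    for line in group_instructions(plan, "example_ad_group"):
        print(line)
    for name, value in created_outputs(plan).items():
        print(f"new output {name}: {value}")
```

Two points the sample is built to show: a replacement appears as `["delete", "create"]`, so check for membership of `"create"` rather than equality with `["create"]`; and an output that already existed and merely grows (the instruction list) is an `update`, so the per-resource filter on `resource_changes` is the one that actually answers "only things being created".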

Yeah, I get that. Unfortunately, we don't currently have any tooling around TF apply automation; it's "whoever put the change in will run it on their own". I'm looking for a band-aid because my team doesn't have the resources to build stronger guardrails here.

This is working for me:

locals {
  # Instruction template; the %s placeholders are filled by format() below.
  kerb_group_string = <<-EOT
    Please send an IThelp ticket to create group %s in the domain for %s
    Include the intent of the group, the owner(s), and the members.
    If this is in the bungie domain, also request that this group be made a member of hcp_vault_kerberos_auth_users
  EOT
}

# local.kerb_auth_groups (objects with group_name and auth_path) is defined
# elsewhere in this configuration and is not shown here.
output "kerb_auth_groups_instructions" {
  value = [
    for group in local.kerb_auth_groups :
    format(local.kerb_group_string, group.group_name, group.auth_path)
  ]
}

and then that gets printed in the changes to outputs.