Spacelift should take terraform plan and pass into terraform apply to ensure it only plans once

When the terraform plan output is posted into a PR so approvers can review it easily, the assumption is that those are the changes that will be applied to the state file being changed. However, when the PR is merged into the default branch, Spacelift's default behaviour is to re-plan from the default branch and apply that second plan.

This poses a problem if the environment changes between the plan shown in the PR and the second plan run after merge: Spacelift could then be applying changes which the original PR reviewer never approved. In the real world of AWS ClickOps this is a very real issue, where another engineer could have made manual changes during an incident to mitigate a problem, and Spacelift would be reverting those changes.

Adding an extra gate after merge, on apply to production environments, would be fine at small scale, but not for customers managing large-scale infrastructure who want to follow a strict GitOps workflow. For them it is very important to make things easier to manage, not harder, and to keep the audit trail clearer.
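The workflow the request asks for can be expressed with plain Terraform CLI commands. The script below is an added example, not Spacelift's implementation or anything from the original post: the PR job plans exactly once and saves the binary plan, and the post-merge job applies that saved plan instead of re-planning. It assumes the CI system carries the file under `PLAN_DIR` from the PR job to the post-merge job and that the post-merge job checks out the same commit that was reviewed; the function names and the `PLAN_DIR` variable are my own choices.

```shell
#!/usr/bin/env sh
# Added example: plan once in the PR, apply that exact plan after merge.
# Assumptions (not from the post): the CI system persists PLAN_DIR between
# the PR job and the post-merge job, and both jobs run on the reviewed commit.
set -eu

PLAN_DIR="${PLAN_DIR:-.plans}"

# Name the saved plan after the reviewed commit so the apply stage can only
# pick up the artifact that the reviewers actually saw.
plan_artifact_path() {
  commit="$1"
  printf '%s/%s.tfplan' "$PLAN_DIR" "$commit"
}

# PR stage: plan exactly once, save the binary plan, and render it as text
# for the PR comment. With -detailed-exitcode: 0 = no changes, 1 = error,
# 2 = changes present; only 1 is a failure here.
plan_for_review() {
  commit="$1"
  mkdir -p "$PLAN_DIR"
  plan="$(plan_artifact_path "$commit")"
  terraform init -input=false >/dev/null
  set +e
  terraform plan -input=false -lock-timeout=60s -out="$plan" -detailed-exitcode
  rc=$?
  set -e
  [ "$rc" -ne 1 ] || return 1
  # Saved plan files can contain sensitive values from state and variables,
  # so PLAN_DIR must be stored with the same access controls as the state.
  terraform show -no-color "$plan" > "$plan.txt"
  return 0
}

# Post-merge stage: apply the saved plan, never re-plan. Terraform refuses a
# saved plan whose state serial no longer matches ("Saved plan is stale"),
# which is exactly the drift between PR plan and apply that the post describes:
# the job fails loudly instead of silently reverting someone's manual change.
apply_approved_plan() {
  commit="$1"
  plan="$(plan_artifact_path "$commit")"
  if [ ! -f "$plan" ]; then
    echo "no reviewed plan found for commit $commit" >&2
    return 1
  fi
  terraform apply -input=false -lock-timeout=60s "$plan"
}
```

On a pull request the CI job sources this file and runs `plan_for_review "$COMMIT_SHA"`, posting `$PLAN_DIR/$COMMIT_SHA.tfplan.txt` as the PR comment; after merge it runs `apply_approved_plan "$COMMIT_SHA"` with the same SHA. A stale-plan failure is the signal that the environment moved since review and that a fresh PR, not an automatic re-plan, is needed.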


Status: 🔭 Discovery

Board: 💡 Feature Requests

Tags: IaC Workflows

Date: 8 days ago
