Add --check parameter

[mcanevet]

When tainting the resource where the provisioning is attached, I'd like to be able to run Ansible in check mode first.

My workflow is:

variable "ansible_check" {
  default = "true"
}

resource "aws_instance" "test_box" {
  ...
}

resource "null_resource" "provisioner" {
  # ...
  connection {
    user = "centos"
    host = "${aws_instance.test_box.public_ip}"
  }
  provisioner "ansible" {
    plays {
      playbook = {
        file_path = "/path/to/playbook/file.yml"
        roles_path = ["/path1", "/path2"]
        force_handlers = false
        skip_tags = ["list", "of", "tags", "to", "skip"]
        start_at_task = "task-name"
        tags = ["list", "of", "tags"]
      }
      # shared attributes
      enabled = true
      hosts = ["zookeeper"]
      groups = ["consensus"]
      become = false
      become_method = "sudo"
      become_user = "root"
      diff = false
      check = "${var.ansible_check}"
      extra_vars = {
        extra = {
          variables = {
            to = "pass"
          }
        }
      }
      forks = 5
      inventory_file = "/optional/inventory/file/path"
      limit = "limit"
      vault_id = ["/vault/password/file/path"]
      verbose = false
    }

So that I can conditionally apply/re-apply the playbook with:

$ terraform taint null_resource.provisioner
$ terraform apply # dry-run
$ terraform taint null_resource.provisioner
$ TF_VAR_ansible_check=false terraform apply # apply playbook

[mcanevet]

@radekg any thought on this?

[radekg]

Hey @mcanevet, apologies. Last few days were pretty busy. Looks really good.
Thank you!

[mcanevet]

@radekg thanks for merging this.
I have another idea to implement but I don't really know how to do it.
I'd like to have an option to not mark the resource as created if check mode is enabled and the playbook has some changes to apply.
AFAIK, Ansible does not have some kind of --detailed-exitcode, the only way I found to check if there is some changes to apply is to search for the changed=0 string in the output.

Currently I have to do something like this:

$ terraform taint null_resource.provisioner
$ terraform apply -target null_resource.provisioner | tee /dev/stderr | grep -q changed=0 || terraform taint null_resource.provisioner # dry-run with tainting again if something has to be applied
$ TF_VAR_ansible_check=false terraform apply

That works as long as I have only one null_resource in my Terraform project, but I usually have 2 (one generic playbook to apply to all my instances, and sometimes one specific module to do some specific stuffs on one instance). In that case, dependencies makes hard to know which null_resource have to be marked as tainted again.

It would be easier (and more logical I think), if the Ansible provisioner would return in failure if there is some changes to apply and we are in check mode. In that case, my workflow would be:

$ terraform taint null_resource.provisioner
$ terraform apply -target null_resource.provisioner # dry-run, null_resource will not be marked as created if something has to be applied
$ TF_VAR_ansible_check=false terraform apply

Thus if the ansible playbook hasn't converged yet, it will be re-applied.

[mcanevet]

Maybe I should create an issue for that instead of adding a comment on this PR