Merge pull request #3663 from nhsuk/improve_terraform_plan_validation

TheOneFromNorway · web-flow · commit feda5a194250 · 2025-06-05T13:19:06.000+01:00
Improve plan validation in pipeline
diff --git a/.github/workflows/deploy-infrastructure.yml b/.github/workflows/deploy-infrastructure.yml
@@ -156,11 +156,13 @@ jobs:
         run: |
           set -e
           terraform init -backend-config="env/${{ inputs.environment }}-backend.hcl" -upgrade
-          terraform plan -var="image_digest=$DIGEST" -var="app_version=$APP_VERSION" -var-file="env/${{ inputs.environment }}.tfvars" \
-          -out ${{ runner.temp }}/tfplan | tee ${{ runner.temp }}/tf_stdout
-      - name: Validate the changes
-        run: |
-          set -e
+          terraform plan -var="image_digest=$DIGEST" -var-file="env/${{ inputs.environment }}.tfvars" \
+          -out ${{ runner.temp }}/tfplan &> ${{ runner.temp }}/tf_stdout
+          TF_EXIT_CODE=$?
+          cat ${{ runner.temp }}/tf_stdout
+          if [ $TF_EXIT_CODE -eq 1 ]; then
+              exit $TF_EXIT_CODE
+          fi
           ../scripts/validate_plan.sh ${{ runner.temp }}/tf_stdout
       - name: Upload artifact
         uses: actions/upload-artifact@v4
diff --git a/terraform/scripts/validate_plan.sh b/terraform/scripts/validate_plan.sh
@@ -38,11 +38,11 @@ tfstdout=$1
 
 for resource in "${down_time_if_destroyed[@]}"; do
   if [[ $(grep -cE "$resource.*(replaced|destroyed)" "$tfstdout") -ne 0 ]]; then
-    echo "A resource is being destroyed:"
+    echo -e "\e[41mPOTENTIALLY CRITICAL RESOURCES ARE BEING DESTROYED:\e[0m"
     grep -E "$resource.*(replaced|destroyed)" "$tfstdout"
-    echo "This would cause a downtime. Aborting"
-    exit 1
+    echo "Check carefully if this would cause a downtime"
+    exit 0
   fi
 done
 
-echo "No obvious downtime-relevant changes detected. Proceeding with the plan."
+echo -e "\e[32mNo obvious downtime-relevant changes detected.\e[0m"
