# Terraform plan for developer role?


harsh badge

By default terraform plan step runs in an MR pipeline, but developers aren't allowed to access the TF state so the job fails.
Any bright ideas?
I wondered if maybe a pipeline trigger configured to run as someone with the maintainer role might be a good idea, though I realise it would be an attack vector...

pseudo folio

You can use `-lock=false`. Only locking is limited to maintainers, but reading the state is allowed.

#

But you should only disable the lock for pipelines from MRs, never for pipelines that actually plan to apply their changes.

buoyant cloak

That's the best option for plan, yeah. For apply (if you want review environments), you can use a project access token to at least limit the attack vector.
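Putting the two answers together in one `.gitlab-ci.yml`, as an added example that is not from this thread or from GitLab's own templates: the MR plan job uses the developer's `CI_JOB_TOKEN` with `-lock=false` (read-only access is enough), while the apply job keeps locking on and authenticates with a project access token. The state name `production`, the `infra` directory and the masked, protected CI variable `TF_APPLY_TOKEN` are assumptions.

```yaml
# Constructed example, not the original poster's pipeline. Assumes the
# GitLab-managed Terraform HTTP backend, Terraform code under infra/, and a
# masked + protected CI variable TF_APPLY_TOKEN holding a project access
# token with the Maintainer role (so it can lock and write state).
stages: [build, deploy]

variables:
  TF_STATE_NAME: production

.tf-init:
  image: hashicorp/terraform:1.6
  before_script:
    - cd infra
    - >
      terraform init -input=false
      -backend-config="address=${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/${TF_STATE_NAME}"
      -backend-config="lock_address=${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/${TF_STATE_NAME}/lock"
      -backend-config="unlock_address=${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/${TF_STATE_NAME}/lock"
      -backend-config="username=gitlab-ci-token"
      -backend-config="password=${TF_BACKEND_PASSWORD}"
      -backend-config="lock_method=POST"
      -backend-config="unlock_method=DELETE"

plan-mr:
  extends: .tf-init
  stage: build
  variables:
    # Job token carries the triggering developer's permissions:
    # it can read the state but cannot take the lock.
    TF_BACKEND_PASSWORD: $CI_JOB_TOKEN
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  script:
    # -lock=false is acceptable only here: a plan never writes state.
    - terraform plan -input=false -lock=false

apply:
  extends: .tf-init
  stage: deploy
  variables:
    # Protected variable: only exposed on protected branches, so an MR from
    # a developer branch never sees the Maintainer-level token.
    TF_BACKEND_PASSWORD: $TF_APPLY_TOKEN
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: manual
  script:
    # Locking stays on: apply mutates state and concurrent runs must serialise.
    - terraform plan -input=false -out=plan.tfplan
    - terraform apply -input=false plan.tfplan
```

Marking `TF_APPLY_TOKEN` as protected is what keeps the separation meaningful: an unprotected variable would be readable from any MR job and would reintroduce the escalation path the first poster was worried about.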