Terraform plan drift in CI pipeline for DFO routing

Context:
Setting up a GitHub Actions workflow for CXone infrastructure. The goal is to run terraform plan on pull requests to catch drift before merging to main. I have the NICE CXone provider configured with OIDC token exchange. The workflow triggers on pull_request_target.

name: tf-plan
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  plan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: hashicorp/setup-terraform@v2
      - run: terraform init
      - run: terraform plan -out=tfplan

Question:
Why does this setting in the workflow cause the plan step to fail with Error: Provider produced inconsistent result after apply when the code hasn’t changed? The state file is stored in remote S3 backend. It seems the provider is fetching live state from the API during the plan, which includes dynamic values like created_date or internal IDs that differ from the committed state file. Is there a flag to ignore these computed fields in the plan output or should I be using terraform refresh before plan?

Check your OIDC token refresh logic.

CXone tokens expire fast. If your plan step takes longer than the token TTL, drift detection fails silently. Cache the token in Redis with a short TTL to handle retries.

redis-cli SET "cxone:token" "$TOKEN" EX 300

Cause: pull_request_target gives the runner elevated permissions and checks out the default branch, not the PR head. That’s a massive security hole.

Solution:

  1. Switch to pull_request with GITHUB_TOKEN for read-only plans.
  2. Use actions/checkout@v4 with ref: ${{ github.event.pull_request.head.sha }} to actually test the PR code.
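A hardened version of the workflow along the lines of this answer, as an added example that is not code from the original post. It keeps the plan on the pull_request trigger, drops the job token to read-only, and checks out the PR head commit. The id-token: write permission is what GitHub's OIDC token exchange needs; the aws-actions/configure-aws-credentials step, the role ARN and the region are assumptions about how the S3 backend is reached and are not stated in the question.

```yaml
name: tf-plan
on:
  pull_request:
    types: [opened, synchronize]

# Least privilege for GITHUB_TOKEN: read the repo, mint an OIDC token, nothing else.
permissions:
  contents: read
  id-token: write

jobs:
  plan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Plan the PR head commit rather than the base branch.
          ref: ${{ github.event.pull_request.head.sha }}
          # Do not leave the job token in .git/config for later steps.
          persist-credentials: false

      - uses: hashicorp/setup-terraform@v3

      # Assumption: the S3 backend is reached by assuming an AWS role over OIDC.
      # The ARN and region below are placeholders, not values from the question.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/tf-plan-readonly
          aws-region: us-east-1

      - run: terraform init -input=false

      # A PR plan is read-only: no state lock, no interactive prompts.
      - run: terraform plan -input=false -lock=false -out=tfplan
```

With pull_request the checkout step already uses the PR's merge ref, so setting ref to the head SHA only matters if you want to plan the exact commit the contributor pushed. Treat the tfplan file as sensitive: it can contain provider credentials and resource attributes, so do not upload it as a build artifact from a workflow that untrusted forks can trigger.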