Terraform plan failing on PR due to state drift in Genesys Cloud provider

Hey everyone,

We’re trying to set up a CI/CD pipeline for our Genesys Cloud configuration using Terraform. The goal is to run terraform plan on every Pull Request to catch drift, and only run apply when the PR gets merged into the main branch.

The setup seems straightforward, but we’re hitting a wall with the state file. We’re storing the state in an S3 bucket with DynamoDB locking. The issue is that terraform plan in the PR environment is picking up the state from a previous run that wasn’t fully applied or was reverted, causing it to show massive differences for resources that haven’t actually changed in our code.

Here’s the relevant part of our GitHub Actions workflow:

name: Genesys Cloud Terraform
on:
  pull_request:
    branches: [ main ]
  push:
    branches: [ main ]

jobs:
  terraform:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: 1.5.0

      - name: Init
        run: terraform init
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

      - name: Plan
        run: terraform plan -var-file=vars.tfvars
        env:
          GENESYS_CLOUD_OAUTH_CLIENT_ID: ${{ secrets.GENESYS_CLOUD_CLIENT_ID }}
          GENESYS_CLOUD_OAUTH_CLIENT_SECRET: ${{ secrets.GENESYS_CLOUD_CLIENT_SECRET }}
          GENESYS_CLOUD_OAUTH_TOKEN_URL: ${{ secrets.GENESYS_CLOUD_TOKEN_URL }}

The plan step fails with errors about missing resources or incorrect IDs, even though the code is identical to what’s currently in the environment. It looks like the state file is out of sync with the actual Genesys Cloud instance.

We’ve tried running terraform refresh before the plan, but that doesn’t seem to help in the CI context. Is there a way to force a state pull or ensure the state is consistent before the plan runs? Or should we be using a different strategy for managing state in PRs?

Any insights would be appreciated. We don’t want to accidentally blow away configs on a failed PR merge.
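
Added example, not part of the original post: a CI gate that reads the JSON form of a saved plan and fails the job when the plan would delete or replace resources, which is the outcome the post wants to avoid on a drifted state. It assumes the plan was saved with `terraform plan -out=tfplan` and exported with `terraform show -json tfplan > plan.json`; the function names, the threshold parameter and the sample resource addresses are constructed for illustration.

```python
import json
import sys

# Constructed sample in the shape of `terraform show -json <planfile>` output.
# Resource addresses are made up for illustration.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "genesyscloud_routing_queue.support",
         "change": {"actions": ["no-op"]}},
        {"address": "genesyscloud_routing_skill.billing",
         "change": {"actions": ["delete", "create"]}},
        {"address": "genesyscloud_user.agent1",
         "change": {"actions": ["delete"]}},
        {"address": "genesyscloud_routing_wrapupcode.done",
         "change": {"actions": ["update"]}},
    ],
})


def summarize_plan(plan_json):
    """Bucket each resource change in a JSON plan by what it would do."""
    plan = json.loads(plan_json)
    summary = {"create": [], "update": [], "replace": [], "delete": []}
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        if "delete" in actions and "create" in actions:
            summary["replace"].append(rc["address"])  # destroy + recreate
        elif "delete" in actions:
            summary["delete"].append(rc["address"])
        elif "create" in actions:
            summary["create"].append(rc["address"])
        elif "update" in actions:
            summary["update"].append(rc["address"])
    return summary


def gate(plan_json, max_destructive=0):
    """Return (ok, addresses) where addresses would be deleted or replaced."""
    summary = summarize_plan(plan_json)
    destructive = sorted(summary["delete"] + summary["replace"])
    return len(destructive) <= max_destructive, destructive


if __name__ == "__main__":
    # With a path argument, check that file; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    ok, destructive = gate(text)
    for address in destructive:
        print(f"destructive change: {address}")
    sys.exit(0 if ok else 1)
```

Run as a step after the plan in the pull request job, a non-zero exit blocks the merge until someone has reviewed the listed addresses.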