From afd0162a1cebd3c2634db4735ae25000d81143e4 Mon Sep 17 00:00:00 2001
From: Nicholas Warila <33955773+NWarila@users.noreply.github.com>
Date: Sat, 20 Jun 2026 15:31:32 +0000
Subject: [PATCH] ci(reusable): make plan_only use local backend
---
 .github/workflows/reusable-terraform-deploy.yaml | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/reusable-terraform-deploy.yaml b/.github/workflows/reusable-terraform-deploy.yaml
index f32ba77..93d40ae 100644
--- a/.github/workflows/reusable-terraform-deploy.yaml
+++ b/.github/workflows/reusable-terraform-deploy.yaml
@@ -230,7 +230,16 @@ jobs:
 working-directory: framework/terraform
 run: |
 set -euo pipefail
- terraform init -backend=false
+ # plan_only: replace the S3 backend with a local one so the ungated import-adoption
+ # steps can write to EPHEMERAL local state. The canonical S3 tfstate is never
+ # configured or reached here; OIDC/AWS creds are also skipped under plan_only (two
+ # independent guards). The whole framework/ workspace is deleted in Cleanup.
+ cat > 00-providers.tf <<'EOF'
+ terraform {
+ backend "local" {}
+ }
+ EOF
+ terraform init
 - name: Terraform init (S3 backend)
 if: ${{ !inputs.plan_only }}
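Review bot: Overwriting `00-providers.tf` with nothing but a `backend "local" {}` block discards whatever else that file declared (presumably `required_providers` / `required_version`, not visible in this hunk), so the plan_only init can resolve different provider versions than the gated S3 path, and if the S3 `backend` block lives in another `.tf` file the run instead fails on a duplicate backend configuration. A Terraform override file replaces only the backend and leaves the rest of the configuration untouched: write the same `terraform { backend "local" {} }` body with `cat > backend_override.tf <<'EOF'` instead of clobbering the providers file. Running `terraform init -input=false` would additionally make a missing backend value fail fast in CI rather than prompt. The step's own `name:` and `if:` guard sit above the hunk, so whether this step is itself gated on `inputs.plan_only` cannot be confirmed from here; the comment's claims about OIDC being skipped and Cleanup deleting the workspace likewise refer to steps outside this hunk.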
@@ -255,8 +264,8 @@ jobs:
 # `terraform import`, which writes to whatever backend the preceding init configured.
 # They are intentionally UNGATED so the dry-run plan faithfully reflects reconciliation
 # (not misleading creates). This is safe under plan_only ONLY because the
- # `terraform init (plan_only local state)` step ran `-backend=false` (local ephemeral
- # state) and the S3-backend init was skipped. DO NOT allow the S3-backend init to run
+ # `terraform init (plan_only local state)` initialized an ephemeral local backend,
+ # and the S3-backend init was skipped. DO NOT allow the S3-backend init to run
 # under plan_only, or these imports would write to the canonical S3 tfstate.
 - name: Adopt existing repositories into state
 working-directory: framework/terraform