
Why is the production plan job in to-be-continuous/terraform launched on a merge request pipeline?


I'm wondering why the job "tf-plan-production" in the to-be-continuous/terraform template is the only one running on a merge request pipeline?
Does anybody know the reason behind this?
Because I find it disturbing to have 2 pipelines, 1 detached pipeline containing only a single job while the other pipeline contains all the other jobs (tf-plan-review, tf-tflint, tf-checkov ...). I hesitate to override this rule as I may miss something important.

To be more precise, in this to-be-continuous template, all the defined jobs are never run on a merge request pipeline by using the rule:

# exclude merge requests
- if: $CI_MERGE_REQUEST_ID
  when: never

Except the "tf-plan-production" job, which has the rule:

# enabled on merge requests
- if: $CI_MERGE_REQUEST_ID

Solution

  • terraform plan is a nondestructive operation that compares what terraform would create to what exists in output, and creates a diff between existing state and state that has been coded but not created.

    Typically it is run when a PR is created so that a dry run is available and visible to the developers, while terraform apply is run on merge. If there isn't another environment developers can test their changes in, it is a necessary step.
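
The plan-on-merge-request, apply-on-merge workflow described in the answer, sketched as a GitLab CI configuration. This is an added example, not code from the to-be-continuous/terraform template; the job names, stage names and image tag are assumptions, and a configured Terraform backend is assumed.

```yaml
# Added illustration: job names, stages and the image tag are assumptions,
# not taken from the to-be-continuous/terraform template.
stages: [plan, apply]

default:
  image:
    name: hashicorp/terraform:latest
    entrypoint: [""]   # the image's entrypoint is terraform; reset it for CI scripts
  before_script:
    - terraform init -input=false

# Dry run on merge request pipelines: reviewers see the diff before merging.
plan-production-mr:
  stage: plan
  rules:
    - if: $CI_MERGE_REQUEST_ID
  script:
    - terraform plan -input=false -no-color

# After merge: plan again on the default branch and save the plan file.
plan-production:
  stage: plan
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  script:
    - terraform plan -input=false -out=tfplan
  artifacts:
    paths: [tfplan]    # a plan file can contain sensitive values
    expire_in: 1 day   # keep its lifetime short

# Apply exactly the saved plan, behind a manual gate.
apply-production:
  stage: apply
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: manual
  needs: [plan-production]
  script:
    - terraform apply -input=false tfplan
```

Because the merge request job needs read access to the production state to compute the diff, the credentials exposed to merge request pipelines should be limited to what `terraform plan` requires.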