Decide how to use terraform output #5

Open
henrjk opened this issue Jan 2, 2024 · 2 comments

henrjk commented Jan 2, 2024

Currently the plan stage does not set the plan output which an apply stage could use.

The plan may contain sensitive information and we need to be careful not to leak that. One starting point to explore the sensitive nature of terraform plan files is opentofu/issues/874.

At the moment I see 2 possible goals for using the terraform output:

  • environment promotion: In theory a plan artifact could allow promoting infrastructure to another environment. However, I am not sure that the terraform plan does allow that, as it might bake in environment concerns which would need to be flexible.

  • task consistency: Another usage of the terraform plan is to ensure that within a single task run the plan and apply stage are consistent.

Questions:

  • Would the potential to leak sensitive information by using a terraform plan output be offset by the value of using it?
  • Is environment promotion feasible and worthwhile?

See also #2 (comment)

@tbugfinder

A plan output should be used for opa to decide (e.g. risk based approach) if the deployment should be reviewed before applying.

I wouldn't use it for environment promotion, though.

henrjk commented Jan 3, 2024

> A plan output should be used for opa to decide (e.g. risk based approach) if the deployment should be reviewed before applying.

@tbugfinder Using the terraform plan to enable a flexible decision to decide whether a plan needs review/approval could be useful. I would assume that opa is just one possible tool for that however. Do you have suggestions on how the review/approval process might work?
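
A sketch of the risk-based gate discussed in this thread, added here as an illustration and not code from this project or its participants: it reads the JSON form of a plan (`terraform show -json`), flags destroy/replace actions for review, and masks attributes marked in `after_sensitive` before anything is logged. It is plain Python standing in for a policy engine such as OPA; the sample plan, the `RISKY_ACTIONS` rule and the function names are assumptions.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output.
# Only the fields used below are included; names and values are made up.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_s3_bucket.logs",
   "change": {"actions": ["update"],
              "after": {"bucket": "logs", "tags": {"env": "dev"}},
              "after_sensitive": {"tags": {}}}},
  {"address": "aws_db_instance.main",
   "change": {"actions": ["delete", "create"],
              "after": {"username": "app", "password": "constructed-secret"},
              "after_sensitive": {"password": true}}},
  {"address": "random_id.suffix",
   "change": {"actions": ["no-op"], "after": {"byte_length": 4},
              "after_sensitive": {}}}
]}
""")

RISKY_ACTIONS = {"delete"}  # assumed rule: destroy or replace needs a human


def redact(value, mask):
    """Replace every value the sensitivity mask marks as true."""
    if mask is True:
        return "(sensitive)"
    if isinstance(value, dict) and isinstance(mask, dict):
        return {k: redact(v, mask.get(k)) for k, v in value.items()}
    if isinstance(value, list) and isinstance(mask, list):
        return [redact(v, mask[i] if i < len(mask) else None)
                for i, v in enumerate(value)]
    return value


def review_decision(plan):
    """Gate decision that names resources and actions, never attribute values."""
    reasons = [f"{rc['address']}: {'+'.join(rc['change']['actions'])}"
               for rc in plan.get("resource_changes", [])
               if RISKY_ACTIONS & set(rc["change"]["actions"])]
    return {"needs_review": bool(reasons), "reasons": reasons}


def loggable_changes(plan):
    """Planned 'after' values of changed resources, sensitive ones masked."""
    return {rc["address"]: redact(rc["change"].get("after"),
                                  rc["change"].get("after_sensitive"))
            for rc in plan.get("resource_changes", [])
            if rc["change"]["actions"] != ["no-op"]}
```

Only the output of `review_decision` or `loggable_changes` would be written to task logs or passed to an approval step; the plan JSON itself still holds the unmasked values.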
