Automation

In the previous article we've been able to set up VCS integration such that merges to the tracked branch cause a run to be automatically triggered. Still, the outcome of this run needs to be manually reviewed and confirmed before it can be applied. This is a good, conservative default, but sometimes you can afford to do more automation. Apart from the manual mode already described, Geopoiesis supports two further levels of automation - auto-confirm and reconciliation modes.

Auto-confirm mode

Auto-confirm mode is nearly identical to the manual mode, except that it does not require a manual confirmation step for a plan about to be applied. This may sound risky, but the fact is that Geopoiesis provides feedback on commits before they are merged to the tracked branch. If you believe that the code review process is working well in your organization, you can trade this confidence for a bit of useful automation. In auto-confirm mode Geopoiesis does not need to persist your Terraform workspace to S3, making the workflow quicker and easier on your RAM.

In order to set auto-confirm mode on one of your Geopoiesis scopes, modify the config file accordingly:

config.hcl
scope "hello-world" {
domain = "geopoiesis.ngrok.io"
mode = "AUTO_CONFIRM"
# the rest of your config...
}

State diagram

The state diagram below shows all possible state transitions for a run targeting a tracked branch in a scope using auto-confirm mode.

The above diagram looks nearly identical to what's going on in fully manual mode. The only significant difference is that the AUTOCONFIRMED state replaces manual review step (UNCONFIRMED state) where a run could be CONFIRMED or DISCARDED. In auto-confirm mode there is no way to discard a run once it starts running.

Reconcile mode

Reconcile mode works like auto-confirm except that in addition to automatically applying changes from merges and manually triggered runs, Geopoiesis runs a periodic process refreshing the state. If it detects any discrepancies between what's declared and what's deployed, it attempts to reconcile differences. Reconcile runs block the scope the same way all possible state change do.

When setting reconcile mode on your Geopoiesis scope, you will need to specify how frequently the reconciliation process should run. The frequency string is processed using Go's time.ParseDuration function, so make sure your input is compatible with what the function expects.

config.hcl
scope "hello-world" {
domain = "geopoiesis.ngrok.io"
mode = "RECONCILE"
reconcile_frequency = "3h"
# the rest of your config...
}

Reconciliation run for a scope will run when all these conditions are met:

  • the scope is not blocked by a run on the tracked branch or a task;

  • more time has passed since the last run on the tracked branch than the reconcile frequency;

  • there is no other work available to a worker;

If no changes are detected, reconciliations runs will be transparent to the user and won't show on the Runs dashboard. Only when changes are detected does the run become visible. Also worth noting is the fact that reconciliations are never expected to delete any resources. If a reconciliation plan detects that it would cause any resource to be destroyed, the run enters UNCONFIRMED state and waits for human review. This is to prevent situations where a change in provider's API would cause Terraform to try to recreate certain resources, which is something that would look obviously wrong to a human.

Reconcile mode is the highest level of automation and we would only advise to use it after your team is comfortable with Geopoiesis in manual mode, and has been successfully running it in the auto-confirm mode for a few weeks.

State diagram

The state diagram below shows all possible state transitions for a state reconciliation run. Note that if any resource destruction is detected, the run goes into full manual mode.