Google Sign-In Required

Use your company Google account to access the BetterFleet private content.

Back to private home

BetterFleet Support Private
Skip to content
BetterFleet Dev Wiki
Terraform Plan Dry Runs
Initializing search
    bf-dev
    • Home
    • Process
    • Products
    • Reference
    • Decisions
    • Work
    • Operations
    bf-dev
    • Home
      • Process Handbook
      • BetterFleet Workflow Map
      • Product Development System
      • Product Engineering Workflow
        • Process Workflows
        • Work Intake and Weekly Planning
        • Product Engineering Workflow in Linear
        • Product Engineering Delivery
        • Agent Guidance
        • Workflow
        • Skills
        • Skill Sources
        • Process Guides
        • GitLab Feature Flags
        • In-App Docs Authoring
        • Release Notes
        • Process Templates
        • Release Plan: <title>
      • Process Publishing
      • Product overview
        • General Reference
          • Core Domain Training
          • System Topology
          • Two-Axis Ontology Model
          • Ontology Primer
          • Worked Example
          • Evidence, Ownership, and Lineage
          • Energy Management
          • Standards and Protocol Map
          • Charging, Roaming, and Commercial Model
          • Charge Planning and Operations
          • Cross-Cutting Domains
          • Domain Coverage Matrix
        • BetterFleet Product Ontology
        • Core Operations Data Ontology
        • BetterFleet R&D Plan
        • Index
        • Architecture
        • Manage Product Capabilities
        • Manage Data and State
        • Manage Service Interaction Flows
        • Manage Reference
        • Manage Internal Application Diagrams
          • Manage Authorization And Permissions
          • bf-manage-core Auth and Authorization Model
          • Manage Authorization and Permissions
          • bf-manage-web Auth and Permission Model
          • Manage Service Catalog
          • bf-depot-sim
          • bf-digital-twin (Manage Role)
          • bf-fleet-health
          • bf-manage-connect
          • bf-manage-core
          • bf-manage-incidents
          • bf-manage-roaming
          • bf-manage-sitepwrmon
          • bf-manage-web
          • bf-schedule-creator (Manage Role)
          • bf-support-microsite
          • bf-telematics
        • Index
        • Architecture
        • Plan Reference
        • Plan Internal Application Diagrams
        • Plan Migration and Flags
        • Plan Simulation Request Lifecycle
          • Plan Service Catalog
          • bf-bnl-schedule-analysis-compute
          • bf-bnl-settings
          • bf-bnl-ui
          • bf-digital-twin (Plan Role)
          • bf-route-modelling
          • bf-schedule-creator (Plan Role)
      • Where to Ask Product Questions
      • Reference
        • Platform Reference
        • Platform Architecture
        • Script Runtime Model
        • Compose Profiles and Modes
        • Repository Map
        • Monolithic Git Transition FAQ
        • Monolithic Git Sizing
        • CI and Release Integration
        • Shared Reference
        • Shared Infrastructure Architecture
        • Secrets and Env Strategy
        • Vendors and Local Dependencies
        • System Reference
        • Cloud Data Dependencies
        • Ports and URLs
        • Service Matrix
          • API Docs
          • OCPI API Docs
          • OCPP API Docs
          • OSCP API Docs
          • VDV API Docs
          • Yard State API Docs
        • System Design
        • System Design: BBA Microgrid Controller Generic Packet Translation
        • System Design: Depot Simulation
        • System Design: IoT Sensor Packet
        • System Design: Microgrid Energy Orchestration
          • System Design: OCPP Profile 3 And ISO 15118 PKI
          • Architecture: BetterFleet OCPP Profile 3 and ISO 15118 PKI
          • Specification: BetterFleet OCPP Profile 3 and ISO 15118 Certificate Lifecycle Management
          • System Design: On-Prem Control
          • Challenge
          • Specification: BetterFleet On-Prem Continuity Control
          • System Design: OSCP
          • OSCP Protocol Documentation
          • Depot Sim Testing Requirements
          • System Design: OSCP Flexibility Provider Domain
      • Decisions
        • Architecture Decision Records
        • 0001 - Record architecture decisions
        • 0002 - Cognito for Authentication and Authorisation
        • 0003 - AWS Amplify for Authentication
        • 0004 - DynamoDB for default database
        • 0005 - Data Persistence
        • 0006 - Trunk-Based Development
        • 0007 - Generalised principle for automation
        • 0008 - Naming Repositories, Services, and URLs
        • 0009 - Use Timezone Aware DateTimes and UTC
        • 0010 - Use semantic release
        • 0011 - Centralized feature flag repository
        • 0012 - Use Named Exports in Storybook
        • 0013 - RESTful TITLE GraphQL
        • 0014 - Service Granularity
        • 0015 - Async/co-routine exception handling pattern
        • 0016 - Logging & log levels
        • 0017 - Instantiated Models
        • 0018 - Repository Pattern for Database Access
        • 0019 - Use of Design Tokens in TypeScript React Application
        • 0020 - API backwards compatibility and versioning
        • 0021 - Alembic Migration strategy
        • 0022 - Consistent react-hook-form usage
        • 0023 - Domain Event-Driven Architecture
        • 0024 - Domain Event Bus Tech Stack
        • 0025 - No enum types in DB table columns
        • 0026 - In-Memory Ormar Stores for Repository testing
        • 0027 - Storing Tab State in Query and Local Storage
        • 0028 - Adopt OpenTelemetry Semantic Conventions for Structured Logging
        • 0029 - Adopt RFC 9457 for HTTP Error Responses
        • 0030 - Use GitLab registry and Terraform state for ECS services
        • 0031 - Adopt DDD, Hexagonal Architecture, and CQRS for Python Domain Services
      • Work
        • Active Work
          • Work: Bba Microgrid Controller
          • Implementation Specification: BBA Microgrid Controller
          • BBA Microgrid Controller Deliverables (Stories)
          • Work: BFDev Monolithic Git
          • Challenge
          • Specification: BFDev Monolithic Git v2
          • BFDev Monolithic Git v2 Stories
          • Work: Complex Circuit Load Balancing
          • Implementation Specification: Complex Circuit Load Balancing
          • Complex Circuit Load Balancing Deliverables (Stories)
            • COR-10 and COR-11 Consolidation Review
          • Work: Dispatch Reliability and Reconciliation
          • Challenge
          • Specification: Dispatch Reliability and Reconciliation
          • Dispatch Reliability and Reconciliation (Unit User Stories)
            • Dispatch populated vehicle cards grey surface snapshot
            • Dispatch Visual Review
          • Work: Enable Scheduled Managed Charger Access
          • Challenge: Enable Scheduled Managed Charger Access
          • Specification Exploration Dossier: Enable Scheduled Managed Charger Access
          • Specification Review: Enable Scheduled Managed Charger Access
          • Specification: Enable Scheduled Managed Charger Access
          • Work: Guided Cut-Off and Release Orchestration
          • Specification: Guided Cut-Off and Release Orchestration
          • Guided Cut-Off and Release Orchestration (Unit User Stories)
          • Work: Production Deployment Validation
          • Challenge
          • Work: Scheduled Report Parity
          • Specification: Scheduled Report Parity
          • Work: Telematics
          • Telematics EventBridge Path
          • Telematics Ingress Architecture
          • Specification: Telematics Migration into bf-manage-core with 5-Minute Freshness and Health Visibility
          • Telematics Core Migration MVP (Implementation-Time BDD)
          • Work: Vector Derms
          • Implementation Specification: Vector DERMS
          • Vector DERMS Deliverables (Stories)
          • Work: Visiting Vehicle Charging Visibility
          • Specification: Visiting Vehicle Charging Visibility
          • Visiting Vehicle Charging Visibility (Unit User Stories)
          • Work: Workspace Owned Stripe Roaming
          • Specification: Workspace-Owned Stripe Credentials for Roaming Payments
        • Backlog Work
          • Work: Microgrid
          • Microgrid Backlog Stories
          • Work: Mobile Ops Companion
          • Challenge
          • Specification: Mobile Operations Companion v1
          • Mobile Operations Companion Deliverables (Stories)
          • Work: Oscp
          • OSCP Backlog Stories
        • Archived Work
          • Work: Code Canonical Orchestration
          • Challenge
          • Specification: Product Engineering Workflow
          • Product Engineering Workflow Deliverables (Unit User Stories)
          • Work: Release Notes Automation
          • Release Plan: Release Notes Automation
          • Release Notes Automation Backlog Stories
      • Operations
      • Onboarding Runbook
        • Operations Runbooks
        • Production Hotfix Release
        • Staging Hotfix Release
        • Manage Staging Release Validation
        • Terraform Plan Dry Runs
          • 3AM Quick Guide
          • Purpose And When To Use It
          • Prerequisites And Permissions
          • Normal Procedure
          • Reference Screenshots
          • Decision Points And Exceptions
          • Validation And Evidence
          • Rollback And Recovery
          • Links To Service-Specific Details
        • Operations Tooling
        • Code Indexing
        • Operations Evidence
        • Database Restoration Test Report
      • Daily Operations Runbook
      • Testing Guide
      • Troubleshooting
    • 3AM Quick Guide
    • Purpose And When To Use It
    • Prerequisites And Permissions
    • Normal Procedure
    • Reference Screenshots
    • Decision Points And Exceptions
    • Validation And Evidence
    • Rollback And Recovery
    • Links To Service-Specific Details
    1. Home
    2. Operations
    3. Runbooks
    Operations Resilience & Security Security & Access Control general

    Terraform Plan Dry Runs¶

    3AM Quick Guide¶

    • Use this only for IaC merge requests in repositories that already support the BF_PIPELINE_TYPE=dry-run path.
    • Get the required senior-engineer security review before exposing protected variables or runners to the merge request pipeline.
    • Temporarily enable MR access to protected variables and runners, and temporarily protect the MR source branch.
    • Trigger a new merge request pipeline with a commit message containing [dry-run].
    • In the pipeline, confirm the run is actually dry-run mode, review the Terraform plan artifacts, and make sure no deploy or apply jobs appear.
    • Remove the temporary protected access as soon as the review is complete. If deploy or apply jobs appear, stop immediately and disable access.

    Purpose And When To Use It¶

    This runbook explains how to validate infrastructure-as-code changes in a merge request by running Terraform plan through the merge request dry-run pipeline path before merge, without publishing releases, pushing Docker images, or running deploy or apply jobs.

    The shared trigger lives in bf-dev CI templates. Downstream repositories may implement different Terraform plan jobs, environments, regions, and evidence artifacts while still using the same BF_PIPELINE_TYPE=dry-run mechanism.

    Use this workflow when a merge request changes Terraform or other IaC that needs plan-level validation, and the plan requires protected variables or protected runners that are not normally available to merge request pipelines.

    This workflow exists so reviewers can inspect the Terraform plan for the MR before merge, without taking on the risks of running terraform plan locally and without needing to merge first just to see the plan output.

    Do not use this workflow for non-IaC changes, release pipelines, or any change that has not first been reviewed for CI and secret-handling safety.

    Prerequisites And Permissions¶

    Before using this workflow:

    • A senior engineer must review the merge request and confirm the pipeline or CI changes do not expose protected variables or runners unsafely.
    • That same senior engineer must temporarily change the repository CI/CD settings and branch protection while the dry run is being performed.
    • The target repository must actually implement the dry-run path. In the current BetterFleet setup, the shared trigger lives in ci-templates/Orchestration-Workflow.gitlab-ci.yml, while each repository owns its own dry-run-safe plan job rules and evidence outputs.
    • The dry-run pipeline is only triggered for merge request pipelines whose commit message contains [dry-run].

    In repositories that support this workflow:

    • BF_PIPELINE_TYPE becomes dry-run
    • DRY_RUN becomes true
    • any release metadata jobs needed by Terraform inputs should emit the expected variables without publishing a release
    • any build prerequisites should exit through their dry-run-safe path without building or pushing deployable artifacts
    • Terraform plan jobs should run or become available according to the target repository's established workflow
    • Terraform deploy and apply jobs should be blocked from appearing in the pipeline

    Normal Procedure¶

    1. Confirm the repository actually supports the dry-run path. For the BetterFleet mechanism, the shared trigger is defined in bf-dev/ci-templates/Orchestration-Workflow.gitlab-ci.yml. The target repository must also have its own dry-run-safe release, build, and Terraform plan job rules.
    2. Complete the security review before exposing protected variables to the MR pipeline.
    3. Temporarily enable protected access in GitLab for the target repository. Enable Allow merge request pipelines to access protected variables and runners.
    4. Temporarily add the MR source branch to the protected branches list.
    5. Trigger the dry-run pipeline with a commit message containing [dry-run].
    git commit --allow-empty --message "chore: trigger pipeline [dry-run]"
git push
    1. Open the MR pipeline and confirm the dry-run trigger conditions are in effect. Confirm that the pipeline was created from the merge request after the [dry-run] commit, and confirm through job context, logs, or variable output that BF_PIPELINE_TYPE resolved to dry-run and DRY_RUN resolved to true where the target repository exposes those values.
    2. Wait for the dry-run prerequisites to complete. The exact prerequisite jobs vary by repository, but any release metadata and build-related steps should succeed through their dry-run-safe branches rather than publishing a release or pushing deployable artifacts.
    3. Review the Terraform plan jobs and artifacts. The exact plan jobs, environments, regions, and artifacts vary by repository. Review the target repository's configured plan jobs and use the relevant evidence artifacts for that repository, such as the GitLab Terraform report, plan.json, plan.cache, outputs.json, or equivalent outputs.
    4. Confirm no deploy or apply jobs are available in the pipeline before you treat the run as safe for review.
    5. Remove the temporary protected access as soon as the dry-run pipeline is no longer needed.

    Reference Screenshots¶

    These screenshots show the GitLab settings used during steps 3 and 4 of the normal procedure.

    Screenshot What It Shows File
    CI/CD variables settings The GitLab CI/CD settings area where Allow merge request pipelines to access protected variables and runners is enabled temporarily. terraform-plan-dry-run/cicd-variables.png
    Branch protection settings The branch protection page where the MR source branch is temporarily added to the protected branches list. terraform-plan-dry-run/branch-protection.png

    Decision Points And Exceptions¶

    • If the repository does not inherit the shared BFDev dry-run trigger or does not have downstream dry-run-safe Terraform plan jobs, stop and use a repository-specific process instead.
    • If the merge request does not change Terraform or other IaC that needs plan validation, do not use this workflow.
    • If the merge request changes CI definitions, pipeline scripts, Terraform job wiring, or secrets usage, treat that as a higher-risk run and require an explicit security review before enabling protected access.
    • If the target repository already has an established safe way to expose MR plan output without temporarily enabling protected access, use that repository-specific workflow instead.
    • If the [dry-run] trigger commit is present but the pipeline does not behave like the dry-run path, or if BF_PIPELINE_TYPE is not dry-run where that value is visible, stop and inspect the trigger conditions before trusting the result.
    • If any deploy or apply job appears in the pipeline, stop immediately, disable protected access, and treat the configuration as unsafe until reviewed.
    • If the target repository runs plan jobs automatically once prerequisites finish, review all relevant jobs or record the subset you intentionally checked.
    • If the target repository exposes manual plan jobs, run only the approved subset and record exactly which environments and regions were reviewed.

    Validation And Evidence¶

    Treat a dry-run review as complete only when you can point to evidence for each of these checks:

    • The pipeline was triggered from the merge request by a commit containing [dry-run], and the observed job behavior matches the dry-run path.
    • BF_PIPELINE_TYPE=dry-run and DRY_RUN=true were confirmed where the target repository exposes those values in job context, logs, or variable output.
    • The prerequisite jobs completed through their dry-run-safe branches rather than publishing a release or pushing Docker images.
    • The relevant Terraform plan jobs completed and produced reviewable artifacts or GitLab Terraform reports.
    • The reviewed plan output corresponds to the IaC changes in the merge request and was available before merging the branch.
    • No deploy or apply jobs were available in the pipeline.
    • The merge request or review note records which plan jobs were checked and any follow-up action or decision that came from the output.
    • The temporary protected access changes were removed after the review.

    Rollback And Recovery¶

    After the dry-run pipeline completes:

    • disable Allow merge request pipelines to access protected variables and runners
    • remove the MR source branch from the protected branches list
    • leave a short note in the MR if the dry-run output informed a decision

    If the dry-run pipeline exposes unexpected jobs or behavior:

    • cancel the pipeline if it is still running
    • disable protected MR access immediately
    • remove the MR source branch from protected branches
    • capture the pipeline link and the unexpected job names in the merge request
    • stop using this workflow until the CI rules are reviewed and corrected

    Links To Service-Specific Details¶

    • Shared trigger and workflow context: CI and Release Integration
    • Current shared trigger implementation: ci-templates/Orchestration-Workflow.gitlab-ci.yml
    • Current dry-run release metadata implementation: ci-templates/Semantic-Release.gitlab-ci.yml
    • Target repository Terraform-plan implementation: the target repository's .gitlab-ci.yml and included CI templates
    • Target repository runbooks and service docs: use the target repository's own docs for plan job names, environments, regions, approval rules, and evidence expectations
    Made with Material for MkDocs
    BFDev Docs Assistant
    New conversation?
    Ask one focused question at a time, this helps the assistant provide accurate answers about what's been implemented in BetterFleet.