Managing infrastructure as code for AWS requires careful change validation. Tools like Terraform, AWS CloudFormation, and AWS CDK provide built-in commands for previewing changes. However, when using Helm, this capability was absent—until the Helm diff plugin arrived.
Visualising Changes Before Deployment
I prefer visualising changes before applying them to environments. Adding a user validation step in deployment pipelines helps achieve this. While not always needed in every environment, it proves invaluable for production. Below is a straightforward example using “make” and “bash” as deployment tools:
deploy.diff:
terraform plan -out=$(TFPLAN_FILE)
deploy.apply: deploy.diff
@read -p "Apply changes? (Y)es or (N)o " apply;
if [ "$$apply" = "Y" ]; then
echo "Applying changes";
terraform apply $(TFPLAN_FILE);
else
echo "Changes cancelled by user";
fi
Running Deployment Commands
Running the command make deploy.apply outputs a detailed plan and prompts user input:
terraform plan -out=thebest.tfplan
aws_s3_bucket.demos3: Refreshing state... [id=tf-demo]
Terraform will perform the following actions:
~ update in-place
# aws_s3_bucket.demos3 will be updated in-place
~ resource "aws_s3_bucket" "demos3" {
~ "Version" = "0.7.3" -> "0.7.4"
}
Plan: 0 to add, 1 to change, 0 to destroy.
Apply changes? (Y)es or (N)o
Filling the Gap with Helm Diff
Helm initially lacked an integrated way to preview changes before deployment. I found this surprising, given the importance of this feature. Luckily, the Helm plugin fills this gap and offers similar functionality.
How to Install and Use Helm Diff Plugin
Installing the Helm diff plugin is straightforward. You install it like any other Helm plugin:
helm plugin install https://github.com/databus23/helm-diff
After installation, the “diff” command appears in the Helm help menu:
helm --help
To preview changes, add the “diff” command before the “upgrade” command:
helm diff upgrade test-diff . -f test-values.yaml
Integrating Helm Diff in Your CI/CD Pipeline
Integrating the Helm diff plugin into deployment workflows enhances validation. Here’s an example with a simple Nginx web server deployment:
deploy.diff:
helm --kubeconfig ./kube-config diff upgrade diff-demo . -f values.yaml
deploy.apply: deploy.diff
@read -p "Apply changes? (Y)es or (N)o " apply;
if [ "$$apply" = "Y" ]; then
echo "Applying changes";
helm --kubeconfig ./kube-config upgrade -i diff-demo . -f values.yaml;
else
echo "Changes cancelled by user";
fi
Understanding the Output
The command generates an output that highlights changes:
helm --kubeconfig ../kube-config diff --allow-unreleased upgrade diff-demo . -f values.yaml
default, diff-demo-simple-nginx, Deployment (apps) has changed:
# Source: simple-nginx/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
[...]
- image: "nginx:stable"
+ image: "nginx:1.22.1"
This output indicates the deployment of a new Nginx version.
Comparing Code vs. Infrastructure States
Comparing code versions with infrastructure states differs significantly. The Helm diff plugin allows comparing the current state of infrastructure with the desired state. Keep in mind, the term “state” here refers to what was last deployed using the tool. Real infrastructure conditions may vary due to external changes. These drifts, and how to manage them, are discussions for another day.
Curious About Streamlining Your Infrastructure?
Check out TechRadar by Devoteam to see what our experts say about its viability in the market.