
I have configured the YAML pipeline below for generating a Terraform plan.

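# "trigger: none" disables CI triggers; the list form would match a branch named "none"
trigger: none

stages:
  # Stage and job identifiers may contain only letters, digits and underscores
  - stage: Terraform_Build
    displayName: Terraform Validate
    pool:
      vmImage: "ubuntu-latest"
    jobs:
      - job: Terraform_Validate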
        variables:
          - group: xxxx
        steps:
          - script: |
              set -x
              terraform init
              terraform validate
              terraform plan -var-file="./testterraform.tfvars" --out test_tf.plan
            displayName: Init, Validate, Plan and Apply
            env:
              ARM_TENANT_ID: $(TenantId)
              ARM_SUBSCRIPTION_ID: $(SubscriptionId)
              ARM_CLIENT_ID: $(ClientId)
              ARM_CLIENT_SECRET: $(ClientSecret)

I want to add a new stage with approvals for deploying the Terraform plan generated above.

2 Answers


  1. How to build Terraform approve and non-approve YAML pipelines in Azure DevOps

    You could add a deployment job with an entire environment (group of resources) as shown in the following YAML snippet:

    - stage: deploy
      jobs:
      - deployment: DeployWeb
        displayName: deploy Web App
        pool:
          vmImage: 'Ubuntu-latest'
        environment: 'GeneratedTerraformPlan'
        strategy:
          runOnce:
            deploy:
              steps:
              - script: echo Hello world
    

    Then add Approvals and checks to the environment GeneratedTerraformPlan:

    And add dependsOn for the Terraform plan stage:

    stages:
      # Stage and job identifiers may contain only letters, digits and underscores
      - stage: Terraform_Build
        dependsOn: deploy
        displayName: Terraform Validate
        pool:
          vmImage: "ubuntu-latest"
        jobs:
          - job: Terraform_Validate
    

    You could check this document for some more details.

  2. As defined here you can define a job which waits for manual validation:

    pool: 
       vmImage: ubuntu-latest
    
    jobs:
    - job: waitForValidation
      displayName: Wait for external validation  
      pool: server    
      timeoutInMinutes: 4320 # job times out in 3 days
      steps:   
       - task: ManualValidation@0
         timeoutInMinutes: 1440 # task times out in 1 day
         inputs:
             notifyUsers: |
                [email protected]
             instructions: 'Please validate the build configuration and resume'
             onTimeout: 'resume'
    

    Do note that you would have to publish your Terraform build artifact using the PublishBuildArtifacts task in the stage before the validation task. After validation, you would have to use the DownloadBuildArtifacts task to download your plan. Based on this, a more complete example looks like this:

    pool: 
       vmImage: ubuntu-latest
    
    jobs:
    - job: terraformPlan
      displayName: Create a Terraform plan file and publish it
      steps: 
        # Creating a tf.plan file and copy it to $(Build.ArtifactStagingDirectory)
        # ...
        - task: PublishBuildArtifacts@1
          inputs:
            pathToPublish: '$(Build.ArtifactStagingDirectory)'
            artifactName: tf.plan
    - job: waitForValidation
      displayName: Wait for external validation  
      dependsOn: terraformPlan # jobs run in parallel unless dependsOn is set
      pool: server    
      timeoutInMinutes: 4320
      steps:   
       - task: ManualValidation@0
         timeoutInMinutes: 1440
         inputs:
             notifyUsers: |
                [email protected]
             instructions: 'Please validate the build configuration and resume'
             onTimeout: 'resume'
    - job: terraformApply
      dependsOn: waitForValidation # apply only after the validation job has finished
      steps:   
        - task: DownloadBuildArtifacts@0
          inputs:
            buildType: 'current'
            buildId: '$(Build.BuildId)'
            downloadType: 'single'
            artifactName: 'tf.plan'
            downloadPath: '$(System.ArtifactsDirectory)'
        # Apply your tf.plan file
        # ...
    
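The two answers combined into one pipeline, as an added example that is not code from either answer: the plan stage publishes the saved plan, and the apply stage is a deployment job bound to the `GeneratedTerraformPlan` environment, so it starts only after that environment's approvals and checks pass and applies exactly the plan file that was published. The stage and job names (`Plan`, `Apply`, `TerraformPlan`, `TerraformApply`) and the `$(Pipeline.Workspace)` download path are assumptions; the variable group, tfvars file and plan file name are taken from the question.

```yaml
# Added example: names Plan/Apply/TerraformPlan/TerraformApply are assumed, not from the page.
trigger: none
pool:
  vmImage: ubuntu-latest
variables:
  - group: xxxx
stages:
  - stage: Plan
    jobs:
      - job: TerraformPlan
        steps:
          - script: |
              set -e
              terraform init -input=false
              terraform validate
              terraform plan -input=false -var-file="./testterraform.tfvars" -out="$(Build.ArtifactStagingDirectory)/test_tf.plan"
            displayName: Init, Validate, Plan
            env:
              ARM_TENANT_ID: $(TenantId)
              ARM_SUBSCRIPTION_ID: $(SubscriptionId)
              ARM_CLIENT_ID: $(ClientId)
              ARM_CLIENT_SECRET: $(ClientSecret)
          - task: PublishBuildArtifacts@1
            inputs:
              pathToPublish: '$(Build.ArtifactStagingDirectory)'
              artifactName: tf.plan
  - stage: Apply
    dependsOn: Plan               # the gate sits between plan and apply
    jobs:
      - deployment: TerraformApply
        environment: 'GeneratedTerraformPlan'   # approvals and checks are set on this environment
        strategy:
          runOnce:
            deploy:
              steps:
                - checkout: self  # deployment jobs do not check out sources by default
                - task: DownloadBuildArtifacts@0
                  inputs:
                    artifactName: 'tf.plan'
                    downloadPath: '$(Pipeline.Workspace)'
                - script: |
                    set -e
                    terraform init -input=false
                    terraform apply -input=false "$(Pipeline.Workspace)/tf.plan/test_tf.plan"
                  env:
                    ARM_TENANT_ID: $(TenantId)
                    ARM_SUBSCRIPTION_ID: $(SubscriptionId)
                    ARM_CLIENT_ID: $(ClientId)
                    ARM_CLIENT_SECRET: $(ClientSecret)
```

A saved plan file can contain sensitive values in clear text, so access to the `tf.plan` artifact should be limited to the people who are allowed to see the variable group. Terraform rejects a saved plan as stale if the state changed after it was created, in which case the plan stage has to be rerun and approved again.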