
I have configured the below YAML pipeline for generating a Terraform plan.

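# "trigger: none" disables CI triggers; a list item "- none" would be read as a branch name
trigger: none

stages:
  # stage and job names may only contain letters, digits and underscores
  - stage: Terraform_Build
    displayName: Terraform Validate
    pool:
      vmImage: "ubuntu-latest"
    jobs:
      - job: Terraform_Validate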
        variables:
          - group: xxxx
        steps:
          - script: |
              set -x
              terraform init
              terraform validate
              terraform plan -var-file="./testterraform.tfvars" --out test_tf.plan
            displayName: Init, Validate, Plan and Apply
            env:
              ARM_TENANT_ID: $(TenantId)
              ARM_SUBSCRIPTION_ID: $(SubscriptionId)
              ARM_CLIENT_ID: $(ClientId)
              ARM_CLIENT_SECRET: $(ClientSecret)

I want to add a new stage with approvals for deploying the Terraform plan generated above.

Pradeep

2 Answers


As defined here, you can define a job which waits for manual validation:

pool: 
   vmImage: ubuntu-latest

jobs:
- job: waitForValidation
  displayName: Wait for external validation  
  pool: server    
  timeoutInMinutes: 4320 # job times out in 3 days
  steps:   
   - task: ManualValidation@0
     timeoutInMinutes: 1440 # task times out in 1 day
     inputs:
         notifyUsers: |
            someone@example.com
         instructions: 'Please validate the build configuration and resume'
         onTimeout: 'resume' # on timeout the run continues without approval; 'reject' stops it instead

Do note that you would have to publish your Terraform build artifact using the PublishBuildArtifacts task in the stage before the validation task. After validation, you would have to use the DownloadBuildArtifacts task to download your plan. Based on this, a more complete example looks like this:

pool: 
   vmImage: ubuntu-latest

jobs:
- job: terraformPlan
  displayName: Create a Terraform plan file and publish it
  steps: 
    # Creating a tf.plan file and copy it to $(Build.ArtifactStagingDirectory)
    # ...
    - task: PublishBuildArtifacts@1
      inputs:
        pathToPublish: '$(Build.ArtifactStagingDirectory)'
        artifactName: tf.plan
- job: waitForValidation
  displayName: Wait for external validation
  dependsOn: terraformPlan # jobs run in parallel unless a dependency is declared
  pool: server
  timeoutInMinutes: 4320
  steps:
   - task: ManualValidation@0
     timeoutInMinutes: 1440
     inputs:
         notifyUsers: |
            someone@example.com
         instructions: 'Please validate the build configuration and resume'
         onTimeout: 'resume' # on timeout the run continues without approval; 'reject' stops it instead
- job: terraformApply
  dependsOn: waitForValidation # apply only after the validation job has finished
  steps:
    - task: DownloadBuildArtifacts@0
      inputs:
        buildType: 'current'
        buildId: '$(Build.BuildId)'
        downloadType: 'single'
        artifactName: 'tf.plan'
        downloadPath: '$(System.ArtifactsDirectory)'
    # Apply your tf.plan file
    # ...

Moritz Wolff

How build terraform approve and non approve YAML pipelines in Azure DevOps

You could add a deployment job with an entire environment (group of resources) as shown in the following YAML snippet:

- stage: deploy
  jobs:
  - deployment: DeployWeb
    displayName: deploy Web App
    pool:
      vmImage: 'Ubuntu-latest'
    environment: 'GeneratedTerraformPlan'
    strategy:
      runOnce:
        deploy:
          steps:
          - script: echo Hello world

Then add Approvals and checks to the environment GeneratedTerraformPlan.

And add dependsOn for the Terraform plan stage:

stages:
  # stage and job names may only contain letters, digits and underscores
  - stage: Terraform_Build
    dependsOn: deploy
    displayName: Terraform Validate
    pool:
      vmImage: "ubuntu-latest"
    jobs:
      - job: Terraform_Validate

You could check this document for some more details.

Leo Liu
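
The question's plan step combined with the environment approval described in the answer above, as an added example that is not part of either answer. The stage, job and artifact names (TerraformPlan, TerraformApply, Plan, Apply, tfplan) are assumptions; the variable group, tfvars file, plan file name and environment name are taken from the posts.

```yaml
# Added example; stage, job and artifact names are assumed.
trigger: none
variables:
  - group: xxxx                         # variable group from the question
stages:
  - stage: TerraformPlan
    pool:
      vmImage: ubuntu-latest
    jobs:
      - job: Plan
        steps:
          - script: |
              terraform init
              terraform validate
              terraform plan -input=false -var-file="./testterraform.tfvars" -out="$(Build.ArtifactStagingDirectory)/test_tf.plan"
            displayName: Init, Validate, Plan
            env:
              ARM_TENANT_ID: $(TenantId)
              ARM_SUBSCRIPTION_ID: $(SubscriptionId)
              ARM_CLIENT_ID: $(ClientId)
              ARM_CLIENT_SECRET: $(ClientSecret)
          - publish: $(Build.ArtifactStagingDirectory)/test_tf.plan
            artifact: tfplan
  - stage: TerraformApply
    dependsOn: TerraformPlan
    pool:
      vmImage: ubuntu-latest
    jobs:
      - deployment: Apply
        environment: GeneratedTerraformPlan   # approvals and checks on this environment gate the job
        strategy:
          runOnce:
            deploy:
              steps:
                - checkout: self              # deployment jobs do not check out the repo by default
                - download: current
                  artifact: tfplan
                - script: |
                    terraform init
                    terraform apply -input=false "$(Pipeline.Workspace)/tfplan/test_tf.plan"
                  displayName: Apply the approved plan
                  env:
                    ARM_TENANT_ID: $(TenantId)
                    ARM_SUBSCRIPTION_ID: $(SubscriptionId)
                    ARM_CLIENT_ID: $(ClientId)
                    ARM_CLIENT_SECRET: $(ClientSecret)
```

Applying the saved plan file means the approver signs off on exactly the changes that will run. A plan file can contain sensitive values in plain text, so restrict who can read the run's artifacts.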