Help is needed with Azure DevOps pipeline

Alex Rom 60 Reputation points
2023-11-23T21:18:38.9533333+00:00

I am creating an Azure DevOps pipeline to provision infrastructure; I am using Terraform.

My question is, is there a way to validate what the TF pipeline is going to do before executing the pipeline?

I mean I want to create a condition in my pipeline based on Terraform Plan. If my pipeline is going to perform any destroy or change I want it to pause and notify certain users before executing the pipeline.

I have some approvers already, so every time the pipeline runs it requires an admin to approve the build. My question is, if the pipeline is going to perform any change to an existing Azure resource, I want myself and someone else to be notified and to approve it, not the usual approver.


Accepted answer
  Adam Zachary 2,886 Reputation points
    2023-11-23T21:39:48.2766667+00:00

    Hi Alex, I have performed something similar for one of my customers a while ago; the idea is to use a manual approval process.

    The diagram I have included illustrates my approach:

    [diagram: image not included in the extracted page]

    So essentially, you can use your TF plan file "terraform.tfplan". Usually ADO uses

    workingDirectory: '/home/vsts/work/1/s/'
    

    Then you can use this file with the tf show command, set the output option to 'file' and the file format to 'Json', and store the file in your home directory:

    '/home/vsts/work/1/s/tfplan.json'
    

    Next, you can create a new PS task in your pipeline to grab the JSON file and use the Get-Content command and "ConvertFrom-Json".

    Then look for a property in the file called 'resource_changes'; usually it holds 3 values: "delete", "update", and "add".

    delete = destroy

    update = change

    add = new resource no change to your infrastructure.

    Here's the PS script:

    # Load the JSON plan written by `terraform show -json` and collect every action listed
    # under resource_changes[].change.actions (create / update / delete / read / no-op).
    # $environment and $subscriptionName are assumed to be set earlier in the task
    # (for example from pipeline variables).
    $plan = Get-Content -Path '/home/vsts/work/1/s/tfplan.json' -Raw | ConvertFrom-Json
    $Action = @($plan.resource_changes | ForEach-Object { $_.change.actions })

    $deploymentAction = "NoChange"
    $message = "No resource changes detected in your $environment environment under $subscriptionName Subscription"

    if ($Action -contains "delete") {
        $message = "This deployment is going to perform a Terraform Destroy to some resources in your $environment environment under $subscriptionName Subscription... Please review the Terraform Plan carefully before applying any changes"
        $deploymentAction = "Destroy"
    }

    if ($Action -contains "update" -and $Action -notcontains "delete") {
        $message = "This deployment is going to perform a Terraform Change/Update to some resources in your $environment environment under $subscriptionName Subscription... Please review the Terraform Plan carefully before applying any changes"
        $deploymentAction = "Change"
    }

    if ($Action -contains "create" -and $Action -notcontains "update" -and $Action -notcontains "delete") {
        $message = "This deployment is not going to perform any (Change or Destroy) to your existing resources in your $environment environment under $subscriptionName Subscription"
        $deploymentAction = "Add"
    }

    Write-Host $message

    if ($deploymentAction -eq "Destroy" -or $deploymentAction -eq "Change") {
        Write-Host "##vso[task.logissue type=warning]Changes or Destroy detected, pipeline requires a manual approval to proceed"
    }

    # isOutput=true makes the variable readable from a later stage
    Write-Host "##vso[task.setvariable variable=action;isOutput=true]$deploymentAction"

    # In the pipeline YAML this script runs in a PowerShell@2 task with:
    #   pwsh: true
    

    Then you can echo the variable to make it available to a different stage in the pipeline.

    Then you can create a new stage with a manual validation task:

    task: ManualValidation@0
    

    Kindly if you find the provided information helpful and it resolves your query, please consider accepting the answer. Your feedback is valuable and helps ensure the quality and relevance of the responses.

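The classification step in the accepted answer, as an added example that is not code from the question, the answer, or Azure DevOps: the same idea written in Python so it can run as a `script:` step on a hosted Linux agent. It reads the `resource_changes[].change.actions` list that `terraform show -json` actually emits, so a replacement (`["delete", "create"]`) is counted as a destroy and `no-op`/`read` entries are ignored, and it prints the same `##vso` logging commands the answer uses, with the affected resource addresses included in the warning so the approvers see what they are approving. The sample plan is constructed inline; the function names and the subscription placeholder are this example's own.

```python
"""Classify a Terraform JSON plan for an Azure DevOps approval gate (added example)."""
import json
import sys
from typing import Dict, List

# Constructed sample of what `terraform show -json terraform.tfplan` emits; only the
# fields this script reads are included (a real plan carries many more).
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "azurerm_resource_group.rg", "change": {"actions": ["no-op"]}},
        {"address": "azurerm_storage_account.sa", "change": {"actions": ["update"]}},
        # ["delete", "create"] is a replacement: Terraform destroys and recreates it
        {"address": "azurerm_linux_virtual_machine.vm[0]", "change": {"actions": ["delete", "create"]}},
        {"address": "azurerm_key_vault.kv", "change": {"actions": ["create"]}},
        {"address": "data.azurerm_client_config.current", "change": {"actions": ["read"]}},
    ],
})

# Buckets in severity order; a resource lands in the first one its action list matches.
BUCKETS = ("delete", "update", "create", "read", "no-op")


def summarise_plan(plan_json: str) -> Dict[str, List[str]]:
    """Group resource addresses by the most severe action Terraform will take on them."""
    plan = json.loads(plan_json)
    buckets: Dict[str, List[str]] = {b: [] for b in BUCKETS}
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        for bucket in BUCKETS:
            if bucket in actions:
                buckets[bucket].append(rc["address"])
                break
        else:  # unrecognised or empty action list: treat as no change
            buckets["no-op"].append(rc["address"])
    return buckets


def classify(buckets: Dict[str, List[str]]) -> str:
    """Map the grouped changes to the action names a later stage can check."""
    if buckets["delete"]:
        return "Destroy"
    if buckets["update"]:
        return "Change"
    if buckets["create"]:
        return "Add"
    return "NoChange"


def vso_commands(plan_json: str, environment: str, subscription: str) -> List[str]:
    """Build the Azure Pipelines logging commands for this plan: a warning naming the
    affected resources when approval is needed, plus the cross-stage output variable."""
    buckets = summarise_plan(plan_json)
    action = classify(buckets)
    lines: List[str] = []
    if action in ("Destroy", "Change"):
        affected = ", ".join(buckets["delete"] + buckets["update"])
        lines.append(
            f"##vso[task.logissue type=warning]{action} detected in {environment} "
            f"({subscription}); manual approval required. Affected: {affected}"
        )
    else:
        lines.append(f"No change to existing resources in {environment} ({subscription})")
    # isOutput=true lets a later stage read it via dependencies.<stage>.outputs[...]
    lines.append(f"##vso[task.setvariable variable=action;isOutput=true]{action}")
    return lines


if __name__ == "__main__":
    # In the pipeline: python classify_plan.py tfplan.json <environment> <subscription-name>
    # With no arguments the constructed sample plan above is used.
    if len(sys.argv) >= 4:
        with open(sys.argv[1], encoding="utf-8") as fh:
            plan_text = fh.read()
        env_name, sub_name = sys.argv[2], sys.argv[3]
    else:
        plan_text, env_name, sub_name = SAMPLE_PLAN, "dev", "<subscription-placeholder>"
    for line in vso_commands(plan_text, env_name, sub_name):
        print(line)
```

To wire it into the answer's flow, give the step a `name:` (say `Classify`, in a job `PlanJob` of a stage `Plan`; these names are assumed here) and put the `ManualValidation@0` task in a later stage that runs in an agentless job (`pool: server`) with `condition: in(dependencies.Plan.outputs['PlanJob.Classify.action'], 'Destroy', 'Change')`, so the extra approvers are only paged when an existing resource will be changed or destroyed and plain additions go through the usual approval.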
