Hi Alex, I performed something similar for one of my customers a while ago; the idea is to use a manual approval process.
The diagram I have included can illustrate my approach:
So essentially, you can use your TF plan file "terraform.tfplan"; usually ADO uses
workingDirectory: '/home/vsts/work/1/s/'
Then you can use this file with the tf show command, set the output option to 'file' and the file format to 'Json', and then store the file in your home directory:
'/home/vsts/work/1/s/tfplan.json'
Next, you can create a new PS task in your pipeline to grab the Json file, using the Get-Content command and "ConvertFrom-Json".
Then look for a property in the file called 'resource_changes'; usually it holds 3 values, "delete", "update", and "add":
delete = destroy
update = change
add = new resource, no change to your infrastructure.
Here's the PS script:
# read the JSON plan produced by terraform show and collect every action listed under resource_changes
$plan = Get-Content -Path '/home/vsts/work/1/s/tfplan.json' -Raw | ConvertFrom-Json
$Action = $plan.resource_changes | ForEach-Object { $_.change.actions }
# assumed pipeline variable names, mapped by ADO to upper-case environment variables
$environment = $env:ENVIRONMENT
$subscriptionName = $env:SUBSCRIPTIONNAME
$deploymentAction = "None"
$message = "No resource changes detected in your $environment environment under $subscriptionName Subscription"
if ($Action -contains "delete") {
    $message = "This deployment is going to perform a Terraform Destroy to some resources in your $environment environment under $subscriptionName Subscription... Please review the Terraform Plan carefully before applying any changes"
    $deploymentAction = "Destroy"
}
if ($Action -contains "update" -and $Action -notcontains "delete") {
    $message = "This deployment is going to perform a Terraform Change/Update to some resources in your $environment environment under $subscriptionName Subscription... Please review the Terraform Plan carefully before applying any changes"
    $deploymentAction = "Change"
}
if ($Action -contains "create" -and $Action -notcontains "update" -and $Action -notcontains "delete") {
    $message = "This deployment is not going to perform any (Change or Destroy) to your existing resources in your $environment environment under $subscriptionName Subscription"
    $deploymentAction = "Add"
}
Write-Host $message
if ($deploymentAction -eq "Destroy" -or $deploymentAction -eq "Change") {
    Write-Host "##vso[task.logissue type=warning]Changes or Destroy detected, pipeline requires a manual approval to proceed"
}
# output variable so a later stage can read the classification
echo "##vso[task.setvariable variable=action;isOutput=true]$deploymentAction"
pwsh: true
Then you can echo the variable to make it available to a different stage in the pipeline.
Then you can create a new stage with a manual validation task:
task: ManualValidation@0
Kindly if you find the provided information helpful and it resolves your query, please consider accepting the answer. Your feedback is valuable and helps ensure the quality and relevance of the responses.
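The classification step described in the answer above, written out as a complete, self-contained script. This is an added example, not the original answer's script: the sample plan JSON is constructed inline (in the shape `terraform show -json terraform.tfplan` produces) and written only when no plan file exists, so the script runs offline; the `$PlanJsonPath`, `$Environment` and `$SubscriptionName` parameter names and the stage/job/task names in the final comment are assumptions for illustration.

```powershell
# Added example: classify a Terraform JSON plan and emit the Azure DevOps output
# variable that a later stage uses to decide whether ManualValidation@0 must run.
param(
    [string]$PlanJsonPath = (Join-Path $PWD 'tfplan.json'),   # assumed parameter name
    [string]$Environment = 'dev',                             # assumed parameter name
    [string]$SubscriptionName = 'example-subscription'        # assumed parameter name
)

# Constructed sample plan, written only if no real plan file is present.
if (-not (Test-Path $PlanJsonPath)) {
    @'
{
  "format_version": "1.2",
  "resource_changes": [
    { "address": "azurerm_resource_group.rg",   "change": { "actions": ["no-op"] } },
    { "address": "azurerm_storage_account.sa",  "change": { "actions": ["update"] } },
    { "address": "azurerm_key_vault.kv",        "change": { "actions": ["delete", "create"] } }
  ]
}
'@ | Set-Content -Path $PlanJsonPath -Encoding utf8
}

$plan = Get-Content -Path $PlanJsonPath -Raw | ConvertFrom-Json

# Flatten every resource's action list. Terraform emits "create", "update",
# "delete", "read" and "no-op"; a replacement shows up as ["delete","create"]
# (or ["create","delete"]), so checking for "delete" also catches replacements.
$actions = @($plan.resource_changes | ForEach-Object { $_.change.actions }) | Sort-Object -Unique

if ($actions -contains 'delete') {
    $deploymentAction = 'Destroy'
} elseif ($actions -contains 'update') {
    $deploymentAction = 'Change'
} elseif ($actions -contains 'create') {
    $deploymentAction = 'Add'
} else {
    $deploymentAction = 'None'
}

# List the affected resource addresses so the approver sees exactly what is touched.
$affected = $plan.resource_changes |
    Where-Object { $_.change.actions -notcontains 'no-op' } |
    ForEach-Object { "$($_.address): $($_.change.actions -join ',')" }

Write-Host "Environment: $Environment / Subscription: $SubscriptionName"
Write-Host "Deployment action: $deploymentAction"
$affected | ForEach-Object { Write-Host "  $_" }

if ($deploymentAction -in 'Destroy', 'Change') {
    Write-Host "##vso[task.logissue type=warning]Changes or Destroy detected, pipeline requires a manual approval to proceed"
}

# Output variable read by the approval stage's condition, e.g. (assumed names Plan / PlanJob / classify):
# condition: in(stageDependencies.Plan.PlanJob.outputs['classify.action'], 'Destroy', 'Change')
Write-Host "##vso[task.setvariable variable=action;isOutput=true]$deploymentAction"
```

Two points worth keeping in mind when wiring this up: ManualValidation@0 only runs in an agentless (server) job, so the approval stage needs `pool: server`, and the apply stage should run `terraform apply terraform.tfplan` against the same saved plan file that was classified, so that what the approver reviewed is exactly what gets applied.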