Saturday, 19 September 2020

Azure Terraform Infra as Code Deployment via Custom PowerShell with Azure DevOps Pipelines – Part 2 – Execute Plan with Approval

In the previous post “Azure Terraform Infra as Code Deployment via Custom PowerShell with Azure DevOps Pipelines – Part 1 – Create Plan” we have discussed how to generate a terraform plan targeting Azure Infrastructure deployment and upload it to an Azure Git repo. The solution is implemented instead of using terraform task for Azure DevOps, which is available with Microsoft DevLabs extension due to it is having a prerequisite of Azure resource group, storage etc. as described in the post “Why Azure DevOps Terraform Extension Task by Microsoft DevLabs to Deploy Infra to Azure Does Not Work for Me”. As the second part of previous post, let’s explore the steps require to approve the terraform plan and get the plan executed with Azure DevOps pipeline relying on a state kept in Azure Git repo instead of a storage blob, which is eliminating the need of having manually created Azure resources.

Terraform plan can be viewed in the release logs as explained in the previous post. Once the plan is uploaded to an Azure Git repo it is possible to complete the agent job and utilize an agentless job in the pipeline to use a manual intervention task. Such Manual intervention task will allow the approver to check the plan in the log or from the uploaded plan file (need to convert the plan to viewable Jason using tools such as terraform plan parser).

Once the approver is happy with plan it is possible to approve or if unhappy can reject further execution of the pipeline.



Once the approval is given the next steps to be executed in another hosted agent job. As a prerequisite need to download the package which is containing the main.tf and the variables.tf and extract it. Then Install the terraform should be installed in the agent machine utilizing the Microsoft DevLabs extension task to install terraform. The next step would be to clone the Azure Git repo containing the plan and optionally the terraform state of the target environment (first execution will not have the state). Next the terraform init command should be executed to get the required terraform modules and plugins loaded. All these steps were describe n detail in the post “Azure Terraform Infra as Code Deployment via Custom PowerShell with Azure DevOps Pipelines – Part 1 – Create Plan”.

Once these prerequisites are ready in the agent job the next step would be to use a simple PowerShell task to execute Terraform Apply using the plan. Below script can be used for the purpose of applying the plan cloned from the Azure Git repo. It is required to pass the terraform state file path (even if no state file in the first run after apply command the file will be created), and the plan file path already available in the cloned repo folder. The task working directory should be set to the package extracted folder which contains the cloned repo content as well in a folder.

$tfStateFilePath = '$(tfStateFilePath)';

$planFilePath = '$(planFilePath)';

# Set terraform state file path parameters

$stateParam = '-state',("'",$tfStateFilePath,"'" -join '') -join '='

# Build up terraform apply command

$applyCommand = 'terraform apply',$stateParam ,$planFilePath -join ' '

write-host ($applyCommand )

# Execute terraform apply

Invoke-Expression $applyCommand



Once the plan is executed successfully state would be saved in the cloned folder Azure Git repo path. It is required to update the Azure Git repo with the terraform state file so that in the next release, the state file can be utilized to execute next plan with any modification to the target environment Azure infrastructure. How to push the changes was described via Git command line in a PowerShell task was described in the post “Azure Terraform Infra as Code Deployment via Custom PowerShell with Azure DevOps Pipelines – Part 1 – Create Plan”.



Once pushed the terraform state would be available in the repo for next infra run cycle. This implementation eliminates the need to keep the terraform state in another Azure resource such as storage account, which is making only prerequisite to deploy to a new subscription (in QA, UAT or Production environment needs), would be to have an SPNN created to make necessary connectivity.

No comments:

Popular Posts