<\/p>\n
Pipeline Overview<\/h3>\n
<\/p>\n
The pipeline itself has expanded a little and it now not only uses stages but also depending on what Terraform is planning on doing it will trigger a manual approval process should there be any resources being destroyed.<\/p>\n
The stages in the pipeline are as follows;<\/p>\n
- \n
- Checkov Scan<\/strong>, this stage run\u00a0Checkov<\/a>, a tool by\u00a0BridgeCrew<\/a>\u00a0which scans Terraform configuration to find common misconfigurations before they\u2019re deployed. The results of the scan are uploaded to the Pipeline run and are available as a report.<\/li>\n
- Terraform Validate<\/strong>, this stage run the\u00a0
terraform validate<\/code>\u00a0command to check that the Terraform files are valid, if there are any problems the pipeline errors.<\/li>\n- Terraform Plan<\/strong>, this stage runs the\u00a0
terraform plan<\/code>\u00a0command. Depending in the state of resources it finds variables are set which are used to determine the next stage which is executed. The output of the\u00a0terraform plan<\/code>\u00a0command is also upload to Azure DevOps.<\/li>\n- Terraform Apply (Auto Approval)<\/strong>, if the\u00a0Terraform Plan<\/em>\u00a0stage determines that the only changes to the state are additions then this stage is ran, it performs the\u00a0
terraform apply<\/code>\u00a0and effects the change.<\/li>\n- Terraform Apply (Manual Approval)<\/strong>, if the\u00a0Terraform Plan<\/em>\u00a0stage determines that the changes to the state includes any resources being destroyed then this stage is ran, it triggers a manual approval task prompting someone to check before the\u00a0
terraform apply<\/code>\u00a0command is executed.<\/li>\n<\/ul>\nThe who<\/span>le workflow can be found below (click on the image for a larger view);<\/p>\n
![\"\"](\"http:\/\/content.n4stack.io\/wp-content\/uploads\/2021\/06\/azure-devops-pipeline-workflow-2.png\")
<\/a><\/p>\nAzure DevOps Pipeline Workflow {Source: MediaGlasses<\/a>}<\/p>\n
As well as the addition of the stages detailed above, the pipeline has moved to using the\u00a0Terraform Azure DevOps extension from Microsoft DevLabs<\/a>\u00a0to the\u00a0Terraform Azure DevOps extension by Charles Zipp<\/a>.<\/p>\n
The reasoning for this is that the extension by\u00a0Charles Zipp<\/a>\u00a0enables a lot of the functionality I needed to enable the two different approval stages without having to code the logic myself \u2014 which I am always a fan of \ud83d\ude09<\/p>\n
The Stages<\/h3>\n
<\/p>\n
Now that we have an idea of what should happen, let\u2019s take a look at what the pipeline looks like.<\/p>\n
<\/p>\n
Stage: Checkov Scan<\/h4>\n
<\/p>\n
The first stage to run downloads and executes a scan of the Terraform files using\u00a0Checkov<\/a>, you will notice the YAML below that we are pulling the\u00a0Checkov container from Dockerhub<\/a> and running it;<\/p>\n
[\/et_pb_text][et_pb_code _builder_version=”4.9.4″]
- Terraform Validate<\/strong>, this stage run the\u00a0