The tasks in this extension allow for running terraform cli commands from both the Build and Release pipelines in Azure DevOps. The motivation for this extension was to provide terraform pipeline tasks that could execute on all build agent operating systems and provide contextual/guided task configuration.
Supported Commands
The Terraform CLI task supports executing the following commands
- version
- init
- validate
- plan
- apply
- destroy
- show (NEW destroy detection)
Compatible with Linux Build Agents
The tasks can execute on all supported build agent operating systems including Ubuntu and MacOS.
The dedicated Terraform Installer task allows for complete control over how frequently and on which agents terraform is installed. This prevents from having to install terraform before executing each terraform task. However, if necessary, this can be installed multiple times to support pipelines that span multiple build agents
Contextual Task Configuration
The task definition will adjust to the selected command to prompt for what is relevant to the command. For example, validate does not require knowledge of the backend configuration so this section will not be used when executing validate. The validate command does accept vars file however. Therefore, the field to specify vars file will be available.
Azure Service Connection / Service Principal Integration
When executing plan, apply, and destroy commands, the task will prompt for the target azure subscription to use. This is specified as a service connection/principal for deploying azure resources.
Remote & Local Backend State Support
The task currently supports two backend configurations
- local (default for terraform) - State is stored on the agent file system.
- azurerm - State is stored in a blob container within a specified Azure Storage Account.
The backend configuration will be prompted when relevant for the selected command. If azurerm selected, the task will prompt for a service connection and storage account details to use for the backend.
Automated Remote Backend Creation
The task supports automatically creating the resource group, storage account, and container for remote azurerm backend. To enable this, select the task for the terraform init command. Check the checkbox labled "Create Backend (If not exists)" underneath the backend type drop down. Once selected, the resource group location and storage account sku can be provided. The defaults are 'eastus' and 'Standard_RAGRS' respectively. The task will utilize AzureCLI to create the resource group, storage account, and container as specified in the backend configuration.
Secure Variable Secrets
There are three methods to provide secrets within the vars provided to terraform commands. First, if providing individual -var options to the command line, the secret pipeline variables can be used. Use the Command Options field to input your secret vars as -var 'secret=$(mySecretPipelineVar). Secondly, a var file secured in Secure Files Library of Azure DevOps pipeline can be specified via drop-down menu. Storing sensitive var files in the Secure Files Library not only provides encryption at rest, it also allows the files to have different access control applied than that of the Source Repository and Build/Release Pipelines.
Secure Env Files (NEW)
If the Secure Variables file name is *.env, it is referred as .env file. This task loads environment variables from the .env file.
.env file example
KEY1=VALUE1
KEY2=VALUE2
When running terraform plan with -detailed-exitcode, a pipeline variable will be set to indicate if any changes exist in the plan. TERRAFORM_PLAN_HAS_CHANGES will be set to true if plan detected changes. Otherwise, this variable will be set to false. This can be used in conjunction with Custom Condition expression under Control Options tab of the task to skip terraform apply if no changes were detected.
Sample expression
and(succeeded(), eq(variables['TERRAFORM_PLAN_HAS_CHANGES'], 'true'))
(NEW) Plan Destroy Detection
The task now has the ability to set a pipeline variable TERRAFORM_PLAN_HAS_DESTROY_CHANGES if a generated plan has destroy operations. To utilize this, run terraform plan and set the -out=my-plan-file-path to write the generated plan to a file. Then run terraform show and provide the path to the generated plan file in the Target Plan or State File Path input field. If show, detects a destroy operation within the plan file, then the pipeline variable TERRAFORM_PLAN_HAS_DESTROY_CHANGES will be set to true.
