Our Azure release pipeline takes our Terraform code stored within an Azure repo, performs variable replacement based off of the stage, and deploys to the appropriate environment.
Within the above screenshot, one can see our artifact (Terraform code) is called grouper_IaC, basically a zip file. We have two stages, Sandbox IaC Deploy and Dev IaC Deploy; these represent different environments which can comprise of different Azure subscriptions and resource groups. We use service connections to connect to the different subs/ resource groups. None of our stages automatically run when a commit is made to the IaC Terraform repo. Rather, one must manually start one or many stages, which could initiate an approval process built into the stage.
Within a given stage, we have 3 jobs and 7 tasks, shown below.
The 3 jobs are:
- Plan
- Performs variable replacement within our tfvars file and installs Terraform via a Task Group (reusable Azure release pipeline component)
- Terraform init: connects to our Terraform state file (stored in Azure, in a different RG than our Grouper deployment...but doesn't have to be)
- Terraform plan: show what would change
- Review:
- Manual intervention step: basically pauses the release pipeline, instructs (via email) folks to review the Terraform plan carefully before proceeding. We have a default action of timing out in 60 minutes.
- Do:
- Performs variable replacement within our tfvars file and installs Terraform via a Task Group (reusable Azure release pipeline component); we need to repeat this step as we lost our Azure VM when the plan job concluded.
- Terraform init: connects to our Terraform state file (stored in Azure, in a different RG than our Grouper deployment...but doesn't have to
- Terraform apply: applies the plan