azure-pipelines.yml

trigger:
  - main

variables:
  # Secrets pull from key vault
  - group: kvdevops1

pool:
  name: Contoso

stages:
  - stage: terraform_plan
    displayName: Terraform Plan
    jobs:
      - job: terraform_plan
        displayName: Terraform Plan
        steps:
          - task: DownloadSecureFile@1
            name: terraformrc
            displayName: "Download .terraformrc"
            inputs:
              secureFile: ".terraformrc"
          - script: |
              export TF_CLI_CONFIG_FILE="$(terraformrc.secureFilePath)"
              export ARM_CLIENT_ID=$(client-id)
              export ARM_CLIENT_SECRET=$(client-secret)
              export ARM_SUBSCRIPTION_ID=$(main-subscription-id)
              export ARM_TENANT_ID=$(tenant-id)
              terraform init
              terraform plan -var-file=sample.tfvars \
                -var "vm_username=$(local-vm-username)" \
                -var "vm_password=$(local-vm-password)" \
                -var "domain_name=$(ad-domain-name)" \
                -var "domain_ou_path=$(ad-domain-ou-path)" \
                -var "domain_username=$(ad-domain-username)" \
                -var "domain_password=$(ad-domain-password)" \
                -out=$(System.DefaultWorkingDirectory)/$(Build.BuildId).tfplan
            displayName: Terraform Plan
            name: terraform_plan
          - task: PublishPipelineArtifact@1
            inputs:
              targetPath: $(System.DefaultWorkingDirectory)/$(Build.BuildId).tfplan
              artifactName: $(Build.BuildId).tfplan
            displayName: Publish terraform plan artifact
            name: publish_plan
  - stage: terraform_apply
    displayName: Terraform Apply
    dependsOn: terraform_plan
    condition: succeeded()
    jobs:
      - job: manual_validation
        displayName: Approval Gate
        pool: Server
        steps:
          - task: ManualValidation@0
            displayName: Review terraform plan output
            inputs:
              notifyUsers: $(notifyUsers)
              instructions: "Please review the terraform plan output in the stage above and click Resume to continue."
      - job: terraform_apply
        displayName: Terraform Apply
        dependsOn:
          - manual_validation
        steps:
          - task: DownloadPipelineArtifact@2
            inputs:
              artifactName: $(Build.BuildId).tfplan
              patterns: "**/$(Build.BuildId).tfplan"
              path: $(System.DefaultWorkingDirectory)
            displayName: Download terraform plan artifact
            name: download_plan
          - task: DownloadSecureFile@1
            name: terraformrc
            displayName: "Download .terraformrc"
            inputs:
              secureFile: ".terraformrc"
          - script: |
              export TF_CLI_CONFIG_FILE="$(terraformrc.secureFilePath)"
              export ARM_CLIENT_ID=$(client-id)
              export ARM_CLIENT_SECRET=$(client-secret)
              export ARM_SUBSCRIPTION_ID=$(main-subscription-id)
              export ARM_TENANT_ID=$(tenant-id)
              terraform init
              terraform apply --auto-approve $(System.DefaultWorkingDirectory)/$(Build.BuildId).tfplan
            displayName: Terraform Apply
            name: terraform_apply
            failOnStderr: true
            continueOnError: false