Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
65 commits
Select commit Hold shift + click to select a range
b37e95a
Migrate TerraformCLI@2 to @3 and update init task parameters
Kamil-Biegaj-HM Jan 16, 2026
1494fc6
Correct task name for Microsoft terraform extension
Kamil-Biegaj-HM Jan 22, 2026
7fb57da
Correct task name for Microsoft terraform extension
Kamil-Biegaj-HM Jan 22, 2026
56242d4
Update to TerraformTask@5 from Microsoft and add TerraformInstaller@1
Kamil-Biegaj-HM Jan 22, 2026
8365a51
Update task name to Terraform@5 (without publisher prefix)
Kamil-Biegaj-HM Jan 22, 2026
3da8db5
Fix task name to TerraformTask@5 per Microsoft docs
Kamil-Biegaj-HM Jan 22, 2026
11c3f07
Use fully qualified Microsoft extension names to avoid ambiguity
Kamil-Biegaj-HM Jan 23, 2026
5590aca
Pin terraform version to 1.13.3 to match required_version constraint
Kamil-Biegaj-HM Jan 23, 2026
815f92b
Fix to pipeline
Kamil-Biegaj-HM Jan 23, 2026
9322bc0
Add backendType: azurerm to init task
Kamil-Biegaj-HM Jan 23, 2026
5cfd82a
Remove duplicate subscription_id from init commandOptions - extension…
Kamil-Biegaj-HM Jan 23, 2026
567376b
Add backendServiceConnection parameter to allow separate backend serv…
Kamil-Biegaj-HM Jan 23, 2026
0526b1d
Restore terraformInitSubscription to commandOptions for backend subsc…
Kamil-Biegaj-HM Jan 23, 2026
2520072
Use separate backendServiceConnection defaulting to azurerm-control f…
Kamil-Biegaj-HM Jan 23, 2026
808829a
Add backendSubscriptionId parameter to override backend subscription …
Kamil-Biegaj-HM Jan 23, 2026
4bf7d46
Use existing terraformInitSubscription parameter for backend subscrip…
Kamil-Biegaj-HM Jan 23, 2026
fe0a8cd
Remove backendType and backend params - use only commandOptions for f…
Kamil-Biegaj-HM Jan 23, 2026
e9baecb
Add required backendServiceArm while still controlling backend via co…
Kamil-Biegaj-HM Jan 23, 2026
9604ceb
Add all required backend parameters back, rely on subscription_id ove…
Kamil-Biegaj-HM Jan 23, 2026
c9d22c4
Testing old pipeline parameters with new microsoft extension
Kamil-Biegaj-HM Jan 28, 2026
f9062cd
Testing old pipeline parameters with new microsoft extension
Kamil-Biegaj-HM Jan 28, 2026
6e4176a
Testing no resource group name
Kamil-Biegaj-HM Jan 28, 2026
05b8e01
Adding back in resource group name
Kamil-Biegaj-HM Jan 28, 2026
5b82c46
Replace tfswitch with Microsoft TerraformInstaller and fix init task …
Kamil-Biegaj-HM Jan 28, 2026
4e2036e
Replace tfswitch with TerraformInstaller in terraform-precheck
Kamil-Biegaj-HM Jan 28, 2026
70d9f32
Adding in ensureBackend: false
Kamil-Biegaj-HM Jan 28, 2026
3fa5041
Remove tfswitch calls from ado-terraform-nagger.py - use pre-installe…
Kamil-Biegaj-HM Jan 28, 2026
d9da0cc
removing if statement logic, in commandOptions
Kamil-Biegaj-HM Jan 28, 2026
e776da7
switching order of subscription id
Kamil-Biegaj-HM Jan 28, 2026
acf21ab
Fix init commandOptions: correct parameter order and remove unsupport…
Kamil-Biegaj-HM Jan 28, 2026
e80e36e
Use backendAzureRmOverrideSubscriptionID to always override backend s…
Kamil-Biegaj-HM Jan 28, 2026
030491c
Fix: use variable syntax for terraformInitSubscription instead of par…
Kamil-Biegaj-HM Jan 28, 2026
e1cde01
Support backendServiceConnection parameter for separate backend servi…
Kamil-Biegaj-HM Jan 28, 2026
6836025
Add backendAzureRmOverrideSubscriptionID when terraformInitSubscripti…
Kamil-Biegaj-HM Jan 28, 2026
e08bf4f
Use backendAzureRmSubscriptionId instead of backendAzureRmOverrideSub…
Kamil-Biegaj-HM Jan 28, 2026
c91697a
Pass subscription_id via commandOptions to override extension's auto-…
Kamil-Biegaj-HM Jan 28, 2026
dc8e82c
Use backendServiceConnection parameter when provided for backend auth…
Kamil-Biegaj-HM Jan 28, 2026
9f63d64
Use backendServiceConnection from pipeline variable instead of parameter
Kamil-Biegaj-HM Jan 28, 2026
2331515
Revert to using backendServiceConnection parameter (compile-time check)
Kamil-Biegaj-HM Jan 28, 2026
1a168e6
Add debug logging for backend configuration values
Kamil-Biegaj-HM Jan 28, 2026
0347536
Setting servicearm to bachenServiceConnection
Kamil-Biegaj-HM Jan 28, 2026
2445241
Setting servicearm to bachenServiceConnection
Kamil-Biegaj-HM Jan 28, 2026
f92d9a5
remove spacing
Kamil-Biegaj-HM Jan 28, 2026
54f1a58
service Connection variable insterted
Kamil-Biegaj-HM Jan 28, 2026
207c968
service Connection variable insterted
Kamil-Biegaj-HM Jan 28, 2026
f6a7e89
service Connection variable insterted through bash script
Kamil-Biegaj-HM Feb 17, 2026
1d96e8f
service Connection variable insterted through bash script
Kamil-Biegaj-HM Feb 17, 2026
0e627f4
Setting backendServiceArm dynamically through the terraformSubscripti…
Kamil-Biegaj-HM Feb 17, 2026
278226e
Reverting back to adding backendserviceconnection, and defaulting to …
Kamil-Biegaj-HM Feb 18, 2026
8dd46bb
Only set backend parameters if initCommandOptions doesn't contain bac…
Kamil-Biegaj-HM Feb 18, 2026
086a7cc
Always provide backendServiceArm for authentication
Kamil-Biegaj-HM Feb 18, 2026
e2dd94e
Revert changes to always authenticate
Kamil-Biegaj-HM Feb 18, 2026
340f03a
Added in deafult values for group and storage account names
Kamil-Biegaj-HM Feb 23, 2026
e18dd9e
Added in deafult values for group and storage account names
Kamil-Biegaj-HM Feb 23, 2026
9089bc3
Removing terraform install and reverting back to tfstate
Kamil-Biegaj-HM Feb 23, 2026
dea8157
Fix to tfswitch not finding a version
Kamil-Biegaj-HM Feb 23, 2026
b3c12ce
tfswitch runs in repo root even when repo_name isn’t provided
Kamil-Biegaj-HM Feb 23, 2026
f792b86
Reverting ado-terraform-nagger changes
Kamil-Biegaj-HM Feb 24, 2026
a348b27
Revert changes to install-use-tfswitch
Kamil-Biegaj-HM Feb 24, 2026
52f079c
Revert changes to terraform-precheck
Kamil-Biegaj-HM Feb 24, 2026
c092188
Revert changes to tfstate logic
Kamil-Biegaj-HM Feb 24, 2026
474790a
Revert changes to tfstate logic
Kamil-Biegaj-HM Feb 25, 2026
2efa12c
retryCountOnTaskFailure added in terraform.yaml
Kamil-Biegaj-HM Feb 25, 2026
7a834a5
backendAzureRmKey in terraform.yaml logic switch to use string interp…
Kamil-Biegaj-HM Feb 25, 2026
ec4a293
Changing logic for backendAzureRmKey from coalesce to if
Kamil-Biegaj-HM Feb 25, 2026
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 4 additions & 3 deletions scripts/ado-terraform-nagger.py
Original file line number Diff line number Diff line change
Expand Up @@ -87,7 +87,6 @@ def run_command(command, working_directory, is_tf_switch=False):
command = ["tfswitch", "--latest"]
run_command = subprocess.run(command, capture_output=True, timeout=15)
return run_command.stdout.decode("utf-8")

except TypeError:
run_command = subprocess.run(
command, stdout=subprocess.PIPE, stderr=subprocess.PIPE
Expand Down Expand Up @@ -671,10 +670,12 @@ def main():
try:
print(f'component: {component}')
full_path = f'{working_directory}{component}'

# fail out loop if terraform version <= 0.13.0
# fail out loop if terraform version <= 0.13.0
command = ["tfswitch", "-b", terraform_binary_path]
run_command(command, full_path, True)

# Get terraform version
command = ["terraform", "version", "--json"]
result = json.loads(run_command(command, full_path))

Expand Down
1 change: 1 addition & 0 deletions steps/install-use-tfswitch.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ steps:
inputs:
targetType: 'inline'
script: |
set -euo pipefail
curl -L https://raw.githubusercontent.com/warrensbox/terraform-switcher/release/install.sh | bash -s -- -b ${{ parameters.tfswitchPath }} ${{ parameters.tfswitchVersion }}
set -x
# Make sure ~/.local/bin is set for both root and non-root based agents (self-hosted etc)
Expand Down
88 changes: 51 additions & 37 deletions steps/terraform.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,21 @@ parameters:
- name: serviceConnection
default: ''

- name: backendServiceConnection
default: ''

- name: backendResourceGroupName
default: ''

- name: backendStorageAccountName
default: ''

- name: backendContainerName
default: ''

- name: backendKey
default: ''

- name: terraformInitSubscription
default: ''

Expand Down Expand Up @@ -91,6 +106,13 @@ steps:
serviceConnection: ${{ parameters.serviceConnection }}
environment: ${{ parameters.environment }}

- template: ./install-use-tfswitch.yaml
parameters:
${{ if eq( parameters['baseDirectory'], '') }}:
workingDirectory: '$(System.DefaultWorkingDirectory)/$(buildRepoSuffix)/components/${{ parameters.component }}'
${{ else }}:
workingDirectory: '$(System.DefaultWorkingDirectory)/$(buildRepoSuffix)/${{ parameters.baseDirectory }}/${{ parameters.component }}'

- task: Bash@3
displayName: Install tfcmt
condition: ne(variables['System.PullRequest.PullRequestNumber'], '')
Expand All @@ -107,14 +129,6 @@ steps:
keyVaultName: 'infra-vault-nonprod'
secretsFilter: 'github-api-token'

- template: ./install-use-tfswitch.yaml
parameters:
tfswitchArgs: -b ~/.local/bin/terraform
${{ if eq( parameters['baseDirectory'], '') }}:
workingDirectory: '$(System.DefaultWorkingDirectory)/$(buildRepoSuffix)/components/${{ parameters.component }}'
${{ else }}:
workingDirectory: '$(System.DefaultWorkingDirectory)/$(buildRepoSuffix)/${{ parameters.baseDirectory }}/${{ parameters.component }}'

- task: Bash@3
displayName: Build resource values
env:
Expand All @@ -127,49 +141,49 @@ steps:
filePath: $(System.DefaultWorkingDirectory)/cnp-azuredevops-libraries/scripts/build-resource-values.sh
workingDirectory: $(System.DefaultWorkingDirectory)/$(buildRepoSuffix)

- task: TerraformCLI@2
- task: ms-devlabs.custom-terraform-tasks.custom-terraform-release-task.TerraformTaskV4@4
displayName: Terraform init ${{ parameters.component }}
inputs:
command: init
provider: 'azurerm'
command: 'init'
${{ if eq( parameters['baseDirectory'], '') }}:
workingDirectory: '$(System.DefaultWorkingDirectory)/$(buildRepoSuffix)/components/${{ parameters.component }}'
${{ else }}:
workingDirectory: '$(System.DefaultWorkingDirectory)/$(buildRepoSuffix)/${{ parameters.baseDirectory }}/${{ parameters.component }}'
backendType: azurerm
ensureBackend: false
backendServiceArm: ${{ parameters.serviceConnection }}
backendAzureRmResourceGroupName: 'azure-control-${{ parameters.environment }}-rg'
backendAzureRmResourceGroupLocation: ${{ parameters.location }}
backendAzureRmStorageAccountName: $(controlStorageAccount)
backendAzureRmStorageAccountSku: Standard_LRS
backendAzureRmContainerName: subscription-tfstate
backendAzureRmKey: '${{ parameters.location }}/${{ parameters.product }}/$(buildRepoSuffix)/${{ parameters.environment }}/${{ parameters.component }}/terraform.tfstate'
commandOptions: '-backend-config=subscription_id=${{ parameters.terraformInitSubscription }} ${{ parameters.initCommandOptions }}'

- task: TerraformCLI@2
backendServiceArm: ${{ coalesce(parameters.backendServiceConnection, 'HMCTS-CONTROL') }}
backendAzureRmResourceGroupName: ${{ coalesce(parameters.backendResourceGroupName, format('azure-control-{0}-rg', parameters.environment)) }}
backendAzureRmStorageAccountName: ${{ coalesce(parameters.backendStorageAccountName, '$(controlStorageAccount)') }}
backendAzureRmContainerName: ${{ coalesce(parameters.backendContainerName, 'subscription-tfstate') }}
${{ if parameters.backendKey }}:
backendAzureRmKey: ${{ parameters.backendKey }}
${{ else }}:
backendAzureRmKey: ${{ parameters.location }}/${{ parameters.product }}/$(buildRepoSuffix)/${{ parameters.environment }}/${{ parameters.component }}/terraform.tfstate
commandOptions: '${{ parameters.initCommandOptions }}'

- task: ms-devlabs.custom-terraform-tasks.custom-terraform-release-task.TerraformTaskV4@4
displayName: Terraform validate
inputs:
command: validate
provider: 'azurerm'
command: 'validate'
${{ if eq( parameters['baseDirectory'], '') }}:
workingDirectory: '$(System.DefaultWorkingDirectory)/$(buildRepoSuffix)/components/${{ parameters.component }}'
${{ else }}:
workingDirectory: '$(System.DefaultWorkingDirectory)/$(buildRepoSuffix)/${{ parameters.baseDirectory }}/${{ parameters.component }}'

- task: TerraformCLI@2
- task: ms-devlabs.custom-terraform-tasks.custom-terraform-release-task.TerraformTaskV4@4
# retryCountOnFailure: 2
displayName: Terraform plan ${{ parameters.component }}
condition: and(succeeded(), in('${{ parameters.overrideAction }}', 'plan', 'apply'))
${{ if parameters.terraformEnvironmentVariables }}:
env: ${{ parameters.terraformEnvironmentVariables }}
inputs:
command: plan
provider: 'azurerm'
command: 'plan'
${{ if eq( parameters['baseDirectory'], '') }}:
workingDirectory: '$(System.DefaultWorkingDirectory)/$(buildRepoSuffix)/components/${{ parameters.component }}'
${{ else }}:
workingDirectory: '$(System.DefaultWorkingDirectory)/$(buildRepoSuffix)/${{ parameters.baseDirectory }}/${{ parameters.component }}'
environmentServiceName: ${{ parameters.serviceConnection }}
runAzLogin: true
publishPlanResults: "$(tfPlanName)"
environmentServiceNameAzureRM: ${{ parameters.serviceConnection }}
${{ if eq(parameters['tfVarsFile'], '') }}:
commandOptions: >
-out tfplan-$(tfPlanName)
Expand All @@ -193,7 +207,7 @@ steps:
-var product=${{ parameters.product }} ${{ parameters.planCommandOptions }}
-var-file "${{ parameters.tfVarsFile }}"
-lock=false
retryCountOnTaskFailure: 3 # This is at the correct level, aligned with 'displayName' and 'inputs'
Comment thread
ieuanb74 marked this conversation as resolved.
retryCountOnTaskFailure: 3 # This is at the correct level, aligned with 'displayName' and 'inputs'

- task: Bash@3
displayName: Publish Plan to GitHub - ${{ parameters.component }}
Expand Down Expand Up @@ -248,7 +262,7 @@ steps:
az storage azcopy blob upload -c plan-json --account-name tfplanviewersa -s $(System.DefaultWorkingDirectory)/$(buildRepoSuffix)/components/${{ parameters.component }}/tfplan-$(tfPlanName).json -d "$(Build.Repository.Name)/$(System.PullRequest.PullRequestNumber)/tfplan-$(tfPlanName).json" --subscription ${{ parameters.savePlanResultsServiceConnection }} --account-key $(storage-account-primary-key)
azureSubscription: ${{ parameters.serviceConnection }}

- task: TerraformCLI@2
- task: ms-devlabs.custom-terraform-tasks.custom-terraform-release-task.TerraformTaskV4@4
displayName: Terraform apply ${{ parameters.component }}
${{ if parameters.terraformEnvironmentVariables }}:
env: ${{ parameters.terraformEnvironmentVariables }}
Expand All @@ -258,29 +272,30 @@ steps:
and(succeeded(), eq(variables['isMain'], true), eq(variables['isAutoTriggered'], true))
)
inputs:
runAzLogin: true
command: apply
provider: 'azurerm'
command: 'apply'
${{ if eq( parameters['baseDirectory'], '') }}:
workingDirectory: '$(System.DefaultWorkingDirectory)/$(buildRepoSuffix)/components/${{ parameters.component }}'
${{ else }}:
workingDirectory: '$(System.DefaultWorkingDirectory)/$(buildRepoSuffix)/${{ parameters.baseDirectory }}/${{ parameters.component }}'
environmentServiceName: ${{ parameters.serviceConnection }}
environmentServiceNameAzureRM: ${{ parameters.serviceConnection }}
commandOptions: "${{ parameters.applyCommandOptions }} -auto-approve tfplan-$(tfPlanName)"
retryCountOnTaskFailure: 3 # This is at the correct level, aligned with 'displayName' and 'inputs'
Comment thread
ieuanb74 marked this conversation as resolved.

- ${{ if eq(parameters.overrideAction, 'destroy') }}:
- task: TerraformCLI@2
- task: ms-devlabs.custom-terraform-tasks.custom-terraform-release-task.TerraformTaskV4@4
displayName: Terraform destroy ${{ parameters.component }}
${{ if parameters.terraformEnvironmentVariables }}:
env: ${{ parameters.terraformEnvironmentVariables }}
condition: and(succeeded(), eq(variables['isMain'], true), eq('${{ parameters.overrideAction }}', 'destroy'))
inputs:
command: destroy
provider: 'azurerm'
command: 'destroy'
${{ if eq( parameters['baseDirectory'], '') }}:
workingDirectory: '$(System.DefaultWorkingDirectory)/$(buildRepoSuffix)/components/${{ parameters.component }}'
${{ else }}:
workingDirectory: '$(System.DefaultWorkingDirectory)/$(buildRepoSuffix)/${{ parameters.baseDirectory }}/${{ parameters.component }}'
environmentServiceName: ${{ parameters.serviceConnection }}
environmentServiceNameAzureRM: ${{ parameters.serviceConnection }}
${{ if eq(parameters['tfVarsFile'], '') }}:
commandOptions: >
-var env=${{ parameters.environment }}
Expand All @@ -298,7 +313,6 @@ steps:
-var builtFrom=$(Build.Repository.Name)
-var product=${{ parameters.product }} ${{ parameters.destroyCommandOptions }}
-var-file "${{ parameters.tfVarsFile }}"

- task: AzureCLI@2
displayName: 'Unlock TF state if required'
condition: |
Expand Down