Azure DevOps Terraform Pipeline with Checkov & Approvals

Pipeline Overview

[Diagram: Azure DevOps Pipeline Workflow, showing the workflow executed by the pipeline]

The Stages

Stage: Checkov Scan

The code for the Checkov Scan stage:

  # Mount the working directory into the container and scan it with Checkov.
  # --soft-fail makes Checkov exit 0 even when checks fail, so the pipeline
  # continues and the findings are surfaced through the JUnit report instead.
  docker run \
    --volume "$(pwd)":/tf \
    bridgecrew/checkov \
    --directory /tf \
    --output junitxml \
    --soft-fail \
    > "$(pwd)/CheckovReport.xml"

Stage: Terraform Validate

Stage: Terraform Plan

Stage: Terraform Apply (Auto Approval)

The condition on the Apply (Auto Approval) stage, which runs only when the plan stage reported changes:

  condition: |
    and
    (
      succeeded(),
      eq(dependencies.planTerraform.outputs['TerraformJobs.setvar.HAS_CHANGES_ONLY'], 'true')
    )

The logging command in the plan job (in the task named setvar) that publishes the output variable the condition reads:

  echo "##vso[task.setvariable variable=HAS_CHANGES_ONLY;isOutput=true]true"

The general form for referencing an output variable from a previous stage:

  dependencies.STAGE_NAME.outputs['JOB_NAME.TASK_NAME.VARIABLE_NAME']
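The post shows the setvariable line but not how the plan job decides the value. As an added example, not code from the original post, the script below uses `terraform plan -detailed-exitcode` (an assumption; exit 0 = no changes, 1 = error, 2 = changes) to set HAS_CHANGES_ONLY, and fails the job on a real plan error rather than silently skipping the apply. The `fake_plan_with_changes` function is a constructed stand-in so it runs offline.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): decide the value of
# HAS_CHANGES_ONLY that the Apply (Auto Approval) stage's condition reads.
# Assumes `terraform plan -detailed-exitcode`: exit 0 = no changes,
# 1 = error, 2 = changes pending.

# Map a detailed exit code to the variable value and print the Azure DevOps
# logging command. Returns non-zero on a plan error so the job fails loudly
# instead of the apply stage being skipped with no explanation.
emit_has_changes() {
  local rc="$1"
  case "$rc" in
    0) echo "##vso[task.setvariable variable=HAS_CHANGES_ONLY;isOutput=true]false" ;;
    2) echo "##vso[task.setvariable variable=HAS_CHANGES_ONLY;isOutput=true]true" ;;
    *) echo "##vso[task.logissue type=error]terraform plan failed (exit $rc)" >&2
       return 1 ;;
  esac
}

# Run the plan (command passed as arguments so it can be substituted) and
# publish the variable. The task must be named `setvar` so that
# dependencies.planTerraform.outputs['TerraformJobs.setvar.HAS_CHANGES_ONLY']
# resolves in the apply stage's condition.
plan_and_set_var() {
  local rc=0
  "$@" -detailed-exitcode -input=false -out=tfplan || rc=$?
  emit_has_changes "$rc"
}

# Constructed stand-in for `terraform plan` so this runs offline: behaves like
# a plan that found changes (exit 2). In the pipeline the call would be:
#   plan_and_set_var terraform plan
fake_plan_with_changes() { return 2; }

plan_and_set_var fake_plan_with_changes
```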

Stage: Terraform Apply (Manual Approval)

Running the Pipeline

Initial Run

The initial deployment
Warnings and the Terraform Plan

No Changes Run

Nothing to change

Introducing some mistakes

Viewing the report
Getting a little more information
Crisis averted!!!

Manual Approval

The Email
Reviewing and OK’ing the deployment

Summary
