šŸ”„Azure DevOps YML Terraform Pipeline and Pre-Merge Pull Request Validation

Kyler Middleton
The Startup
Published in
9 min readJan 7, 2020

This blog series focuses on presenting complex DevOps projects as simple and approachable via plain language and lots of pictures. You can do it!

tl;dr: Here’s YML code that will build an Azure DevOps pipeline that can be run automatically as part of pull request validation (pre-merge) and requires manual approval by definable admin groups in order to proceed to modifing resources.

Microsoft’s Azure DevOps (ADO) is an incredibly powerful CI/CD platform that is being rapidly developed by $MSFT. However, as with any rapidly-evolving product, the documentation sometimes leaves something to be desired. I solved a few problems with the help of the Azure DevOps development team and I thought I’d share my solutions. Hope they help.

ADO is generalized to be able to run any language you’d like, rather than being committed to a single language like HashiCorp’s Terraform Enterprise (Terraform only) and can drive your own machines already embedded in your infrastructure, rather than requiring you to use their hosts.

It also permits something many other CI/CDs do, which is writing our pipelines in YML format, and tracking and updating their config via the text YML config. This is powerful for several reasons:

  • As with every other DevOps resource, tracking state and changes in text and with pull requests allows peer review before changes and identification of changes afterward
  • Despite a powerful GUI configuration interface, code will always have more options for configuration
  • Hundreds of pipelines can be much more easily managed in code than via any kind of GUI

Azure DevOps: The Old Way

I previously configured our Terraform pipelines within Azure DevOps using the GUI. I didn’t realize until after that once configured in the GUI, the pipelines are no longer convertible to YML, so we were stuck with the GUI version. And then we needed another and another, and suddenly I’m managing nearly a hundred GUI-based pipelines, and things are obviously becoming untenable.

Each pipeline has several stages — first, we have a build pipeline that generates artifacts (a collection of…

Kyler Middleton
The Startup

DevNetSecOps, DevRel, cloud security chick. I will teach you, it’s unavoidable. She/Her šŸ³ļøā€šŸŒˆšŸ³ļøā€šŸŒˆ, INFJ-A, support the EFF!