I’m trying to create a pipeline (in Azure Devops) that runs some Terraform code. The logic of what I’m trying to do is:

• Run terraform plan
• Check if terraform plan has changes
• If so, prompt user to manually review the changes and then accept / reject
• Proceed to terraform apply if accepted

I have the terraform plan stage all working, but I'm struggling to identify how to programmatically identify if the output of terraform plan has changes to review or not.

I was trying to use the following environment variables that are supposedly set to true/false after running ‘terraform plan’

TERRAFORM_PLAN_HAS_CHANGES
TERRAFORM_PLAN_HAS_DESTROY_CHANGES

But it doesn’t appear that they are being set, at least in the Terraform version that I’m using (v1.4.2).

What would be the best way of programmatically checking if changes are there to review? Or should I shift my logic?

Environment variables are not automatically saved between steps in Azure Pipelines.

You have to use the ##vso logging commands to set output variables if you want to persist information between tasks. If you want to persist it across jobs or stages, you additionally have to set isOutput=true.

terraform plan -input=false -no-color -detailed-exitcode  

retVal=$?
if [ $retVal -eq 2 ]; then
    echo "##vso[task.setvariable variable=planChanged;isOutput=true]true"
else
    echo "##vso[task.setvariable variable=planChanged;isOutput=true]false"
fi 

Then, down-stream in another job, you'd set the condition:

condition: and(succeeded(), eq(coalesce(dependencies.Plan_${{ parameters.stage }}.outputs['Plan_${{ parameters.stage }}.planstep.planChanged'], 'true'), 'true'))

where Plan_${{ parameters.stage }} is the name of the job, and planstep is the name of the step in which you set the output variable.

You can run terraform plan like this

terraform plan -detailed-exitcode 

If the exit code == 2, then there are changes present.

Source