azure-pipelines-terraform.yml

parameters:
  - name: environment
    type: string
    default: stage
    
  - name: environmentDisplayName
    type: string
    default: stage

  - name: provisionStorage
    type: boolean
    default: false

  - name: TerraformVersion
    type: string
    default: 0.14.8

  - name: TerraformDirectory
    type: string
    default: terraform_aks

  - name: TerraformBackendServiceConnection
    type: string
    default: MSDN

  - name: TerraformBackendResourceGroup
    type: string
    default: terraformstate

  - name: TerraformBackendStorageAccount
    type: string
    default: terraformstatemsalem

  - name: TerraformBackendStorageContainer
    type: string
    default: terraformstateaks
  
  - name: TerraformBackendLocation
    type: string
    default: northeurope

variables:
- group: terraform

stages:
- stage: Terraform_${{ parameters.environment }}
  displayName: Terraform ${{ parameters.environmentDisplayName }}
  pool:
    vmImage: ubuntu-latest
  jobs:

  - job: TerraformAKS 
    displayName: Terraform init and apply AKS
    # Avoid concurrent Terraform runs on PRs, which would result in failures due to exclusive lock on remote state file.
    condition: and(succeeded(), or(eq(variables['Build.SourceBranch'], 'refs/heads/master'), variables['RUN_FLAG_TERRAFORM']))
    steps:
    - task: AzureCLI@1
      displayName: Set Terraform backend
      condition: and(succeeded(), ${{ parameters.provisionStorage }})
      inputs:
        azureSubscription: ${{ parameters.TerraformBackendServiceConnection }}
        scriptLocation: inlineScript
        inlineScript: |
          set -eu  # fail on error
          RG='${{ parameters.TerraformBackendResourceGroup }}'
          export AZURE_STORAGE_ACCOUNT='${{ parameters.TerraformBackendStorageAccount }}'
          export AZURE_STORAGE_KEY="$(az storage account keys list -g "$RG" -n "$AZURE_STORAGE_ACCOUNT" --query '[0].value' -o tsv)"
          if test -z "$AZURE_STORAGE_KEY"; then
            az configure --defaults group="$RG" location='${{ parameters.TerraformBackendLocation }}'
            az group create -n "$RG" -o none
            az storage account create -n "$AZURE_STORAGE_ACCOUNT" -o none
            export AZURE_STORAGE_KEY="$(az storage account keys list -g "$RG" -n "$AZURE_STORAGE_ACCOUNT" --query '[0].value' -o tsv)"
          fi

          container='${{ parameters.TerraformBackendStorageContainer }}'
          if ! az storage container show -n "$container" -o none 2>/dev/null; then
            az storage container create -n "$container" -o none
          fi
          blob='${{ parameters.environment }}.tfstate'
          if [[ $(az storage blob exists -c "$container" -n "$blob" --query exists) = "true" ]]; then
            if [[ $(az storage blob show -c "$container" -n "$blob" --query "properties.lease.status=='locked'") = "true" ]]; then
              echo "State is leased"
              lock_jwt=$(az storage blob show -c "$container" -n "$blob" --query metadata.terraformlockid -o tsv)
              if [ "$lock_jwt" != "" ]; then
                lock_json=$(base64 -d <<< "$lock_jwt")
                echo "State is locked"
                jq . <<< "$lock_json"
              fi
              if [ "${TERRAFORM_BREAK_LEASE:-}" != "" ]; then
                az storage blob lease break -c "$container" -b "$blob"
              else
                echo "If you're really sure you want to break the lease, rerun the pipeline with variable TERRAFORM_BREAK_LEASE set to 1."
                exit 1
              fi
            fi
          fi
        addSpnToEnvironment: true

    - task: ms-devlabs.custom-terraform-tasks.custom-terraform-installer-task.TerraformInstaller@0
      displayName: Install Terraform
      inputs:
        terraformVersion: ${{ parameters.TerraformVersion }}

    - task: AzureCLI@1
      displayName: Terraform credentials
      inputs:
        azureSubscription: ${{ parameters.TerraformBackendServiceConnection }}
        scriptLocation: inlineScript
        inlineScript: |
          set -eu
          subscriptionId=$(az account show --query id -o tsv)
          echo "##vso[task.setvariable variable=ARM_CLIENT_ID]$servicePrincipalId"
          echo "##vso[task.setvariable variable=ARM_CLIENT_SECRET;issecret=true]$servicePrincipalKey"
          echo "##vso[task.setvariable variable=ARM_SUBSCRIPTION_ID]$subscriptionId"
          echo "##vso[task.setvariable variable=ARM_TENANT_ID]$tenantId"
        addSpnToEnvironment: true

    # Using bash instead of Terraform extension because of following issue:
    # - https://github.com/microsoft/azure-pipelines-extensions/issues/738
    - task: AzureCLI@1
      displayName: Terraform init
      inputs:
        azureSubscription: ${{ parameters.TerraformBackendServiceConnection }}
        scriptLocation: inlineScript
        inlineScript: |
          set -eux  # fail on error
          subscriptionId=$(az account show --query id -o tsv)
          terraform init \
            -backend-config=storage_account_name=${{ parameters.TerraformBackendStorageAccount }} \
            -backend-config=container_name=${{ parameters.TerraformBackendStorageContainer }} \
            -backend-config=key=${{ parameters.environment }}.tfstate \
            -backend-config=resource_group_name=${{ parameters.TerraformBackendResourceGroup }} \
            -backend-config=subscription_id=$subscriptionId \
            -backend-config=tenant_id=$tenantId \
            -backend-config=client_id=$servicePrincipalId \
            -backend-config=client_secret="$servicePrincipalKey"
        workingDirectory: ${{ parameters.TerraformDirectory }}
        addSpnToEnvironment: true
    
    - bash: |
        set -eu
        export ARM_CLIENT_SECRET=$(ARM_CLIENT_SECRET)
        terraform apply -input=false -auto-approve -var aks-aad-srv-id=$(aks-aad-srv-id) -var aks-aad-srv-secret=$(aks-aad-srv-secret) -var aks-aad-client-id=$(aks-aad-client-id)
      displayName: Terraform apply
      workingDirectory:  ${{ parameters.TerraformDirectory }}