Terraform

Terraform CI/CD with Azure DevOps Pipelines

Automate Terraform with Azure DevOps Pipelines. YAML pipelines, service connections, environment approvals, and Azure backend state configuration.

LLuca BertonMay 1, 20261 min read

Quick Answer

trigger:
  branches:
    include: [main]
 
pool:
  vmImage: 'ubuntu-latest'
 
steps:
  - task: TerraformInstaller@1
    inputs:
      terraformVersion: '1.8.5'
  - script: terraform init
  - script: terraform plan -out=tfplan
  - script: terraform apply -auto-approve tfplan
    condition: eq(variables['Build.SourceBranch'], 'refs/heads/main')

Production Pipeline

# azure-pipelines.yml
trigger:
  branches:
    include: [main]
  paths:
    include: [terraform/**]
 
pr:
  branches:
    include: [main]
 
variables:
  - group: terraform-vars
  - name: TF_IN_AUTOMATION
    value: 'true'
 
stages:
  - stage: Validate
    jobs:
      - job: Validate
        pool:
          vmImage: 'ubuntu-latest'
        steps:
          - task: TerraformInstaller@1
            inputs:
              terraformVersion: '1.8.5'
          - script: |
              cd terraform
              terraform init -backend=false
              terraform validate
              terraform fmt -check
            displayName: 'Validate & Format'
 
  - stage: Plan
    dependsOn: Validate
    jobs:
      - job: Plan
        pool:
          vmImage: 'ubuntu-latest'
        steps:
          - task: TerraformInstaller@1
            inputs:
              terraformVersion: '1.8.5'
          - task: AzureCLI@2
            inputs:
              azureSubscription: 'terraform-service-connection'
              scriptType: 'bash'
              scriptLocation: 'inlineScript'
              inlineScript: |
                cd terraform
                export ARM_CLIENT_ID=$servicePrincipalId
                export ARM_CLIENT_SECRET=$servicePrincipalKey
                export ARM_SUBSCRIPTION_ID=$(az account show --query id -o tsv)
                export ARM_TENANT_ID=$tenantId
                terraform init
                terraform plan -out=tfplan -no-color
            addSpnToEnvironment: true
          - publish: terraform/tfplan
            artifact: tfplan
 
  - stage: Apply
    dependsOn: Plan
    condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
    jobs:
      - deployment: Apply
        pool:
          vmImage: 'ubuntu-latest'
        environment: 'production'  # Requires approval
        strategy:
          runOnce:
            deploy:
              steps:
                - download: current
                  artifact: tfplan
                - task: TerraformInstaller@1
                  inputs:
                    terraformVersion: '1.8.5'
                - task: AzureCLI@2
                  inputs:
                    azureSubscription: 'terraform-service-connection'
                    scriptType: 'bash'
                    scriptLocation: 'inlineScript'
                    inlineScript: |
                      cd terraform
                      export ARM_CLIENT_ID=$servicePrincipalId
                      export ARM_CLIENT_SECRET=$servicePrincipalKey
                      export ARM_SUBSCRIPTION_ID=$(az account show --query id -o tsv)
                      export ARM_TENANT_ID=$tenantId
                      terraform init
                      terraform apply -auto-approve $(Pipeline.Workspace)/tfplan/tfplan
                  addSpnToEnvironment: true

Azure Backend Configuration

terraform {
  backend "azurerm" {
    resource_group_name  = "terraform-state-rg"
    storage_account_name = "tfstate12345"
    container_name       = "tfstate"
    key                  = "production.tfstate"
  }
}

Service Connection Setup

Project Settings → Service connections → New
Choose Azure Resource Manager
Select Service principal (automatic)
Name it terraform-service-connection

Environment Approvals

Pipelines → Environments → production
Click Approvals and checks
Add Approvals → select approvers
Add Business hours (optional)

Variable Groups

# Create variable group in Azure DevOps
# Project Settings → Pipelines → Library → Variable groups
# Add: ARM_CLIENT_ID, ARM_CLIENT_SECRET (secret), ARM_SUBSCRIPTION_ID, ARM_TENANT_ID

Conclusion

Use Azure DevOps service connections for authentication, the azurerm backend for state, Environment approvals for production gates, and the AzureCLI task to inject service principal credentials. Publish plan artifacts between stages and use deployment jobs for apply.

#Terraform#Azure DevOps#CI/CD#DevOps#Infrastructure as Code

Share this article

Terraform

Terraform CI/CD with GitHub Actions - Complete Pipeline

Automate Terraform with GitHub Actions. Plan on PR, apply on merge, OIDC authentication, environment protection, and drift detection workflows.

May 1, 20262 min read

Terraform

Terraform CI/CD with GitLab CI - Complete Pipeline

Automate Terraform with GitLab CI/CD. Plan on merge requests, apply on main, remote state with HTTP backend, and environment-specific pipelines.

May 1, 20262 min read

Terraform

Terraform CI/CD with Jenkins - Complete Pipeline

Automate Terraform with Jenkins pipelines. Declarative and scripted pipelines, credentials management, approval gates, and multi-environment deployments.

May 1, 20262 min read

Terraform

Install Terraform in Docker Containers

Run Terraform in Docker containers for consistent CI/CD environments. Official HashiCorp image, custom Dockerfiles, and Docker Compose workflows.

May 1, 20262 min read

Quick Answer

Production Pipeline

Azure Backend Configuration

Service Connection Setup

Environment Approvals

Variable Groups

Related Articles

Conclusion

Related articles

Terraform CI/CD with GitHub Actions - Complete Pipeline

Terraform CI/CD with GitLab CI - Complete Pipeline

Terraform CI/CD with Jenkins - Complete Pipeline

Install Terraform in Docker Containers