
Require just One Approval for DevOps Multistage Pipeline


I have a multi-stage YAML pipeline:

Build Solution
     |
     ▼
Terraform DEV         \
     |                 |
     ▼                 |
Deploy Function App    |  DEV Environment (No Approval Required)
     |                 |
     ▼                 |
Provision API Mgmt    /
     |
     ▼
Terraform TEST        \
     |                 |
     ▼                 |
Deploy Function App    |  TEST Environment (Approval Required)
     |                 |
     ▼                 |
Provision API Mgmt    /

I have two environments configured (DEV and TEST) with an Approval configured on the TEST environment and the Terraform TEST stage has a deployment job configured to use the TEST environment. This means that when the pipeline reaches the Terraform TEST stage an email is sent to the approvers for the TEST environment and it waits.

When that stage is then approved the build continues.

The Deploy Function App stage also has a deployment job targeting the environment for that part of the pipeline. My issue is that when it reaches the Deploy Function App for the TEST environment it again asks for approval to deploy to the TEST environment.

My question is: Is this fixed behaviour? i.e. whenever a deployment is made to an environment with an approval is a new approval required? Or is there a way to change it so a pipeline only needs one approval to deploy (as many times as required) to a specific environment?


Solution

  • This is by design. One such scenario for this is rolling back changes to a previous pipeline run: it would be best practice to have an approval before redeploying code to the environment. As for the scenario where you have 3 stages and each one requires an approval, this is by design:

    A stage can consist of many jobs, and each job can consume several resources. Before the execution of a stage can begin, all checks on all the resources used in that stage must be satisfied. Azure Pipelines pauses the execution of a pipeline prior to each stage, and waits for all pending checks to be completed. Checks are re-evaluated based on the retry interval specified in each check. If all checks are not successful till the timeout specified, then that stage is not executed. If any of the checks terminally fails (for example, if you reject an approval on one of the resources), then that stage is not executed.

    In your given scenario, may I suggest the Terraform, function app and APIM deployments be part of the same stage? Each one of these jobs could also be templatized so you can reuse them in your additional environments. This would eliminate the possibility a user approves these incorrectly (unless you have dependsOn outlined) or the possibility that the Terraform Apply is the only one that is released.
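
The single-stage layout suggested in the answer, as an added example that is not part of the original answer. DEV and TEST are the environments from the question; the stage names, job names and `echo` placeholder steps are assumptions. Because checks are evaluated before a stage starts, the approval on TEST is requested once for the stage that holds all three deployment jobs.

```yaml
# Added example (not the asker's pipeline). One stage per environment,
# three deployment jobs per stage, all targeting the same environment.
parameters:
  - name: environments
    type: object
    default: [DEV, TEST]        # environment names taken from the question

stages:
  - stage: Build
    jobs:
      - job: BuildSolution      # hypothetical job name
        steps:
          - script: echo "build solution"   # placeholder for the real build

  # The same stage body is stamped out once per environment, so DEV and
  # TEST cannot drift apart. Stages run in the order listed by default.
  - ${{ each env in parameters.environments }}:
      - stage: Deploy_${{ env }}
        jobs:
          - deployment: Terraform
            environment: ${{ env }}   # approval check lives on this environment
            strategy:
              runOnce:
                deploy:
                  steps:
                    - script: echo "terraform apply for ${{ env }}"

          # Jobs in a stage run in parallel unless ordered with dependsOn.
          - deployment: FunctionApp
            dependsOn: Terraform
            environment: ${{ env }}
            strategy:
              runOnce:
                deploy:
                  steps:
                    - script: echo "deploy function app to ${{ env }}"

          - deployment: ApiManagement
            dependsOn: FunctionApp
            environment: ${{ env }}
            strategy:
              runOnce:
                deploy:
                  steps:
                    - script: echo "provision API Management in ${{ env }}"
```

With this layout a single approval covers all three jobs in the stage, so the approver is signing off on the Terraform, function app and API Management changes together.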