deployment_auto_approve block reference

Use the deployment_auto_approve block to define rules that automatically approve deployment plans based on specific conditions.

Background

The deployment_auto_approve block defines rules that automatically approve deployment plans when specific conditions are met.

The deployment_group block can reference one or more deployment_auto_approve blocks. All checks within the deployment_auto_approve blocks must pass for the plans of a deployment group to automatically apply.

By default, each Stack has a deployment_auto_approve rule named empty_plan, which automatically approves a plan if it contains no changes.

Configuration model

The deployment_auto_approve block supports the following arguments:

deployment_auto_approve "<LABEL>" block
- check block
  - condition expression
  - reason string

Complete configuration

All available arguments are defined in the following deployment_auto_approve block:

deployment_auto_approve "<LABEL>" {
  check {
    condition = <EXPRESSION>
    reason    = "<ERROR_MESSAGE>"
  }
}

Specification

A deployment_auto_approve block supports the following configuration.

`deployment_auto_approve "<LABEL>"`

The deployment_auto_approve block requires a label that serves as a unique name for the auto-approval rule within the Stack.

The following arguments are supported in a deployment_auto_approve block:

Argument	Description	Type	Required?
`check`	A block containing conditions and reasons for the rule.	Block	Required

`check`

The check block contains the conditions that must be met for the deployment_auto_approve block to automatically approve plans. A deployment_auto_approve block must contain at least one check block.

deployment_auto_approve "<LABEL>" {
  check {
    condition = <EXPRESSION>
    reason    = "<ERROR_MESSAGE>"
  }

  check {
    condition = <EXPRESSION_TWO>
    reason    = "<ERROR_MESSAGE_TWO>"
  }
}

The check block supports the following arguments:

Argument	Description	Type	Required?
`condition`	Expression that Terraform evaluates. If the expression evaluates to `true`, then the `check` block passes.	Expression	Required
`reason`	Message to display if the condition evaluates to `false`. The error message is displayed in HCP Terraform when manual approval is required.	String	Required

`condition`

The condition argument contains an expression that must evaluate to true for the check to pass. The condition argument has access to a context variable that includes information about the current deployment plan.

deployment_auto_approve "<LABEL>" {
  check {
    condition = context.<PLAN_ATTRIBUTE>
    # ...
  }
}

Deployment plan context

The condition argument has access to a context variable that contains information about the current deployment plan. The context variable contains the following arguments:

Argument	Description	Type
`operation`	The operation that HCP Terraform performs, either "plan" or "apply".	String
`success`	Whether the operation succeeds. When `false`, the `errors` argument contains diagnostic messages explaining the failure.	Boolean
`plan`	An object containing data about the current plan.	Object
`errors`	Diagnostic error message objects from the operation.	Set of objects
`warnings`	Diagnostic warning message objects from the operation.	Set of objects

The diagnostic message objects in context.errors and context.warnings contain the following arguments:

Argument	Description	Type
`summary`	A brief summary of the diagnostic message.	String
`detail`	Detailed information about the diagnostic message.	String

The context.plan object contains the following arguments:

Argument	Description	Type
`mode`	The plan mode, either "normal", "refresh-only", "import", or "destroy".	String
`applyable`	Whether Terraform can apply the plan.	Boolean
`changes`	A summary object of all changes in the plan.	Object
`component_changes`	Change summary objects for each component instance.	Map of objects
`replans`	The number of replans in this sequence, starting at `0`.	Integer
`deployment`	A reference to the current deployment.	Object

The objects in context.plan.component_changes contain the following arguments:

Argument	Description	Type
`add`	Number of resources to add.	Integer
`change`	Number of resources to change.	Integer
`import`	Number of resources to import.	Integer
`remove`	Number of resources to remove.	Integer
`total`	Total number of resource actions.	Integer

The object in context.plan.deployment contains the following arguments:

Argument	Description	Type
`deployment_name`	The name of the deployment running this plan. You can use this argument to check which deployment runs this plan. For example: `context.plan.deployment.deployment_name == "production"`.	String

Summary

Data type: Expression
Default: None
Required: Yes

`reason`

The reason argument provides a human-readable message that explains why the check failed. HCP Terraform displays this message when the condition evaluates to false and manual approval is required.

check {
  condition = <EXPRESSION>
  reason    = "<ERROR_MESSAGE_TO_DISPLAY>"
}

Summary

Data type: String
Default: None
Required: Yes

Examples

The following examples demonstrate common use cases for deployment_auto_approve blocks.

Fundamental auto-approve example

In the following example, the no_changes rule verifies whether context.plan.changes.total is equal to 0:

deployment_auto_approve "no_changes" {
  check {
    condition = context.plan.changes.total == 0
    reason    = "Plan contains too many changes for automatic approval."
  }
}

deployment_group "production" {
  auto_approve_checks = [
    deployment_auto_approve.no_changes
  ]
}

If context.plan.changes.total value is 0, a plan does not include updating resources. If a plan for a deployment in the production group does not include any changes, then the no_changes auto-approval rule automatically approves those plans.

Auto-approve when specific components unchanged

In the following example, the no_database_changes auto-approval rule checks whether context.plan.component_changes["component.database"].total equals 0 and automatically approves plans only when the database component has no resource changes:

deployment_auto_approve "no_database_changes" {
  check {
    condition = context.plan.component_changes["component.database"].total == 0
    reason    = "Database component has changes that require manual review."
  }
}

Auto-approve successful operations only

In the following example, the successful_plans auto-approval rule checks whether context.success equals true and automatically approves plans only when the operation succeeds without errors:

deployment_auto_approve "successful_plans" {
  check {
    condition = context.success == true
    reason    = "Operation failed and requires manual intervention."
  }
}

Multiple conditions

In the following example, the safe_production_changes auto-approval rule evaluates three conditions: context.plan.changes.total must be less than 5, context.plan.changes.remove must equal 0, and context.plan.deployment.deployment_name must not equal "production", requiring all three checks to pass for automatic approval:

deployment_auto_approve "safe_production_changes" {
  check {
    condition = context.plan.changes.total < 5
    reason    = "Too many changes for automatic approval."
  }

  check {
    condition = context.plan.changes.remove == 0
    reason    = "Resource removal requires manual approval."
  }

  check {
    condition = context.plan.deployment.deployment_name != "production"
    reason    = "Production deployments require manual approval."
  }
}