deployment_group block reference

Use the deployment_group block to define a group that can manage deployments and add orchestration rules for those deployments.

Background

Note

Deployment groups only support one deployment per group at this time.

The deployment_group block defines a new group that you can assign individual deployments to join. You can assign a deployment to a group using the deployment_group argument in a deployment block. If you don't assign a deployment to a group, Terraform automatically creates a default deployment group for that deployment.

Deployment groups let you enforce orchestration rules on the deployments within the group. To learn more, refer to Set conditions for deployment runs.

Configuration model

The deployment_group block supports the following arguments:

deployment_group "<LABEL>" block
- auto_approve_checks list of references

Complete configuration

All available arguments are defined in the following deployment_group block:

deployment_group "<LABEL>" {
  auto_approve_checks = [
    deployment_auto_approve.<LABEL>,
    deployment_auto_approve.<LABEL_TWO>
  ]
}

Specification

A deployment_group block supports the following configuration.

`deployment_group "<LABEL>"`

The label after the deployment_group keyword is a name for the group, which must be unique among all deployment groups in the same deployment configuration file. The name of a deployment group can be any valid identifier.

The deployment_group block supports the following arguments:

Argument	Description	Type	Required?
`auto_approve_checks`	A list of references to `deployment_auto_approve` blocks. If all the checks in the `deployment_auto_approve` blocks pass, then plans for the deployments in this group automatically apply.	List of references	Required

`auto_approve_checks`

The auto_approve_checks argument specifies a list of references to deployment_auto_approve blocks. Terraform evaluates each deployment_auto_approve block to determine whether a deployment's plan automatically applies without manual approval.

deployment_group "<LABEL>" {
  auto_approve_checks = [
    deployment_auto_approve.<LABEL>
  ]
}

When you reference multiple deployment_auto_approve blocks, every check must pass for the deployment's plan to automatically apply. If any deployment_auto_approve check fails, then the plan requires manual approval.

Summary

Data type: List of references
Default: Empty list (no auto-approval)
Required: Yes

Examples

The following examples demonstrate common use cases for deployment_group blocks.

Using deployment groups with deployments

In the following example, the production_group deployment group contains the production deployment:

deployment_group "production_group" {
  auto_approve_checks = [
    deployment_auto_approve.no_destroys
  ]
}

deployment "production" {
  inputs = {
    environment = "production"
    instance_count = 5
  }

  deployment_group = deployment_group.production_group
}

Each deployment can only belong to one deployment group. If you don't specify a deployment group, Terraform automatically creates a default group for that deployment.

Fundamental deployment group with auto-approval

In the following example, the web deployment is in the production deployment group. The production group references the no_destroys rule, which lets plans automatically apply if they do not plan to destroy resources:

deployment_auto_approve "no_destroys" {
  check {
    condition = context.plan.changes.remove == 0
    reason    = "Plan removes ${context.plan.changes.remove} resources."
  }
}

deployment_group "production" {
  auto_approve_checks = [
    deployment_auto_approve.no_destroys
  ]
}

deployment "web" {
  inputs = {
    environment = "production"
    region      = "us-west-2"
  }

  deployment_group = deployment_group.production
}

HCP Terraform now automatically approves any plan on the web deployment that does not remove resources. If a plan does include destroying resources, then it requires manual approval.

Multiple auto-approval checks

In the following example, the staging deployment group references two deployment_auto_approve blocks, allow_plans and apply_staging:

deployment_auto_approve "allow_plans" {
  check {
    condition = context.operation == "plan"
    reason    = "Apply operations need manual approval."
  }
}

deployment_auto_approve "apply_staging" {
  check {
    condition = context.plan.deployment == deployment.staging
    reason = "Automatically applying staging deployment."
  }
}

deployment_group "staging" {
  auto_approve_checks = [
    deployment_auto_approve.no_destroys,
    deployment_auto_approve.cost_limit
  ]
}

deployment "staging" {
  inputs = {
    environment = "staging"
    region      = "us-east-1"
  }

  deployment_group = deployment_group.staging
}

The staging deployment group now automatically approves planning runs that target the staging deployment. If either of these checks fails, then the plan requires manual approval.