Set conditions for deployment runs

Learn how to use deployment groups to create orchestration rules that automatically approve deployment runs, helping you manage your deployments at scale.

Create deployment groups

You can create deployment groups in your deployment configuration file to define rules that let you auto-approve deployment runs.

If you do not explicitly define a group for a deployment, Terraform automatically creates a default deployment group associated with that deployment. You cannot define custom rules on default deployment groups.

Add the deployment_group block to your deployment configuration to create a new group:

deployment_group "staging_group" {
   # ...
}

Deployment groups require you to define the rules that group enforces.

The deployment_auto_approve rule is helpful when you know you want a certain type of plan to go ahead without manual intervention. For example, Stacks have a default auto-approve rule named empty_plan, which automatically approves a plan if it has no changes.

Use the deployment_auto_approve block to define an auto-approval rule that automatically approves a deployment plan if the condition you set is met. In the the following example, the no_changes rule automatically approves a deployment plan if it has no changes:

deployment_auto_approve "no_changes" {
  check {
    condition = context.plan.changes.total == 0
    reason    = "Plan contains too many changes for automatic approval."
  }
}

The condition argument in the deployment_auto_approve block has access to the context of the current deployment run. To learn more about context, refer to the deployment_auto_approve reference.

After defining your auto-approval rule, add that rule to your deployment group using the auto_approve_checks argument. In the following example, the staging_group deployment group enforces the no_changes rule:

deployment_auto_approve "no_changes" {
  check {
    condition = context.plan.changes.total == 0
    reason    = "Plan contains too many changes for automatic approval."
  }
}

deployment_group "staging_group" {
  auto_approve_checks = [
    deployment_auto_approve.no_changes
  ]
}

After assigning auto-approve rules to your deployment group, you can add a deployment to that group. In the following example, the staging deployment is added to the staging_group deployment group:

deployment_auto_approve "no_changes" {
  check {
    condition = context.plan.changes.total == 0
    reason    = "Plan contains too many changes for automatic approval."
  }
}

deployment_group "staging_group" {
  auto_approve_checks = [
    deployment_auto_approve.no_changes
  ]
}

deployment "staging" {
  inputs = {
    environment = "production"
    region      = "us-west-2"
  }

  deployment_group = deployment_group.staging_group
}

The staging deployment now automatically approves all runs that do not change any resources in that deployment.

You can add multiple auto-approve rules to a deployment group to build more sophisticated conditions. The following example adds another auto-approve rule named successful_plans:

deployment_auto_approve "no_changes" {
  check {
    condition = context.plan.changes.total == 0
    reason    = "Plan contains too many changes for automatic approval."
  }
}

deployment_auto_approve "successful_plans" {
  check {
    condition = context.success == true
    reason    = "Operation failed and requires manual intervention."
  }
}

deployment_group "staging_group" {
  auto_approve_checks = [
    deployment_auto_approve.approve_staging,
    deployment_auto_approve.successful_plans
  ]
}

Now, the staging_group deployment group automatically approves all runs on the staging deployment if they are successful and do not change any resources.

Next steps

With your Stack and deployment configurations complete, your Stack is ready to be deployed by HCP Terraform. To learn more about creating a Stack in HCP Terraform, refer to Create a Stack.