apply_requirements
The apply_requirements configuration allow you to define a set of conditions that must be met before an apply operation can be executed on a pull request. These requirements help ensure that changes to your infrastructure are properly reviewed and approved before being applied.
Default Configuration
apply_requirements: create_completed_apply_check_on_noop: false create_pending_apply_check: true checks: - tag_query: '' approved: enabled: false any_of: [] any_of_count: 1 all_of: [] merge_conflicts: enabled: true status_checks: enabled: true ignore_matching: []Keys
| Key | Type | Description |
|---|---|---|
| create_completed_apply_check_on_noop | boolean | Automatically create and mark the terrateam apply status check as complete on noop. Default is false. |
| create_pending_apply_check | boolean | Automatically create a pending apply check. Default is true. |
| checks | array | A set of checks that must be passed before an apply operation can proceed. |
Create Completed Apply Check on No Operations
The create_completed_apply_check_on_noop is used to toggle the completed status of the terrateam apply status check driven by create_pending_apply_check.
Create Pending Apply Check
The create_pending_apply_check key is used to toggle the creation of a terrateam apply GitHub status check.
Checks
Checks are a nested configuration within apply_requirements that specify various conditions that must be met before an apply can proceed.
Tag Query
The tag_query key is used to specify a tag query that determines which directories and workspaces the apply requirements should be applied to. This allows you to have different apply requirements for different parts of your infrastructure.
| Key | Type | Description |
|---|---|---|
| tag_query | string | A tag query that specifies which directories and workspaces the apply requirements should be applied to. Default is "", which matches all directories and workspaces. |
Approved
The approved key is used to specify the approval requirements for the pull request before an apply operation can be executed.
| Key | Type | Description |
|---|---|---|
| enabled | boolean | Specifies whether the approval requirement is enabled. Default is false. |
| any_of | list | List of GitHub teams/users/roles, where any one of them is required to approve the pull request. |
| any_of_count | integer | The number of approvals required from the any_of list. Default is 1. |
| all_of | list | List of GitHub teams/users/roles, where all of them are required to approve the pull request. |
Merge Conflicts
The merge_conflicts key is used to specify whether the pull request must have no merge conflicts before an apply operation can be executed.
| Key | Type | Description |
|---|---|---|
| enabled | boolean | Specifies whether the merge conflict check is enabled. Default is true. |
Status Checks
The status_checks key is used to specify whether all status checks associated with the pull request must pass before an apply operation can be executed.
| Key | Type | Description |
|---|---|---|
| enabled | boolean | Specifies whether the status checks requirement is enabled. Default is true. |
| ignore_matching | list | A list of regular expressions. Status checks matching any of these expressions will be ignored. Default is []. |
Examples
Require Approvals from Specific Users Based on Directory
apply_requirements: checks: - tag_query: "dir:tf1" approved: enabled: true all_of: ["user:alice"] - tag_query: "dir:tf2" approved: enabled: true all_of: ["user:bob"]This configuration will require the pull request to have an approval from the user “alice” for changes in the “tf1” directory, and an approval from the user “bob” for changes in the “tf2” directory.
Require Any 2 Approvals from a List Of Users
apply_requirements: checks: - tag_query: "" approved: enabled: true any_of: ["user:alice", "user:bob", "user:bender", "user:fry"] any_of_count: 2This configuration will require the pull request to have at least 2 approvals from any of the users in the any_of list before an apply operation can be executed.
Require Approvals from All Users in a List
apply_requirements: checks: - tag_query: "" approved: enabled: true all_of: ["user:alice", "user:bob"]This configuration will require the pull request to have approvals from both “alice” and “bob” before an apply operation can be executed.
The terrateam apply GitHub Status Check
The terrateam apply status check is created when a pull request contains Terraform or OpenTofu changes. It remains pending until all directories and workspaces in the changes have been applied, at which point it is marked as completed. By default, this check is only created if there are Terraform or OpenTofu changes. When create_completed_apply_check_on_noop is set to true, Terrateam will create the apply status check in a completed state if there are no Terraform or OpenTofu changes in the pull request. This setting allows the apply status check to be required for merging even when no changes have been made. By default, create_completed_apply_check_on_noop is set to false.
Considerations
When configuring apply requirements, keep the following in mind:
- Apply requirements are evaluated whenever an apply operation is attempted, whether manually or through an autoapply trigger.
- If any of the enabled requirements are not met, the apply operation will not be executed, and an error message will be displayed.
- Apply requirements can be overridden using the
terrateam apply-forcecommand, which bypasses all requirements. This command should be used with caution and only by authorized users. - The
tag_querykey allows you to define different apply requirements for different parts of your infrastructure. This can be useful when you have different approval processes or requirements for different directories or workspaces. - The
any_ofandall_ofkeys in theapprovedsection provide flexibility in defining approval requirements. You can require approvals from any number of users in a list, or require approvals from all users in a list. - Regularly review and update your apply requirements configuration to ensure it aligns with your organization’s policies and best practices for infrastructure changes.