Skip to content

apply_requirements

The apply_requirements configuration allow you to define a set of conditions that must be met before an apply operation can be executed on a pull request. These requirements help ensure that changes to your infrastructure are properly reviewed and approved before being applied.

Default Configuration

apply_requirements:
create_completed_apply_check_on_noop: false
create_pending_apply_check: true
checks:
- tag_query: ''
approved:
enabled: false
any_of: []
any_of_count: 1
all_of: []
merge_conflicts:
enabled: true
status_checks:
enabled: true
ignore_matching: []

Keys

KeyTypeDescription
create_completed_apply_check_on_noopbooleanAutomatically create and mark the terrateam apply status check as complete on noop. Default is false.
create_pending_apply_checkbooleanAutomatically create a pending apply check. Default is true.
checksarrayA set of checks that must be passed before an apply operation can proceed.

Create Completed Apply Check on No Operations

The create_completed_apply_check_on_noop is used to toggle the completed status of the terrateam apply status check driven by create_pending_apply_check.

Create Pending Apply Check

The create_pending_apply_check key is used to toggle the creation of a terrateam apply GitHub status check.

Checks

Checks are a nested configuration within apply_requirements that specify various conditions that must be met before an apply can proceed.

Tag Query

The tag_query key is used to specify a tag query that determines which directories and workspaces the apply requirements should be applied to. This allows you to have different apply requirements for different parts of your infrastructure.

KeyTypeDescription
tag_querystringA tag query that specifies which directories and workspaces the apply requirements should be applied to. Default is "", which matches all directories and workspaces.

Approved

The approved key is used to specify the approval requirements for the pull request before an apply operation can be executed.

KeyTypeDescription
enabledbooleanSpecifies whether the approval requirement is enabled. Default is false.
any_oflistList of GitHub teams/users/roles, where any one of them is required to approve the pull request.
any_of_countintegerThe number of approvals required from the any_of list. Default is 1.
all_oflistList of GitHub teams/users/roles, where all of them are required to approve the pull request.

Merge Conflicts

The merge_conflicts key is used to specify whether the pull request must have no merge conflicts before an apply operation can be executed.

KeyTypeDescription
enabledbooleanSpecifies whether the merge conflict check is enabled. Default is true.

Status Checks

The status_checks key is used to specify whether all status checks associated with the pull request must pass before an apply operation can be executed.

KeyTypeDescription
enabledbooleanSpecifies whether the status checks requirement is enabled. Default is true.
ignore_matchinglistA list of regular expressions. Status checks matching any of these expressions will be ignored. Default is [].

Examples

Require Approvals from Specific Users Based on Directory

apply_requirements:
checks:
- tag_query: "dir:tf1"
approved:
enabled: true
all_of: ["user:alice"]
- tag_query: "dir:tf2"
approved:
enabled: true
all_of: ["user:bob"]

This configuration will require the pull request to have an approval from the user “alice” for changes in the “tf1” directory, and an approval from the user “bob” for changes in the “tf2” directory.

Require Any 2 Approvals from a List Of Users

apply_requirements:
checks:
- tag_query: ""
approved:
enabled: true
any_of: ["user:alice", "user:bob", "user:bender", "user:fry"]
any_of_count: 2

This configuration will require the pull request to have at least 2 approvals from any of the users in the any_of list before an apply operation can be executed.

Require Approvals from All Users in a List

apply_requirements:
checks:
- tag_query: ""
approved:
enabled: true
all_of: ["user:alice", "user:bob"]

This configuration will require the pull request to have approvals from both “alice” and “bob” before an apply operation can be executed.

The terrateam apply GitHub Status Check

The terrateam apply status check is created when a pull request contains Terraform or OpenTofu changes. It remains pending until all directories and workspaces in the changes have been applied, at which point it is marked as completed. By default, this check is only created if there are Terraform or OpenTofu changes. When create_completed_apply_check_on_noop is set to true, Terrateam will create the apply status check in a completed state if there are no Terraform or OpenTofu changes in the pull request. This setting allows the apply status check to be required for merging even when no changes have been made. By default, create_completed_apply_check_on_noop is set to false.

Considerations

When configuring apply requirements, keep the following in mind:

  • Apply requirements are evaluated whenever an apply operation is attempted, whether manually or through an autoapply trigger.
  • If any of the enabled requirements are not met, the apply operation will not be executed, and an error message will be displayed.
  • Apply requirements can be overridden using the terrateam apply-force command, which bypasses all requirements. This command should be used with caution and only by authorized users.
  • The tag_query key allows you to define different apply requirements for different parts of your infrastructure. This can be useful when you have different approval processes or requirements for different directories or workspaces.
  • The any_of and all_of keys in the approved section provide flexibility in defining approval requirements. You can require approvals from any number of users in a list, or require approvals from all users in a list.
  • Regularly review and update your apply requirements configuration to ensure it aligns with your organization’s policies and best practices for infrastructure changes.