From 70917ed2422aa432260a5bb02ad18bfaa286be22 Mon Sep 17 00:00:00 2001
From: Julie Ng
Date: Sat, 21 Nov 2020 18:33:31 +0100
Subject: [PATCH] pipeline(detect-drift): add pull request trigger, post result to GitHub

---
 azure-pipelines/detect-drift.yaml | 120 ++++++++++++++++++++++--------
 1 file changed, 91 insertions(+), 29 deletions(-)

diff --git a/azure-pipelines/detect-drift.yaml b/azure-pipelines/detect-drift.yaml
index 2f45c44..eb89c20 100644
--- a/azure-pipelines/detect-drift.yaml
+++ b/azure-pipelines/detect-drift.yaml
@@ -20,35 +20,97 @@ schedules: variables: - group: e2e-gov-demo-kv -steps: -- bash: terraform version - displayName: Terraform - Vsersion +stages: -- bash: | - terraform validate - terraform fmt -check - displayName: Terraform - Validate and Lint +# Stage: Terraform Plan +# --------------------- +- stage: TFPlanStage + displayName: Detect Drift + jobs: + - job: DetectDriftJob + displayName: Terraform Plan + steps: + - bash: | + terraform init \ + -backend-config="storage_account_name=$TF_STATE_BLOB_ACCOUNT_NAME" \ + -backend-config="container_name=$TF_STATE_BLOB_CONTAINER_NAME" \ + -backend-config="key=$TF_STATE_BLOB_FILE" \ + -backend-config="sas_token=$TF_STATE_BLOB_SAS_TOKEN" + displayName: Terraform - Init + env: + TF_STATE_BLOB_ACCOUNT_NAME: $(kv-tf-state-blob-account) + TF_STATE_BLOB_CONTAINER_NAME: $(kv-tf-state-blob-container) + TF_STATE_BLOB_FILE: $(kv-tf-state-blob-file) + TF_STATE_BLOB_SAS_TOKEN: $(kv-tf-state-sas-token) -- bash: | - terraform init \ - -backend-config="storage_account_name=$TF_STATE_BLOB_ACCOUNT_NAME" \ - -backend-config="container_name=$TF_STATE_BLOB_CONTAINER_NAME" \ - -backend-config="key=$TF_STATE_BLOB_FILE" \ - -backend-config="sas_token=$TF_STATE_BLOB_SAS_TOKEN" - displayName: Terraform - Init - env: - TF_STATE_BLOB_ACCOUNT_NAME: $(kv-tf-state-blob-account) - TF_STATE_BLOB_CONTAINER_NAME: $(kv-tf-state-blob-container) - TF_STATE_BLOB_FILE: $(kv-tf-state-blob-file) - TF_STATE_BLOB_SAS_TOKEN: $(kv-tf-state-sas-token) + - bash: | + # Remember Exit Code + set -o pipefail -- bash: terraform plan -detailed-exitcode -var superadmins_aad_object_id=$AAD_SUPERADMINS_GROUP_ID - displayName: Terraform - Detect configuration drift - env: - ARM_SUBSCRIPTION_ID: $(kv-arm-subscription-id) - ARM_CLIENT_ID: $(kv-arm-client-id) - ARM_CLIENT_SECRET: $(kv-arm-client-secret) - ARM_TENANT_ID: $(kv-arm-tenant-id) - AZDO_ORG_SERVICE_URL: $(kv-azure-devops-org-url) - AZDO_PERSONAL_ACCESS_TOKEN: $(kv-azure-devops-pat) - AAD_SUPERADMINS_GROUP_ID: 
$(kv-aad-superadmins-group-id) + # Run `terraform plan` and save output + terraform plan \ + -detailed-exitcode \ + -var superadmins_aad_object_id=$AAD_SUPERADMINS_GROUP_ID \ + | tee plan-output.txt + + # Save Exit Code + STATUS=${PIPESTATUS[@]} + echo "##vso[task.setvariable variable=tfPlanExit;isOutput=true]$("echo $STATUS")" + [[ $STATUS == "0" ]] && exit 0 || exit 1 + displayName: Terraform - Detect configuration drift + continueOnError: true # so we can post result to Pull Request + name: planStep + env: + ARM_SUBSCRIPTION_ID: $(kv-arm-subscription-id) + ARM_CLIENT_ID: $(kv-arm-client-id) + ARM_CLIENT_SECRET: $(kv-arm-client-secret) + ARM_TENANT_ID: $(kv-arm-tenant-id) + AZDO_ORG_SERVICE_URL: $(kv-azure-devops-org-url) + AZDO_PERSONAL_ACCESS_TOKEN: $(kv-azure-devops-pat) + AAD_SUPERADMINS_GROUP_ID: $(kv-aad-superadmins-group-id) + + # # Multiline variables are not supported in Azure DevOps 😕 + # - bash: | + # echo "##vso[task.setvariable variable=tfPlanOutput]$(cat ./plan-output.txt)" + # displayName: Save terraform plan output + + # - bash: echo $(tfPlanOutput) + # displayName: debug tf plan output + + +# Stage: Pull Request Comment +# --------------------------- +- stage: PRCommentStage + displayName: Pull Request Comment + condition: eq(variables['Build.Reason'], 'PullRequest') + variables: + github-repo-name: Azure-Samples/devops-governance + github-connection-name: Azure-Samples + ado-org-name: julie-msft + ado-project-name: e2e-governance-demo + has-drift: ne('0', $[ dependencies.DetectDriftJob.outputs['DetectDriftJob.planStep.tfPlanExit'] ]) + jobs: + - job: PostCommentJob + displayName: Post to GitHub + steps: + - task: GitHubComment@0 + condition: eq(variables['has-drift'], false) + displayName: Post - No Drift + inputs: + gitHubConnection: ${{ variables['github-connection-name'] }} + repositoryName: $(github-repo-name) + comment: | + 🟢 No configuration drift detected + + - task: GitHubComment@0 + condition: variables['has-drift'] + displayName: Post 
- Has Drift + inputs: + gitHubConnection: ${{ variables['github-connection-name'] }} + repositoryName: $(github-repo-name) + comment: | + ### ⚠️  Configuration Drift Detected + + Approving this Pull Request may result in destructive changes to your Azure resources. Please review the `terraform plan` output diff at Azure Pipelines Build Result Page. + + Proceed with caution!
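Review bot: `STATUS=${PIPESTATUS[@]}` in the plan step captures the exit codes of both pipeline members as one space-separated string, so `[[ $STATUS == "0" ]]` can never match and `$("echo $STATUS")` tries to execute a command literally named `echo 0 0` (empty stdout), leaving `tfPlanExit` blank; the step therefore always exits 1 and `has-drift` always reads as drift. Use `STATUS=${PIPESTATUS[0]}` and `echo "##vso[task.setvariable variable=tfPlanExit;isOutput=true]$STATUS"` so the downstream stage sees terraform's own code. Consider also preserving the `-detailed-exitcode` distinction between `1` (plan failed) and `2` (changes pending) instead of collapsing both to `exit 1`, so an expired credential or backend error is reported to the pull request as a failure rather than as configuration drift. The `has-drift` variable in PRCommentStage mixes a function call with a `$[ ]` runtime expression and references `dependencies.DetectDriftJob`, which as far as I can tell only resolves within the same stage; a cross-stage output normally needs the `stageDependencies.TFPlanStage.DetectDriftJob.outputs[...]` form inside a single `$[ ... ]`, so verify the rendered value against the Azure Pipelines docs before relying on the two task conditions. Since the plan runs against the shared state with the ARM, PAT and SAS credentials on PullRequest builds, it is worth confirming that the pull-request trigger (outside this hunk) limits which branches or forks can start it.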