Allow manual step to run in a failed pipeline

Hi all,

I have created a pipeline to run a Terraform deployment, and if the deployment fails I would like to be able to run the manual destroy step. Adding allow_failure: true to the terraform apply step lets me run the next step, but the pipeline then ends in the passed state with a yellow exclamation mark. How do I make the pipeline end in the failed state while still allowing me to run the manual destroy?

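# Pipeline-wide variables: plan file names, the Terraform working directory,
# and the GitLab-managed Terraform state endpoint.
variables:
  # Binary plan written by `terraform plan -out` and consumed by the apply job.
  PLAN: plan.tfplan
  # Change summary derived from the plan and published as the Terraform report.
  JSON_PLAN_FILE: tfplan.json
  # Terraform working directory; the same path is listed under `cache:`.
  TF_STATE_PATH: .terraform
  # Base URL of the HTTP state backend. `terraform init` sends CI_JOB_TOKEN as
  # the backend password to this address, so it must be reached over HTTPS:
  # with plain http:// the token and the state contents cross the network
  # unencrypted. The GitLab instance has to serve TLS on this host.
  GITLAB_TF_ADDRESS: https://git.moorecap.com/api/v4/projects/${CI_PROJECT_ID}/terraform/state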
  
# One cache per branch or tag name, holding the Terraform working directory
# (TF_STATE_PATH). The plan, apply and destroy jobs `source` a script from this
# directory, so the cache content is executed, not only read.
# NOTE(review): a cache is best-effort and is shared by every job that uses the
# same key; handing shared-vars.sh over as a job artifact would tie it to the
# pipeline that produced it - confirm before relying on the cache for this.
cache:
  key: ${CI_COMMIT_REF_NAME}
  paths:
    - ${TF_STATE_PATH}

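# Runs in every job that does not define its own before_script. Picks the
# environment name, initialises the GitLab-managed HTTP state backend, and
# records the environment name for the jobs that source shared-vars.sh.
before_script:
  # master maps to "qa"; any other ref uses its own name as the environment.
  - if [ "$CI_COMMIT_REF_NAME" = "master" ]; then ENVIRONMENT="qa"; else ENVIRONMENT="$CI_COMMIT_REF_NAME"; fi
  # The name is chosen by whoever pushes the ref, and it ends up in a script
  # that later jobs source, in backend URLs and in file names. Stop the job on
  # anything outside a conservative character set instead of writing it out.
  - |
    case "$ENVIRONMENT" in
      ""|*[!A-Za-z0-9._/-]*)
        echo "Unsupported character in environment name" >&2
        exit 1
        ;;
    esac
  - terraform --version
  # NOTE(review): Terraform saves -backend-config values, the job token
  # included, inside the .terraform directory, which this pipeline caches.
  - >
    terraform init -backend-config="address=${GITLAB_TF_ADDRESS}/${ENVIRONMENT}"
    -backend-config="lock_address=${GITLAB_TF_ADDRESS}/${ENVIRONMENT}/lock"
    -backend-config="unlock_address=${GITLAB_TF_ADDRESS}/${ENVIRONMENT}/lock"
    -backend-config="username=gitlab-ci-token"
    -backend-config="password=${CI_JOB_TOKEN}"
    -backend-config="lock_method=POST"
    -backend-config="unlock_method=DELETE"
    -backend-config="retry_wait_min=5"

  # Single-quote the value so the sourcing shell treats it as data; the check
  # above guarantees it contains no quote character.
  - echo "export ENVIRONMENT='${ENVIRONMENT}';" > "${TF_STATE_PATH}/shared-vars.sh"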

# Stages run in the order listed; `destroy` is last, after `deploy`.
stages:
  - validate
  - build
  - test
  - deploy
  - destroy

# Static checks. This job defines no before_script of its own, so the global
# one (terraform init and writing shared-vars.sh) runs here.
validate:
  stage: validate
  script:
    # Check that the configuration is valid and internally consistent.
    - terraform validate
    # Fail if any file is not canonically formatted; nothing is rewritten.
    - terraform fmt -check=true

# Create the plan file and a change summary for the Terraform report.
plan:
  stage: build
  # Replaces the global before_script: no `terraform init` here, the job loads
  # ENVIRONMENT from the script stored in the cached working directory.
  before_script:
    - source ${TF_STATE_PATH}/shared-vars.sh
  script:
    - terraform plan -var-file=${ENVIRONMENT}.tfvars -out=$PLAN
    # Reduce the plan JSON to create/update/delete counts, so the report file
    # carries no resource attributes.
    - terraform show --json ${PLAN} | jq -r '([.resource_changes[]?.change.actions?]|flatten)|{"create":(map(select(.=="create"))|length),"update":(map(select(.=="update"))|length),"delete":(map(select(.=="delete"))|length)}' > ${JSON_PLAN_FILE}
  # NOTE(review): unlike the report, the binary plan stored under `paths` can
  # hold variable values and backend settings in readable form, and anyone who
  # can download job artifacts can read it. Consider `expire_in` and restricted
  # artifact access - confirm what the GitLab version in use supports.
  artifacts:
    paths:
      - $PLAN
    reports:
      terraform: $JSON_PLAN_FILE

# Apply the saved plan. Apply can be destructive and was meant to be launched
# manually, but `when: manual` and `only: prod` below are commented out, so as
# written this job runs automatically.
apply:
  stage: deploy
  # Replaces the global before_script; ENVIRONMENT comes from the cached script.
  before_script:
    - source ${TF_STATE_PATH}/shared-vars.sh
  environment:
    name: ${ENVIRONMENT}
  script:
    # Applies exactly the plan produced by the `plan` job, without prompting.
    - terraform apply -input=false $PLAN
  # Fetch artifacts from `plan` only (the saved plan file).
  dependencies:
    - plan
  # A failed apply is reported as a warning and the pipeline moves on to the
  # destroy stage. The pipeline then shows as passed with a warning instead of
  # failed, so a broken deployment is easy to miss.
  allow_failure: true
#  when: manual
#  only:
#    - prod

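# Manually triggered teardown of the environment named in shared-vars.sh.
# Indented with two spaces like the other jobs, and shell expansions quoted.
# NOTE(review): `-auto-approve` removes Terraform's confirmation prompt, so the
# manual play button is the only gate. Nothing in this job limits which refs or
# users may run it; a protected environment or a `rules:` condition would -
# confirm what the project needs.
destroy:
  stage: destroy
  # Replaces the global before_script; ENVIRONMENT comes from the cached script.
  before_script:
    - source "${TF_STATE_PATH}/shared-vars.sh"
  environment:
    name: ${ENVIRONMENT}
  script:
    # Log the target environment before anything is removed.
    - echo "${ENVIRONMENT}"
    - terraform destroy -var-file="${ENVIRONMENT}.tfvars" -auto-approve
  # The apply job publishes no artifacts, so this entry downloads nothing.
  dependencies:
    - apply
  when: manual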