Terraform
Run Tasks
HCP Terraform run tasks let you directly integrate third-party tools and services at certain stages in the HCP Terraform run lifecycle. Use run tasks to validate Terraform configuration files, analyze execution plans before applying them, scan for security vulnerabilities, or perform other custom actions.
Run tasks send data about a run to an external service at specific run stages. The external service processes the data, evaluates whether the run passes or fails, and sends a response to HCP Terraform. HCP Terraform then uses this response and the run task enforcement level to determine if a run can proceed. Explore run tasks in the Terraform registry.
You can manage run tasks through the HCP Terraform UI or the Run Tasks API.
Hands-on: Try the HCP Packer validation run task tutorial.
Requirements
Terraform Version - You can assign run tasks to workspaces that use a Terraform version of 1.1.9 and later. You can downgrade a workspace with existing runs to use a prior Terraform version without causing an error. However, HCP Terraform no longer triggers the run tasks during plan and apply operations.
Permissions - To create a run task, you must have a user account with the Manage Run Tasks permission. To associate run tasks with a workspace, you need the Manage Workspace Run Tasks permission on that particular workspace.
Creating a Run Task
Explore the full list of run tasks in the Terraform Registry.
Run tasks send an API payload to an external service. The API payload contains run-related information, including a callback URL, which the service uses to return a pass or fail status to HCP Terraform.
For example, the HCP Packer integration checks image artifacts within a Terraform configuration for validity. If the configuration references images marked as unusable (revoked), then the run task fails and provides an error message.
To create a new run task:
Navigate to the desired workspace, open the Settings menu, and select Run Tasks.
Click Create a new run task. The Run Tasks page appears.
Enter the information about the run task to be configured:
- Enabled (optional): Whether the run task will run across all associated workspaces. New tasks are enabled by default.
- Name (required): A human-readable name for the run task. This will be displayed in workspace configuration pages and can contain letters, numbers, dashes and underscores.
- Endpoint URL (required): The URL for the external service. Run tasks will POST the run tasks payload to this URL.
- Description (optional): A human-readable description for the run task. This information can contain letters, numbers, spaces, and special characters.
- HMAC key (optional): A secret key that may be required by the external service to verify request authenticity.
Click Create run task. The run task is now available within the organization, and you can associate it with one or more workspaces.
Global Run Tasks
When you create a new run task, you can choose to apply it globally to every workspace in an organization. Your organization must have the global-run-task
entitlement to use global run tasks.
Select the Global checkbox
Choose when HCP Terraform should start the run task:
- Pre-plan: Before Terraform creates the plan.
- Post-plan: After Terraform creates the plan.
- Pre-apply: Before Terraform applies a plan.
- Post-apply: After Terraform applies a plan.
Choose an enforcement level:
- Advisory: Run tasks can not block a run from completing. If the task fails, the run proceeds with a warning in the user interface.
- Mandatory: Failed run tasks can block a run from completing. If the task fails (including timeouts or unexpected remote errors), the run stops and errors with a warning in the user interface.
Associating Run Tasks with a Workspace
Click Workspaces and then go to the workspace where you want to associate run tasks.
Open the Settings menu and select Run Tasks.
Click the + next to the task you want to add to the workspace.
Choose when HCP Terraform should start the run task:
- Pre-plan: Before Terraform creates the plan.
- Post-plan: After Terraform creates the plan.
- Pre-apply: Before Terraform applies a plan.
- Post-apply: After Terraform applies a plan.
Choose an enforcement level:
- Advisory: Run tasks can not block a run from completing. If the task fails, the run will proceed with a warning in the UI.
- Mandatory: Run tasks can block a run from completing. If the task fails (including a timeout or unexpected remote error condition), the run will transition to an Errored state with a warning in the UI.
Click Create. Your run task is now configured.
Understanding Run Tasks Within a Run
Run tasks perform actions before and after, the plan and apply stages of a Terraform run. Once all run tasks complete, the run ends based on the most restrictive enforcement level in each associated run task.
For example, if a mandatory task fails and an advisory task succeeds, the run fails. If an advisory task fails, but a mandatory task succeeds, the run succeeds and proceeds to the apply stage. Regardless of the exit status of a task, HCP Terraform displays the status and any related message data in the UI.
Removing a Run Task from a Workspace
Removing a run task from a workspace does not delete it from the organization. To remove a run task from a specific workspace:
Navigate to the desired workspace, open the Settings menu and select Run Tasks.
Click the ellipses (...) on the associated run task, and then click Remove. The run task will no longer be applied to runs within the workspace.
Deleting a Run Task
You must remove a run task from all associated workspaces before you can delete it. To delete a run task:
Navigate to Settings and click Run Tasks.
Click the ellipses (...) next to the run task you want to delete, and then click Edit.
Click Delete run task.
You cannot delete run tasks that are still associated with a workspace. If you attempt this, you will see a warning in the UI containing a list of all workspaces that are associated with the run task.