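// Terraform CI/CD Pipeline
//
// Parameters:
//   ENVIRONMENT  - selects environments/<env>.tfvars. A choice parameter, so it can only take
//                  the three listed values (no shell metacharacters can reach the var-file path).
//   ACTION       - plan | apply | destroy. 'destroy' is now planned with `terraform plan -destroy`
//                  and applied from that saved plan, so it goes through the same review and
//                  approval path as 'apply' (previously ACTION=destroy ran no destroy step at all).
//   AUTO_APPROVE - skips the manual gate for NON-production destroys only. It never bypasses the
//                  production gate: anyone allowed to start this job can set the parameter, so a
//                  parameter-controlled bypass would make the production approval meaningless.
//
// Security notes (review):
//   - AWS credentials are static access keys from the Jenkins credential store. They are bound only
//     inside the stages that need them rather than exported pipeline-wide; prefer short-lived
//     credentials (role assumption / OIDC) if the platform supports them.
//   - The saved plan file (tfplan) contains the full planned resource attributes, including values
//     Terraform marks sensitive, so it is NOT archived as a build artifact. It only lives in the
//     workspace for the duration of this build and is removed in post{} (archiving it would have
//     kept a copy on the controller after that cleanup).
//   - `terraform init` runs WITHOUT -upgrade so the provider versions recorded in
//     .terraform.lock.hcl are honoured instead of being moved forward on every build.
pipeline {
    agent any

    parameters {
        choice(name: 'ENVIRONMENT', choices: ['dev', 'staging', 'production'])
        choice(name: 'ACTION', choices: ['plan', 'apply', 'destroy'])
        booleanParam(name: 'AUTO_APPROVE', defaultValue: false,
                     description: 'Skip the manual gate for non-production destroys. Ignored for production.')
    }

    environment {
        AWS_DEFAULT_REGION = 'us-east-1'
        TF_IN_AUTOMATION   = 'true'
        // Derived from a choice parameter; the only possible values are the three listed above.
        TF_VAR_FILE        = "environments/${params.ENVIRONMENT}.tfvars"
        // Exposed to shell steps so they can read it as $TF_ACTION instead of relying on Groovy
        // string interpolation inside sh blocks.
        TF_ACTION          = "${params.ACTION}"
    }

    stages {
        stage('Checkout') {
            steps {
                echo "🔄 Checking out code..."
                checkout scm
            }
        }

        stage('Terraform Init') {
            steps {
                echo "🔧 Initializing Terraform..."
                withCredentials([
                    string(credentialsId: 'aws-access-key', variable: 'AWS_ACCESS_KEY_ID'),
                    string(credentialsId: 'aws-secret-key', variable: 'AWS_SECRET_ACCESS_KEY')
                ]) {
                    // -input=false: never block on an interactive prompt in CI.
                    // No -upgrade: respect the dependency lock file committed with the code.
                    sh 'terraform init -input=false'
                }
            }
        }

        stage('Terraform Validate') {
            steps {
                echo "✅ Validating configuration..."
                sh '''
                    terraform validate
                    terraform fmt -check -recursive
                '''
            }
        }

        stage('Security Scan') {
            steps {
                echo "🔒 Running security scan..."
                // --soft-fail keeps findings from failing the build (the report is archived for the
                // approver to read). The trailing `|| true` is gone on purpose: a scanner that cannot
                // run at all (image pull failure, docker error) must fail the build instead of being
                // silently recorded as "scanned".
                // TODO(security): pin the scanner image to a specific tag or digest instead of :latest.
                sh '''
                    docker run --rm -v "$(pwd)":/src aquasec/tfsec:latest /src \
                        --format json --soft-fail > tfsec-report.json
                '''
                archiveArtifacts artifacts: 'tfsec-report.json', allowEmptyArchive: true
            }
        }

        stage('Terraform Plan') {
            // Runs for every ACTION so that a destroy is reviewed and applied from a saved plan,
            // exactly like an apply.
            steps {
                echo "📋 Planning changes..."
                withCredentials([
                    string(credentialsId: 'aws-access-key', variable: 'AWS_ACCESS_KEY_ID'),
                    string(credentialsId: 'aws-secret-key', variable: 'AWS_SECRET_ACCESS_KEY')
                ]) {
                    // $plan_mode is intentionally unquoted so it expands to nothing for plan/apply.
                    sh '''
                        set -eu
                        plan_mode=""
                        if [ "$TF_ACTION" = "destroy" ]; then
                            plan_mode="-destroy"
                        fi
                        terraform plan -input=false -var-file="$TF_VAR_FILE" $plan_mode -out=tfplan
                    '''
                }
                // tfplan is deliberately not archived; see the header note on sensitive data.
            }
        }

        stage('Approval') {
            // Manual gate. Production applies and destroys ALWAYS stop here; AUTO_APPROVE only lets
            // non-production destroys through unattended. Non-production applies are not gated.
            when {
                anyOf {
                    expression { params.ENVIRONMENT == 'production' && params.ACTION != 'plan' }
                    expression { params.ACTION == 'destroy' && !params.AUTO_APPROVE }
                }
            }
            steps {
                input message: "${params.ACTION.toUpperCase()} ${params.ENVIRONMENT}? Review the plan output and tfsec-report.json before continuing.",
                      ok: 'Proceed'
            }
        }

        stage('Terraform Apply') {
            when { expression { params.ACTION == 'apply' || params.ACTION == 'destroy' } }
            steps {
                echo "🚀 Applying changes..."
                withCredentials([
                    string(credentialsId: 'aws-access-key', variable: 'AWS_ACCESS_KEY_ID'),
                    string(credentialsId: 'aws-secret-key', variable: 'AWS_SECRET_ACCESS_KEY')
                ]) {
                    // Applies exactly the plan that was reviewed; there is no re-planning here.
                    sh 'terraform apply -input=false tfplan'
                }
            }
        }

        stage('Terraform Output') {
            when { expression { params.ACTION == 'apply' } }
            steps {
                echo "📊 Collecting outputs..."
                // Credentials are bound here as well: init needed them, which suggests state lives in a
                // remote backend, and `terraform output` reads that state.
                withCredentials([
                    string(credentialsId: 'aws-access-key', variable: 'AWS_ACCESS_KEY_ID'),
                    string(credentialsId: 'aws-secret-key', variable: 'AWS_SECRET_ACCESS_KEY')
                ]) {
                    // NOTE(review): `terraform output -json` prints outputs marked sensitive in clear
                    // text, and the archived outputs.json is readable by anyone with read access to
                    // this build. Drop the archive (or the -json file) if any output is sensitive.
                    sh '''
                        terraform output -json > outputs.json
                        terraform output
                    '''
                }
                archiveArtifacts artifacts: 'outputs.json'
            }
        }
    }

    post {
        success {
            echo "✅ ${params.ACTION.toUpperCase()} SUCCESSFUL!"
        }
        failure {
            echo "❌ ${params.ACTION.toUpperCase()} FAILED!"
        }
        always {
            // Remove the plan file explicitly (it holds sensitive values) before the general
            // workspace cleanup.
            sh 'rm -f tfplan'
            cleanWs()
        }
    }
}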