Task 03: Review Plan Stage
Objective: Review Terraform plan to verify expected resource changes
Duration: ~3 minutes
DOCUMENT CATEGORY: Runbook
SCOPE: Review Terraform execution plan showing resource changes
PURPOSE: Review Terraform execution plan showing resource changes
MASTER REFERENCE: Terraform Plan Documentation
Status: Active
What Happens
The plan stage:
- Authenticates to Azure using CI/CD service principal
- Initializes Terraform backend (Azure Storage)
- Generates execution plan showing all resource changes
- Displays plan output in pipeline logs
Procedure
1. Click Plan Job
In CI/CD pipeline view, click the plan job.
2. Review Plan Output
Scroll through the Terraform plan looking for:
```
Terraform will perform the following actions:

# Resource groups
+ azurerm_resource_group.management

# Networking
+ azurerm_virtual_network.hub
+ azurerm_subnet.gateway
+ azurerm_subnet.azrl
+ azurerm_subnet.bastion
+ azurerm_subnet.endpoints
+ azurerm_subnet.dns

# VPN Gateway (longest deployment time)
+ azurerm_virtual_network_gateway.vpn

# Security
+ azurerm_key_vault.management

# Monitoring
+ azurerm_log_analytics_workspace.management

# Bastion
+ azurerm_bastion_host.management

Plan: 45 to add, 0 to change, 0 to destroy.
```
3. Verify Resource Counts
Check the summary line matches expectations:
- Management mode: ~30-40 resources
- Cluster mode: ~8-12 resources
4. Check for Unexpected Changes
Look for:
- ❌ Resources being destroyed (should be 0 on initial deployment)
- ❌ Unexpected resource modifications
- ✅ Only additions expected
Key Resources to Verify
| Resource Type | What to Check |
|---|---|
| VNet | Correct address space (e.g., 10.100.1.0/24) |
| Subnets | Correct CIDRs, proper sizing |
| VPN Gateway | Correct SKU (VpnGw2AZ), BGP configuration |
| Key Vault | Correct name, access policies |
| Storage Account | Correct name (lowercase, no hyphens) |
| Log Analytics | Correct retention settings |
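
The checks in steps 3 and 4 and two rows of the table above can also be run mechanically against the machine-readable plan. The script below is an added example, not part of this runbook's pipeline or the azurelocal-toolkit scripts; it assumes the plan was exported with `terraform show -json ./tfplan`, and `review_plan`, `rc_entry` and `SAMPLE_PLAN` are hypothetical names.

```python
import json
import re
import sys

# Approximate "to add" ranges from step 3, treated here as hard bounds (assumption).
EXPECTED_ADDS = {"management": (30, 40), "cluster": (8, 12)}
EXPECTED_VPN_SKU = "VpnGw2AZ"                    # from the Key Resources table
STORAGE_NAME = re.compile(r"^[a-z0-9]{3,24}$")  # Azure storage account naming rule

def review_plan(plan, mode):
    """Return findings for a plan dict loaded from `terraform show -json` output."""
    findings, adds = [], 0
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        # `after` is null for pure destroys; attributes unknown until apply are absent.
        after = rc["change"].get("after") or {}
        if "delete" in actions:        # plain destroy or a delete/create replacement
            findings.append(f"DESTROY {rc['address']} {actions}")
        elif "update" in actions:      # in-place change, unexpected on first deployment
            findings.append(f"MODIFY {rc['address']}")
        adds += int("create" in actions)
        sku, name = after.get("sku"), after.get("name")
        if rc["type"] == "azurerm_virtual_network_gateway" and sku not in (None, EXPECTED_VPN_SKU):
            findings.append(f"SKU {rc['address']} sku={sku!r}")
        if rc["type"] == "azurerm_storage_account" and name and not STORAGE_NAME.match(name):
            findings.append(f"NAME {rc['address']} name={name!r}")
    low, high = EXPECTED_ADDS[mode]
    if not low <= adds <= high:
        findings.append(f"COUNT {adds} to add, expected {low}-{high} in {mode} mode")
    return findings

def rc_entry(address, actions, after=None):  # builds one constructed plan entry
    return {"address": address, "type": address.split(".")[0],
            "change": {"actions": actions, "after": after}}

# Constructed sample plan, not output from a real pipeline run.
SAMPLE_PLAN = {"resource_changes": [
    *[rc_entry(f"azurerm_subnet.s{i}", ["create"], {}) for i in range(8)],
    rc_entry("azurerm_virtual_network_gateway.vpn", ["create"], {"sku": "VpnGw1"}),
    rc_entry("azurerm_storage_account.state", ["delete", "create"], {"name": "tf-state"}),
]}

if __name__ == "__main__":
    # Real use: terraform show -json ./tfplan > plan.json; python3 <this file> plan.json cluster
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    mode = sys.argv[2] if len(sys.argv) > 2 else "cluster"
    sys.exit("\n".join(review_plan(plan, mode)) or None)  # findings -> stderr, exit 1
```
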
Validation
- Plan stage completed successfully
- Resource count matches expectations
- No unexpected destroys or changes
- VPN Gateway configuration correct
- Network configuration matches planning
- Key Vault and storage naming valid

- GitHub. When to use: Use this tab if your CI/CD pipeline runs on GitHub Actions. See procedure steps above for GitHub-specific guidance.
- GitLab. When to use: Use this tab if your CI/CD pipeline runs on GitLab CI/CD. See procedure steps for GitLab-specific guidance.
- Azure DevOps. When to use: Use this tab if your CI/CD pipeline runs on Azure DevOps Pipelines. See procedure steps for Azure DevOps-specific guidance.

Scripts for this task are located in the azurelocal-toolkit repository under scripts/deploy/ in the appropriate task folder.
Alternatives
The procedures in this task use the scripted methods shown in the tabs above. Additional deployment methods including Azure CLI and Bash scripts are available in the azurelocal-toolkit repository under scripts/deploy/.
| Method | Description |
|---|---|
| Azure CLI | PowerShell-based Azure CLI scripts for Azure resource operations |
| Bash | Linux/macOS compatible shell scripts for pipeline environments |
Variables from variables.yml
| Variable | Config Path | Example |
|---|---|---|
| Plan Output Path | cicd.pipeline.plan_output | ./tfplan |
| State Backend | cicd.pipeline.state_backend | azurerm |
Troubleshooting
| Issue | Cause | Resolution |
|---|---|---|
| Plan shows unexpected changes | State file drift from manual changes | Reconcile state with actual infrastructure |
| Plan stage fails | Provider authentication issues | Verify service principal credentials and permissions |
Version Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0.0 | 2026-03-24 | Azure Local Cloud | Initial release |