Pull request automation runs a Terraform plan against every change proposed to your configuration, so it is reviewed and approved with its real effect visible before it is merged. That catches errors before apply, keeps the deployed state consistent with what was approved, and removes manual plan-and-paste steps while keeping a human in the approval loop.
Before diving into the setup process, make sure you have the following:
Setting Up Terraform Pull Request Automation with Bitbucket
To achieve this automation, we'll be using Bitbucket Pipelines, the continuous integration and deployment feature built into Bitbucket.
Step 1: Enable Bitbucket Pipelines
Step 2: Configure the Pipeline
```yaml
image: hashicorp/terraform:latest   # pin a specific version tag in practice

pipelines:
  # Run on pull request events (any source branch) instead of on every push.
  pull-requests:
    '**':
      - step:
          name: Terraform Plan
          script:
            # -input=false makes a missing variable fail the step instead of hanging on a prompt
            - terraform init -input=false
            # One plan run, saved to a file so the JSON below matches it exactly
            - terraform plan -input=false -out=tfplan
            - terraform show -no-color -json tfplan > tfplan.json
```
This configuration uses HashiCorp's official Terraform Docker image and defines a single step that initializes the working directory, writes a plan file, and renders that plan as JSON. A few details matter in practice. Pin the image to a specific version tag rather than `latest`, so a new Terraform release cannot silently change plan behaviour in your pipeline. Put the step under Bitbucket's `pull-requests:` key rather than `default:`, so it runs on pull request events instead of every push. Run `terraform plan` once with `-out=tfplan`, so the JSON you show is the plan you reviewed; running plan several times in one step only costs time and can diverge. Do not append `|| true` to a plan command: `-detailed-exitcode` returns 2 when there are changes and 1 on error, and `|| true` hides both, so a broken configuration would still pass the step. Finally, the plan needs provider credentials; store them as secured repository or deployment variables, never in the YAML.
Step 3: Add a Webhook for Pull Request Automation
Now, whenever a pull request is created or updated, the webhook fires and the Terraform plan runs as part of the pipeline against the proposed change.
Step 4: Integrating the Output into the Pull Request
To display the output of the Terraform plan directly in the pull request, we'll use a custom Bitbucket app or integration. You can develop your own app, or search for an existing one that suits your needs. Whatever you use, post a summary rather than the raw tfplan.json: the JSON plan carries attribute values, sensitive ones included, in plain text, and a pull request comment is visible to everyone with read access to the repository.
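As a worked example of Steps 2 through 4 together (added here; not code from the original article, Bitbucket or HashiCorp), the script below can be dropped into the same pipeline step after `terraform show`. It reads tfplan.json, counts actions per resource, flags deletes and replacements, and posts a markdown summary to the pull request through the Bitbucket Cloud REST API. It assumes Bitbucket Pipelines' built-in BITBUCKET_WORKSPACE, BITBUCKET_REPO_SLUG, BITBUCKET_PR_ID and BITBUCKET_BUILD_NUMBER variables, plus two secured repository variables, named here BITBUCKET_API_USER and BITBUCKET_APP_PASSWORD (hypothetical names), holding a Bitbucket user and app password; the ALLOW_DESTRUCTIVE gate variable is likewise an assumption. The embedded sample plan is constructed for offline runs, not a real plan.

```python
"""Summarize a Terraform JSON plan and post the summary as a Bitbucket PR comment.

Added example, not the article's or Bitbucket's own code. Variable names
BITBUCKET_API_USER, BITBUCKET_APP_PASSWORD and ALLOW_DESTRUCTIVE are assumed.
"""
import base64
import json
import os
import urllib.request

DESTRUCTIVE = {"delete", "replace"}

# Constructed sample in the shape of `terraform show -json tfplan` output.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "change": {"actions": ["create"]}},
        {"address": "aws_security_group.db", "change": {"actions": ["update"]}},
        {"address": "aws_instance.web", "change": {"actions": ["delete", "create"]}},
        {"address": "aws_iam_user.legacy", "change": {"actions": ["delete"]}},
        {"address": "aws_vpc.main", "change": {"actions": ["no-op"]}},
    ],
}


def classify(actions):
    """Collapse Terraform's action list to one label; delete+create in either order is a replace."""
    acts = list(actions)
    if not acts or acts == ["no-op"]:
        return "no-op"
    if "delete" in acts and "create" in acts:
        return "replace"
    return acts[0]


def summarize_plan(plan):
    """Return per-action counts and the destructive resource addresses.

    Only addresses and actions are extracted. The plan JSON carries attribute
    values (sensitive ones included) in plain text; they must not reach the PR.
    """
    counts = {"create": 0, "update": 0, "replace": 0, "delete": 0, "read": 0, "no-op": 0}
    destructive = []
    for rc in plan.get("resource_changes", []):
        label = classify(rc["change"]["actions"])
        counts[label] = counts.get(label, 0) + 1
        if label in DESTRUCTIVE:
            destructive.append((rc["address"], label))
    return counts, destructive


def render_comment(counts, destructive, build_number=""):
    """Produce the markdown body for the PR comment."""
    title = "**Terraform plan summary**" + (f" (pipeline #{build_number})" if build_number else "")
    lines = [title, ""]
    changed = [k for k in ("create", "update", "replace", "delete") if counts.get(k)]
    lines += [f"- {k}: {counts[k]}" for k in changed] or ["- no changes"]
    if destructive:
        lines += ["", "**Destructive changes, review before approving:**"]
        lines += [f"- `{addr}` ({label})" for addr, label in destructive]
    return "\n".join(lines)


def build_request(body, env):
    """Build the POST to Bitbucket Cloud's PR comment endpoint (no network here)."""
    url = (
        "https://api.bitbucket.org/2.0/repositories/"
        f"{env['BITBUCKET_WORKSPACE']}/{env['BITBUCKET_REPO_SLUG']}/"
        f"pullrequests/{env['BITBUCKET_PR_ID']}/comments"
    )
    creds = f"{env['BITBUCKET_API_USER']}:{env['BITBUCKET_APP_PASSWORD']}".encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode(),
        "Content-Type": "application/json",
    }
    data = json.dumps({"content": {"raw": body}}).encode()
    return urllib.request.Request(url, data=data, headers=headers, method="POST")


def post_comment(body, env=None):
    """Send the comment; returns the HTTP status (201 on success)."""
    env = os.environ if env is None else env
    with urllib.request.urlopen(build_request(body, env), timeout=30) as resp:
        return resp.status


def main(path="tfplan.json", env=None):
    """Summarize, post, and fail the step on destructive changes unless ALLOW_DESTRUCTIVE=true."""
    env = os.environ if env is None else env
    with open(path) as fh:
        plan = json.load(fh)
    counts, destructive = summarize_plan(plan)
    post_comment(render_comment(counts, destructive, env.get("BITBUCKET_BUILD_NUMBER", "")), env)
    return 1 if destructive and env.get("ALLOW_DESTRUCTIVE") != "true" else 0


if __name__ == "__main__":
    # Offline preview on the constructed sample; in the pipeline call main() instead.
    c, d = summarize_plan(SAMPLE_PLAN)
    print(render_comment(c, d, "123"))
```

In the pipeline, add `- python3 plan_comment.py` (or whatever you name the file) as the last script line of the plan step, with a Python-capable image or a second step that receives tfplan.json as an artifact. The non-zero return from `main` turns "destructive change present" into a failed build, which a branch restriction requiring passing builds then blocks until someone deliberately re-runs with the gate variable set; the comment itself carries only addresses and action types, never attribute values.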
Stream Security is an AI Detection & Response (AI DR) company built for the era of AI-driven environments across cloud, on-prem, and SaaS. As AI agents operate with real permissions and attackers move at machine speed, Stream enables security teams to keep pace by continuously computing a real-time, deterministic model of their entire environment. Powered by its CloudTwin® technology, Stream instantly understands the full impact of every action across identities, permissions, networks, and resources, allowing organizations to detect, prioritize, and safely respond to threats before they propagate. This transforms security from reactive detection into a true control plane for modern infrastructure.

