DevOps template with conditional manual approval job

Question

I am trying to add approval job based on the stage, I am using template and want to skip approval for some stages:

parameters:
- name: Stage
  type: string
- name: Environment
  type: string
- name: WebAppName
  type: string
- name: ArtifactName
  type: string
- name: DependsOn
  type: object
  default: [] 
- name: Subscription
  type: string
- name: isApproval
  type: boolean
  default: false 

stages:

############################################################
# Deploy stages
############################################################

- stage: ${{ parameters.Stage }}  
  displayName: '${{ parameters.Stage }} Stage'
  dependsOn: '${{ parameters.DependsOn }}' # this will execute based on the stage that is passed.

  jobs:
  - job: approval
    condition: eq('${{ parameters.isApproval }}', true)
    pool:
      vmImage: 'windows-latest'
    steps:
    - task: ManualIntervention@8
      timeoutInMinutes: 1440 # task times out in 1 day
      inputs:
        emailRecipients: '[email protected]'
        instructions: 'Please validate the build configuration and resume'
            
  - deployment: ${{ parameters.Environment }} 
    ${{ if eq('${{ parameters.isApproval }}', true)}}:
      dependsOn: approval
    timeoutInMinutes: 70
    environment: '${{ parameters.Environment }} Environment'
    pool:
      vmImage: 'windows-latest'
    strategy:
      runOnce:
        deploy:
          steps:
          - task: DownloadBuildArtifacts@0
            inputs:
              buildType: 'current'
              downloadType: 'single'
              artifactName: ${{ parameters.ArtifactName }}
              downloadPath: '$(System.ArtifactsDirectory)'
          - task: AzureRmWebAppDeployment@4
            inputs:
              ConnectionType: 'AzureRM'
              azureSubscription: ${{ parameters.Subscription }} 
              appType: 'webApp'
              WebAppName: ${{ parameters.WebAppName }}
              package: '$(System.ArtifactsDirectory)/**/*.zip'

And now from the release pipeline, I am passing values to the template:

- template: stages\deploy.yml 
    parameters:
      Environment: 'Dev'
      WebAppName: 'azureappservicehelloworldapp-dev'
      Stage: 'Dev'
      ArtifactName : '$(ArtifactName)'
      Subscription: 'AzureConnectionSC'
      # empty DependsOn, as Dev depends on nothing
      DependsOn:
      - Build

  - template: stages\deploy.yml 
    parameters:
      Environment: 'UAT'
      WebAppName: 'azureappservicehelloworld-uat'
      Stage: 'UAT'
      ArtifactName : '$(ArtifactName)'
      Subscription: 'AzureConnectionSC'
      DependsOn:
      - Dev
      isApproval: true

  - template: stages\deploy.yml 
    parameters:
      Environment: 'Prod'
      WebAppName: 'azureappservicehelloworld'
      Stage: 'Prod'
      ArtifactName : '$(ArtifactName)'
      Subscription: 'AzureConnectionSC'
      DependsOn:
      - UAT
      isApproval: true

If you see IsApproval is sent as true from UAT & Prod templates, so I should be able to validate approval for UAT & prod and DEV should be deploy without any approval.

But I am getting below error for the approval job in the template:

Manualintervention task is giving error, any suggestions plz.

Answer 1

The ManualIntervention task has a runOn: "server" set on it, so you can't run it on an agent, it runs on the application tier.

This means you can't use:

    pool:
      vmImage: 'windows-latest'

But you can set the pool to 'server' and use the 'ManualValidation' task

jobs:
- job: 
  pool: 'server'
  steps:
  - task: ManualValidation@0
    inputs:
      notifyUsers: '[email protected]'
      instructions: 'check stuff'

The result is that it triggers a review. As expected.

For whatever reason, the ManualIntervention@8 task has an unsupported task execution handler in the context of YAML. So you can use ManualValidation@0, but not ManualIntervention@8.

Answer 2

the Manual Intervention task is only available for Classic releases, and there only for an agentless job phase of a release.

In your case, what I would do is to inject two new placeholder environments into the pipeline, each of which has an approval requirement, but which deploys nothing:

  - template: stages\deploy.yml 
    parameters:
      Environment: 'Dev'
      WebAppName: 'azureappservicehelloworldapp-dev'
      Stage: 'Dev'
      ArtifactName : '$(ArtifactName)'
      Subscription: 'AzureConnectionSC'
      # empty DependsOn, as Dev depends on nothing
      DependsOn:
      - Build

  - stage: UATApproval  
    displayName: 'UAT Approval Stage'
    dependsOn: 'Dev'
    jobs:
    - deployment: UATApproval
      environment: 'UAT Approval Environment'
      pool:
        vmImage: 'windows-latest'
      strategy:
        runOnce:
          deploy:
            steps:
            - pwsh: Write-Host "Placeholder approval deployment."

  - template: stages\deploy.yml 
    parameters:
      Environment: 'UAT'
      WebAppName: 'azureappservicehelloworld-uat'
      Stage: 'UAT'
      ArtifactName : '$(ArtifactName)'
      Subscription: 'AzureConnectionSC'
      DependsOn:
      - UATApproval
      isApproval: true

  - stage: PRODApproval  
    displayName: 'PROD Approval Stage'
    dependsOn: 'UAT'
    jobs:
    - deployment: PRODApproval
      environment: 'PROD Approval Environment'
      pool:
        vmImage: 'windows-latest'
      strategy:
        runOnce:
          deploy:
            steps:
            - pwsh: Write-Host "Placeholder approval deployment."

  - template: stages\deploy.yml 
    parameters:
      Environment: 'Prod'
      WebAppName: 'azureappservicehelloworld'
      Stage: 'Prod'
      ArtifactName : '$(ArtifactName)'
      Subscription: 'AzureConnectionSC'
      DependsOn:
      - PRODApproval
      isApproval: true

If you like, you could "templatize" those stages as you did your other deployment stages.