As noted in the other answer there is not a first class way to do this, but I can suggest a way to get it done using the Rest API and powerShell. It involves a conditional set on an Agentless Job with a manual intervention step.
So release variables can't flow across Agent Jobs or Stages but what you can do is update a release variable, by updating the instance of the release itself via a Rest API call. Then you could use that variable in subsequent Jobs or stages.
In the job where you are getting the Terraform plan output, assuming you are capturing when there is an Add, Change, or Destroy operation you could then marshal that output back into the release, and use it further down the line.
So the example borrows from this post by Stefan Stranger. See also this post by Donavan Brown.
Assuming the below powerShell script runs in the first Agent phase and has access to your plan result.
I have predefined a variable in the Release Definition named TerraformPlanResult
.
$releaseurl = ('{0}{1}/_apis/release/releases/{2}?api-version=5.0' -f $($env:SYSTEM_TEAMFOUNDATIONSERVERURI), $($env:SYSTEM_TEAMPROJECTID), $($env:RELEASE_RELEASEID) )
Write-Host "URL: $releaseurl"
$Release = Invoke-RestMethod -Uri $releaseurl -Headers @{Authorization = "Bearer $env:SYSTEM_ACCESSTOKEN"}
#update the predefined $TerraformPlanResult variable
$Release.variables.TerraformPlanResult.value = $YourPlanResult
Write-Output ('Updating Release Definition Instance')
$json = @($Release) | ConvertTo-Json -Depth 99
Invoke-RestMethod -Uri $releaseurl -Method Put -Body $json -ContentType "application/json" -Headers @{Authorization = "Bearer $env:SYSTEM_ACCESSTOKEN" }
Now that the $TerraformPlanResult
variable is available at the release level, you define a Agentless Job with this conditional.
and(succeeded(), in(variables['TerraformPlanResult'], 'Add', 'Change','Destroy'))
Now the manual intervention step will only run if the condition is met.
A couple of other notes: