We have all AWS resources managed in a CodeCommit repository with terraform. This includes the CodePipeline that performs an actual deployment of changed terraform code. Is it possible to safely update that pipeline by modifying involved terraform code without manual apply outside of the automation?
According to the documentation,
If a revision is running through your pipeline when you save your changes, the run is not completed.
I don't think that any code is worth posting here. The pipeline has a Source step (retrieving repository contents) followed by two stages of the same shape:
plan (CodeBuild) -> manual review -> apply (CodeBuild)
There are two such stages for separate components (say, shared infra like PR validation, and then staging/production environment - staging and production are deployed via separate pipelines to ensure access separation). Terraform pipeline belongs to the second stage.