variables:
  # Version of the OpenTofu CI/CD component itself; releases are listed at
  # https://gitlab.com/components/opentofu/-/releases
  VERSION: '0.1.0-alpha4'
  # OpenTofu release the component image is built for (same releases page).
  OPENTOFU_VERSION: '1.6.0'
  # Path to the root directory of the OpenTofu project. CI_PROJECT_DIR is the absolute
  # checkout path; override this when the configuration lives in a sub-directory.
  TF_ROOT: ${CI_PROJECT_DIR}
  # Name of the state in the GitLab-managed Terraform/OpenTofu state backend.
  TF_STATE_NAME: default
.opentofu:default:
  image:
    # Component image matching the pinned component and OpenTofu versions. This is a mutable
    # tag; a project that wants a reproducible supply chain can pin the image by digest
    # (`name: ...@sha256:<digest>`) when it includes this template.
    name: 'registry.gitlab.com/components/opentofu/gitlab-opentofu:$VERSION-opentofu$OPENTOFU_VERSION'
  cache:
    # One cache entry per OpenTofu root, shared by every branch and pipeline using that root.
    key: '$TF_ROOT'
    paths:
      # Provider binaries and other `init` output. Because the cache is shared across branches,
      # commit `.terraform.lock.hcl` so that `init` verifies cached provider checksums instead of
      # trusting whatever an earlier pipeline downloaded. NOTE(review): whether the cache is
      # isolated between protected and unprotected branches depends on project CI settings.
      - '$TF_ROOT/.terraform/'
.opentofu:fmt:
  extends: .opentofu:default
  stage: validate
  # No upstream dependency: formatting can be checked as soon as the pipeline starts.
  needs: []
  script:
    - gitlab-tofu fmt
  # Formatting problems are reported but never block the pipeline.
  allow_failure: true
  rules:
    # Run in merge request pipelines ...
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    # ... but not a second time in the branch pipeline of a branch that already has an open MR ...
    - if: $CI_OPEN_MERGE_REQUESTS
      when: never
    # ... and in plain branch pipelines otherwise.
    - if: $CI_COMMIT_BRANCH
.opentofu:validate:
  extends: .opentofu:default
  stage: validate
  script:
    - gitlab-tofu validate
  rules:
    # Merge request pipelines always validate ...
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    # ... a branch pipeline skips it when the branch already has an open MR (avoids duplicates) ...
    - if: $CI_OPEN_MERGE_REQUESTS
      when: never
    # ... and any other branch pipeline validates.
    - if: $CI_COMMIT_BRANCH
.opentofu:plan:
  extends: .opentofu:default
  stage: build
  script:
    - gitlab-tofu plan
    - gitlab-tofu plan-json
  environment:
    name: $TF_STATE_NAME
    action: prepare
  # Serialise every job that touches the same state, so plan/apply/destroy never run concurrently.
  resource_group: $TF_STATE_NAME
  artifacts:
    # The plan cache can include secrets, and anyone allowed to download this pipeline's artifacts
    # can read it. Be careful with secrets in the OpenTofu configuration, restrict artifact access,
    # or take other measures to protect sensitive information.
    #
    # The next key disables public access to pipeline artifacts but is not available on GitLab.com,
    # see https://docs.gitlab.com/ee/ci/yaml/#artifactspublic
    public: false
    paths:
      - '$TF_ROOT/plan.cache'
    reports:
      # Consumed by GitLab's Terraform/OpenTofu report integration.
      terraform: '$TF_ROOT/plan.json'
  rules:
    # Same trigger set as validate: MR pipelines, or branch pipelines without an open MR.
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_OPEN_MERGE_REQUESTS
      when: never
    - if: $CI_COMMIT_BRANCH
.opentofu:apply:
  extends: .opentofu:default
  stage: deploy
  script:
    # Presumably consumes the plan.cache artifact from the build stage; there is no explicit
    # `needs`, so artifact delivery relies on stage ordering.
    - gitlab-tofu apply
  environment:
    name: $TF_STATE_NAME
    action: start
  resource_group: $TF_STATE_NAME
  rules:
    # Unattended apply on the default branch when the project opts in with TF_AUTO_APPLY="true".
    # This job runs with whatever cloud credentials the project injects, so mark those CI
    # variables as protected and keep the default branch protected.
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $TF_AUTO_APPLY == "true"
    # Otherwise the apply on the default branch has to be started by hand.
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: manual
.opentofu:destroy:
  extends: .opentofu:default
  stage: cleanup
  script:
    - gitlab-tofu destroy
  environment:
    name: $TF_STATE_NAME
    action: stop
  resource_group: $TF_STATE_NAME
  rules:
    # Unattended destroy on the default branch when the project opts in with TF_AUTO_DESTROY="true".
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $TF_AUTO_DESTROY == "true"
    # NOTE(review): this fallback carries no condition, so unlike `.opentofu:apply` the manual
    # destroy is offered in every pipeline -- merge request and feature branch pipelines included --
    # against the shared $TF_STATE_NAME state. Protect the environment, or override `rules` when
    # extending, if only the default branch should be able to tear that infrastructure down.
    - when: manual
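delete-state:
  extends: .opentofu:default
  stage: cleanup
  # NOTE(review): `.opentofu:destroy` is a hidden template rather than a pipeline job, so a
  # project that enables this job should point `needs` at its concrete destroy job name.
  needs: [.opentofu:destroy]
  resource_group: $TF_STATE_NAME
  # Disabled by default: deleting the state is irreversible. Override `rules` to opt in.
  rules:
    - when: never
  script:
    # Remove the state from the GitLab-managed backend through the API, authenticating with the
    # job token. `--fail` makes curl exit non-zero on an HTTP error response (e.g. 403 or 404),
    # so the job fails instead of reporting success while the state still exists; `--silent`
    # drops the progress meter and `--show-error` keeps the error message visible.
    - curl --fail --silent --show-error --request DELETE -u "gitlab-ci-token:$CI_JOB_TOKEN" "$CI_API_V4_URL/projects/$CI_PROJECT_ID/terraform/state/$TF_STATE_NAME"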