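# Component interface. Every stage name can be overridden by the including
# project; the destroy job is opt-in via `enable_destroy_job`.
spec:
  inputs:
    stage_validate:
      default: 'validate'
      description: 'Defines the validate stage'
    # Declared for callers, but no job in this file references it.
    stage_test:
      default: 'test'
      description: 'Defines the test stage'
    stage_build:
      default: 'build'
      description: 'Defines the build stage'
    stage_deploy:
      default: 'deploy'
      description: 'Defines the deploy stage'
    stage_cleanup:
      default: 'cleanup'
      description: 'Defines the cleanup stage'
    enable_destroy_job:
      # NOTE(review): no `type:` is declared here, so the value is interpolated
      # as given into the destroy job's rule — confirm a boolean type is wanted.
      default: false
      # Typo fix: "Weather" -> "Whether" (user-facing input description).
      description: 'Whether the destroy job should be created'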
---
# Shared base for every job below (pulled in via `extends: .default`).
.default:
  variables:
    # The relative path to the root directory of the Terraform project
    TF_ROOT: ${CI_PROJECT_DIR}
    # The name of the state file used by the GitLab Managed Terraform state backend
    TF_STATE_NAME: default
  image:
    # NOTE(review): `latest` is a mutable tag; pinning a version or digest
    # would make runs reproducible and the toolchain auditable.
    name: "$CI_TEMPLATE_REGISTRY_HOST/gitlab-org/terraform-images/stable:latest"
  cache:
    # One cache per Terraform root, holding the downloaded providers/modules.
    key: "${TF_ROOT}"
    paths:
      - ${TF_ROOT}/.terraform/
# Formatting check. Advisory only: `allow_failure` keeps it from blocking
# the pipeline, and `needs: []` lets it start without waiting for its stage.
fmt:
  extends: .default
  stage: $[[ inputs.stage_validate ]]
  needs: []
  allow_failure: true
  script:
    - gitlab-opentofu fmt
  rules:
    # Run in merge request pipelines ...
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    # ... but never in a *branch* pipeline for a branch that already has an open MR.
    - if: $CI_OPEN_MERGE_REQUESTS
      when: never
    # Otherwise fall back to a *branch* pipeline.
    - if: $CI_COMMIT_BRANCH
# Configuration validation; unlike `fmt`, a failure here fails the pipeline.
validate:
  extends: .default
  stage: $[[ inputs.stage_validate ]]
  script:
    - gitlab-opentofu validate
  rules:
    # Merge request pipelines first ...
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    # ... and skip the *branch* pipeline when an MR is already open for it.
    - if: $CI_OPEN_MERGE_REQUESTS
      when: never
    # No open merge request: run in the *branch* pipeline.
    - if: $CI_COMMIT_BRANCH
# Produces the plan that `apply` consumes (plan.cache) plus a JSON report
# that GitLab renders in the merge request widget (plan.json).
plan:
  extends: .default
  stage: $[[ inputs.stage_build ]]
  # Serialise plans against the same state; the environment is only "prepared",
  # not started, so no deployment is recorded yet.
  resource_group: ${TF_STATE_NAME}
  environment:
    name: ${TF_STATE_NAME}
    action: prepare
  script:
    - gitlab-opentofu plan
    - gitlab-opentofu plan-json
  artifacts:
    # Terraform's cache files can include secrets which can be accidentally exposed.
    # Please exercise caution when utilizing secrets in your Terraform infrastructure and
    # consider limiting access to artifacts or take other security measures to protect sensitive information.
    #
    # The next line, which disables public access to pipeline artifacts, is not available on GitLab.com.
    # See: https://docs.gitlab.com/ee/ci/yaml/#artifactspublic
    public: false
    paths:
      - ${TF_ROOT}/plan.cache
    reports:
      terraform: ${TF_ROOT}/plan.json
  rules:
    # Merge request pipelines ...
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    # ... not duplicated in a *branch* pipeline when an MR is already open.
    - if: $CI_OPEN_MERGE_REQUESTS
      when: never
    # Otherwise the *branch* pipeline.
    - if: $CI_COMMIT_BRANCH
# Applies the previously generated plan. Only ever runs on the default branch:
# automatically when TF_AUTO_DEPLOY is the string "true", otherwise as a
# manual job. Branch and merge request pipelines never reach this job.
apply:
  extends: .default
  stage: $[[ inputs.stage_deploy ]]
  # Same resource group as `plan`, so plan/apply on one state never overlap.
  resource_group: ${TF_STATE_NAME}
  environment:
    name: $TF_STATE_NAME
    action: start
  script:
    - gitlab-opentofu apply
  rules:
    # Unattended apply on the default branch when explicitly opted in.
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $TF_AUTO_DEPLOY == "true"
    # Otherwise a manual gate on the default branch.
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: manual
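# Tears down the infrastructure. Always a manual job, and only created when the
# `enable_destroy_job` input is set by the including project.
destroy:
  extends: .default
  # Fix: the spec declares `stage_cleanup`, not `stage_destroy`; referencing
  # an undeclared input would fail when the component is included.
  stage: $[[ inputs.stage_cleanup ]]
  # Shares the state's resource group so it cannot race a plan or apply.
  resource_group: ${TF_STATE_NAME}
  when: manual
  script:
    - gitlab-opentofu destroy
  rules:
    # The input value is interpolated straight into the rule; with the default
    # `false` the job is presumably omitted — confirm against a rendered pipeline.
    - if: $[[ inputs.enable_destroy_job ]]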