Newer
Older
spec:
inputs:
stage_validate:
default: 'validate'
description: 'Defines the validate stage'
stage_test:
default: 'test'
description: 'Defines the test stage'
stage_build:
default: 'build'
description: 'Defines the build stage'
stage_deploy:
default: 'deploy'
description: 'Defines the deploy stage'
stage_cleanup:
default: 'cleanup'
description: 'Defines the cleanup stage'
# This version is only required, because we cannot access the context of the component,
# see https://gitlab.com/gitlab-org/gitlab/-/issues/438275
version:
default: 'latest'
description: 'Version of this component'
opentofu_version:
default: '1.6.0'
options:
- '1.6.0'
- '1.6.0-rc1'
description: 'Released version of upstream OpenTofu'
# Images
gitlab_opentofu_image:
# FIXME: This should reference the component tag that is used.
# Currently, blocked by https://gitlab.com/gitlab-org/gitlab/-/issues/438275
# default: '$CI_REGISTRY/components/opentofu/gitlab-opentofu:$[[ inputs.opentofu_version ]]'
default: '$CI_REGISTRY/components/opentofu/gitlab-opentofu:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]'
description: 'Image name of the gitlab-opentofu image'
# Configuration
root_dir:
default: ${CI_PROJECT_DIR}
description: 'Root directory for the OpenTofu project'
state_name:
default: default
description: 'State name'
---
.default:
image:
fmt:
extends: .default
stage: $[[ inputs.stage_validate ]]
needs: []
script:
allow_failure: true
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_OPEN_MERGE_REQUESTS # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
when: never
- if: $CI_COMMIT_BRANCH # If there's no open merge request, add it to a *branch* pipeline instead.
validate:
extends: .default
stage: $[[ inputs.stage_validate ]]
script:
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_OPEN_MERGE_REQUESTS # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
when: never
- if: $CI_COMMIT_BRANCH # If there's no open merge request, add it to a *branch* pipeline instead.
plan:
extends: .default
stage: $[[ inputs.stage_build ]]
script:
action: prepare
artifacts:
# Terraform's cache files can include secrets which can be accidentally exposed.
# Please exercise caution when utilizing secrets in your Terraform infrastructure and
# consider limiting access to artifacts or take other security measures to protect sensitive information.
#
# The next line, which disables public access to pipeline artifacts, is not available on GitLab.com.
# See: https://docs.gitlab.com/ee/ci/yaml/#artifactspublic
public: false
paths:
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_OPEN_MERGE_REQUESTS # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
when: never
- if: $CI_COMMIT_BRANCH # If there's no open merge request, add it to a *branch* pipeline instead.
apply:
extends: .default
stage: $[[ inputs.stage_deploy ]]
script:
environment:
action: start
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $TF_AUTO_DEPLOY == "true"
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
when: manual
destroy:
extends: .default
environment:
name: $[[ inputs.state_name ]]
action: stop
when: manual