Newer
Older
spec:
inputs:
# Job and Stage name
as:
default: 'plan'
description: 'Defines the name of this job.'
stage:
default: 'build'
description: 'Defines the stage that this job will belong to.'
# Versions
# This version is only required, because we cannot access the context of the component,
# see https://gitlab.com/gitlab-org/gitlab/-/issues/438275
version:
default: 'latest'
description: 'Version of this component. Has to be the same as the one in the component include entry.'
base_os:
default: 'alpine'
options:
- 'alpine'
- 'debian'
- '$GITLAB_OPENTOFU_BASE_IMAGE_OS'
description: 'Base OS of GitLab OpenTofu image.'
- '1.8.4'
- '1.8.3'
- '1.8.2'
- '1.8.1'
- '1.8.0'
- '1.7.3'
description: 'OpenTofu version that should be used.'
# Images
image_registry_base:
Thomas de Grenier de Latour
committed
default: '$CI_TEMPLATE_REGISTRY_HOST/components/opentofu'
description: 'Host URI to the job images. Will be combined with `image_name` to construct the actual image URI.'
# FIXME: not yet possible because of https://gitlab.com/gitlab-org/gitlab/-/issues/438722
# gitlab_opentofu_image:
# # FIXME: This should reference the component tag that is used.
# # Currently, blocked by https://gitlab.com/gitlab-org/gitlab/-/issues/438275
Thomas de Grenier de Latour
committed
# # default: '$CI_TEMPLATE_REGISTRY_HOST/components/opentofu/gitlab-opentofu:$[[ inputs.opentofu_version ]]'
# default: '$CI_TEMPLATE_REGISTRY_HOST/components/opentofu/gitlab-opentofu:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]'
image_name:
default: 'gitlab-opentofu'
description: 'Image name for the job images. Hosted under `image_registry_base`.'
# FIXME: we cannot use regex yet because of a bug that rejects
# empty strings from ever being checked against the regex.
# see https://gitlab.com/gitlab-org/gitlab/-/issues/477707
# regex: '^(@sha256:[a-z0-9]{64})?$'
description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.'
default: ${CI_PROJECT_DIR}
description: 'Root directory for the OpenTofu project.'
state_name:
default: default
description: 'Remote OpenTofu state name.'
plan_name:
default: 'plan'
description: 'The name of the plan cache and plan json file.'
destroy:
default: false
type: boolean
description: 'Indicate if the plan should be a destroy plan. You may want to change the `plan_name` input to `destroy-plan` which is the default for the destroy job.'
artifacts_access:
default: 'none'
description: 'Access level for the plan artifact. See https://docs.gitlab.com/ee/ci/yaml/#artifactsaccess for possible values.'
var_file:
default: ''
type: string
description: 'Path to a variables files relative to root_dir.'
rules:
# FIXME: eventually, we'll want to define `null` as the default,
# but this is NOT support yet, see
# https://gitlab.com/gitlab-org/gitlab/-/issues/440468
type: array
description: 'Defines the `rules` of the job.'
cache_policy:
default: pull-push
type: string
description: 'Defines the cache policy of the job.'
warning_on_none_empty_plan:
default: false
type: boolean
description: 'Whether to mark the job with a warning if the plan contains a diff.'
# NOTE: the two following jobs are necessary to implement the abstraction logic
# required for the `warning_on_none_empty_plan` input.
# Without any kind of flow control support for the GitLab CI YAML we cannot infer
# another value from the input. However, we can clearly apply "inheritance" to
# customize behavior related to the CI keywords that have otherwise nothing
# in common with the inputs value.
'.$[[ inputs.as ]]:detailed_exitcode:warning:false':
extends: null
'.$[[ inputs.as ]]:detailed_exitcode:warning:true':
allow_failure:
exit_codes: [2]
'$[[ inputs.as ]]':
stage: $[[ inputs.stage ]]
extends:
# NOTE: see the comment above. This is to support the `warning_on_none_empty_plan` input.
- '.$[[ inputs.as ]]:detailed_exitcode:warning:$[[ inputs.warning_on_none_empty_plan ]]'
name: $[[ inputs.state_name ]]
action: prepare
resource_group: $[[ inputs.state_name ]]
artifacts:
# Terraform's cache files can include secrets which can be accidentally exposed.
# Please exercise caution when utilizing secrets in your Terraform infrastructure and
# consider limiting access to artifacts or take other security measures to protect sensitive information.
# See https://docs.gitlab.com/ee/ci/yaml/#artifactsaccess for possible values.
access: '$[[ inputs.artifacts_access ]]'
policy: $[[ inputs.cache_policy ]]
# FIXME: work around to make slashes work in `cache:key`. see https://gitlab.com/gitlab-org/gitlab/-/issues/439898
__CACHE_KEY_HACK: "$[[ inputs.root_dir ]]"
TF_ROOT: $[[ inputs.root_dir ]]
TF_STATE_NAME: $[[ inputs.state_name ]]
OPENTOFU_COMPONENT_VAR_FILE: '$[[ inputs.var_file ]]'
OPENTOFU_COMPONENT_USE_DETAILED_EXITCODE: '$[[ inputs.warning_on_none_empty_plan ]]'
# NOTE: we rely on correct exitcode reporting behavior for the `warning_on_none_empty_plan` input
# behavior. However, when using bash the runner does not work properly without setting
# the feature flag below to `true`.
FF_USE_NEW_BASH_EVAL_STRATEGY: 'true'
name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]'
- "args=\"\"\nif [ \"$[[ inputs.destroy ]]\" == \"true\" ]; then \n echo \"Planning for a destroy\"\n args=\"-destroy\"\nfi\n"