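# Component header: declares the inputs that the job template in the next
# YAML document interpolates via `$[[ inputs.<name> ]]`.
# Nesting is restored here; with every key at column 0 the `default` and
# `description` keys collide and `spec` parses as null.
spec:
  inputs:
    # Job and Stage name
    as:
      default: 'plan'
      description: 'Defines the name of this job.'
    stage:
      default: 'build'
      description: 'Defines the stage that this job will belong to.'
    # Versions
    # This version is only required, because we cannot access the context of the component,
    # see https://gitlab.com/gitlab-org/gitlab/-/issues/438275
    #
    # The job image tag is built from this value. With the default the tag is
    # `latest-opentofu<opentofu_version>`, i.e. a floating tag: pin `version`
    # to a released component version so the image that runs the plan is
    # reproducible and matches the reviewed component.
    version:
      default: 'latest'
      description: 'Version of this component. Has to be the same as the one in the component include entry.'
    opentofu_version:
      default: '1.6.0'
      options:
        - '$OPENTOFU_VERSION'
        - '1.6.0'
        - '1.6.0-rc1'
      description: 'OpenTofu version that should be used.'
    # Images
    # The job image is pulled from this base. Whoever controls the registry
    # path controls the code that runs with the job's CI/CD variables, so
    # override it only with a registry you trust.
    image_registry_base:
      default: '$CI_REGISTRY/components/opentofu'
    # FIXME: not yet possible because of https://gitlab.com/gitlab-org/gitlab/-/issues/438722
    # gitlab_opentofu_image:
    #   # FIXME: This should reference the component tag that is used.
    #   #        Currently, blocked by https://gitlab.com/gitlab-org/gitlab/-/issues/438275
    #   # default: '$CI_REGISTRY/components/opentofu/gitlab-opentofu:$[[ inputs.opentofu_version ]]'
    #   default: '$CI_REGISTRY/components/opentofu/gitlab-opentofu:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]'
    #   description: 'Tag of the gitlab-opentofu image.'
    # Configuration
    # `root_dir` is also used as the cache key and as the prefix of the
    # artifact paths in the job below.
    root_dir:
      default: '${CI_PROJECT_DIR}'
      description: 'Root directory for the OpenTofu project.'
    # `state_name` doubles as the environment name and the resource group
    # of the job below.
    state_name:
      default: 'default'
      description: 'Remote OpenTofu state name.'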
---
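# Plan job: runs `gitlab-tofu plan` and `gitlab-tofu plan-json` in the
# gitlab-opentofu image, then stores the plan cache as an artifact and the
# JSON plan as a terraform report.
# Nesting is restored here; flattened to column 0 the job keys (`name`,
# `paths`, `if`) collide and the job definition is lost.
'$[[ inputs.as ]]':
  stage: $[[ inputs.stage ]]
  environment:
    name: $[[ inputs.state_name ]]
    action: prepare
  # One resource group per state name, so jobs for the same state do not run
  # concurrently.
  resource_group: $[[ inputs.state_name ]]
  artifacts:
    # Terraform's cache files can include secrets which can be accidentally exposed.
    # Please exercise caution when utilizing secrets in your Terraform infrastructure and
    # consider limiting access to artifacts or take other security measures to protect sensitive information.
    #
    # The next line, which disables public access to pipeline artifacts, is not available on GitLab.com.
    # See: https://docs.gitlab.com/ee/ci/yaml/#artifactspublic
    #
    # NOTE(review): `public: false` only limits access from outside the
    # project; members with sufficient role can still download plan.cache.
    # No `expire_in` is set here, so retention follows the instance or
    # project default - confirm that is acceptable for plan data.
    public: false
    paths:
      - $[[ inputs.root_dir ]]/plan.cache
    reports:
      # The JSON plan is uploaded as a terraform report in addition to the
      # plan cache above.
      terraform: $[[ inputs.root_dir ]]/plan.json
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
      when: never
    - if: $CI_COMMIT_BRANCH  # If there's no open merge request, add it to a *branch* pipeline instead.
  cache:
    # The key is the root directory only, so every ref that plans the same
    # root shares one `.terraform/` cache.
    # NOTE(review): confirm the project keeps "Use separate caches for
    # protected branches" enabled, so unprotected branches cannot seed the
    # cache that protected pipelines restore.
    key: "$[[ inputs.root_dir ]]"
    paths:
      - $[[ inputs.root_dir ]]/.terraform/
  variables:
    TF_ROOT: $[[ inputs.root_dir ]]
    TF_STATE_NAME: $[[ inputs.state_name ]]
  image:
    # Tag format: <component version>-opentofu<OpenTofu version>.
    name: '$[[ inputs.image_registry_base ]]/gitlab-opentofu:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]'
  script:
    - gitlab-tofu plan
    - gitlab-tofu plan-json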