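spec:
  inputs:
    # Job and Stage name
    as:
      default: 'plan'
      description: 'Defines the name of this job.'
    stage:
      default: 'build'
      description: 'Defines the stage that this job will belong to.'

    # Versions
    # This version is only required, because we cannot access the context of the component,
    # see https://gitlab.com/gitlab-org/gitlab/-/issues/438275
    # NOTE: 'latest' is a mutable tag. Pin `version` to the same component tag used in the
    # include entry so the job image selected from it is reproducible.
    version:
      default: 'latest'
      description: 'Version of this component. Has to be the same as the one in the component include entry.'
    opentofu_version:
      # NOTE(review): the rendered source shows this list directly under the input key, which is
      # not valid YAML; `options` is the spec key for an allowed-value list, and GitLab expects a
      # `default` next to it — confirm both against the original file.
      options:
        - '1.6.0'
        - '1.6.0-rc1'
      description: 'OpenTofu version that should be used.'

    # Images
    image_registry_base:
      # Overriding this changes where the job image is pulled from, so treat the value as
      # part of the pipeline's trust boundary.
      default: '$CI_REGISTRY/components/opentofu'
    # FIXME: not yet possible because of https://gitlab.com/gitlab-org/gitlab/-/issues/438722
    # gitlab_opentofu_image:
    #   # FIXME: This should reference the component tag that is used.
    #   # Currently, blocked by https://gitlab.com/gitlab-org/gitlab/-/issues/438275
    #   # default: '$CI_REGISTRY/components/opentofu/gitlab-opentofu:$[[ inputs.opentofu_version ]]'
    #   default: '$CI_REGISTRY/components/opentofu/gitlab-opentofu:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]'
    #   description: 'Tag of the gitlab-opentofu image.'

    # Configuration
    root_dir:
      # Quoted so the value is read as a plain string, consistent with the other defaults.
      default: '${CI_PROJECT_DIR}'
      description: 'Root directory for the OpenTofu project.'
    state_name:
      default: 'default'
      description: 'Remote OpenTofu state name.'
    destroy_plan:
      default: false
      type: boolean
      description: 'Set to `true` to generate a destroy instead of an apply plan.'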
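---
'$[[ inputs.as ]]':
  stage: $[[ inputs.stage ]]
  environment:
    name: $[[ inputs.state_name ]]
    # 'prepare' associates the job with the environment without recording a deployment.
    action: prepare
  # Serialises plan jobs per state name so concurrent pipelines do not race on the same state.
  resource_group: $[[ inputs.state_name ]]
  artifacts:
    # Terraform's cache files can include secrets which can be accidentally exposed.
    # Please exercise caution when utilizing secrets in your Terraform infrastructure and
    # consider limiting access to artifacts or take other security measures to protect sensitive information.
    #
    # The next line, which disables public access to pipeline artifacts, is not available on GitLab.com.
    # See: https://docs.gitlab.com/ee/ci/yaml/#artifactspublic
    public: false
    paths:
      - $[[ inputs.root_dir ]]/plan.cache
    reports:
      terraform: $[[ inputs.root_dir ]]/plan.json
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
      when: never
    - if: $CI_COMMIT_BRANCH  # If there's no open merge request, add it to a *branch* pipeline instead.
  cache:
    key: "$[[ inputs.root_dir ]]"
    paths:
      - $[[ inputs.root_dir ]]/.terraform/
  variables:
    TF_ROOT: $[[ inputs.root_dir ]]
    TF_STATE_NAME: $[[ inputs.state_name ]]
  image:
    # Tag is derived from the `version` and `opentofu_version` inputs; with the default
    # `version` of 'latest' the resulting tag is mutable.
    name: '$[[ inputs.image_registry_base ]]/gitlab-opentofu:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]'
  script:
    - |
      # Compare the interpolated boolean as a string rather than executing it. The previous
      # form `if !$[[ inputs.destroy_plan ]]` expands to `if !false`, and a POSIX shell only
      # treats `!` as negation when it is a separate word, so `!false` should be looked up as a
      # command name, fail, and send the default value down the destroy branch.
      if [ "$[[ inputs.destroy_plan ]]" = "true" ]; then
        echo "gitlab-tofu plan -destroy"
        gitlab-tofu plan -destroy
      else
        echo "gitlab-tofu plan"
        gitlab-tofu plan
      fi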