Base.gitlab-ci.yml

# This template is a port of the OpenTofu CI/CD component at
# https://gitlab.com/components/opentofu
# It is generated with the `make backports` command from that project.
#
# Please make sure to use the component when your project is hosted on GitLab.com
# or when you are willing to mirror the component project into your self-managed
# instance and use it from there.
#
# Attention: This template will be removed in favor of the OpenTofu CI/CD component as soon as components
#            are available for self-managed instances.
#
# This specific template is located at:
# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/OpenTofu/Base.gitlab-ci.yml

variables:
  # OpenTofu CI/CD component version, see https://gitlab.com/components/opentofu/-/releases
  VERSION: "0.1.0-alpha4"
  # Compatible OpenTofu version, see https://gitlab.com/components/opentofu/-/releases
  OPENTOFU_VERSION: "1.6.0"
  # Job Image with `gitlab-tofu`
  GITLAB_OPENTOFU_IMAGE_REGISTRY_BASE: $CI_REGISTRY/components/opentofu
  # The relative path to the root directory of the OpenTofu project
  TF_ROOT: ${CI_PROJECT_DIR}
  # The name of the state file used by the GitLab Managed Terraform state backend
  TF_STATE_NAME: default

.opentofu:suggest-component:
  stage: validate
  needs: []
  allow_failure: true
  rules:
    - if: '"$CI_SERVER_HOST" == "gitlab.com"'
  image: alpine:3.19
  script:
    - |
      echo "You are using the OpenTofu CI/CD template on GitLab.com which is not recommended."
      echo "This template is available for self-managed customers until CI/CD components are available to them and it will be removed asap."
      echo
      echo "We recommed that you migrate to the OpenTofu CI/CD component instead."
      echo "The OpenTofu CI/CD component with a default configuration can be included as follows:"
      echo
      echo "include:"
      echo "  - component: gitlab.com/components/opentofu/full-pipeline@0.1.0"
      echo "    inputs:"
      echo "      version: latest"
      echo "      opentofu_version: 1.6.0"
      echo
      echo "stages: [validate, test, build, deploy]"
      echo
      echo "You can read about more about the OpenTofu CI/CD component here:"
      echo "https://gitlab.com/components/opentofu"
    - false

.opentofu:default:
  image:
    name: '$GITLAB_OPENTOFU_IMAGE_REGISTRY_BASE/gitlab-opentofu:$GITLAB_OPENTOFU_VERSION-opentofu$OPENTOFU_VERSION'

  variables:
    TF_ROOT: $TF_ROOT
    TF_STATE_NAME: $TF_STATE_NAME

  cache:
    key: "$TF_ROOT"
    paths:
      - $TF_ROOT/.terraform/

.opentofu:fmt:
  extends: .opentofu:default
  stage: validate
  needs: []
  script:
    - gitlab-tofu fmt
  allow_failure: true
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
      when: never
    - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.

.opentofu:validate:
  extends: .opentofu:default
  stage: validate
  script:
    - gitlab-tofu validate
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
      when: never
    - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.

.opentofu:plan:
  extends: .opentofu:default
  stage: build
  script:
    - gitlab-tofu plan
    - gitlab-tofu plan-json
  environment: 
    name: $TF_STATE_NAME
    action: prepare
  resource_group: $TF_STATE_NAME
  artifacts:
    # Terraform's cache files can include secrets which can be accidentally exposed.
    # Please exercise caution when utilizing secrets in your Terraform infrastructure and
    # consider limiting access to artifacts or take other security measures to protect sensitive information.
    #
    # The next line, which disables public access to pipeline artifacts, is not available on GitLab.com.
    # See: https://docs.gitlab.com/ee/ci/yaml/#artifactspublic
    public: false
    paths:
      - $TF_ROOT/plan.cache
    reports:
      terraform: $TF_ROOT/plan.json
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
      when: never
    - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.

.opentofu:apply:
  extends: .opentofu:default
  stage: deploy
  script:
    - gitlab-tofu apply
  environment:
    name: $TF_STATE_NAME
    action: start
  resource_group: $TF_STATE_NAME
  rules:
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && "$TF_AUTO_APPLY" == "true"'
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: manual

.opentofu:destroy:
  extends: .opentofu:default
  stage: cleanup
  script:
    - gitlab-tofu destroy
  environment:
    name: $TF_STATE_NAME
    action: stop
  resource_group: $TF_STATE_NAME
  rules:
    - if: '"$TF_CREATE_DESTROY_JOB" != "true"'
      when: never
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && "$TF_AUTO_DESTROY" == "true"'
    - when: manual

.opentofu:delete-state:
  extends: .opentofu:default
  stage: cleanup
  resource_group: $TF_STATE_NAME
  rules:
    - when: never
  script:
    - curl --request DELETE -u "gitlab-ci-token:$CI_JOB_TOKEN" "$CI_API_V4_URL/projects/$CI_PROJECT_ID/terraform/state/$TF_STATE_NAME"
  rules:
    - if: '"$TF_CREATE_DELETE_STATE_JOB" != "true"'
      when: never
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
    - when: manual