Newer
Older
# This template is a port of the OpenTofu CI/CD component at
# https://gitlab.com/components/opentofu
# It is generated with the `make backports` command from that project.
#
# Please make sure to use the component when your project is hosted on GitLab.com
# or when you are willing to mirror the component project into your self-managed
# instance and use it from there.
#
# Attention: This template will be removed in favor of the OpenTofu CI/CD component as soon as components
# are available for self-managed instances.
#
# This specific template is located at:
# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/OpenTofu/Base.gitlab-ci.yml
variables:
# OpenTofu CI/CD component version, see https://gitlab.com/components/opentofu/-/releases
VERSION: "0.1.0-alpha4"
# Compatible OpenTofu version, see https://gitlab.com/components/opentofu/-/releases
OPENTOFU_VERSION: "1.6.0"
GITLAB_OPENTOFU_IMAGE_REGISTRY_BASE: $CI_REGISTRY/components/opentofu
# The relative path to the root directory of the OpenTofu project
# The name of the state file used by the GitLab Managed Terraform state backend
TF_STATE_NAME: default
.opentofu:suggest-component:
stage: validate
needs: []
allow_failure: true
rules:
image: alpine:3.19
script:
- |
echo "You are using the OpenTofu CI/CD template on GitLab.com which is not recommended."
echo "This template is available for self-managed customers until CI/CD components are available to them and it will be removed asap."
echo
echo "We recommed that you migrate to the OpenTofu CI/CD component instead."
echo "The OpenTofu CI/CD component with a default configuration can be included as follows:"
echo
echo "include:"
echo " - component: gitlab.com/components/opentofu/full-pipeline@0.1.0"
echo " inputs:"
echo " version: latest"
echo " opentofu_version: 1.6.0"
echo
echo "stages: [validate, test, build, deploy]"
echo
echo "You can read about more about the OpenTofu CI/CD component here:"
echo "https://gitlab.com/components/opentofu"
- false
.opentofu:default:
image:
name: '$GITLAB_OPENTOFU_IMAGE_REGISTRY_BASE/gitlab-opentofu:$GITLAB_OPENTOFU_VERSION-opentofu$OPENTOFU_VERSION'
variables:
TF_ROOT: $TF_ROOT
TF_STATE_NAME: $TF_STATE_NAME
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
cache:
key: "$TF_ROOT"
paths:
- $TF_ROOT/.terraform/
.opentofu:fmt:
extends: .opentofu:default
stage: validate
needs: []
script:
- gitlab-tofu fmt
allow_failure: true
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_OPEN_MERGE_REQUESTS # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
when: never
- if: $CI_COMMIT_BRANCH # If there's no open merge request, add it to a *branch* pipeline instead.
.opentofu:validate:
extends: .opentofu:default
stage: validate
script:
- gitlab-tofu validate
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_OPEN_MERGE_REQUESTS # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
when: never
- if: $CI_COMMIT_BRANCH # If there's no open merge request, add it to a *branch* pipeline instead.
.opentofu:plan:
extends: .opentofu:default
stage: build
script:
- gitlab-tofu plan
- gitlab-tofu plan-json
environment:
name: $TF_STATE_NAME
action: prepare
resource_group: $TF_STATE_NAME
artifacts:
# Terraform's cache files can include secrets which can be accidentally exposed.
# Please exercise caution when utilizing secrets in your Terraform infrastructure and
# consider limiting access to artifacts or take other security measures to protect sensitive information.
#
# The next line, which disables public access to pipeline artifacts, is not available on GitLab.com.
# See: https://docs.gitlab.com/ee/ci/yaml/#artifactspublic
public: false
paths:
- $TF_ROOT/plan.cache
reports:
terraform: $TF_ROOT/plan.json
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_OPEN_MERGE_REQUESTS # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
when: never
- if: $CI_COMMIT_BRANCH # If there's no open merge request, add it to a *branch* pipeline instead.
.opentofu:apply:
extends: .opentofu:default
stage: deploy
script:
- gitlab-tofu apply
environment:
name: $TF_STATE_NAME
action: start
resource_group: $TF_STATE_NAME
rules:
- if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && "$TF_AUTO_APPLY" == "true"'
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
when: manual
.opentofu:destroy:
extends: .opentofu:default
stage: cleanup
script:
- gitlab-tofu destroy
environment:
name: $TF_STATE_NAME
action: stop
resource_group: $TF_STATE_NAME
rules:
- if: '"$TF_CREATE_DESTROY_JOB" != "true"'
when: never
- if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && "$TF_AUTO_DESTROY" == "true"'
extends: .opentofu:default
stage: cleanup
resource_group: $TF_STATE_NAME
rules:
- when: never
script:
- curl --request DELETE -u "gitlab-ci-token:$CI_JOB_TOKEN" "$CI_API_V4_URL/projects/$CI_PROJECT_ID/terraform/state/$TF_STATE_NAME"
rules:
- if: '"$TF_CREATE_DELETE_STATE_JOB" != "true"'
when: never
- if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
- when: manual