Newer
Older
# This template is a port of the OpenTofu CI/CD component at
# https://gitlab.com/components/opentofu
# It is generated with the `make backports` command from that project.
#
# Please make sure to use the component when your project is hosted on GitLab.com
# or when you are willing to mirror the component project into your self-managed
# instance and use it from there.
#
# Attention: This template will be removed in favor of the OpenTofu CI/CD component as soon as components
# are available for self-managed instances.
#
# This specific template is located at:
# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/OpenTofu/Base.latest.gitlab-ci.yml
variables:
# OpenTofu CI/CD component version, see https://gitlab.com/components/opentofu/-/releases
VERSION: "latest"
# Compatible OpenTofu version, see https://gitlab.com/components/opentofu/-/releases
OPENTOFU_VERSION: "1.6.0"
# Job Image with `gitlab-tofu`
GITLAB_OPENTOFU_IMAGE_REGISTRY_BASE: $CI_REGISTRY/components/opentofu
# The relative path to the root directory of the OpenTofu project
TF_ROOT: ${CI_PROJECT_DIR}
# The name of the state file used by the GitLab Managed Terraform state backend
TF_STATE_NAME: default
needs: []
allow_failure: true
rules:
- if: '$CI_SERVER_HOST == "gitlab.com"'
image: alpine:3.19
script:
- |
echo "You are using the OpenTofu CI/CD template on GitLab.com which is not recommended."
echo "This template is available for self-managed customers until CI/CD components are available to them and it will be removed asap."
echo " "
echo "We recommend that you migrate to the OpenTofu CI/CD component instead."
echo "The OpenTofu CI/CD component with a default configuration can be included as follows:"
echo " "
echo "include:"
echo " - component: gitlab.com/components/opentofu/full-pipeline@<VERSION>"
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
echo " opentofu_version: 1.6.0"
echo ""
echo "stages: [validate, build, deploy, cleanup]"
echo " "
echo "You can read about more about the OpenTofu CI/CD component here:"
echo "https://gitlab.com/components/opentofu"
- 'false'
'.opentofu:fmt':
stage: validate
needs: []
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_OPEN_MERGE_REQUESTS # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
when: never
- if: $CI_COMMIT_BRANCH # If there's no open merge request, add it to a *branch* pipeline instead.
#allow_failure: true
allow_failure: true
cache:
key: "$TF_ROOT"
paths:
- $TF_ROOT/.terraform/
image:
name: '$GITLAB_OPENTOFU_IMAGE_REGISTRY_BASE/gitlab-opentofu:$GITLAB_OPENTOFU_VERSION-opentofu$OPENTOFU_VERSION'
script:
- gitlab-tofu fmt
'.opentofu:validate':
stage: validate
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_OPEN_MERGE_REQUESTS # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
when: never
- if: $CI_COMMIT_BRANCH # If there's no open merge request, add it to a *branch* pipeline instead.
cache:
key: "$TF_ROOT"
paths:
- $TF_ROOT/.terraform/
image:
name: '$GITLAB_OPENTOFU_IMAGE_REGISTRY_BASE/gitlab-opentofu:$GITLAB_OPENTOFU_VERSION-opentofu$OPENTOFU_VERSION'
script:
- gitlab-tofu validate
'.opentofu:plan':
stage: build
environment:
name: $TF_STATE_NAME
action: prepare
resource_group: $TF_STATE_NAME
artifacts:
# Terraform's cache files can include secrets which can be accidentally exposed.
# Please exercise caution when utilizing secrets in your Terraform infrastructure and
# consider limiting access to artifacts or take other security measures to protect sensitive information.
#
# The next line, which disables public access to pipeline artifacts, is not available on GitLab.com.
# See: https://docs.gitlab.com/ee/ci/yaml/#artifactspublic
public: false
paths:
- $TF_ROOT/plan.cache
reports:
terraform: $TF_ROOT/plan.json
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_OPEN_MERGE_REQUESTS # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
when: never
- if: $CI_COMMIT_BRANCH # If there's no open merge request, add it to a *branch* pipeline instead.
cache:
key: "$TF_ROOT"
paths:
- $TF_ROOT/.terraform/
image:
name: '$GITLAB_OPENTOFU_IMAGE_REGISTRY_BASE/gitlab-opentofu:$GITLAB_OPENTOFU_VERSION-opentofu$OPENTOFU_VERSION'
script:
- gitlab-tofu plan
- gitlab-tofu plan-json
'.opentofu:apply':
stage: deploy
environment:
name: $TF_STATE_NAME
action: start
resource_group: $TF_STATE_NAME
rules:
- if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && "$_TF_AUTO_APPLY" == "true"'
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
when: manual
cache:
key: "$TF_ROOT"
paths:
- $TF_ROOT/.terraform/
image:
name: '$GITLAB_OPENTOFU_IMAGE_REGISTRY_BASE/gitlab-opentofu:$GITLAB_OPENTOFU_VERSION-opentofu$OPENTOFU_VERSION'
script:
- gitlab-tofu apply
'.opentofu:destroy':
stage: cleanup
environment:
name: $TF_STATE_NAME
action: stop
resource_group: $TF_STATE_NAME
rules:
- if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && "$_TF_AUTO_DESTROY" == "true"'
- when: manual
cache:
key: "$TF_ROOT"
paths:
- $TF_ROOT/.terraform/
image:
name: '$GITLAB_OPENTOFU_IMAGE_REGISTRY_BASE/gitlab-opentofu:$GITLAB_OPENTOFU_VERSION-opentofu$OPENTOFU_VERSION'
script:
- gitlab-tofu destroy
'.opentofu:delete-state':
stage: cleanup
resource_group: $TF_STATE_NAME
image: curlimages/curl:latest
script:
- curl --request DELETE -u "gitlab-ci-token:$CI_JOB_TOKEN" "$CI_API_V4_URL/projects/$CI_PROJECT_ID/terraform/state/$TF_STATE_NAME"
rules:
- if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
- when: manual