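# GitLab CI/CD component for an OpenTofu pipeline: fmt -> validate -> plan -> apply,
# plus an optional manual destroy job. Stage names are exposed as component inputs
# so that a consuming pipeline can map them onto its own stage list.
spec:
  inputs:
    stage_validate:
      default: 'validate'
      description: 'Defines the validate stage'
    stage_test:
      # Declared for the consumer's stage layout; no job in this file references it.
      default: 'test'
      description: 'Defines the test stage'
    stage_build:
      default: 'build'
      description: 'Defines the build stage'
    stage_deploy:
      default: 'deploy'
      description: 'Defines the deploy stage'
    stage_cleanup:
      default: 'cleanup'
      description: 'Defines the cleanup stage'
    enable_destroy_job:
      # Boolean input: the destroy job below is only added to the pipeline when this is true.
      default: false
      description: 'Whether the destroy job should be created'
---
# Shared settings for every OpenTofu job. All jobs below `extends: .default`.
.default:
  image:
    # NOTE(review): a floating `:latest` tag means the toolchain can change under a
    # running pipeline; consider pinning to a specific image tag or digest.
    name: "$CI_TEMPLATE_REGISTRY_HOST/gitlab-org/terraform-images/stable:latest"
  cache:
    # One cache per Terraform root so that unrelated roots do not share provider downloads.
    key: "${TF_ROOT}"
    paths:
      - ${TF_ROOT}/.terraform/

variables:
  TF_ROOT: ${CI_PROJECT_DIR}  # The relative path to the root directory of the Terraform project
  TF_STATE_NAME: default  # The name of the state file used by the GitLab Managed Terraform state backend

# Formatting check. `allow_failure: true` keeps style issues from blocking the pipeline;
# `needs: []` lets it start without waiting for earlier stages.
fmt:
  extends: .default
  stage: $[[ inputs.stage_validate ]]
  needs: []
  script:
    - gitlab-opentofu fmt
  allow_failure: true
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
      when: never
    - if: $CI_COMMIT_BRANCH  # If there's no open merge request, add it to a *branch* pipeline instead.

# Configuration validation; runs in merge request pipelines and in branch pipelines
# that have no open merge request.
validate:
  extends: .default
  stage: $[[ inputs.stage_validate ]]
  script:
    - gitlab-opentofu validate
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
      when: never
    - if: $CI_COMMIT_BRANCH  # If there's no open merge request, add it to a *branch* pipeline instead.

# Produces the plan consumed by `apply` (plan.cache) and the JSON report shown in the
# merge request widget (plan.json).
plan:
  extends: .default
  stage: $[[ inputs.stage_build ]]
  script:
    - gitlab-opentofu plan
    - gitlab-opentofu plan-json
  environment:
    name: ${TF_STATE_NAME}
    action: prepare
  # Serialises plan/apply jobs that target the same state so they cannot run concurrently.
  resource_group: ${TF_STATE_NAME}
  artifacts:
    # Terraform's cache files can include secrets which can be accidentally exposed.
    # Please exercise caution when utilizing secrets in your Terraform infrastructure and
    # consider limiting access to artifacts or take other security measures to protect sensitive information.
    #
    # The next line, which disables public access to pipeline artifacts, is not available on GitLab.com.
    # See: https://docs.gitlab.com/ee/ci/yaml/#artifactspublic
    public: false
    paths:
      - ${TF_ROOT}/plan.cache
    reports:
      terraform: ${TF_ROOT}/plan.json
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
      when: never
    - if: $CI_COMMIT_BRANCH  # If there's no open merge request, add it to a *branch* pipeline instead.

# Applies the saved plan on the default branch only. The job runs automatically when
# TF_AUTO_DEPLOY is the string "true"; otherwise it is a manual action.
apply:
  extends: .default
  stage: $[[ inputs.stage_deploy ]]
  script:
    - gitlab-opentofu apply
  environment:
    name: ${TF_STATE_NAME}
    action: start
  resource_group: ${TF_STATE_NAME}
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $TF_AUTO_DEPLOY == "true"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: manual

# Manual teardown. The stage is taken from `inputs.stage_cleanup` (the input declared in
# the spec above; there is no `stage_destroy` input). The job is only created when
# `inputs.enable_destroy_job` is true.
destroy:
  extends: .default
  stage: $[[ inputs.stage_cleanup ]]
  script:
    - gitlab-opentofu destroy
  resource_group: ${TF_STATE_NAME}
  when: manual
  rules:
    # NOTE(review): the boolean input is interpolated into the rule expression; with the
    # default `false` the job should never be added — confirm against the rendered pipeline.
    - if: $[[ inputs.enable_destroy_job ]]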