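variables:
  # OpenTofu CI/CD component version, see https://gitlab.com/components/opentofu/-/releases
  VERSION: "0.1.0-alpha4"
  # Compatible OpenTofu version, see https://gitlab.com/components/opentofu/-/releases
  OPENTOFU_VERSION: "1.6.0"
  # Job Image with `gitlab-tofu`.
  # NOTE(review): this is a mutable tag, not a digest. For supply-chain integrity,
  # consumers who need reproducible, tamper-evident runs should pin the image by
  # digest (`image@sha256:...`) in their own pipeline rather than trusting the tag.
  GITLAB_OPENTOFU_IMAGE: registry.gitlab.com/components/opentofu/gitlab-opentofu:$VERSION-opentofu$OPENTOFU_VERSION
  # The relative path to the root directory of the OpenTofu project
  TF_ROOT: ${CI_PROJECT_DIR}
  # The name of the state file used by the GitLab Managed Terraform state backend
  TF_STATE_NAME: default

# Shared base for every job below: the job image plus a cache of the
# `.terraform/` working directory (provider binaries and init metadata).
.opentofu:default:
  image:
    name: $GITLAB_OPENTOFU_IMAGE
  cache:
    key: "$TF_ROOT"
    paths:
      # NOTE(review): the cache is shared across pipelines of this project; do not
      # extend it to paths that may hold plan output or credentials.
      - $TF_ROOT/.terraform/

# Formatting check only; `allow_failure: true` so an unformatted file never
# blocks the pipeline.
.opentofu:fmt:
  extends: .opentofu:default
  stage: validate
  needs: []
  script:
    - gitlab-tofu fmt
  allow_failure: true
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
      when: never
    - if: $CI_COMMIT_BRANCH  # If there's no open merge request, add it to a *branch* pipeline instead.

.opentofu:validate:
  extends: .opentofu:default
  stage: validate
  script:
    - gitlab-tofu validate
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
      when: never
    - if: $CI_COMMIT_BRANCH  # If there's no open merge request, add it to a *branch* pipeline instead.

# Produces the plan consumed by `.opentofu:apply`. The plan cache is published
# as an artifact, so anyone who can download the job's artifacts can read it.
.opentofu:plan:
  extends: .opentofu:default
  stage: build
  script:
    - gitlab-tofu plan
    - gitlab-tofu plan-json
  environment:
    name: $TF_STATE_NAME
    action: prepare
  resource_group: $TF_STATE_NAME
  artifacts:
    # Terraform's cache files can include secrets which can be accidentally exposed.
    # Please exercise caution when utilizing secrets in your Terraform infrastructure and
    # consider limiting access to artifacts or take other security measures to protect sensitive information.
    #
    # The next line, which disables public access to pipeline artifacts, is not available on GitLab.com.
    # See: https://docs.gitlab.com/ee/ci/yaml/#artifactspublic
    # NOTE(review): where `public: false` is not honoured, restrict who can read
    # artifacts through project/pipeline visibility settings instead, and keep
    # `expire_in` short for the plan cache if your project sets one.
    public: false
    paths:
      - $TF_ROOT/plan.cache
    reports:
      terraform: $TF_ROOT/plan.json
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
      when: never
    - if: $CI_COMMIT_BRANCH  # If there's no open merge request, add it to a *branch* pipeline instead.

# Applies the previously produced plan. Only ever added to default-branch
# pipelines: automatically when `TF_AUTO_APPLY` is the string "true",
# otherwise as a manual job.
.opentofu:apply:
  extends: .opentofu:default
  stage: deploy
  script:
    - gitlab-tofu apply
  environment:
    name: $TF_STATE_NAME
    action: start
  resource_group: $TF_STATE_NAME
  rules:
    # String comparison: `TF_AUTO_APPLY` must be exactly "true" (YAML/CI variables
    # are strings), any other value falls through to the manual rule.
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $TF_AUTO_APPLY == "true"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: manual

# Tears the environment down. Unlike apply, the fallback rule has no `if`, so a
# manual destroy job is added to *every* pipeline (feature branches and merge
# requests included), not just the default branch.
.opentofu:destroy:
  extends: .opentofu:default
  stage: cleanup
  script:
    - gitlab-tofu destroy
  environment:
    name: $TF_STATE_NAME
    action: stop
  resource_group: $TF_STATE_NAME
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $TF_AUTO_DESTROY == "true"
    # NOTE(review): consider guarding this with `if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH`
    # (or protected-branch/environment rules) if non-default-branch pipelines
    # should not be able to destroy the shared environment.
    - when: manual

# Deletes the GitLab-managed state file after a destroy. Disabled by default
# (`when: never`); consumers opt in by overriding `rules`.
delete-state:
  extends: .opentofu:default
  stage: cleanup
  # NOTE(review): this references the hidden template job; when enabling this job,
  # point `needs` at the concrete destroy job defined in the consuming pipeline.
  needs: [.opentofu:destroy]
  resource_group: $TF_STATE_NAME
  rules:
    - when: never
  script:
    # `--fail` makes curl exit non-zero on an HTTP error (e.g. 403 when the job
    # token's user lacks the required role, or 404 for an unknown state name);
    # without it the job would report success even though the state still exists.
    - curl --fail --silent --show-error --request DELETE -u "gitlab-ci-token:$CI_JOB_TOKEN" "$CI_API_V4_URL/projects/$CI_PROJECT_ID/terraform/state/$TF_STATE_NAME"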