# This template is a port of the OpenTofu CI/CD component at # https://gitlab.com/components/opentofu # It is generated with the `make backports` command from that project. # # Please make sure to use the component when your project is hosted on GitLab.com # or when you are willing to mirror the component project into your self-managed # instance and use it from there. # # Attention: This template will be removed in favor of the OpenTofu CI/CD component as soon as components # are available for self-managed instances. # # This specific template is located at: # https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/OpenTofu/Base.latest.gitlab-ci.yml variables: # OpenTofu CI/CD component version, see https://gitlab.com/components/opentofu/-/releases VERSION: "latest" # Compatible OpenTofu version, see https://gitlab.com/components/opentofu/-/releases OPENTOFU_VERSION: "1.6.0" # Job Image with `gitlab-tofu` GITLAB_OPENTOFU_IMAGE_REGISTRY_BASE: $CI_REGISTRY/components/opentofu # The relative path to the root directory of the OpenTofu project TF_ROOT: ${CI_PROJECT_DIR} # The name of the state file used by the GitLab Managed Terraform state backend TF_STATE_NAME: default .opentofu:use-component-instead-of-template: stage: .pre needs: [] allow_failure: true rules: - if: '$CI_SERVER_HOST == "gitlab.com"' image: alpine:3.19 script: - | echo "You are using the OpenTofu CI/CD template on GitLab.com which is not recommended." echo "This template is available for self-managed customers until CI/CD components are available to them and it will be removed asap." echo " " echo "We recommend that you migrate to the OpenTofu CI/CD component instead." echo "The OpenTofu CI/CD component with a default configuration can be included as follows:" echo " " echo "include:" echo " - component: gitlab.com/components/opentofu/full-pipeline@~latest" echo " inputs:" echo " version: latest" echo " opentofu_version: 1.6.0" echo "" echo "stages: [validate, build, deploy, cleanup]" echo " " echo "You can read about more about the OpenTofu CI/CD component here:" echo "https://gitlab.com/components/opentofu" - 'false' '.opentofu:fmt': stage: validate needs: [] rules: - if: $CI_PIPELINE_SOURCE == "merge_request_event" - if: $CI_OPEN_MERGE_REQUESTS # Don't add it to a *branch* pipeline if it's already in a merge request pipeline. when: never - if: $CI_COMMIT_BRANCH # If there's no open merge request, add it to a *branch* pipeline instead. #allow_failure: true allow_failure: true cache: key: "$TF_ROOT" paths: - $TF_ROOT/.terraform/ image: name: '$GITLAB_OPENTOFU_IMAGE_REGISTRY_BASE/gitlab-opentofu:$GITLAB_OPENTOFU_VERSION-opentofu$OPENTOFU_VERSION' script: - gitlab-tofu fmt '.opentofu:validate': stage: validate rules: - if: $CI_PIPELINE_SOURCE == "merge_request_event" - if: $CI_OPEN_MERGE_REQUESTS # Don't add it to a *branch* pipeline if it's already in a merge request pipeline. when: never - if: $CI_COMMIT_BRANCH # If there's no open merge request, add it to a *branch* pipeline instead. cache: key: "$TF_ROOT" paths: - $TF_ROOT/.terraform/ image: name: '$GITLAB_OPENTOFU_IMAGE_REGISTRY_BASE/gitlab-opentofu:$GITLAB_OPENTOFU_VERSION-opentofu$OPENTOFU_VERSION' script: - gitlab-tofu validate '.opentofu:plan': stage: build environment: name: $TF_STATE_NAME action: prepare resource_group: $TF_STATE_NAME artifacts: # Terraform's cache files can include secrets which can be accidentally exposed. # Please exercise caution when utilizing secrets in your Terraform infrastructure and # consider limiting access to artifacts or take other security measures to protect sensitive information. # # The next line, which disables public access to pipeline artifacts, is not available on GitLab.com. # See: https://docs.gitlab.com/ee/ci/yaml/#artifactspublic public: false paths: - $TF_ROOT/plan.cache reports: terraform: $TF_ROOT/plan.json rules: - if: $CI_PIPELINE_SOURCE == "merge_request_event" - if: $CI_OPEN_MERGE_REQUESTS # Don't add it to a *branch* pipeline if it's already in a merge request pipeline. when: never - if: $CI_COMMIT_BRANCH # If there's no open merge request, add it to a *branch* pipeline instead. cache: key: "$TF_ROOT" paths: - $TF_ROOT/.terraform/ image: name: '$GITLAB_OPENTOFU_IMAGE_REGISTRY_BASE/gitlab-opentofu:$GITLAB_OPENTOFU_VERSION-opentofu$OPENTOFU_VERSION' script: - gitlab-tofu plan - gitlab-tofu plan-json '.opentofu:apply': stage: deploy environment: name: $TF_STATE_NAME action: start resource_group: $TF_STATE_NAME rules: - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && "$_TF_AUTO_APPLY" == "true"' - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH when: manual cache: key: "$TF_ROOT" paths: - $TF_ROOT/.terraform/ image: name: '$GITLAB_OPENTOFU_IMAGE_REGISTRY_BASE/gitlab-opentofu:$GITLAB_OPENTOFU_VERSION-opentofu$OPENTOFU_VERSION' script: - gitlab-tofu apply '.opentofu:destroy': stage: cleanup environment: name: $TF_STATE_NAME action: stop resource_group: $TF_STATE_NAME rules: - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && "$_TF_AUTO_DESTROY" == "true"' - when: manual cache: key: "$TF_ROOT" paths: - $TF_ROOT/.terraform/ image: name: '$GITLAB_OPENTOFU_IMAGE_REGISTRY_BASE/gitlab-opentofu:$GITLAB_OPENTOFU_VERSION-opentofu$OPENTOFU_VERSION' script: - gitlab-tofu destroy '.opentofu:delete-state': stage: cleanup resource_group: $TF_STATE_NAME image: curlimages/curl:latest script: - curl --request DELETE -u "gitlab-ci-token:$CI_JOB_TOKEN" "$CI_API_V4_URL/projects/$CI_PROJECT_ID/terraform/state/$TF_STATE_NAME" rules: - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH' - when: manual