diff --git a/README.md b/README.md
index e8a61637f1dcc9ce14ec2249bbb6e92cebfd1420..ab147d3ccd9d969425f21908d61781595dff12b8 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,7 @@
 # Terraform Images
+**This product is not officially supported by GitLab. We provide it on a community support bases to allow Terraform users to continue using Terraform with GitLab.**
+
 > 🚨 This repository won't upgrade to any new Terraform releases with the BSL license.
 > Please follow [this issue](https://gitlab.com/gitlab-org/terraform-images/-/issues/114) for updates.
 >
diff --git a/templates/Terraform.gitlab-ci.yml b/templates/Terraform.gitlab-ci.yml
new file mode 100644
index 0000000000000000000000000000000000000000..c276584058151bbc829bc53185530199c4acd63f
--- /dev/null
+++ b/templates/Terraform.gitlab-ci.yml
@@ -0,0 +1,37 @@
+# To contribute improvements to CI/CD templates, please follow the Development guide at:
+# https://docs.gitlab.com/ee/development/cicd/templates.html
+# This specific template is located at:
+# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Terraform.gitlab-ci.yml
+
+include:
+ - local: Terraform/Base.gitlab-ci.yml
+ - template: Jobs/SAST-IaC.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Jobs/SAST-IaC.gitlab-ci.yml
+
+stages:
+ - validate
+ - test
+ - build
+ - deploy
+ - cleanup
+
+fmt:
+ extends: .terraform:fmt
+ needs: []
+
+validate:
+ extends: .terraform:validate
+ needs: []
+
+build:
+ extends: .terraform:build
+ environment:
+ name: $TF_STATE_NAME
+ action: prepare
+
+deploy:
+ extends: .terraform:deploy
+ dependencies:
+ - build
+ environment:
+ name: $TF_STATE_NAME
+ action: start
diff --git a/templates/Terraform.latest.gitlab-ci.yml b/templates/Terraform.latest.gitlab-ci.yml
new file mode 100644
index 0000000000000000000000000000000000000000..6c96e58301c2ef6c3ba35b771ee3159b5274a094
--- /dev/null
+++ b/templates/Terraform.latest.gitlab-ci.yml
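Review bot: The `build` job extends `.terraform:build`, which in the accompanying `Terraform/Base.gitlab-ci.yml` hunk carries no `rules`, so `gitlab-terraform plan` — with state access and whatever provider credentials the project exposes as CI variables — runs in every pipeline on every ref, while `deploy` is confined to the default branch by the base rules. That plan-everywhere/apply-on-default split is a reasonable default, but the template does not say so, and a project that keeps provider credentials in unprotected CI variables hands them to any branch pipeline. I'd add above `build:` a comment such as `# Runs terraform plan on every ref; keep provider credentials in protected/masked CI variables if plans on unprotected branches must not receive them`. Whether `plan` actually needs cloud credentials depends on the providers in use, which this template cannot see.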
@@ -0,0 +1,37 @@
+# To contribute improvements to CI/CD templates, please follow the Development guide at:
+# https://docs.gitlab.com/ee/development/cicd/templates.html
+# This specific template is located at:
+# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Terraform.latest.gitlab-ci.yml
+
+include:
+ - local: Terraform/Base.latest.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Terraform/Base.latest.gitlab-ci.yml
+ - template: Jobs/SAST-IaC.latest.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml
+
+stages:
+ - validate
+ - test
+ - build
+ - deploy
+ - cleanup
+
+fmt:
+ extends: .terraform:fmt
+ needs: []
+
+validate:
+ extends: .terraform:validate
+ needs: []
+
+build:
+ extends: .terraform:build
+ environment:
+ name: $TF_STATE_NAME
+ action: prepare
+
+deploy:
+ extends: .terraform:deploy
+ dependencies:
+ - build
+ environment:
+ name: $TF_STATE_NAME
+ action: start
diff --git a/templates/Terraform/Base.gitlab-ci.yml b/templates/Terraform/Base.gitlab-ci.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f516a22257f4a533c04080e6966cd478c2afffe1
--- /dev/null
+++ b/templates/Terraform/Base.gitlab-ci.yml
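Review bot: `deploy` declares `dependencies: - build` to pick up the plan artifact, but the `.terraform:build` rules in the accompanying `Base.latest.gitlab-ci.yml` hunk set `when: never` whenever `$CI_OPEN_MERGE_REQUESTS` is set on a branch pipeline, whereas `.terraform:deploy` matches any pipeline where `$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH`; if the default branch is itself the source of an open merge request, a push to it presumably yields a pipeline containing `deploy` but no `build`, so `gitlab-terraform apply` would run without a `plan.cache` produced in the same pipeline. How the wrapper behaves without the plan file is not visible here — it may fail, or it may plan and apply in one step, which would bypass the plan that was meant to be reviewed. I'd make the build rules match the deploy gate by inserting `- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH` as the first rule of `.terraform:build` (ahead of the `$CI_OPEN_MERGE_REQUESTS` / `when: never` rule) so a default-branch pipeline always carries the plan its `deploy` consumes.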
@@ -0,0 +1,66 @@
+# Terraform/Base
+#
+# The purpose of this template is to provide flexibility to the user so
+# they are able to only include the jobs that they find interesting.
+#
+# Therefore, this template is not supposed to run any jobs. The idea is to only
+# create hidden jobs. See: https://docs.gitlab.com/ee/ci/jobs/#hide-jobs
+#
+# There is a more opinionated template which we suggest the users to abide,
+# which is the lib/gitlab/ci/templates/Terraform.gitlab-ci.yml
+
+# NOTE: the image is required to be set by the user.
+#image:
+# name: "$CI_TEMPLATE_REGISTRY_HOST/gitlab-org/terraform-images/releases/1.4:v1.0.0"
+
+variables:
+ TF_ROOT: ${CI_PROJECT_DIR} # The relative path to the root directory of the Terraform project
+ TF_STATE_NAME: default # The name of the state file used by the GitLab Managed Terraform state backend
+
+cache:
+ key: "${TF_ROOT}"
+ paths:
+ - ${TF_ROOT}/.terraform/
+
+.terraform:fmt:
+ stage: validate
+ script:
+ - gitlab-terraform fmt
+ allow_failure: true
+
+.terraform:validate:
+ stage: validate
+ script:
+ - gitlab-terraform validate
+
+.terraform:build:
+ stage: build
+ script:
+ - gitlab-terraform plan
+ - gitlab-terraform plan-json
+ resource_group: ${TF_STATE_NAME}
+ artifacts:
+ # The next line, which disables public access to pipeline artifacts, may not be available everywhere.
+ # See: https://docs.gitlab.com/ee/ci/yaml/#artifactspublic
+ public: false
+ paths:
+ - ${TF_ROOT}/plan.cache
+ reports:
+ terraform: ${TF_ROOT}/plan.json
+
+.terraform:deploy:
+ stage: deploy
+ script:
+ - gitlab-terraform apply
+ resource_group: ${TF_STATE_NAME}
+ rules:
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $TF_AUTO_DEPLOY == "true"
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+ when: manual
+
+.terraform:destroy:
+ stage: cleanup
+ script:
+ - gitlab-terraform destroy
+ resource_group: ${TF_STATE_NAME}
+ when: manual
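Review bot: The `artifacts` comment on `.terraform:build` says `public: false` "may not be available everywhere" but, unlike the `Base.latest` variant in this same change, does not tell the reader what is at stake: where `public:` is ignored, the `plan.cache` artifact is downloadable by anyone who can view the pipeline, and plan files can carry secret values pulled from state or providers. I'd carry over the same wording, `# Terraform's plan/cache files can include secrets which can be accidentally exposed; limit access to artifacts or take other measures where public: false is not honoured`. Separately, `.terraform:destroy` at the end of the hunk is gated only by `when: manual` with no `rules`, so once a project extends it the destroy job is offered in every branch and merge-request pipeline against the same `$TF_STATE_NAME` state, while `.terraform:deploy` just above is limited to `$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH`; the same `rules:` / `- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH` / `when: manual` gate belongs on destroy.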
diff --git a/templates/Terraform/Base.latest.gitlab-ci.yml b/templates/Terraform/Base.latest.gitlab-ci.yml
new file mode 100644
index 0000000000000000000000000000000000000000..b0915a0da11c7fd47aa9b5dca667968526cc10f5
--- /dev/null
+++ b/templates/Terraform/Base.latest.gitlab-ci.yml
@@ -0,0 +1,86 @@
+# Terraform/Base.latest
+#
+# The purpose of this template is to provide flexibility to the user so
+# they are able to only include the jobs that they find interesting.
+#
+# Therefore, this template is not supposed to run any jobs. The idea is to only
+# create hidden jobs. See: https://docs.gitlab.com/ee/ci/yaml/#hide-jobs
+#
+# There is a more opinionated template which we suggest the users to abide,
+# which is the lib/gitlab/ci/templates/Terraform.latest.gitlab-ci.yml
+
+default:
+ # NOTE: the image is required to be set by the user.
+ # image:
+ # name: "$CI_TEMPLATE_REGISTRY_HOST/gitlab-org/terraform-images/stable:latest"
+
+ cache:
+ key: "${TF_ROOT}"
+ paths:
+ - ${TF_ROOT}/.terraform/
+
+variables:
+ TF_ROOT: ${CI_PROJECT_DIR} # The relative path to the root directory of the Terraform project
+ TF_STATE_NAME: default # The name of the state file used by the GitLab Managed Terraform state backend
+
+.terraform:fmt:
+ stage: validate
+ script:
+ - gitlab-terraform fmt
+ allow_failure: true
+ rules:
+ - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+ - if: $CI_OPEN_MERGE_REQUESTS # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
+ when: never
+ - if: $CI_COMMIT_BRANCH # If there's no open merge request, add it to a *branch* pipeline instead.
+
+.terraform:validate:
+ stage: validate
+ script:
+ - gitlab-terraform validate
+ rules:
+ - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+ - if: $CI_OPEN_MERGE_REQUESTS # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
+ when: never
+ - if: $CI_COMMIT_BRANCH # If there's no open merge request, add it to a *branch* pipeline instead.
+
+.terraform:build:
+ stage: build
+ script:
+ - gitlab-terraform plan
+ - gitlab-terraform plan-json
+ resource_group: ${TF_STATE_NAME}
+ artifacts:
+ # Terraform's cache files can include secrets which can be accidentally exposed.
+ # Please exercise caution when utilizing secrets in your Terraform infrastructure and
+ # consider limiting access to artifacts or take other security measures to protect sensitive information.
+ #
+ # The next line, which disables public access to pipeline artifacts, is not available on GitLab.com.
+ # See: https://docs.gitlab.com/ee/ci/yaml/#artifactspublic
+ public: false
+ paths:
+ - ${TF_ROOT}/plan.cache
+ reports:
+ terraform: ${TF_ROOT}/plan.json
+ rules:
+ - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+ - if: $CI_OPEN_MERGE_REQUESTS # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
+ when: never
+ - if: $CI_COMMIT_BRANCH # If there's no open merge request, add it to a *branch* pipeline instead.
+
+.terraform:deploy:
+ stage: deploy
+ script:
+ - gitlab-terraform apply
+ resource_group: ${TF_STATE_NAME}
+ rules:
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $TF_AUTO_DEPLOY == "true"
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+ when: manual
+
+.terraform:destroy:
+ stage: cleanup
+ script:
+ - gitlab-terraform destroy
+ resource_group: ${TF_STATE_NAME}
+ when: manual
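Review bot: `.terraform:destroy` in the last lines of the hunk has no `rules`, only `when: manual`, so a project that extends it gets a playable destroy job in every branch and merge-request pipeline — for anyone allowed to run a pipeline on any ref and play manual jobs — against the `$TF_STATE_NAME` state, whereas `.terraform:deploy` directly above is restricted to `$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH` and the fmt/validate/build jobs all carry explicit rules. I'd mirror the deploy gate on destroy: `rules:` / `  - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH` / `    when: manual`, and say in a comment that destroying is intentionally limited to the default branch. A smaller caveat for the `default.cache` block: its key is `"${TF_ROOT}"` with no ref component, so the cached `.terraform/` directory, including downloaded provider binaries, is shared between every branch and the default-branch apply; I believe a committed `.terraform.lock.hcl` is what makes reusing those binaries safe, so a comment recommending one (or adding `$CI_COMMIT_REF_SLUG` to the key) would be worth having — confirm against Terraform's `init` verification behaviour.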