Refactor rules in all jobs

templates/apply.yml

@@ -62,7 +62,11 @@ spec:
     auto_apply:
       default: false
       type: boolean
-      description: 'Whether the apply job is manual or automatically run.'
+      description: 'Whether the apply job is manual or automatically run. Prepend to the `rules` input array.'
+    rules:
+      type: array
+      default: []
+      description: 'An array of rules for the conditional creation of the apply job.'
 
 ---
 
@@ -73,9 +77,8 @@ spec:
     action: start
   resource_group: $TF_STATE_NAME
   rules:
-    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && "$[[ inputs.auto_apply ]]" == "true"'
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
-      when: manual
+    - if: '"[[ inputs.auto_apply ]]" == "true"'
+    - $[[ inputs.rules ]]
   cache:
     key: "$__CACHE_KEY_HACK"
     paths:

templates/custom-command.yml

@@ -53,11 +53,17 @@ spec:
     command:
       description: 'The gitlab-tofu command to run.'
 
+    rules:
+      type: array
+      default: []
+      description: 'An array of rules for the conditional creation of the apply job.'
+
 ---
 
 '$[[ inputs.as ]]':
   stage: $[[ inputs.stage ]]
   needs: []
+  rules: $[[ inputs.rules ]]
   cache:
     key: "$__CACHE_KEY_HACK"
     paths:

templates/delete-state.yml

@@ -15,17 +15,19 @@ spec:
     create_delete_state_job:
       default: 'true'
       description: 'Wheather the delete-state job should be created or not.'
+    rules:
+      type: array
+      default: []
+      description: 'An array of rules for the conditional creation of the apply job.'
 
 ---
 
 '$[[ inputs.as ]]':
   stage: $[[ inputs.stage ]]
+  rules: $[[ inputs.rules ]]
   resource_group: $TF_STATE_NAME
   image: curlimages/curl:latest
   variables:
     TF_STATE_NAME: $[[ inputs.state_name ]]
   script:
     - curl --request DELETE -u "gitlab-ci-token:$CI_JOB_TOKEN" "$CI_API_V4_URL/projects/$CI_PROJECT_ID/terraform/state/$TF_STATE_NAME"
-  rules:
-    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
-    - when: manual

templates/destroy.yml

@@ -63,6 +63,10 @@ spec:
       default: false
       type: boolean
       description: 'Whether the destroy job is manual or automatically run.'
+    rules:
+      type: array
+      default: []
+      description: 'An array of rules for the conditional creation of the apply job.'
 
 ---
 
@@ -72,9 +76,7 @@ spec:
     name: $TF_STATE_NAME
     action: stop
   resource_group: $TF_STATE_NAME
-  rules:
-    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && "$[[ inputs.auto_destroy ]]" == "true"'
-    - when: manual
+  rules: $[[ inputs.rules ]]
   cache:
     key: "$__CACHE_KEY_HACK"
     paths:

templates/fmt.yml

@@ -49,22 +49,21 @@ spec:
     root_dir:
       default: ${CI_PROJECT_DIR}
       description: 'Root directory for the OpenTofu project.'
-
     allow_failure:
       default: true
       type: boolean
       description: 'If the job is allowed to fail or not.'
+    rules:
+      type: array
+      default: []
+      description: 'An array of rules for the conditional creation of the apply job.'
 
 ---
 
 '$[[ inputs.as ]]':
   stage: $[[ inputs.stage ]]
   needs: []
-  rules:
-    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-    - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
-      when: never
-    - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
+  rules: $[[ inputs.rules ]]
   allow_failure: $[[ inputs.allow_failure ]]
   cache:
     key: "$__CACHE_KEY_HACK"

templates/full-pipeline.yml

@@ -85,6 +85,11 @@ include:
       image_registry_base: $[[ inputs.image_registry_base ]]
       image_name: $[[ inputs.image_name ]]
       root_dir: $[[ inputs.root_dir ]]
+      rules:
+        - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+        - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
+          when: never
+        - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
   - local: '/templates/validate.yml'
     inputs:
       as: 'validate'
@@ -95,6 +100,11 @@ include:
       image_name: $[[ inputs.image_name ]]
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
+      rules:
+        - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+        - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
+          when: never
+        - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
   - local: '/templates/test.yml'
     inputs:
       as: 'test'
@@ -105,6 +115,11 @@ include:
       image_name: $[[ inputs.image_name ]]
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
+      rules:
+        - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+        - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
+          when: never
+        - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
     rules:
       - exists:
           - $[[ inputs.root_dir ]]/**/*.tftest.hcl
@@ -119,6 +134,11 @@ include:
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
       artifacts_access: $[[ inputs.plan_artifacts_access ]]
+      rules:
+        - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+        - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
+          when: never
+        - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
   - local: '/templates/apply.yml'
     inputs:
       as: 'apply'
@@ -130,6 +150,9 @@ include:
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
       auto_apply: $[[ inputs.auto_apply ]]
+      rules:
+        - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+          when: manual
   - local: '/templates/destroy.yml'
     inputs:
       as: 'destroy'
@@ -141,11 +164,17 @@ include:
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
       auto_destroy: $[[ inputs.auto_destroy ]]
+      rules:
+        - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && "$[[ inputs.auto_destroy ]]" == "true"'
+        - when: manual
   - local: '/templates/delete-state.yml'
     inputs:
       as: 'delete-state'
       stage: $[[ inputs.stage_cleanup ]]
       state_name: $[[ inputs.state_name ]]
+      rules:
+        - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+        - when: manual
 
 # NOTE: we have to define this `needs` here, because inputs don't support arrays, yet.
 delete-state:

templates/module-release.yml

@@ -30,10 +30,16 @@ spec:
         e.g. '0.1.0'
       default: ${CI_COMMIT_TAG}
 
+    rules:
+      type: array
+      default: []
+      description: 'An array of rules for the conditional creation of the apply job.'
+
 ---
 
 '$[[ inputs.as ]]':
   stage: $[[ inputs.stage ]]
+  rules: $[[ inputs.rules ]]
   image: curlimages/curl:8.8.0
   variables:
     TAR_FILENAME: /tmp/${CI_PROJECT_NAME}-${CI_COMMIT_SHA}.tgz

templates/plan.yml

@@ -62,6 +62,10 @@ spec:
     artifacts_access:
       default: 'none'
       description: 'Access level for the plan artifact. See https://docs.gitlab.com/ee/ci/yaml/#artifactsaccess for possible values.'
+    rules:
+      type: array
+      default: []
+      description: 'An array of rules for the conditional creation of the apply job.'
 
 ---
 
@@ -81,11 +85,7 @@ spec:
       - $TF_ROOT/$[[ inputs.plan_name ]].cache
     reports:
       terraform: $TF_ROOT/$[[ inputs.plan_name]].json
-  rules:
-    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-    - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
-      when: never
-    - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
+  rules: $[[ inputs.rules ]]
   cache:
     key: "$__CACHE_KEY_HACK"
     paths:

templates/test.yml

@@ -52,17 +52,17 @@ spec:
     state_name:
       default: default
       description: 'Remote OpenTofu state name.'
+    rules:
+      type: array
+      default: []
+      description: 'An array of rules for the conditional creation of the apply job.'
 
 ---
 
 '$[[ inputs.as ]]':
   stage: $[[ inputs.stage ]]
   needs: []
-  rules:
-    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-    - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
-      when: never
-    - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
+  rules: $[[ inputs.rules ]]
   cache:
     key: "$__CACHE_KEY_HACK"
     paths:

templates/validate-plan-apply.yml

@@ -75,6 +75,11 @@ include:
       image_registry_base: $[[ inputs.image_registry_base ]]
       image_name: $[[ inputs.image_name ]]
       root_dir: $[[ inputs.root_dir ]]
+      rules:
+        - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+        - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
+          when: never
+        - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
   - local: '/templates/validate.yml'
     inputs:
       as: 'validate'
@@ -85,6 +90,11 @@ include:
       image_name: $[[ inputs.image_name ]]
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
+      rules:
+        - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+        - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
+          when: never
+        - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
   - local: '/templates/plan.yml'
     inputs:
       as: 'plan'
@@ -96,6 +106,11 @@ include:
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
       artifacts_access: $[[ inputs.plan_artifacts_access ]]
+      rules:
+        - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+        - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
+          when: never
+        - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
   - local: '/templates/apply.yml'
     inputs:
       as: 'apply'
@@ -107,3 +122,6 @@ include:
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
       auto_apply: $[[ inputs.auto_apply ]]
+      rules:
+        - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+          when: manual

templates/validate-plan-destroy.yml

@@ -78,6 +78,11 @@ include:
       image_registry_base: $[[ inputs.image_registry_base ]]
       image_name: $[[ inputs.image_name ]]
       root_dir: $[[ inputs.root_dir ]]
+      rules:
+        - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+        - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
+          when: never
+        - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
   - local: '/templates/validate.yml'
     inputs:
       as: 'validate'
@@ -88,6 +93,11 @@ include:
       image_name: $[[ inputs.image_name ]]
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
+      rules:
+        - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+        - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
+          when: never
+        - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
   - local: '/templates/plan.yml'
     inputs:
       as: 'plan'
@@ -101,6 +111,11 @@ include:
       plan_name: $[[ inputs.plan_name ]]
       artifacts_access: $[[ inputs.plan_artifacts_access ]]
       destroy: true
+      rules:
+        - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+        - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
+          when: never
+        - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
   - local: '/templates/destroy.yml'
     inputs:
       as: 'destroy'
@@ -114,11 +129,17 @@ include:
       no_plan: false
       plan_name: $[[ inputs.plan_name ]]
       auto_destroy: $[[ inputs.auto_destroy ]]
+      rules:
+        - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && "$[[ inputs.auto_destroy ]]" == "true"'
+        - when: manual
   - local: '/templates/delete-state.yml'
     inputs:
       as: 'delete-state'
       stage: $[[ inputs.stage_cleanup ]]
       state_name: $[[ inputs.state_name ]]
+      rules:
+        - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+        - when: manual
 
 # NOTE: we have to define this `needs` here, because inputs don't support arrays, yet.
 delete-state:

templates/validate-plan.yml

@@ -68,6 +68,11 @@ include:
       image_registry_base: $[[ inputs.image_registry_base ]]
       image_name: $[[ inputs.image_name ]]
       root_dir: $[[ inputs.root_dir ]]
+      rules:
+        - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+        - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
+          when: never
+        - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
   - local: '/templates/validate.yml'
     inputs:
       as: 'validate'
@@ -78,6 +83,11 @@ include:
       image_name: $[[ inputs.image_name ]]
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
+      rules:
+        - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+        - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
+          when: never
+        - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
   - local: '/templates/plan.yml'
     inputs:
       as: 'plan'
@@ -89,3 +99,8 @@ include:
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
       artifacts_access: $[[ inputs.artifacts_access ]]
+      rules:
+        - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+        - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
+          when: never
+        - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.

templates/validate.yml

@@ -52,16 +52,16 @@ spec:
     state_name:
       default: default
       description: 'Remote OpenTofu state name.'
+    rules:
+      type: array
+      default: []
+      description: 'An array of rules for the conditional creation of the apply job.'
 
 ---
 
 '$[[ inputs.as ]]':
   stage: $[[ inputs.stage ]]
-  rules:
-    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-    - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
-      when: never
-    - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
+  rules: $[[ inputs.rules ]]
   cache:
     key: "$__CACHE_KEY_HACK"
     paths: