Merge branch 'artifacts-access' into 'main'

Lock down plan artifacts access Closes #29 See merge request components/opentofu!80

Merge branch 'artifacts-access' into 'main'
492fe792 · Timo Furrer · d7b564bb · dadf9916 · 492fe792 · 492fe792
Commit 492fe792 authored 1 year ago by Timo Furrer
--- a/README.md
+++ b/README.md
@@ -182,6 +182,7 @@ Have a look at the individual template spec to learn about the available inputs.
 | `state_name` | `default` | Remote OpenTofu state name. |
 | `auto_apply` | `false` | Whether the apply job is manual or automatically run. |
 | `auto_destroy` | `false` | Whether the destroy job is manual or automatically run. |
+| `plan_artifacts_access` | `none` | Access level for the plan artifact. See https://docs.gitlab.com/ee/ci/yaml/#artifactsaccess for possible values. |

 ### Available OpenTofu Versions


--- a/templates/full-pipeline.yml
+++ b/templates/full-pipeline.yml
@@ -67,6 +67,9 @@ spec:
      default: false
      type: boolean
      description: 'Whether the destroy job is manual or automatically run.'
+    plan_artifacts_access:
+      default: 'none'
+      description: 'Access level for the plan artifact. See https://docs.gitlab.com/ee/ci/yaml/#artifactsaccess for possible values.'

 ---

@@ -113,6 +116,7 @@ include:
      image_name: $[[ inputs.image_name ]]
      root_dir: $[[ inputs.root_dir ]]
      state_name: $[[ inputs.state_name ]]
+      artifacts_access: $[[ inputs.plan_artifacts_access ]]
  - local: '/templates/apply.yml'
    inputs:
      as: 'apply'

--- a/templates/plan.yml
+++ b/templates/plan.yml
@@ -57,6 +57,9 @@ spec:
      default: false
      type: boolean
      description: 'Indicate if the plan should be a destroy plan. You may want to change the `plan_name` input to `destroy-plan` which is the default for the destroy job.'
+    artifacts_access:
+      default: 'none'
+      description: 'Access level for the plan artifact. See https://docs.gitlab.com/ee/ci/yaml/#artifactsaccess for possible values.'

 ---

@@ -70,10 +73,8 @@ spec:
    # Terraform's cache files can include secrets which can be accidentally exposed.
    # Please exercise caution when utilizing secrets in your Terraform infrastructure and
    # consider limiting access to artifacts or take other security measures to protect sensitive information.
-    #
-    # The next line, which disables public access to pipeline artifacts, is not available on GitLab.com.
-    # See: https://docs.gitlab.com/ee/ci/yaml/#artifactspublic
-    public: false
+    # See https://docs.gitlab.com/ee/ci/yaml/#artifactsaccess for possible values.
+    access: '$[[ inputs.artifacts_access ]]'
    paths:
      - $TF_ROOT/$[[ inputs.plan_name ]].cache
    reports:

--- a/templates/validate-plan-apply.yml
+++ b/templates/validate-plan-apply.yml
@@ -57,6 +57,9 @@ spec:
      default: false
      type: boolean
      description: 'Whether the apply job is manual or automatically run.'
+    plan_artifacts_access:
+      default: 'none'
+      description: 'Access level for the plan artifact. See https://docs.gitlab.com/ee/ci/yaml/#artifactsaccess for possible values.'

 ---

@@ -90,6 +93,7 @@ include:
      image_name: $[[ inputs.image_name ]]
      root_dir: $[[ inputs.root_dir ]]
      state_name: $[[ inputs.state_name ]]
+      artifacts_access: $[[ inputs.plan_artifacts_access ]]
  - local: '/templates/apply.yml'
    inputs:
      as: 'apply'

--- a/templates/validate-plan-destroy.yml
+++ b/templates/validate-plan-destroy.yml
@@ -56,6 +56,9 @@ spec:
    plan_name:
      default: 'destroy-plan'
      description: 'Destroy plan file name.'
+    plan_artifacts_access:
+      default: 'none'
+      description: 'Access level for the plan artifact. See https://docs.gitlab.com/ee/ci/yaml/#artifactsaccess for possible values.'
    auto_destroy:
      default: false
      type: boolean
@@ -94,6 +97,7 @@ include:
      root_dir: $[[ inputs.root_dir ]]
      state_name: $[[ inputs.state_name ]]
      plan_name: $[[ inputs.plan_name ]]
+      artifacts_access: $[[ inputs.plan_artifacts_access ]]
      destroy: true
  - local: '/templates/destroy.yml'
    inputs:

--- a/templates/validate-plan.yml
+++ b/templates/validate-plan.yml
@@ -50,6 +50,9 @@ spec:
    state_name:
      default: default
      description: 'Remote OpenTofu state name.'
+    artifacts_access:
+      default: 'none'
+      description: 'Access level for the plan artifact. See https://docs.gitlab.com/ee/ci/yaml/#artifactsaccess for possible values.'

 ---

@@ -83,3 +86,4 @@ include:
      image_name: $[[ inputs.image_name ]]
      root_dir: $[[ inputs.root_dir ]]
      state_name: $[[ inputs.state_name ]]
+      artifacts_access: $[[ inputs.artifacts_access ]]