Add make target to generate template backports

535ba258 · Timo Furrer · bace4f93 · 535ba258 · 535ba258 · 535ba258
Unverified Commit 535ba258 authored 1 year ago by Timo Furrer
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -74,6 +74,16 @@ check-readme:
    - make docs
    - git diff --exit-code
+check-backports:
+  stage: test
+  needs: []
+  image: alpine:latest
+  before_script:
+    - apk add coreutils make git sed
+  script:
+    - make backports
+    - git diff --exit-code
 container_scanning:
  extends: .opentofu-versions
  needs: ['gitlab-opentofu-image:build']

--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -19,3 +19,13 @@ When adding new OpenTofu versions the following places need to be updated:
 All of the above definitions have to match each other.
 We currently need to change it in multiple places, because there is not a good way to share information
 from the templates and the components pipeline defintion - at least in the features we'd like to use them.
+## Backports
+The OpenTofu CI/CD component needs to be backported as OpenTofu CI/CD template, 
+because components are not yet properly supported in self-managed instances.
+That is, they are not bundled and it's not possible to use a component across instances.
+The OpenTofu CI/CD job and pipeline templates can be generated using `make backports`.
+The output is generated into the `backports` folder. Please contribute those files
+only upon manual inspection to the canonical GitLab repository.
--- a/Makefile
+++ b/Makefile
@@ -12,3 +12,35 @@ docs:
 	yq -r '.spec.inputs.opentofu_version.options | .[] | "- [`" + . + "`](https://github.com/opentofu/opentofu/releases/tag/v" + . + ")"' templates/full-pipeline.yml >> README.md
 	tail -n+2 readme1 >> README.md
 	rm -f readme0 readme1 readme_inputs.md
+BACKPORTS_DIR := backports
+BACKPORTS_BASE_FILE := $(BACKPORTS_DIR)/Base.gitlab-ci.yml
+.PHONY: backports
+backports:
+	@mkdir -p $(BACKPORTS_DIR)
+	@echo 'variables:' > $(BACKPORTS_BASE_FILE)
+	@echo '  # OpenTofu CI/CD component version, see https://gitlab.com/components/opentofu/-/releases' >> $(BACKPORTS_BASE_FILE)
+	@echo '  VERSION: "0.1.0-alpha4"' >> $(BACKPORTS_BASE_FILE)
+	@echo '  # Compatible OpenTofu version, see https://gitlab.com/components/opentofu/-/releases' >> $(BACKPORTS_BASE_FILE)
+	@echo '  OPENTOFU_VERSION: "1.6.0"' >> $(BACKPORTS_BASE_FILE)
+	@echo '  TF_ROOT: $${CI_PROJECT_DIR}  # The relative path to the root directory of the OpenTofu project' >> $(BACKPORTS_BASE_FILE)
+	@echo '  TF_STATE_NAME: default  # The name of the state file used by the GitLab Managed Terraform state backend'>> $(BACKPORTS_BASE_FILE)
+	@sed '1,/^---$$/d' templates/full-pipeline.yml >> $(BACKPORTS_BASE_FILE)
+	@sed -i $(BACKPORTS_BASE_FILE) -e 's/$$\[\[ inputs.stage_validate \]\]/validate/'
+	@sed -i $(BACKPORTS_BASE_FILE) -e 's/$$\[\[ inputs.stage_build \]\]/build/'
+	@sed -i $(BACKPORTS_BASE_FILE) -e 's/$$\[\[ inputs.stage_deploy \]\]/deploy/'
+	@sed -i $(BACKPORTS_BASE_FILE) -e 's/$$\[\[ inputs.stage_cleanup \]\]/cleanup/'
+	@sed -i $(BACKPORTS_BASE_FILE) -e 's#$$\[\[ inputs.gitlab_opentofu_image \]\]#registry.gitlab.com/components/opentofu/gitlab-opentofu:$$VERSION-opentofu$$OPENTOFU_VERSION#'
+	@sed -i $(BACKPORTS_BASE_FILE) -e 's/$$\[\[ inputs.root_dir \]\]/$$TF_ROOT/'
+	@sed -i $(BACKPORTS_BASE_FILE) -e 's/$$\[\[ inputs.state_name \]\]/$$TF_STATE_NAME/'
+	@sed -i $(BACKPORTS_BASE_FILE) -e 's/$$\[\[ inputs.auto_apply \]\]/$$TF_AUTO_APPLY/'
+	@sed -i $(BACKPORTS_BASE_FILE) -e 's/$$\[\[ inputs.auto_destroy \]\]/$$TF_AUTO_DESTROY/'
+	@sed -i $(BACKPORTS_BASE_FILE) -e 's/\.default/.opentofu:default/'
+	@sed -i $(BACKPORTS_BASE_FILE) -e 's/^fmt:$$/.opentofu:fmt:/'
+	@sed -i $(BACKPORTS_BASE_FILE) -e 's/^validate:$$/.opentofu:validate:/'
+	@sed -i $(BACKPORTS_BASE_FILE) -e 's/^plan:$$/.opentofu:plan:/'
+	@sed -i $(BACKPORTS_BASE_FILE) -e 's/^apply:$$/.opentofu:apply:/'
+	@sed -i $(BACKPORTS_BASE_FILE) -e 's/destroy:/.opentofu:destroy:/'
+	@sed -i $(BACKPORTS_BASE_FILE) -e 's/\[destroy\]/[.opentofu:destroy]/'
--- a/backports/Base.gitlab-ci.yml
+++ b/backports/Base.gitlab-ci.yml
+variables:
+  # OpenTofu CI/CD component version, see https://gitlab.com/components/opentofu/-/releases
+  VERSION: "0.1.0-alpha4"
+  # Compatible OpenTofu version, see https://gitlab.com/components/opentofu/-/releases
+  OPENTOFU_VERSION: "1.6.0"
+  TF_ROOT: ${CI_PROJECT_DIR}  # The relative path to the root directory of the OpenTofu project
+  TF_STATE_NAME: default  # The name of the state file used by the GitLab Managed Terraform state backend
+.opentofu:default:
+  image:
+    name: registry.gitlab.com/components/opentofu/gitlab-opentofu:$VERSION-opentofu$OPENTOFU_VERSION
+  cache:
+    key: "$TF_ROOT"
+    paths:
+      - $TF_ROOT/.terraform/
+.opentofu:fmt:
+  extends: .opentofu:default
+  stage: validate
+  needs: []
+  script:
+    - gitlab-tofu fmt
+  allow_failure: true
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
+      when: never
+    - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
+.opentofu:validate:
+  extends: .opentofu:default
+  stage: validate
+  script:
+    - gitlab-tofu validate
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
+      when: never
+    - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
+.opentofu:plan:
+  extends: .opentofu:default
+  stage: build
+  script:
+    - gitlab-tofu plan
+    - gitlab-tofu plan-json
+  environment: 
+    name: $TF_STATE_NAME
+    action: prepare
+  resource_group: $TF_STATE_NAME
+  artifacts:
+    # Terraform's cache files can include secrets which can be accidentally exposed.
+    # Please exercise caution when utilizing secrets in your Terraform infrastructure and
+    # consider limiting access to artifacts or take other security measures to protect sensitive information.
+    #
+    # The next line, which disables public access to pipeline artifacts, is not available on GitLab.com.
+    # See: https://docs.gitlab.com/ee/ci/yaml/#artifactspublic
+    public: false
+    paths:
+      - $TF_ROOT/plan.cache
+    reports:
+      terraform: $TF_ROOT/plan.json
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
+      when: never
+    - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
+.opentofu:apply:
+  extends: .opentofu:default
+  stage: deploy
+  script:
+    - gitlab-tofu apply
+  environment:
+    name: $TF_STATE_NAME
+    action: start
+  resource_group: $TF_STATE_NAME
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $TF_AUTO_APPLY == "true"
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+      when: manual
+.opentofu:destroy:
+  extends: .opentofu:default
+  stage: cleanup
+  script:
+    - gitlab-tofu destroy
+  environment:
+    name: $TF_STATE_NAME
+    action: stop
+  resource_group: $TF_STATE_NAME
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $TF_AUTO_DESTROY == "true"
+    - when: manual
+delete-state:
+  extends: .opentofu:default
+  stage: cleanup
+  needs: [.opentofu:destroy]
+  resource_group: $TF_STATE_NAME
+  rules:
+    - when: never
+  script:
+    - curl --request DELETE -u "gitlab-ci-token:$CI_JOB_TOKEN" "$CI_API_V4_URL/projects/$CI_PROJECT_ID/terraform/state/$TF_STATE_NAME"
--- a/backports/OpenTofu.gitlab-ci.yml
+++ b/backports/OpenTofu.gitlab-ci.yml
+# This template is a port of the OpenTofu CI/CD component at
+# https://gitlab.com/components/opentofu
+# Please make sure to use the component when your project is hosted on GitLab.com
+# or when you are willing to mirror the component project into your self-managed
+# instance and use it from there.
+#
+# Attention: This template will be removed in favor of the OpenTofu CI/CD component as soon as components
+#            are available for self-managed instances.
+#
+# This specific template is located at:
+# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/OpenTofu.gitlab-ci.yml
+include:
+  - template: OpenTofu/Base.latest.gitlab-ci.yml  # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/OpenTofu/Base.latest.gitlab-ci.yml
+  - template: Jobs/SAST-IaC.latest.gitlab-ci.yml  # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml
+stages: [validate, test, build, deploy]
+fmt:
+  extends: .opentofu:fmt
+validate:
+  extends: .opentofu:validate
+build:
+  extends: .opentofu:build
+apply:
+  extends: .opentofu:apply
--- a/backports/README.md
+++ b/backports/README.md
+# OpenTofu CI/CD template backports
+See [CONTRIBUTING.md](CONTRIBUTING.md#backports)