Unverified Commit 89f7672c authored by Timo Furrer's avatar Timo Furrer

Introduce input to allow Developer role to plan

parent 296ff938
......@@ -322,6 +322,7 @@ The following environment variables are respected by the `gitlab-tofu` script:
- `GITLAB_TOFU_AUTO_ENCRYPTION`: if set to true, enables auto state and plan encryption. Defaults to `false`.
- `GITLAB_TOFU_AUTO_ENCRYPTION_PASSPHRASE`: the passphrase to use for state and plan encryption. Required if `GITLAB_TOFU_AUTO_ENCRYPTION` is true.
- `GITLAB_TOFU_AUTO_ENCRYPTION_ENABLE_MIGRATION_FROM_UNENCRYPTED_ENABLED`: if set to true, enables a fallback for state and plan encryption to migrate unencrypted plans and states to encrypted ones. Defaults to `false`.
- `GITLAB_TOFU_ALLOW_DEVELOPER_ROLE: Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.
#### Respected OpenTofu Environment Variables
......
......@@ -30,6 +30,7 @@
# - `GITLAB_TOFU_AUTO_ENCRYPTION`: if set to true, enables auto state and plan encryption. Defaults to `false`.
# - `GITLAB_TOFU_AUTO_ENCRYPTION_PASSPHRASE`: the passphrase to use for state and plan encryption. Required if `GITLAB_TOFU_AUTO_ENCRYPTION` is true.
# - `GITLAB_TOFU_AUTO_ENCRYPTION_ENABLE_MIGRATION_FROM_UNENCRYPTED_ENABLED`: if set to true, enables a fallback for state and plan encryption to migrate unencrypted plans and states to encrypted ones. Defaults to `false`.
# - `GITLAB_TOFU_ALLOW_DEVELOPER_ROLE: Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.
#
# #### Respected OpenTofu Environment Variables
#
......@@ -199,6 +200,7 @@ plan_jq_filter='
"delete":(map(select(.=="delete")) | length)
}
'
allow_developer_role=${GITLAB_TOFU_ALLOW_DEVELOPER_ROLE:-false}
# auto encryption related variables
auto_encryption_enabled=${GITLAB_TOFU_AUTO_ENCRYPTION:-false}
......@@ -389,6 +391,9 @@ if [ $sourced -eq 0 ]; then
if $plan_with_detailed_exitcode; then
plan_args='-detailed-exitcode'
fi
if $allow_developer_role; then
plan_args="$plan_args -lock=false"
fi
$should_do_implicit_init && tofu_init
# shellcheck disable=SC2086
......
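Review bot: `if $allow_developer_role; then` executes the variable's value as a shell command, so a CI variable set to anything other than the literal `true`/`false` (`True`, `yes`, `1`) is either a command-not-found failure or runs an unrelated program — the template path quotes a boolean input into it, but `GITLAB_TOFU_ALLOW_DEVELOPER_ROLE` is also documented in the header as a directly settable environment variable. A string comparison is safer: `if [ "$allow_developer_role" = "true" ]; then`. The neighbouring checks (`$plan_with_detailed_exitcode`, `$should_do_implicit_init`) appear to use the same `if $var` idiom, so if the project keeps it, the header comment should at least say that only the literal values `true` and `false` are accepted; that header line is also missing the closing backtick after `GITLAB_TOFU_ALLOW_DEVELOPER_ROLE`. Because `-lock=false` lets plan read state while a concurrent apply may be writing it, I would add a comment on the `plan_args` line such as `# NOTE: an unlocked plan may observe a partially written state; apply still takes the lock` — whether apply also rejects a stale saved plan depends on the apply path, which is outside this diff.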
......@@ -201,6 +201,10 @@ spec:
default: false
type: boolean
description: 'Whether to setup automatic state and plan encryption for currently unencrypted state. This is only temporarily useful when migrating from an unencrypted state.'
allow_developer_role_to_plan:
default: false
type: boolean
description: 'Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.'
---
......@@ -284,6 +288,7 @@ include:
auto_encryption: $[[ inputs.auto_encryption ]]
auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
allow_developer_role: $[[ inputs.allow_developer_role_to_plan ]]
- local: '/templates/apply.yml'
rules:
- if: '"$[[ inputs.trigger_in_child_pipeline ]]" == "false"'
......@@ -409,6 +414,7 @@ stages:
auto_encryption: $[[ inputs.auto_encryption ]]
auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
allow_developer_role_to_plan: $[[ inputs.allow_developer_role_to_plan ]]
trigger_in_child_pipeline: false
forward:
yaml_variables: true
......
......@@ -106,6 +106,10 @@ spec:
default: false
type: boolean
description: 'Whether to setup automatic state and plan encryption for currently unencrypted state. This is only temporarily useful when migrating from an unencrypted state.'
allow_developer_role_to_plan:
default: false
type: boolean
description: 'Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.'
---
......@@ -185,6 +189,7 @@ include:
auto_encryption: $[[ inputs.auto_encryption ]]
auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
allow_developer_role: $[[ inputs.allow_developer_role_to_plan ]]
- local: '/templates/apply.yml'
inputs:
as: '$[[ inputs.job_name_prefix ]]apply'
......
......@@ -112,6 +112,10 @@ spec:
default: false
type: boolean
description: 'Whether to setup automatic state and plan encryption for currently unencrypted state. This is only temporarily useful when migrating from an unencrypted state.'
allow_developer_role:
default: false
type: boolean
description: 'Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.'
---
......@@ -177,6 +181,7 @@ spec:
GITLAB_TOFU_AUTO_ENCRYPTION: '$[[ inputs.auto_encryption ]]'
GITLAB_TOFU_AUTO_ENCRYPTION_PASSPHRASE: '$[[ inputs.auto_encryption_passphrase ]]'
GITLAB_TOFU_AUTO_ENCRYPTION_ENABLE_MIGRATION_FROM_UNENCRYPTED: '$[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]'
GITLAB_TOFU_ALLOW_DEVELOPER_ROLE: '$[[ inputs.allow_developer_role ]]'
image:
name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]'
script:
......
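Review bot: The description of the new `allow_developer_role` input documents the mechanism (`-lock=false`) but not its consequence, which is the security-relevant part: with locking disabled a plan can run concurrently with an apply and read state that is mid-write, so the plan output may not reflect the state apply will act on. I would extend the description to something like `'Pass -lock=false to plan so Developer-role users (who cannot lock the state) can plan. Only affects plan; apply still locks and needs a role that can. Plans made without the lock may be computed against state being modified concurrently.'`. The mapping to `GITLAB_TOFU_ALLOW_DEVELOPER_ROLE` quotes the boolean like its neighbours, so the `gitlab-tofu` script receives the string `true`/`false`, which appears to be the only form its `if $allow_developer_role` check tolerates — worth stating in the input description if users are expected to set the variable directly. The job definition continues outside the hunk.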
......@@ -165,6 +165,10 @@ spec:
default: false
type: boolean
description: 'Whether to setup automatic state and plan encryption for currently unencrypted state. This is only temporarily useful when migrating from an unencrypted state.'
allow_developer_role_to_plan:
default: false
type: boolean
description: 'Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.'
---
......@@ -227,6 +231,7 @@ include:
auto_encryption: $[[ inputs.auto_encryption ]]
auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
allow_developer_role: $[[ inputs.allow_developer_role_to_plan ]]
- local: '/templates/apply.yml'
rules:
- if: '"$[[ inputs.trigger_in_child_pipeline ]]" == "false"'
......@@ -304,6 +309,7 @@ stages:
auto_encryption: $[[ inputs.auto_encryption ]]
auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
allow_developer_role_to_plan: $[[ inputs.allow_developer_role_to_plan ]]
trigger_in_child_pipeline: false
forward:
yaml_variables: true
......
......@@ -171,6 +171,10 @@ spec:
default: false
type: boolean
description: 'Whether to setup automatic state and plan encryption for currently unencrypted state. This is only temporarily useful when migrating from an unencrypted state.'
allow_developer_role_to_plan:
default: false
type: boolean
description: 'Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.'
---
......@@ -234,6 +238,7 @@ include:
auto_encryption: $[[ inputs.auto_encryption ]]
auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
allow_developer_role: $[[ inputs.allow_developer_role_to_plan ]]
- local: '/templates/destroy.yml'
rules:
- if: '"$[[ inputs.trigger_in_child_pipeline ]]" == "false"'
......@@ -337,6 +342,7 @@ stages:
auto_encryption: $[[ inputs.auto_encryption ]]
auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
allow_developer_role_to_plan: $[[ inputs.allow_developer_role_to_plan ]]
trigger_in_child_pipeline: false
forward:
yaml_variables: true
......
......@@ -149,6 +149,10 @@ spec:
default: false
type: boolean
description: 'Whether to setup automatic state and plan encryption for currently unencrypted state. This is only temporarily useful when migrating from an unencrypted state.'
allow_developer_role_to_plan:
default: false
type: boolean
description: 'Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.'
---
......@@ -211,6 +215,7 @@ include:
auto_encryption: $[[ inputs.auto_encryption ]]
auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
allow_developer_role: $[[ inputs.allow_developer_role_to_plan ]]
# NOTE: the following configuration is only used if `trigger_in_child_pipeline` is enabled.
......@@ -264,6 +269,7 @@ stages:
auto_encryption: $[[ inputs.auto_encryption ]]
auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
allow_developer_role_to_plan: $[[ inputs.allow_developer_role_to_plan ]]
trigger_in_child_pipeline: false
forward:
yaml_variables: true
......