From 89f7672cf6ac0735970820c7e5ba37271513b2c5 Mon Sep 17 00:00:00 2001
From: Timo Furrer <tfurrer@gitlab.com>
Date: Wed, 11 Dec 2024 17:06:09 +0100
Subject: [PATCH] Introduce input to allow Developer role to plan

Closes https://gitlab.com/components/opentofu/-/issues/95

Changelog: added
---
 README.md                           | 1 +
 src/gitlab-tofu.sh                  | 5 +++++
 templates/full-pipeline.yml         | 6 ++++++
 templates/job-templates.yml         | 5 +++++
 templates/plan.yml                  | 5 +++++
 templates/validate-plan-apply.yml   | 6 ++++++
 templates/validate-plan-destroy.yml | 6 ++++++
 templates/validate-plan.yml         | 6 ++++++
 8 files changed, 40 insertions(+)

diff --git a/README.md b/README.md
index a61c903..8b0fd8f 100644
--- a/README.md
+++ b/README.md
@@ -322,6 +322,7 @@ The following environment variables are respected by the `gitlab-tofu` script:
 - `GITLAB_TOFU_AUTO_ENCRYPTION`: if set to true, enables auto state and plan encryption. Defaults to `false`.
 - `GITLAB_TOFU_AUTO_ENCRYPTION_PASSPHRASE`: the passphrase to use for state and plan encryption. Required if `GITLAB_TOFU_AUTO_ENCRYPTION` is true.
 - `GITLAB_TOFU_AUTO_ENCRYPTION_ENABLE_MIGRATION_FROM_UNENCRYPTED_ENABLED`: if set to true, enables a fallback for state and plan encryption to migrate unencrypted plans and states to encrypted ones. Defaults to `false`.
+- `GITLAB_TOFU_ALLOW_DEVELOPER_ROLE: Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.
 
 #### Respected OpenTofu Environment Variables
 
diff --git a/src/gitlab-tofu.sh b/src/gitlab-tofu.sh
index 4b98d61..408e43c 100644
--- a/src/gitlab-tofu.sh
+++ b/src/gitlab-tofu.sh
@@ -30,6 +30,7 @@
 # - `GITLAB_TOFU_AUTO_ENCRYPTION`: if set to true, enables auto state and plan encryption. Defaults to `false`.
 # - `GITLAB_TOFU_AUTO_ENCRYPTION_PASSPHRASE`: the passphrase to use for state and plan encryption. Required if `GITLAB_TOFU_AUTO_ENCRYPTION` is true.
 # - `GITLAB_TOFU_AUTO_ENCRYPTION_ENABLE_MIGRATION_FROM_UNENCRYPTED_ENABLED`: if set to true, enables a fallback for state and plan encryption to migrate unencrypted plans and states to encrypted ones. Defaults to `false`.
+# - `GITLAB_TOFU_ALLOW_DEVELOPER_ROLE: Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.
 #
 # #### Respected OpenTofu Environment Variables
 #
@@ -199,6 +200,7 @@ plan_jq_filter='
     "delete":(map(select(.=="delete")) | length)
   }
 '
+allow_developer_role=${GITLAB_TOFU_ALLOW_DEVELOPER_ROLE:-false}
 
 # auto encryption related variables
 auto_encryption_enabled=${GITLAB_TOFU_AUTO_ENCRYPTION:-false}
@@ -389,6 +391,9 @@ if [ $sourced -eq 0 ]; then
       if $plan_with_detailed_exitcode; then
         plan_args='-detailed-exitcode'
       fi
+      if $allow_developer_role; then
+        plan_args="$plan_args -lock=false"
+      fi
 
       $should_do_implicit_init && tofu_init
       # shellcheck disable=SC2086
diff --git a/templates/full-pipeline.yml b/templates/full-pipeline.yml
index 4830ac3..0f4b27f 100644
--- a/templates/full-pipeline.yml
+++ b/templates/full-pipeline.yml
@@ -201,6 +201,10 @@ spec:
       default: false
       type: boolean
       description: 'Whether to setup automatic state and plan encryption for currently unencrypted state. This is only temporarily useful when migrating from an unencrypted state.'
+    allow_developer_role_to_plan:
+      default: false
+      type: boolean
+      description: 'Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.'
 
 ---
 
@@ -284,6 +288,7 @@ include:
       auto_encryption: $[[ inputs.auto_encryption ]]
       auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
       auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
+      allow_developer_role: $[[ inputs.allow_developer_role_to_plan ]]
   - local: '/templates/apply.yml'
     rules:
       - if: '"$[[ inputs.trigger_in_child_pipeline ]]" == "false"'
@@ -409,6 +414,7 @@ stages:
           auto_encryption: $[[ inputs.auto_encryption ]]
           auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
           auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
+          allow_developer_role_to_plan: $[[ inputs.allow_developer_role_to_plan ]]
           trigger_in_child_pipeline: false
     forward:
       yaml_variables: true
diff --git a/templates/job-templates.yml b/templates/job-templates.yml
index 5657e95..b64ecd4 100644
--- a/templates/job-templates.yml
+++ b/templates/job-templates.yml
@@ -106,6 +106,10 @@ spec:
       default: false
       type: boolean
       description: 'Whether to setup automatic state and plan encryption for currently unencrypted state. This is only temporarily useful when migrating from an unencrypted state.'
+    allow_developer_role_to_plan:
+      default: false
+      type: boolean
+      description: 'Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.'
 
 ---
 
@@ -185,6 +189,7 @@ include:
       auto_encryption: $[[ inputs.auto_encryption ]]
       auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
       auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
+      allow_developer_role: $[[ inputs.allow_developer_role_to_plan ]]
   - local: '/templates/apply.yml'
     inputs:
       as: '$[[ inputs.job_name_prefix ]]apply'
diff --git a/templates/plan.yml b/templates/plan.yml
index 02461ee..69dae95 100644
--- a/templates/plan.yml
+++ b/templates/plan.yml
@@ -112,6 +112,10 @@ spec:
       default: false
       type: boolean
       description: 'Whether to setup automatic state and plan encryption for currently unencrypted state. This is only temporarily useful when migrating from an unencrypted state.'
+    allow_developer_role:
+      default: false
+      type: boolean
+      description: 'Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.'
 
 ---
 
@@ -177,6 +181,7 @@ spec:
     GITLAB_TOFU_AUTO_ENCRYPTION: '$[[ inputs.auto_encryption ]]'
     GITLAB_TOFU_AUTO_ENCRYPTION_PASSPHRASE: '$[[ inputs.auto_encryption_passphrase ]]'
     GITLAB_TOFU_AUTO_ENCRYPTION_ENABLE_MIGRATION_FROM_UNENCRYPTED: '$[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]'
+    GITLAB_TOFU_ALLOW_DEVELOPER_ROLE: '$[[ inputs.allow_developer_role ]]'
   image:
     name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]'
   script:
diff --git a/templates/validate-plan-apply.yml b/templates/validate-plan-apply.yml
index a643819..b89116f 100644
--- a/templates/validate-plan-apply.yml
+++ b/templates/validate-plan-apply.yml
@@ -165,6 +165,10 @@ spec:
       default: false
       type: boolean
       description: 'Whether to setup automatic state and plan encryption for currently unencrypted state. This is only temporarily useful when migrating from an unencrypted state.'
+    allow_developer_role_to_plan:
+      default: false
+      type: boolean
+      description: 'Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.'
 
 ---
 
@@ -227,6 +231,7 @@ include:
       auto_encryption: $[[ inputs.auto_encryption ]]
       auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
       auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
+      allow_developer_role: $[[ inputs.allow_developer_role_to_plan ]]
   - local: '/templates/apply.yml'
     rules:
       - if: '"$[[ inputs.trigger_in_child_pipeline ]]" == "false"'
@@ -304,6 +309,7 @@ stages:
           auto_encryption: $[[ inputs.auto_encryption ]]
           auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
           auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
+          allow_developer_role_to_plan: $[[ inputs.allow_developer_role_to_plan ]]
           trigger_in_child_pipeline: false
     forward:
       yaml_variables: true
diff --git a/templates/validate-plan-destroy.yml b/templates/validate-plan-destroy.yml
index 76f942e..5fc8a72 100644
--- a/templates/validate-plan-destroy.yml
+++ b/templates/validate-plan-destroy.yml
@@ -171,6 +171,10 @@ spec:
       default: false
       type: boolean
       description: 'Whether to setup automatic state and plan encryption for currently unencrypted state. This is only temporarily useful when migrating from an unencrypted state.'
+    allow_developer_role_to_plan:
+      default: false
+      type: boolean
+      description: 'Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.'
 
 ---
 
@@ -234,6 +238,7 @@ include:
       auto_encryption: $[[ inputs.auto_encryption ]]
       auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
       auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
+      allow_developer_role: $[[ inputs.allow_developer_role_to_plan ]]
   - local: '/templates/destroy.yml'
     rules:
       - if: '"$[[ inputs.trigger_in_child_pipeline ]]" == "false"'
@@ -337,6 +342,7 @@ stages:
           auto_encryption: $[[ inputs.auto_encryption ]]
           auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
           auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
+          allow_developer_role_to_plan: $[[ inputs.allow_developer_role_to_plan ]]
           trigger_in_child_pipeline: false
     forward:
       yaml_variables: true
diff --git a/templates/validate-plan.yml b/templates/validate-plan.yml
index 99fd465..8262da9 100644
--- a/templates/validate-plan.yml
+++ b/templates/validate-plan.yml
@@ -149,6 +149,10 @@ spec:
       default: false
       type: boolean
       description: 'Whether to setup automatic state and plan encryption for currently unencrypted state. This is only temporarily useful when migrating from an unencrypted state.'
+    allow_developer_role_to_plan:
+      default: false
+      type: boolean
+      description: 'Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.'
 
 ---
 
@@ -211,6 +215,7 @@ include:
       auto_encryption: $[[ inputs.auto_encryption ]]
       auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
       auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
+      allow_developer_role: $[[ inputs.allow_developer_role_to_plan ]]
 
 
 # NOTE: the following configuration is only used if `trigger_in_child_pipeline` is enabled.
@@ -264,6 +269,7 @@ stages:
           auto_encryption: $[[ inputs.auto_encryption ]]
           auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
           auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
+          allow_developer_role_to_plan: $[[ inputs.allow_developer_role_to_plan ]]
           trigger_in_child_pipeline: false
     forward:
       yaml_variables: true
-- 
GitLab