Introduce input to allow Developer role to plan

Closes https://gitlab.com/components/opentofu/-/issues/95

Changelog: added

README.md

@@ -322,6 +322,7 @@ The following environment variables are respected by the `gitlab-tofu` script:
 - `GITLAB_TOFU_AUTO_ENCRYPTION`: if set to true, enables auto state and plan encryption. Defaults to `false`.
 - `GITLAB_TOFU_AUTO_ENCRYPTION_PASSPHRASE`: the passphrase to use for state and plan encryption. Required if `GITLAB_TOFU_AUTO_ENCRYPTION` is true.
 - `GITLAB_TOFU_AUTO_ENCRYPTION_ENABLE_MIGRATION_FROM_UNENCRYPTED_ENABLED`: if set to true, enables a fallback for state and plan encryption to migrate unencrypted plans and states to encrypted ones. Defaults to `false`.
+- `GITLAB_TOFU_ALLOW_DEVELOPER_ROLE: Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.
 
 #### Respected OpenTofu Environment Variables
 

src/gitlab-tofu.sh

@@ -30,6 +30,7 @@
 # - `GITLAB_TOFU_AUTO_ENCRYPTION`: if set to true, enables auto state and plan encryption. Defaults to `false`.
 # - `GITLAB_TOFU_AUTO_ENCRYPTION_PASSPHRASE`: the passphrase to use for state and plan encryption. Required if `GITLAB_TOFU_AUTO_ENCRYPTION` is true.
 # - `GITLAB_TOFU_AUTO_ENCRYPTION_ENABLE_MIGRATION_FROM_UNENCRYPTED_ENABLED`: if set to true, enables a fallback for state and plan encryption to migrate unencrypted plans and states to encrypted ones. Defaults to `false`.
+# - `GITLAB_TOFU_ALLOW_DEVELOPER_ROLE: Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.
 #
 # #### Respected OpenTofu Environment Variables
 #
@@ -199,6 +200,7 @@ plan_jq_filter='
     "delete":(map(select(.=="delete")) | length)
   }
 '
+allow_developer_role=${GITLAB_TOFU_ALLOW_DEVELOPER_ROLE:-false}
 
 # auto encryption related variables
 auto_encryption_enabled=${GITLAB_TOFU_AUTO_ENCRYPTION:-false}
@@ -389,6 +391,9 @@ if [ $sourced -eq 0 ]; then
       if $plan_with_detailed_exitcode; then
         plan_args='-detailed-exitcode'
       fi
+      if $allow_developer_role; then
+        plan_args="$plan_args -lock=false"
+      fi
 
       $should_do_implicit_init && tofu_init
       # shellcheck disable=SC2086

templates/full-pipeline.yml

@@ -201,6 +201,10 @@ spec:
       default: false
       type: boolean
       description: 'Whether to setup automatic state and plan encryption for currently unencrypted state. This is only temporarily useful when migrating from an unencrypted state.'
+    allow_developer_role_to_plan:
+      default: false
+      type: boolean
+      description: 'Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.'
 
 ---
 
@@ -284,6 +288,7 @@ include:
       auto_encryption: $[[ inputs.auto_encryption ]]
       auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
       auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
+      allow_developer_role: $[[ inputs.allow_developer_role_to_plan ]]
   - local: '/templates/apply.yml'
     rules:
       - if: '"$[[ inputs.trigger_in_child_pipeline ]]" == "false"'
@@ -409,6 +414,7 @@ stages:
           auto_encryption: $[[ inputs.auto_encryption ]]
           auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
           auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
+          allow_developer_role_to_plan: $[[ inputs.allow_developer_role_to_plan ]]
           trigger_in_child_pipeline: false
     forward:
       yaml_variables: true

templates/job-templates.yml

@@ -106,6 +106,10 @@ spec:
       default: false
       type: boolean
       description: 'Whether to setup automatic state and plan encryption for currently unencrypted state. This is only temporarily useful when migrating from an unencrypted state.'
+    allow_developer_role_to_plan:
+      default: false
+      type: boolean
+      description: 'Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.'
 
 ---
 
@@ -185,6 +189,7 @@ include:
       auto_encryption: $[[ inputs.auto_encryption ]]
       auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
       auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
+      allow_developer_role: $[[ inputs.allow_developer_role_to_plan ]]
   - local: '/templates/apply.yml'
     inputs:
       as: '$[[ inputs.job_name_prefix ]]apply'

templates/plan.yml

@@ -112,6 +112,10 @@ spec:
       default: false
       type: boolean
       description: 'Whether to setup automatic state and plan encryption for currently unencrypted state. This is only temporarily useful when migrating from an unencrypted state.'
+    allow_developer_role:
+      default: false
+      type: boolean
+      description: 'Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.'
 
 ---
 
@@ -177,6 +181,7 @@ spec:
     GITLAB_TOFU_AUTO_ENCRYPTION: '$[[ inputs.auto_encryption ]]'
     GITLAB_TOFU_AUTO_ENCRYPTION_PASSPHRASE: '$[[ inputs.auto_encryption_passphrase ]]'
     GITLAB_TOFU_AUTO_ENCRYPTION_ENABLE_MIGRATION_FROM_UNENCRYPTED: '$[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]'
+    GITLAB_TOFU_ALLOW_DEVELOPER_ROLE: '$[[ inputs.allow_developer_role ]]'
   image:
     name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]'
   script:

templates/validate-plan-apply.yml

@@ -165,6 +165,10 @@ spec:
       default: false
       type: boolean
       description: 'Whether to setup automatic state and plan encryption for currently unencrypted state. This is only temporarily useful when migrating from an unencrypted state.'
+    allow_developer_role_to_plan:
+      default: false
+      type: boolean
+      description: 'Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.'
 
 ---
 
@@ -227,6 +231,7 @@ include:
       auto_encryption: $[[ inputs.auto_encryption ]]
       auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
       auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
+      allow_developer_role: $[[ inputs.allow_developer_role_to_plan ]]
   - local: '/templates/apply.yml'
     rules:
       - if: '"$[[ inputs.trigger_in_child_pipeline ]]" == "false"'
@@ -304,6 +309,7 @@ stages:
           auto_encryption: $[[ inputs.auto_encryption ]]
           auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
           auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
+          allow_developer_role_to_plan: $[[ inputs.allow_developer_role_to_plan ]]
           trigger_in_child_pipeline: false
     forward:
       yaml_variables: true

templates/validate-plan-destroy.yml

@@ -171,6 +171,10 @@ spec:
       default: false
       type: boolean
       description: 'Whether to setup automatic state and plan encryption for currently unencrypted state. This is only temporarily useful when migrating from an unencrypted state.'
+    allow_developer_role_to_plan:
+      default: false
+      type: boolean
+      description: 'Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.'
 
 ---
 
@@ -234,6 +238,7 @@ include:
       auto_encryption: $[[ inputs.auto_encryption ]]
       auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
       auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
+      allow_developer_role: $[[ inputs.allow_developer_role_to_plan ]]
   - local: '/templates/destroy.yml'
     rules:
       - if: '"$[[ inputs.trigger_in_child_pipeline ]]" == "false"'
@@ -337,6 +342,7 @@ stages:
           auto_encryption: $[[ inputs.auto_encryption ]]
           auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
           auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
+          allow_developer_role_to_plan: $[[ inputs.allow_developer_role_to_plan ]]
           trigger_in_child_pipeline: false
     forward:
       yaml_variables: true

templates/validate-plan.yml

@@ -149,6 +149,10 @@ spec:
       default: false
       type: boolean
       description: 'Whether to setup automatic state and plan encryption for currently unencrypted state. This is only temporarily useful when migrating from an unencrypted state.'
+    allow_developer_role_to_plan:
+      default: false
+      type: boolean
+      description: 'Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.'
 
 ---
 
@@ -211,6 +215,7 @@ include:
       auto_encryption: $[[ inputs.auto_encryption ]]
       auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
       auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
+      allow_developer_role: $[[ inputs.allow_developer_role_to_plan ]]
 
 
 # NOTE: the following configuration is only used if `trigger_in_child_pipeline` is enabled.
@@ -264,6 +269,7 @@ stages:
           auto_encryption: $[[ inputs.auto_encryption ]]
           auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
           auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
+          allow_developer_role_to_plan: $[[ inputs.allow_developer_role_to_plan ]]
           trigger_in_child_pipeline: false
     forward:
       yaml_variables: true