Commit a42014c0 authored by Timo Furrer's avatar Timo Furrer

Merge branch 'plan-for-developers' into 'main'

Introduce input to allow Developer role to plan

Closes #95

See merge request components/opentofu!212
parents 296ff938 89f7672c
......@@ -322,6 +322,7 @@ The following environment variables are respected by the `gitlab-tofu` script:
- `GITLAB_TOFU_AUTO_ENCRYPTION`: if set to true, enables auto state and plan encryption. Defaults to `false`.
- `GITLAB_TOFU_AUTO_ENCRYPTION_PASSPHRASE`: the passphrase to use for state and plan encryption. Required if `GITLAB_TOFU_AUTO_ENCRYPTION` is true.
- `GITLAB_TOFU_AUTO_ENCRYPTION_ENABLE_MIGRATION_FROM_UNENCRYPTED_ENABLED`: if set to true, enables a fallback for state and plan encryption to migrate unencrypted plans and states to encrypted ones. Defaults to `false`.
- `GITLAB_TOFU_ALLOW_DEVELOPER_ROLE: Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.
#### Respected OpenTofu Environment Variables
......
......@@ -30,6 +30,7 @@
# - `GITLAB_TOFU_AUTO_ENCRYPTION`: if set to true, enables auto state and plan encryption. Defaults to `false`.
# - `GITLAB_TOFU_AUTO_ENCRYPTION_PASSPHRASE`: the passphrase to use for state and plan encryption. Required if `GITLAB_TOFU_AUTO_ENCRYPTION` is true.
# - `GITLAB_TOFU_AUTO_ENCRYPTION_ENABLE_MIGRATION_FROM_UNENCRYPTED_ENABLED`: if set to true, enables a fallback for state and plan encryption to migrate unencrypted plans and states to encrypted ones. Defaults to `false`.
# - `GITLAB_TOFU_ALLOW_DEVELOPER_ROLE: Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.
#
# #### Respected OpenTofu Environment Variables
#
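Review bot: The backtick opened before `GITLAB_TOFU_ALLOW_DEVELOPER_ROLE` on the added comment line is never closed, so in rendered form the variable name runs together with the rest of the sentence as one code span; the README line added in the hunk above has the same defect. Add the closing backtick directly after the variable name, before the colon, matching the three `GITLAB_TOFU_AUTO_ENCRYPTION*` entries just above it. Both hunks are comment/documentation text only, so no behaviour is affected.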
......@@ -199,6 +200,7 @@ plan_jq_filter='
"delete":(map(select(.=="delete")) | length)
}
'
allow_developer_role=${GITLAB_TOFU_ALLOW_DEVELOPER_ROLE:-false}
# auto encryption related variables
auto_encryption_enabled=${GITLAB_TOFU_AUTO_ENCRYPTION:-false}
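Review bot: The new `allow_developer_role` assignment is inserted between the jq filter and the `# auto encryption related variables` comment without a comment of its own, so a reader of this block sees only the variable name and has to find the plan code further down to learn what it changes. A one-line comment above it in the style of its neighbour would do: `# when true, plan runs with -lock=false because the Developer role cannot acquire the state lock`. Keeping the default as the literal `false` is right, since the value is later used as a shell boolean.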
......@@ -389,6 +391,9 @@ if [ $sourced -eq 0 ]; then
if $plan_with_detailed_exitcode; then
plan_args='-detailed-exitcode'
fi
if $allow_developer_role; then
plan_args="$plan_args -lock=false"
fi
$should_do_implicit_init && tofu_init
# shellcheck disable=SC2086
......
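Review bot: `if $allow_developer_role; then` executes the variable's value as a command, so a value other than `true`/`false` (a typo, or an empty string, which makes the `if` succeed) either fails with an unrelated "command not found" or silently disables locking; this follows the existing `if $plan_with_detailed_exitcode` idiom, but for a flag that relaxes a safety control a string comparison is more predictable: `if [ "$allow_developer_role" = "true" ]; then`. A short comment on the `-lock=false` line would also help: a plan produced without the state lock can read state that another job is writing at the same moment, so its output may not reflect what apply will later do; apply is not touched by this commit and presumably still takes the lock. The enclosing `if [ $sourced -eq 0 ]` block starts and ends outside the hunk.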
......@@ -201,6 +201,10 @@ spec:
default: false
type: boolean
description: 'Whether to setup automatic state and plan encryption for currently unencrypted state. This is only temporarily useful when migrating from an unencrypted state.'
allow_developer_role_to_plan:
default: false
type: boolean
description: 'Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.'
---
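Review bot: The description of `allow_developer_role_to_plan` explains why the flag exists but not what the user gives up by enabling it: with `-lock=false` the plan is computed without the state lock and may therefore be based on state another pipeline is modifying concurrently. Consider appending a sentence such as `Note that a plan produced without the lock may not reflect changes being written concurrently by another job.` so the trade-off is visible where the flag is chosen. The same description text is repeated verbatim in the `spec.inputs` hunks of the other templates in this commit, so the wording change applies to each of them.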
......@@ -284,6 +288,7 @@ include:
auto_encryption: $[[ inputs.auto_encryption ]]
auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
allow_developer_role: $[[ inputs.allow_developer_role_to_plan ]]
- local: '/templates/apply.yml'
rules:
- if: '"$[[ inputs.trigger_in_child_pipeline ]]" == "false"'
......@@ -409,6 +414,7 @@ stages:
auto_encryption: $[[ inputs.auto_encryption ]]
auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
allow_developer_role_to_plan: $[[ inputs.allow_developer_role_to_plan ]]
trigger_in_child_pipeline: false
forward:
yaml_variables: true
......
......@@ -106,6 +106,10 @@ spec:
default: false
type: boolean
description: 'Whether to setup automatic state and plan encryption for currently unencrypted state. This is only temporarily useful when migrating from an unencrypted state.'
allow_developer_role_to_plan:
default: false
type: boolean
description: 'Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.'
---
......@@ -185,6 +189,7 @@ include:
auto_encryption: $[[ inputs.auto_encryption ]]
auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
allow_developer_role: $[[ inputs.allow_developer_role_to_plan ]]
- local: '/templates/apply.yml'
inputs:
as: '$[[ inputs.job_name_prefix ]]apply'
......
......@@ -112,6 +112,10 @@ spec:
default: false
type: boolean
description: 'Whether to setup automatic state and plan encryption for currently unencrypted state. This is only temporarily useful when migrating from an unencrypted state.'
allow_developer_role:
default: false
type: boolean
description: 'Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.'
---
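Review bot: This template's input is named `allow_developer_role`, while every other template in the commit names it `allow_developer_role_to_plan` and then maps one name onto the other at each include (`allow_developer_role: $[[ inputs.allow_developer_role_to_plan ]]`). If the shorter name is deliberate because this template only ever runs plan, a one-line comment above the input saying so would save the next reader from wondering which name is canonical; otherwise using `allow_developer_role_to_plan` here as well would remove the renaming at every include site. The environment variable it feeds, `GITLAB_TOFU_ALLOW_DEVELOPER_ROLE` in the hunk below, would be unaffected either way.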
......@@ -177,6 +181,7 @@ spec:
GITLAB_TOFU_AUTO_ENCRYPTION: '$[[ inputs.auto_encryption ]]'
GITLAB_TOFU_AUTO_ENCRYPTION_PASSPHRASE: '$[[ inputs.auto_encryption_passphrase ]]'
GITLAB_TOFU_AUTO_ENCRYPTION_ENABLE_MIGRATION_FROM_UNENCRYPTED: '$[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]'
GITLAB_TOFU_ALLOW_DEVELOPER_ROLE: '$[[ inputs.allow_developer_role ]]'
image:
name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]'
script:
......
......@@ -165,6 +165,10 @@ spec:
default: false
type: boolean
description: 'Whether to setup automatic state and plan encryption for currently unencrypted state. This is only temporarily useful when migrating from an unencrypted state.'
allow_developer_role_to_plan:
default: false
type: boolean
description: 'Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.'
---
......@@ -227,6 +231,7 @@ include:
auto_encryption: $[[ inputs.auto_encryption ]]
auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
allow_developer_role: $[[ inputs.allow_developer_role_to_plan ]]
- local: '/templates/apply.yml'
rules:
- if: '"$[[ inputs.trigger_in_child_pipeline ]]" == "false"'
......@@ -304,6 +309,7 @@ stages:
auto_encryption: $[[ inputs.auto_encryption ]]
auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
allow_developer_role_to_plan: $[[ inputs.allow_developer_role_to_plan ]]
trigger_in_child_pipeline: false
forward:
yaml_variables: true
......
......@@ -171,6 +171,10 @@ spec:
default: false
type: boolean
description: 'Whether to setup automatic state and plan encryption for currently unencrypted state. This is only temporarily useful when migrating from an unencrypted state.'
allow_developer_role_to_plan:
default: false
type: boolean
description: 'Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.'
---
......@@ -234,6 +238,7 @@ include:
auto_encryption: $[[ inputs.auto_encryption ]]
auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
allow_developer_role: $[[ inputs.allow_developer_role_to_plan ]]
- local: '/templates/destroy.yml'
rules:
- if: '"$[[ inputs.trigger_in_child_pipeline ]]" == "false"'
......@@ -337,6 +342,7 @@ stages:
auto_encryption: $[[ inputs.auto_encryption ]]
auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
allow_developer_role_to_plan: $[[ inputs.allow_developer_role_to_plan ]]
trigger_in_child_pipeline: false
forward:
yaml_variables: true
......
......@@ -149,6 +149,10 @@ spec:
default: false
type: boolean
description: 'Whether to setup automatic state and plan encryption for currently unencrypted state. This is only temporarily useful when migrating from an unencrypted state.'
allow_developer_role_to_plan:
default: false
type: boolean
description: 'Users with the Developer role are not able to lock the state. Thus a regular `tofu plan` fails. When set to `true` a `-lock=false` is passed to plan.'
---
......@@ -211,6 +215,7 @@ include:
auto_encryption: $[[ inputs.auto_encryption ]]
auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
allow_developer_role: $[[ inputs.allow_developer_role_to_plan ]]
# NOTE: the following configuration is only used if `trigger_in_child_pipeline` is enabled.
......@@ -264,6 +269,7 @@ stages:
auto_encryption: $[[ inputs.auto_encryption ]]
auto_encryption_passphrase: $[[ inputs.auto_encryption_passphrase ]]
auto_encryption_enable_migration_from_unencrypted: $[[ inputs.auto_encryption_enable_migration_from_unencrypted ]]
allow_developer_role_to_plan: $[[ inputs.allow_developer_role_to_plan ]]
trigger_in_child_pipeline: false
forward:
yaml_variables: true
......