Use include rules to control destroy behavior in full pipeline

backports/OpenTofu/Base.gitlab-ci.yml

-# This template is a port of the OpenTofu CI/CD component at
-# https://gitlab.com/components/opentofu
-# It is generated with the `make backports` command from that project.
-#
-# Please make sure to use the component when your project is hosted on GitLab.com
-# or when you are willing to mirror the component project into your self-managed
-# instance and use it from there.
-#
-# Attention: This template will be removed in favor of the OpenTofu CI/CD component as soon as components
-#            are available for self-managed instances.
-#
-# This specific template is located at:
-# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/OpenTofu/Base.gitlab-ci.yml
-
-variables:
-  # OpenTofu CI/CD component version, see https://gitlab.com/components/opentofu/-/releases
-  VERSION: "latest"
-  # Compatible OpenTofu version, see https://gitlab.com/components/opentofu/-/releases
-  OPENTOFU_VERSION: "1.6.0"
-  # Job Image with `gitlab-tofu`
-  GITLAB_OPENTOFU_IMAGE_REGISTRY_BASE: $CI_REGISTRY/components/opentofu
-  # The relative path to the root directory of the OpenTofu project
-  TF_ROOT: ${CI_PROJECT_DIR}
-  # The name of the state file used by the GitLab Managed Terraform state backend
-  TF_STATE_NAME: default
-
-.opentofu:use-component-instead-of-template:
-  stage: validate
-  needs: []
-  allow_failure: true
-  rules:
-    - if: '$CI_SERVER_HOST == "gitlab.com"'
-  image: alpine:3.19
-  script:
-    - |
-      echo "You are using the OpenTofu CI/CD template on GitLab.com which is not recommended."
-      echo "This template is available for self-managed customers until CI/CD components are available to them and it will be removed asap."
-      echo " "
-      echo "We recommend that you migrate to the OpenTofu CI/CD component instead."
-      echo "The OpenTofu CI/CD component with a default configuration can be included as follows:"
-      echo " "
-      echo "include:"
-      echo "  - component: gitlab.com/components/opentofu/full-pipeline@~latest"
-      echo "    inputs:"
-      echo "      version: latest"
-      echo "      opentofu_version: 1.6.0"
-      echo ""
-      echo "stages: [validate, build, deploy, cleanup]"
-      echo " "
-      echo "You can read about more about the OpenTofu CI/CD component here:"
-      echo "https://gitlab.com/components/opentofu"
-    - 'false'
-
-'.opentofu:fmt':
-  stage: validate
-  needs: []
-  rules:
-    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-    - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
-      when: never
-    - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
-  #allow_failure: true
-  allow_failure: true
-  cache:
-    key: "$TF_ROOT"
-    paths:
-      - $TF_ROOT/.terraform/
-  image:
-    name: '$GITLAB_OPENTOFU_IMAGE_REGISTRY_BASE/gitlab-opentofu:$GITLAB_OPENTOFU_VERSION-opentofu$OPENTOFU_VERSION'
-  script:
-    - gitlab-tofu fmt
-
-'.opentofu:validate':
-  stage: validate
-  rules:
-    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-    - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
-      when: never
-    - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
-  cache:
-    key: "$TF_ROOT"
-    paths:
-      - $TF_ROOT/.terraform/
-  image:
-    name: '$GITLAB_OPENTOFU_IMAGE_REGISTRY_BASE/gitlab-opentofu:$GITLAB_OPENTOFU_VERSION-opentofu$OPENTOFU_VERSION'
-  script:
-    - gitlab-tofu validate
-
-'.opentofu:plan':
-  stage: build
-  environment: 
-    name: $TF_STATE_NAME
-    action: prepare
-  resource_group: $TF_STATE_NAME
-  artifacts:
-    # Terraform's cache files can include secrets which can be accidentally exposed.
-    # Please exercise caution when utilizing secrets in your Terraform infrastructure and
-    # consider limiting access to artifacts or take other security measures to protect sensitive information.
-    #
-    # The next line, which disables public access to pipeline artifacts, is not available on GitLab.com.
-    # See: https://docs.gitlab.com/ee/ci/yaml/#artifactspublic
-    public: false
-    paths:
-      - $TF_ROOT/plan.cache
-    reports:
-      terraform: $TF_ROOT/plan.json
-  rules:
-    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-    - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
-      when: never
-    - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
-  cache:
-    key: "$TF_ROOT"
-    paths:
-      - $TF_ROOT/.terraform/
-  image:
-    name: '$GITLAB_OPENTOFU_IMAGE_REGISTRY_BASE/gitlab-opentofu:$GITLAB_OPENTOFU_VERSION-opentofu$OPENTOFU_VERSION'
-  script:
-    - gitlab-tofu plan
-    - gitlab-tofu plan-json
-
-'.opentofu:apply':
-  stage: deploy
-  environment:
-    name: $TF_STATE_NAME
-    action: start
-  resource_group: $TF_STATE_NAME
-  rules:
-    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && "$_TF_AUTO_APPLY" == "true"'
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
-      when: manual
-  cache:
-    key: "$TF_ROOT"
-    paths:
-      - $TF_ROOT/.terraform/
-  image:
-    name: '$GITLAB_OPENTOFU_IMAGE_REGISTRY_BASE/gitlab-opentofu:$GITLAB_OPENTOFU_VERSION-opentofu$OPENTOFU_VERSION'
-  script:
-    - gitlab-tofu apply
-
-'.opentofu:destroy':
-  stage: cleanup
-  environment:
-    name: $TF_STATE_NAME
-    action: stop
-  resource_group: $TF_STATE_NAME
-  rules:
-    - if: '"$TF_CREATE_DESTROY_JOB" != "true"'
-      when: never
-    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && "$_TF_AUTO_DESTROY" == "true"'
-    - when: manual
-  cache:
-    key: "$TF_ROOT"
-    paths:
-      - $TF_ROOT/.terraform/
-  image:
-    name: '$GITLAB_OPENTOFU_IMAGE_REGISTRY_BASE/gitlab-opentofu:$GITLAB_OPENTOFU_VERSION-opentofu$OPENTOFU_VERSION'
-  script:
-    - gitlab-tofu destroy
-
-'.opentofu:delete-state':
-  stage: cleanup
-  resource_group: $TF_STATE_NAME
-  image: curlimages/curl:latest
-  script:
-    - curl --request DELETE -u "gitlab-ci-token:$CI_JOB_TOKEN" "$CI_API_V4_URL/projects/$CI_PROJECT_ID/terraform/state/$TF_STATE_NAME"
-  rules:
-    - if: '"$TF_CREATE_DELETE_STATE_JOB" != "true"'
-      when: never
-    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
-    - when: manual

backports/OpenTofu/Base.latest.gitlab-ci.yml

@@ -149,8 +149,6 @@ variables:
     action: stop
   resource_group: $TF_STATE_NAME
   rules:
-    - if: '"$TF_CREATE_DESTROY_JOB" != "true"'
-      when: never
     - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && "$_TF_AUTO_DESTROY" == "true"'
     - when: manual
   cache:
@@ -170,7 +168,5 @@ variables:
   script:
     - curl --request DELETE -u "gitlab-ci-token:$CI_JOB_TOKEN" "$CI_API_V4_URL/projects/$CI_PROJECT_ID/terraform/state/$TF_STATE_NAME"
   rules:
-    - if: '"$TF_CREATE_DELETE_STATE_JOB" != "true"'
-      when: never
     - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
     - when: manual

templates/delete-state.yml

@@ -25,7 +25,5 @@ spec:
   script:
     - curl --request DELETE -u "gitlab-ci-token:$CI_JOB_TOKEN" "$CI_API_V4_URL/projects/$CI_PROJECT_ID/terraform/state/$[[ inputs.state_name ]]"
   rules:
-    - if: '"$[[ inputs.create_delete_state_job ]]" != "true"'
-      when: never
     - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
     - when: manual

templates/destroy.yml

@@ -45,9 +45,6 @@ spec:
     auto_destroy:
       default: 'false'
       description: 'Whether the destroy job is manual or automatically run.'
-    create_destroy_job:
-      default: 'true'
-      description: 'Wheather the destroy job should be created or not.'
 
 ---
 
@@ -58,8 +55,6 @@ spec:
     action: stop
   resource_group: $[[ inputs.state_name ]]
   rules:
-    - if: '"$[[ inputs.create_destroy_job ]]" != "true"'
-      when: never
     - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && "$[[ inputs.auto_destroy ]]" == "true"'
     - when: manual
   cache:

templates/full-pipeline.yml

@@ -55,10 +55,12 @@ spec:
       default: 'false'
       description: 'Whether the destroy job is manual or automatically run.'
     create_destroy_job:
-      default: 'false'
+      default: false
+      type: boolean
       description: 'Wheather the destroy job should be created or not.'
     create_delete_state_job:
-      default: 'false'
+      default: false
+      type: boolean
       description: 'Wheather the delete-state job should be created or not.'
 
 ---
@@ -110,13 +112,19 @@ include:
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
       auto_destroy: $[[ inputs.auto_apply ]]
-      create_destroy_job: $[[ inputs.create_destroy_job ]]
+    rules:
+      - if: '"$[[ inputs.create_destroy_job ]]" == "true"'
+        when: always
+      - when: never
   - local: '/templates/delete-state.yml'
     inputs:
       as: 'delete-state'
       stage: $[[ inputs.stage_cleanup ]]
       state_name: $[[ inputs.state_name ]]
-      create_delete_state_job: $[[ inputs.create_delete_state_job ]]
+    rules:
+      - if: '"$[[ inputs.create_delete_state_job ]]" == "true"'
+        when: always
+      - when: never
 
 # NOTE: we have to define this `needs` here, because inputs don't support arrays, yet.
 delete-state:

tests/integration-tests/BackportTemplates.gitlab-ci.yml

 include:
-  - local: /backports/OpenTofu/Base.gitlab-ci.yml
+  - local: /backports/OpenTofu/Base.latest.gitlab-ci.yml
 
 stages: [validate, test, build, deploy, cleanup]
 

tests/integration-tests/Defaults.gitlab-ci.yml

@@ -6,6 +6,8 @@ include:
       opentofu_version: $OPENTOFU_VERSION
       root_dir: $TEST_TF_ROOT
       state_name: $TEST_TF_STATE_NAME
+      create_destroy_job: true
+      create_delete_state_job: true
 
 stages: [validate, test, build, deploy, cleanup]