From dadf991638c37724d150bb4a75da0a21f1a73d1f Mon Sep 17 00:00:00 2001
From: Timo Furrer <tfurrer@gitlab.com>
Date: Fri, 31 May 2024 16:21:31 +0200
Subject: [PATCH] Lock down plan artifacts access to none by default

This change set locks down the access to the plan artifacts to `none` by
default. This can be changed by setting the `artifacts_access` or
`plan_artifacts_access` input.

Changelog: changed

Closes https://gitlab.com/components/opentofu/-/issues/29
---
 README.md                           | 1 +
 templates/full-pipeline.yml         | 4 ++++
 templates/plan.yml                  | 9 +++++----
 templates/validate-plan-apply.yml   | 4 ++++
 templates/validate-plan-destroy.yml | 4 ++++
 templates/validate-plan.yml         | 4 ++++
 6 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 44a2267..919043a 100644
--- a/README.md
+++ b/README.md
@@ -182,6 +182,7 @@ Have a look at the individual template spec to learn about the available inputs.
 | `state_name` | `default` | Remote OpenTofu state name. |
 | `auto_apply` | `false` | Whether the apply job is manual or automatically run. |
 | `auto_destroy` | `false` | Whether the destroy job is manual or automatically run. |
+| `plan_artifacts_access` | `none` | Access level for the plan artifact. See https://docs.gitlab.com/ee/ci/yaml/#artifactsaccess for possible values. |
 
 ### Available OpenTofu Versions
 
diff --git a/templates/full-pipeline.yml b/templates/full-pipeline.yml
index ccc7b46..f0e4dd4 100644
--- a/templates/full-pipeline.yml
+++ b/templates/full-pipeline.yml
@@ -67,6 +67,9 @@ spec:
       default: false
       type: boolean
       description: 'Whether the destroy job is manual or automatically run.'
+    plan_artifacts_access:
+      default: 'none'
+      description: 'Access level for the plan artifact. See https://docs.gitlab.com/ee/ci/yaml/#artifactsaccess for possible values.'
 
 ---
 
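Review bot: The new `plan_artifacts_access` input at `spec.inputs` accepts any string, so a misspelled or unsupported value is only caught when the downstream `plan.yml` job renders `artifacts:access`, with an error that points at the included template rather than at the caller's input. Since `spec:inputs` supports an `options` list, constraining it to the values the linked docs enumerate (`all`, `developer`, `none` at the time of this patch) would fail fast at pipeline creation: `options: ['all', 'developer', 'none']` added under the input. The same applies to `artifacts_access` in `templates/plan.yml` and `templates/validate-plan.yml`, and to `plan_artifacts_access` in `templates/validate-plan-apply.yml` and `templates/validate-plan-destroy.yml`. As a minor style point, `validate-plan-destroy.yml` inserts the input between `plan_name` and `auto_destroy`, while the other templates append it after the last existing input; keeping the same position across templates makes the specs easier to compare.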
@@ -113,6 +116,7 @@ include:
       image_name: $[[ inputs.image_name ]]
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
+      artifacts_access: $[[ inputs.plan_artifacts_access ]]
   - local: '/templates/apply.yml'
     inputs:
       as: 'apply'
diff --git a/templates/plan.yml b/templates/plan.yml
index a28b9c6..08d0110 100644
--- a/templates/plan.yml
+++ b/templates/plan.yml
@@ -57,6 +57,9 @@ spec:
       default: false
       type: boolean
       description: 'Indicate if the plan should be a destroy plan. You may want to change the `plan_name` input to `destroy-plan` which is the default for the destroy job.'
+    artifacts_access:
+      default: 'none'
+      description: 'Access level for the plan artifact. See https://docs.gitlab.com/ee/ci/yaml/#artifactsaccess for possible values.'
 
 ---
 
@@ -70,10 +73,8 @@ spec:
     # Terraform's cache files can include secrets which can be accidentally exposed.
     # Please exercise caution when utilizing secrets in your Terraform infrastructure and
     # consider limiting access to artifacts or take other security measures to protect sensitive information.
-    #
-    # The next line, which disables public access to pipeline artifacts, is not available on GitLab.com.
-    # See: https://docs.gitlab.com/ee/ci/yaml/#artifactspublic
-    public: false
+    # See https://docs.gitlab.com/ee/ci/yaml/#artifactsaccess for possible values.
+    access: '$[[ inputs.artifacts_access ]]'
     paths:
       - $TF_ROOT/$[[ inputs.plan_name ]].cache
     reports:
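Review bot: The security comment above `access:` still reads as advice to "consider limiting access to artifacts", although this hunk now limits it to `none` by default; the comment should state the new default and what it does and does not protect, e.g. `# Access defaults to 'none' via the artifacts_access input, so the plan cache cannot be downloaded through the UI or API; dependent jobs in this pipeline still receive it as an artifact dependency.` The removed `public: false` carried a note about its availability on GitLab.com, and the replacement has a comparable caveat worth recording: if I remember correctly, `artifacts:access` was introduced in GitLab 16.11, so self-managed instances on older releases will reject this key, which a one-line comment or a README note should mention. The enclosing `artifacts:` mapping begins before this hunk.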
diff --git a/templates/validate-plan-apply.yml b/templates/validate-plan-apply.yml
index 5d670f5..7608be9 100644
--- a/templates/validate-plan-apply.yml
+++ b/templates/validate-plan-apply.yml
@@ -57,6 +57,9 @@ spec:
       default: false
       type: boolean
       description: 'Whether the apply job is manual or automatically run.'
+    plan_artifacts_access:
+      default: 'none'
+      description: 'Access level for the plan artifact. See https://docs.gitlab.com/ee/ci/yaml/#artifactsaccess for possible values.'
 
 ---
 
@@ -90,6 +93,7 @@ include:
       image_name: $[[ inputs.image_name ]]
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
+      artifacts_access: $[[ inputs.plan_artifacts_access ]]
   - local: '/templates/apply.yml'
     inputs:
       as: 'apply'
diff --git a/templates/validate-plan-destroy.yml b/templates/validate-plan-destroy.yml
index b94fc54..35c51a9 100644
--- a/templates/validate-plan-destroy.yml
+++ b/templates/validate-plan-destroy.yml
@@ -56,6 +56,9 @@ spec:
     plan_name:
       default: 'destroy-plan'
       description: 'Destroy plan file name.'
+    plan_artifacts_access:
+      default: 'none'
+      description: 'Access level for the plan artifact. See https://docs.gitlab.com/ee/ci/yaml/#artifactsaccess for possible values.'
     auto_destroy:
       default: false
       type: boolean
@@ -94,6 +97,7 @@ include:
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
       plan_name: $[[ inputs.plan_name ]]
+      artifacts_access: $[[ inputs.plan_artifacts_access ]]
       destroy: true
   - local: '/templates/destroy.yml'
     inputs:
diff --git a/templates/validate-plan.yml b/templates/validate-plan.yml
index 2bd9f33..145e858 100644
--- a/templates/validate-plan.yml
+++ b/templates/validate-plan.yml
@@ -50,6 +50,9 @@ spec:
     state_name:
       default: default
       description: 'Remote OpenTofu state name.'
+    artifacts_access:
+      default: 'none'
+      description: 'Access level for the plan artifact. See https://docs.gitlab.com/ee/ci/yaml/#artifactsaccess for possible values.'
 
 ---
 
@@ -83,3 +86,4 @@ include:
       image_name: $[[ inputs.image_name ]]
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
+      artifacts_access: $[[ inputs.artifacts_access ]]
-- 
GitLab