From dadf991638c37724d150bb4a75da0a21f1a73d1f Mon Sep 17 00:00:00 2001
From: Timo Furrer <tfurrer@gitlab.com>
Date: Fri, 31 May 2024 16:21:31 +0200
Subject: [PATCH] Lock down plan artifacts access to none by default

This change set locks down the access to the plan artifacts to `none` by default. This can be changed by setting the `artifcats_access` or `plan_artifacts_access` input.
Changelog: changed
Closes https://gitlab.com/components/opentofu/-/issues/29
---
 README.md | 1 +
 templates/full-pipeline.yml | 4 ++++
 templates/plan.yml | 9 +++++----
 templates/validate-plan-apply.yml | 4 ++++
 templates/validate-plan-destroy.yml | 4 ++++
 templates/validate-plan.yml | 4 ++++
 6 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 44a2267..919043a 100644
--- a/README.md
+++ b/README.md
@@ -182,6 +182,7 @@ Have a look at the individual template spec to learn about the available inputs.
 | `state_name` | `default` | Remote OpenTofu state name. |
 | `auto_apply` | `false` | Whether the apply job is manual or automatically run. |
 | `auto_destroy` | `false` | Whether the destroy job is manual or automatically run. |
+| `plan_artifacts_access` | `none` | Access level for the plan artifact. See https://docs.gitlab.com/ee/ci/yaml/#artifactsaccess for possible values. |
 ### Available OpenTofu Versions
diff --git a/templates/full-pipeline.yml b/templates/full-pipeline.yml
index ccc7b46..f0e4dd4 100644
--- a/templates/full-pipeline.yml
+++ b/templates/full-pipeline.yml
@@ -67,6 +67,9 @@ spec:
 default: false
 type: boolean
 description: 'Whether the destroy job is manual or automatically run.'
+ plan_artifacts_access:
+ default: 'none'
+ description: 'Access level for the plan artifact. See https://docs.gitlab.com/ee/ci/yaml/#artifactsaccess for possible values.'
 ---
@@ -113,6 +116,7 @@ include:
 image_name: $[[ inputs.image_name ]]
 root_dir: $[[ inputs.root_dir ]]
 state_name: $[[ inputs.state_name ]]
+ artifacts_access: $[[ inputs.plan_artifacts_access ]]
 - local: '/templates/apply.yml'
 inputs:
 as: 'apply'
diff --git a/templates/plan.yml b/templates/plan.yml
index a28b9c6..08d0110 100644
--- a/templates/plan.yml
+++ b/templates/plan.yml
@@ -57,6 +57,9 @@ spec:
 default: false
 type: boolean
 description: 'Indicate if the plan should be a destroy plan. You may want to change the `plan_name` input to `destroy-plan` which is the default for the destroy job.'
+ artifacts_access:
+ default: 'none'
+ description: 'Access level for the plan artifact. See https://docs.gitlab.com/ee/ci/yaml/#artifactsaccess for possible values.'
 ---
@@ -70,10 +73,8 @@ spec:
 # Terraform's cache files can include secrets which can be accidentally exposed.
 # Please exercise caution when utilizing secrets in your Terraform infrastructure and
 # consider limiting access to artifacts or take other security measures to protect sensitive information.
- #
- # The next line, which disables public access to pipeline artifacts, is not available on GitLab.com.
- # See: https://docs.gitlab.com/ee/ci/yaml/#artifactspublic
- public: false
+ # See https://docs.gitlab.com/ee/ci/yaml/#artifactsaccess for possible values.
+ access: '$[[ inputs.artifacts_access ]]'
 paths:
 - $TF_ROOT/$[[ inputs.plan_name ]].cache
 reports:
diff --git a/templates/validate-plan-apply.yml b/templates/validate-plan-apply.yml
index 5d670f5..7608be9 100644
--- a/templates/validate-plan-apply.yml
+++ b/templates/validate-plan-apply.yml
@@ -57,6 +57,9 @@ spec:
 default: false
 type: boolean
 description: 'Whether the apply job is manual or automatically run.'
+ plan_artifacts_access:
+ default: 'none'
+ description: 'Access level for the plan artifact. See https://docs.gitlab.com/ee/ci/yaml/#artifactsaccess for possible values.'
 ---
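Review bot: The new `artifacts_access` input in plan.yml's `spec:inputs` accepts any string, so a typo such as `'non'` or an empty value is only caught when GitLab rejects the rendered `artifacts:access` value at pipeline creation, with an error pointing into the component rather than at the caller's input. Since the valid set is small and fixed, pin it in the spec so the mistake fails at include time and names the input: add `options: ['all', 'developer', 'none']` under `artifacts_access:` (the `default: 'none'` stays), and mirror the same `options:` on the wrapper templates that forward `plan_artifacts_access`. This assumes the targeted GitLab version supports `spec:inputs:options`, which nothing in this file otherwise uses; confirm before relying on it.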
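Review bot: The comment kept above the new `access:` line in plan.yml still tells the reader to "consider limiting access to artifacts" as if nothing had been done, while the deleted lines were the only place that explained a platform caveat; the default and its trade-off should be stated where the setting lives. Replace the kept `# See https://docs.gitlab.com/ee/ci/yaml/#artifactsaccess for possible values.` with something like `# Defaults to 'none': the plan cache is not downloadable from the UI or API, but it is still handed to the apply/destroy job as a job artifact. Raising this to 'developer' or 'all' exposes any secrets captured in the cache to those roles.` That `none` still lets dependent jobs fetch the artifact is inferred from the apply job consuming this cache and from the GitLab docs, not from this hunk, so confirm the wording. `artifacts:access` is also a recent keyword (GitLab 16.11 as far as I recall) and older self-managed instances will reject it as an unknown key, so the README or this comment should state the minimum GitLab version the way the removed comment did for GitLab.com.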
@@ -90,6 +93,7 @@ include:
 image_name: $[[ inputs.image_name ]]
 root_dir: $[[ inputs.root_dir ]]
 state_name: $[[ inputs.state_name ]]
+ artifacts_access: $[[ inputs.plan_artifacts_access ]]
 - local: '/templates/apply.yml'
 inputs:
 as: 'apply'
diff --git a/templates/validate-plan-destroy.yml b/templates/validate-plan-destroy.yml
index b94fc54..35c51a9 100644
--- a/templates/validate-plan-destroy.yml
+++ b/templates/validate-plan-destroy.yml
@@ -56,6 +56,9 @@ spec:
 plan_name:
 default: 'destroy-plan'
 description: 'Destroy plan file name.'
+ plan_artifacts_access:
+ default: 'none'
+ description: 'Access level for the plan artifact. See https://docs.gitlab.com/ee/ci/yaml/#artifactsaccess for possible values.'
 auto_destroy:
 default: false
 type: boolean
@@ -94,6 +97,7 @@ include:
 root_dir: $[[ inputs.root_dir ]]
 state_name: $[[ inputs.state_name ]]
 plan_name: $[[ inputs.plan_name ]]
+ artifacts_access: $[[ inputs.plan_artifacts_access ]]
 destroy: true
 - local: '/templates/destroy.yml'
 inputs:
diff --git a/templates/validate-plan.yml b/templates/validate-plan.yml
index 2bd9f33..145e858 100644
--- a/templates/validate-plan.yml
+++ b/templates/validate-plan.yml
@@ -50,6 +50,9 @@ spec:
 state_name:
 default: default
 description: 'Remote OpenTofu state name.'
+ artifacts_access:
+ default: 'none'
+ description: 'Access level for the plan artifact. See https://docs.gitlab.com/ee/ci/yaml/#artifactsaccess for possible values.'
 ---
@@ -83,3 +86,4 @@ include:
 image_name: $[[ inputs.image_name ]]
 root_dir: $[[ inputs.root_dir ]]
 state_name: $[[ inputs.state_name ]]
+ artifacts_access: $[[ inputs.artifacts_access ]]
-- GitLab
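Review bot: The input added to validate-plan.yml is named `artifacts_access`, whereas full-pipeline.yml, validate-plan-apply.yml and validate-plan-destroy.yml in this same patch expose it as `plan_artifacts_access` (and the README row documents only the latter), so a user switching between templates has to remember two names for one setting. The input is new in this commit, so renaming costs nothing: change the spec key to `plan_artifacts_access:` and the forwarding line in the second validate-plan.yml hunk to `artifacts_access: $[[ inputs.plan_artifacts_access ]]`. The leaf plan.yml reasonably keeps the shorter `artifacts_access`, since it is the template that owns the artifact.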