Move terraform jobs to branch pipelines
Note
This issue describes work which must be done if we elect not to adopt the approach outlined in uis/devops/infra/gitlab-project-factory#286. One or other of these approaches must be taken since current behaviour in infrastructure projects is broken.
Tasks
The following need to land simultaneously:
-
Switch CI jobs for terraform to be branch pipeline friendly (!208) -
Remove AST_ENABLE_MR_PIPELINESfrom gitlab project factory (uis/devops/infra/gitlab-project-factory!565) -
Remove AST_ENABLE_MR_PIPELINESfrom GCP boilerplate (https://gitlab.developers.cam.ac.uk/uis/devops/gcp-deploy-boilerplate/-/merge_requests/135)
We need to ensure:
-
Update guidebook docs to make sure changes are reflected -
Make sure any comments in CI templates reflecst reality -
Make sure the GitLab factory readme reflects reality
We need to do some comms:
-
A week before merging, tell people via Team Updates / General post -
On the day tell people that they will need to be on top of merging tomorrow's renovatebot MRs.
Description
As noted in uis/devops/gcp-deploy-boilerplate#89, the fact that terraform jobs and, as I understand it, terraform jobs alone require Merge Request pipelines be enabled causes some confusion for developers.
Currently an infrastructure project must have the AST_ENABLE_MR_PIPELINES variable set in the project factory. Although documented, this cannot easily be enforced.
I understand that the reason we wish to gate terraform apply/plan jobs to MR pipelines is to avoid the overhead of running them if no MR is open. (@rk725 may wish to educate me on this point though.)
If instead we changed the rules of the terraform job to something like the following, we may be able to have our cake and eat it:
rules:
# Terraform jobs run on MR pipelines if the project is so configured.
- if: ($AST_ENABLE_MR_PIPELINES == "true") && $CI_PIPELINE_SOURCE == "merge_request_event"
# Otherwise, only run if a MR is open.
- if: ($AST_ENABLE_MR_PIPELINES != "true") && $CI_OPEN_MERGE_REQUESTS
# Always run on the default branch or for tagged commits.
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_TAG
- when: neverThis would retain the current behaviour for projects with AST_ENABLE_MR_PIPELINES set but allow us to remove the setting of AST_ENABLE_MR_PIPELINES by default in the gcp boilerplate CI configuration.
Project which wish to retain the use of dedicated MR pipelines may opt to do so by setting AST_ENABLE_MR_PIPELINES in the GitLab project factory. We can document that procedure in the guidebook.