Update terraform pipeline based on work on API gateway

Dr Rich Wareham requested to merge make-tf-autodevops-friendly into master

This MR collects together some changes made when trying to apply the terraform pipeline template to the API Gateway repo.

The gitlab-ci.yml file used for testing is at https://gitlab.developers.cam.ac.uk/uis/devops/api/gateway-ops/-/blob/4a69a0a6b1ac0b54261f92345e938ca47e2cc495/.gitlab-ci.yml#L12

The resulting commit pipeline is at https://gitlab.developers.cam.ac.uk/uis/devops/api/gateway-ops/-/pipelines/342473

The resulting merge request pipeline is at https://gitlab.developers.cam.ac.uk/uis/devops/api/gateway-ops/-/pipelines/342472

The changes are broken out into separate commits for ease of review. The following is the concatenation of each commit message:

Express the indent and line-length restrictions for the YAML files in this repo by means of an editorconfig file.

The workflow configuration's scope extends beyond a given template and so adding a workflow configuration disables AutoDevOps for ordinary commits.

Remove the workflow configuration because duplication is a) not terrible and b) may be useful since merge request pipelines run post merge and commit pipelines run pre merge. Depending on the state of the default branch, there may be terraform regressions introduced post merge.

The stage configuration is not limited in scope to the current template and so re-defining the list of stages breaks AutoDevOps. For better or for worse we are de facto stuck with the list of stages AutoDevOps brings in because GitLab does not merge stage lists.

Although naming jobs "tf-..." makes sense within the context of this template, when looking at the jobs in the wider sense of all of the test jobs it is not immediately clear that "tf" means "terraform".

Move to more explicit naming so tf-apply-... -> terraform-apply-..., etc.

The tf-lint and tf-sec jobs are renamed to tflint and tfsec respectively since those are the actual names of the tools.

The terraform jobs do not need the AutoDevOps "build" job to be completed and so explicitly note their lack of dependency via an empty needs keyword. The practical upshot of this is that terraform fmt, etc. jobs start immediately rather than waiting for a needless build stage.

Copying the approach used by AutoDevOps, allow jobs to be disabled explicitly by setting a ..._DISABLED variable. This is useful for, e.g., legacy terraform codebases where we want to incrementally make the linters happy or terraform codebases not yet migrated to make use of the GKE GitLab runners but where we still want linting checks.

The ..._DISABLED variables are used in the example pipelines above.

The tflint tool now checks the current directory by default and prints a deprecation warning if one passes . directly. Fix the deprecation warning.

In the comments at the top of the file, a ref is specified for including the template. Make this reflect the most recent tag (once this is merged).
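
The job shape the description above sets out, as an added illustration that is not the template from this merge request: the variable names `TFLINT_DISABLED` and `TERRAFORM_FMT_DISABLED`, the job name `terraform-fmt`, and the use of the `test` stage are assumptions.

```yaml
# Constructed illustration, not the template from this merge request.
# Deliberately absent: top-level `workflow:` and `stages:` keys. Both apply to
# the whole pipeline rather than to this included file alone, so a template
# that sets them overrides what AutoDevOps defines.
# Assumption: the runner's image already provides tflint and terraform.

tflint:
  stage: test          # assumption: reuse a stage AutoDevOps already declares
  needs: []            # no dependency on the AutoDevOps "build" job
  rules:
    # Opt-out switch in the AutoDevOps style; the variable name is hypothetical.
    - if: '$TFLINT_DISABLED == "1" || $TFLINT_DISABLED == "true"'
      when: never
    # No workflow rules here, so the job runs in both commit and
    # merge request pipelines.
    - when: on_success
  script:
    - tflint           # checks the current directory by default; no "." argument

terraform-fmt:         # hypothetical name following the terraform-... scheme
  stage: test
  needs: []
  rules:
    - if: '$TERRAFORM_FMT_DISABLED == "1" || $TERRAFORM_FMT_DISABLED == "true"'
      when: never
    - when: on_success
  script:
    - terraform fmt -check -diff -recursive
```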