Update terraform pipeline based on work on API gateway
This MR collects together some changes made when trying to apply the terraform pipeline template to the API Gateway repo.
The gitlab-ci.yml file used for testing is at https://gitlab.developers.cam.ac.uk/uis/devops/api/gateway-ops/-/blob/4a69a0a6b1ac0b54261f92345e938ca47e2cc495/.gitlab-ci.yml#L12
The commit pipeline resulting is at https://gitlab.developers.cam.ac.uk/uis/devops/api/gateway-ops/-/pipelines/342473
The merge request pipeline resulting is at https://gitlab.developers.cam.ac.uk/uis/devops/api/gateway-ops/-/pipelines/342472
The changes are broken out into separate commits for ease of review. The following is the concatenation of each commit message:
Express the indent and line-length restrictions for the YAML files in this repo by means of an editorconfig file.
The workflow configuration's scope extends beyond a given template and so adding a workflow configuration disables AutoDevOps for ordinary commits.
Remove the workflow configuration because duplication is a) not terrible and b) may be
useful since merge request pipelines run post merge and commit
pipelines run pre merge. Depending on the state of the default branch,
there may be terraform regressions introduced post merge.
The stage configuration is not limited in scope to the current template
and so re-defining the list of stages breaks AutoDevOps. For better or
for worse we are de facto stuck with the list of stages AutoDevOps
brings in because GitLab does not merge stage lists.
Although naming jobs "tf-..." makes sense within the context of this template, when looking at the jobs in the wider sense of all of the test jobs it is not immediately clear that "tf" means "terraform".
Move to more explicit naming so tf-apply-... -> terraform-apply-..., etc.
The tf-lint and tf-sec jobs are renamed to tflint and tfsec respectively since those are the actual names of the tools.
The terraform jobs do not need the AutoDevOps "build" job to be
completed and so explicitly note their lack of dependency via an empty
needs keyword. The practical upshot of this is that terraform fmt, etc. jobs start
immediately rather than waiting for a needless build stage.
Copying the approach used by AutoDevOps, allow jobs to be disabled
explicitly by setting a ..._DISABLED variable. This is useful for,
e.g., legacy terraform codebases where we want to incrementally make the
linters happy or terraform codebases not yet migrated to make use of the
GKE GitLab runners but where we still want linting checks.
The ..._DISABLED variables are used in the example pipelines above.
The tflint tool now checks the current directory by default and prints a
deprecation warning if one passes "." directly. Fix the deprecation
warning.
In the comments at the top of the file, a ref is specified for including the template. Make this reflect the most recent tag (once this is merged).
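
A sketch of the job shape the commit messages above describe, added here as an illustration and not taken from the template itself. The tflint and tfsec job names follow the renaming above; the TFLINT_DISABLED and TFSEC_DISABLED variable names, the "test" stage and the script lines are assumptions.

```yaml
# Illustrative fragment only (not the template's own code).
# No top-level "stages:" or "workflow:" key appears here: both are
# pipeline-wide, so defining them in an included template would replace
# the ones AutoDevOps brings in.

# Hypothetical hidden job holding what the linting jobs share.
.terraform-check:
  stage: test   # assumed: one of the stages AutoDevOps already defines
  needs: []     # no dependency on the AutoDevOps "build" job, so start at once

tflint:
  extends: .terraform-check
  script:
    - tflint    # checks the current directory by default; no "." argument
  rules:
    # Assumed variable name, following the ..._DISABLED pattern.
    - if: '$TFLINT_DISABLED'
      when: never
    - when: on_success

tfsec:
  extends: .terraform-check
  script:
    - tfsec .
  rules:
    # Assumed variable name, following the ..._DISABLED pattern.
    - if: '$TFSEC_DISABLED'
      when: never
    - when: on_success

# A consuming project would opt out of a single check like this
# (shown as a comment because it belongs in that project's own
# .gitlab-ci.yml, not in the template):
#
# variables:
#   TFLINT_DISABLED: "1"
```

A job excluded with `when: never` is not added to the pipeline at all, so a disabled tfsec check shows up only as a missing job; listing which projects set the variable is the way to see where the scan is skipped.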