Ryan Kowalewski · Ryan Kowalewski · Ryan Kowalewski · Roy Harrington · 158b62e2 · 158b62e2
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,19 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

+## [2.5.0] - 2023-07-17
+
+### Added
+
+- terraform-pipeline: Add `resource_group` to Terraform jobs to avoid concurrent pipelines for each
+  environment.
+
+### Fixed
+
+- terraform-pipeline: Add docker-in-docker service now that the GKE runner does not mount
+  `docker.sock` from the host (see
+  https://gitlab.developers.cam.ac.uk/uis/devops/devhub/gitlab-runner-infrastructure/-/merge_requests/14).
+
 ## [2.4.4] - 2023-07-07

 ### Fixed

--- a/auto-devops/terraform-pipeline.yml
+++ b/auto-devops/terraform-pipeline.yml
@@ -79,6 +79,18 @@ variables:
    when: never
  - if: "$CI_COMMIT_BRANCH || $CI_COMMIT_TAG"

+# These variables are required when using docker-in-docker with TLS enabled via the Kubernetes executor for GitLab
+# runner. For more information see
+# https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#docker-in-docker-with-tls-enabled-in-kubernetes.
+.docker-in-docker:
+  services:
+    - docker:24-dind
+  variables:
+    DOCKER_HOST: tcp://docker:2376
+    DOCKER_TLS_CERTDIR: "/certs"
+    DOCKER_TLS_VERIFY: 1
+    DOCKER_CERT_PATH: "$DOCKER_TLS_CERTDIR/client"
+
 # This job generates a plan and stores it as an artifact for consumption by a related apply job. It uses the
 # -detailed-exitcode flag to enable the additional exit code 2, meaning that the plan executed successfully but
 # that changes are required (see https://developer.hashicorp.com/terraform/cli/commands/plan#detailed-exitcode).
@@ -88,9 +100,14 @@ variables:
 #
 # Plans only run when MRs have actually been opened or on the default branch.
 .terraform-plan:
+  extends: .docker-in-docker
  image: ${TERRAFORM_DEPLOY_IMAGE}:${TERRAFORM_DEPLOY_VERSION}
  variables:
    TF_WORKSPACE: $DEPLOYMENT_ENVIRONMENT
+  environment:
+    name: $DEPLOYMENT_ENVIRONMENT
+    action: prepare
+  resource_group: $DEPLOYMENT_ENVIRONMENT
  script: |
    unset GOOGLE_APPLICATION_CREDENTIALS
    terraform init
@@ -127,10 +144,14 @@ variables:
 # The job only runs if the commit branch is the default branch. If the deployment environment is "staging", the job
 # will run automatically, otherwise it will require a manual trigger in the pipeline UI.
 .terraform-apply:
-  environment: ${DEPLOYMENT_ENVIRONMENT}
+  extends: .docker-in-docker
  image: ${TERRAFORM_DEPLOY_IMAGE}:${TERRAFORM_DEPLOY_VERSION}
  variables:
    TF_WORKSPACE: $DEPLOYMENT_ENVIRONMENT
+  environment:
+    name: $DEPLOYMENT_ENVIRONMENT
+    action: start
+  resource_group: $DEPLOYMENT_ENVIRONMENT
  script: |
    unset GOOGLE_APPLICATION_CREDENTIALS
    terraform init