Mike Knee · Dr Rich Wareham · Ryan Kowalewski · Ryan Kowalewski · Ryan Kowalewski · Ryan Kowalewski
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,8 +5,21 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

+## [3.3.0] - 2023-11-29
+
+### Fixed
+
+- `terraform-pipeline.yml`: allow plan and apply jobs to run on git tag actions.
+
+### Added
+
+- `terraform-pipeline.yml`: add `TF_PLAN_TARGET` variable to allow targeted plan
+  actions.
+
 ## [3.2.0] - 2023-11-07

+### Added
+
 - Add new `release-it.yml` template for automated release management.

 ## [3.1.1] - 2023-10-19

--- a/auto-devops/python.md
+++ b/auto-devops/python.md
@@ -71,6 +71,8 @@ Any other files present in `$TOXINI_ARTEFACT_DIR` are uploaded as artefacts.

 ### Customisation

+#### Isolating tox testenvs
+
 You can arrange for tox testenvs to run in isolated test jobs by extending the
 "python:tox" job.

@@ -140,6 +142,32 @@ commands=
    black --check .
 ```

+#### Extending the `before_script`
+
+Sometimes additional dependencies may need to be installed into the gitlab
+runner's container in order to run the tests. It is recommended in this case to
+overwrite the `before_script` for the `python:tox` job and use a reference to
+ensure the template `before_script` is preserved:
+
+```yaml
+include:
+  - project: 'uis/devops/continuous-delivery/ci-templates'
+    file: '/auto-devops/common-pipeline.yml'
+
+python:tox:
+  before_script:
+    # This runs the 'parent' before_script from the template job, important to
+    # include this so that any specified TOX_ADDITIONAL_REQUIREMENTS are still
+    # installed, and any other generic required setup is done.
+    - !reference [".python:tox", "before_script"]
+    # This is our new extension to the before_script:
+    - apk add pkgconf
+```
+
+The example above would install the alpine linux `pkgconf` package into the
+gitlab runner, and therefore make it available for use when installing the test
+dependencies.
+
 ## Publishing packages

 The [publish template](./python-publish.yml) supports building packages from

--- a/auto-devops/terraform-pipeline.yml
+++ b/auto-devops/terraform-pipeline.yml
@@ -110,14 +110,19 @@ variables:
  resource_group: $DEPLOYMENT_ENVIRONMENT
  script: |
    unset GOOGLE_APPLICATION_CREDENTIALS
+    
+    for target in $TF_PLAN_TARGET; do
+      TF_PLAN_ARGS="$TF_PLAN_ARGS --target $target"
+    done
+    
    terraform init
-    terraform plan -out=${TF_DATA_DIR}/${CI_COMMIT_REF_SLUG}-${DEPLOYMENT_ENVIRONMENT}.tfplan -detailed-exitcode || exit_code=$?
+    terraform plan $TF_PLAN_ARGS -out=${TF_DATA_DIR}/${CI_COMMIT_REF_SLUG}-${DEPLOYMENT_ENVIRONMENT}.tfplan -detailed-exitcode || exit_code=$?
    terraform show -json ${TF_DATA_DIR}/${CI_COMMIT_REF_SLUG}-${DEPLOYMENT_ENVIRONMENT}.tfplan > ${TF_DATA_DIR}/${CI_COMMIT_REF_SLUG}-${DEPLOYMENT_ENVIRONMENT}.tfplan.json
    cat ${TF_DATA_DIR}/${CI_COMMIT_REF_SLUG}-${DEPLOYMENT_ENVIRONMENT}.tfplan.json | jq -r '([.resource_changes[]?.change.actions?]|flatten)|{"create":(map(select(.=="create"))|length),"update":(map(select(.=="update"))|length),"delete":(map(select(.=="delete"))|length)}' > ${TF_DATA_DIR}/${CI_COMMIT_REF_SLUG}-${DEPLOYMENT_ENVIRONMENT}.tfplan.report
    exit $exit_code
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_TAG
    - when: never
  tags:
    - $GKE_RUNNER_TAG
@@ -157,8 +162,8 @@ variables:
    terraform init
    terraform apply ${TF_DATA_DIR}/${CI_COMMIT_REF_SLUG}-${DEPLOYMENT_ENVIRONMENT}.tfplan
  rules:
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $DEPLOYMENT_ENVIRONMENT == "staging"
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: ($CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_TAG) && $DEPLOYMENT_ENVIRONMENT == "staging"
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_TAG
      when: manual
    - when: never
  tags:
@@ -278,7 +283,7 @@ terraform-apply-development:
  rules:
    - if: $TERRAFORM_APPLY_DEVELOPMENT_DISABLED
      when: never
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_TAG
      when: manual
      # This is currently the only way to allow the pipeline to succeed if the optional manual development apply job was
      # not triggered. See the following issue for context - https://gitlab.com/gitlab-org/gitlab/-/issues/249524.