.gitlab-ci.yml

---
# Based on the template at:
# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Terraform.gitlab-ci.yml
variables:
  TF_AUTO_DEPLOY: 'true'
include:
  - local: templates/tf/Base.latest.gitlab-ci.yml
  # See https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Terraform/
stages:
  - validate
  - test
  - build
  - deploy
  - postdeploy
  - configure
  - cleanup
fmt:
  extends: .terraform:fmt
  needs: []
validate:
  extends: .terraform:validate
  needs: []
  variables:
    KUBERNETES_MEMORY_LIMIT: 6G
sync-hpc-resource-provisioner-container:
  image: ubuntu:22.04
  script: [./.gitlab-ci-scripts/container_sync/sync_resource_provisioner.sh]
build:
  variables:
    KUBERNETES_CPU_REQUEST: 4000m
    KUBERNETES_CPU_LIMIT: 6000m
    KUBERNETES_MEMORY_REQUEST: 4G
    KUBERNETES_MEMORY_LIMIT: 6G
  before_script:
    - export TF_VAR_common_token_name=$COMMON_REPO_TOKEN_NAME
    - export TF_VAR_common_token_pass=$COMMON_REPO_TOKEN_PASS
  extends: .terraform:build
  artifacts:
    paths:
      - ${TF_ROOT}/on_demand_svc/src/*.zip
      - ${TF_ROOT}/bbp_workflow_svc/src/*.zip
      - ${TF_ROOT}/plan.cache
    reports:
      terraform: ${TF_ROOT}/plan.json
deploy:
  variables:
    KUBERNETES_MEMORY_LIMIT: 6G
  extends: .terraform:deploy
  dependencies: [build, sync-hpc-resource-provisioner-container]
  environment:
    name: $TF_STATE_NAME
1_verify_untagged:
  extends: .terraform:postdeploy
  dependencies: [deploy]
  script:
    - bash .gitlab-ci-scripts/resource_tagging/1_verify_untagged.sh $OUTPUT_UNTAGGED
      $OUTPUT_IGNORED
  artifacts:
    paths: [$OUTPUT_UNTAGGED, $OUTPUT_IGNORED]
    expire_in: 2 hrs
    public: false
2_tag_resources:
  extends: .terraform:postdeploy
  needs:
    - job: 1_verify_untagged
      artifacts: true
  script:
    - bash .gitlab-ci-scripts/resource_tagging/2_tag_resources.sh $OUTPUT_UNTAGGED
      $OUTPUT_MODIFIED
  artifacts:
    paths: [$OUTPUT_MODIFIED]
    expire_in: 2 hrs
    public: false
3_generate_report:
  extends: .terraform:postdeploy
  needs:
    - job: 1_verify_untagged
      artifacts: true
    - job: 2_tag_resources
      artifacts: true
  script:
    - bash .gitlab-ci-scripts/resource_tagging/3_generate_report.sh $OUTPUT_UNTAGGED
      $OUTPUT_IGNORED $OUTPUT_MODIFIED $OUTPUT_TAGGED
  artifacts:
    paths:
      - $OUTPUT_UNTAGGED
      - $OUTPUT_IGNORED
      - $OUTPUT_MODIFIED
      - $OUTPUT_TAGGED
    expire_in: 1 week
tfsec:
  image: aquasec/tfsec:v1.28.0
  stage: validate
  script:
    - cd "${TF_ROOT}"
    - rm -f import-statements.tf  # tfsec can't handle the new import statements
    - /usr/bin/tfsec
  allow_failure: false
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
      when: never
    - if: $CI_COMMIT_BRANCH  # If there's no open merge request, add it to a *branch* pipeline instead.
# terrascan:
#  image: tenable/terrascan
#  stage: validate
#  script:
#    - terrascan scan -i terraform --iac-version v14 --iac-dir ${TF_ROOT} --non-recursive --skip-rules=AC_AWS_0369
#  rules:
#    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
#    - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
#      when: never
#    - if: $CI_COMMIT_BRANCH  # If there's no open merge request, add it to a *branch* pipeline instead.
check_compliance:
  image: eerkunt/terraform-compliance
  stage: validate
  allow_failure: true
  variables:
    KUBERNETES_CPU_REQUEST: 4000m
    KUBERNETES_CPU_LIMIT: 6000m
    KUBERNETES_MEMORY_REQUEST: 4G
    KUBERNETES_MEMORY_LIMIT: 6G
    TF_STATE_NAME: ${TF_STATE_NAME}
  before_script:
    - export TF_VAR_common_token_name=$COMMON_REPO_TOKEN_NAME
    - export TF_VAR_common_token_pass=$COMMON_REPO_TOKEN_PASS
  script:
    - git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@bbpgitlab.epfl.ch/cs/cloud/aws/terraform-compliance
    - ls -la terraform-compliance
    - rm gitlab-config.tf
    - terraform init
    - terraform plan -parallelism=30 -out=plan.tfplan > /dev/null && terraform show
      -json plan.tfplan > plan.json
    - terraform-compliance -f ./terraform-compliance -p ./plan.json