* (type here the used build & test tools/frameworks)
* [ ] mapped to the `build` stage
*[ ] declare a common `.test-policy` job with rules implementing the [Adaptive Pipeline strategy](https://to-be-continuous.gitlab.io/doc/usage/#test-analysis-jobs-rules) and use in test & SAST jobs
*[ ] unit tests report integration using [JUnit test report](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsjunit)
*[ ] code coverage computing and [integration](https://docs.gitlab.com/ee/ci/yaml/#coverage)
* must be executed on non-`master`, non-`develop` branches only
* must be associated to the [`environment:action:stop`](https://docs.gitlab.com/ee/ci/yaml/#environmentaction) event
* must be associated to the [`environment:action:stop`](https://docs.gitlab.com/ci/yaml/#environmentaction) event
* (optional) Analysis job(s) (linters, dependency checks, ...) depending on the technologies:
* [ ] mapped to the `test` stage
*[ ] declare a common `.test-policy` job with rules implementing the [Adaptive Pipeline strategy](https://to-be-continuous.gitlab.io/doc/usage/#test-analysis-jobs-rules) and use in test & SAST jobs
*[ ] declare a common `.acceptance-policy` job with rules implementing the [Adaptive Pipeline strategy](https://to-be-continuous.gitlab.io/doc/usage/#test-analysis-jobs-rules) and use in test & SAST jobs
*[ ] tests report integration using [JUnit test report](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsjunit)
*[ ] tests report integration using [JUnit test report](https://docs.gitlab.com/ci/yaml/artifacts_reports/#artifactsreportsjunit)
* [ ] auto-evaluating the environment url to test based on the possible upstream `$environment_url` variable or via
1. Create an issue describing the bug or enhancement you want to propose (select the right issue template).
2. Make sure the issue has been reviewed and agreed.
3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html) documentation).
3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/user/project/repository/forking_workflow/) documentation).
Don't hesitate to mark your MR as `Draft` as long as you think it's not ready to be reviewed.
When enabled, it deploys the result from upstream build stages to a dedicated and temporary environment.
It is only active for non-production, non-integration branches.
It is a strict equivalent of GitLab's [Review Apps](https://docs.gitlab.com/ee/ci/review_apps/) feature.
It is a strict equivalent of GitLab's [Review Apps](https://docs.gitlab.com/ci/review_apps/) feature.
It also comes with a _cleanup_ job (accessible either from the _environments_ page, or from the pipeline view).
@@ -96,7 +96,7 @@ You're free to enable whichever or both, and you can also choose your deployment
The Azure template supports two kinds of authentication:
1. service principal authentication with credentials (user & password),
2. or [federated authentication using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/azure/).
2. or [federated authentication using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/azure/).
#### Service principal authentication with credentials
@@ -107,7 +107,7 @@ Can be provided globally and/or per environment.
#### Federated authentication using OpenID Connect
The Azure template supports [OpenID Connect to retrieve temporary credentials](https://docs.gitlab.com/ee/ci/cloud_services/azure/).
The Azure template supports [OpenID Connect to retrieve temporary credentials](https://docs.gitlab.com/ci/cloud_services/azure/).
If you wish to use this authentication mode, please activate and configure the [OIDC variant](#oidc-variant).
@@ -167,8 +167,8 @@ The cleanup script is searched as follows:
> * `${environment_type}`: the current environment type (`review`, `integration`, `staging` or `production`)
> * `${environment_name}`: the application name to use for the current environment (ex: `myproject-review-fix-bug-12` or `myproject-staging`)
> * `${hostname}`: the environment hostname, extracted from the current environment url (after late variable expansion - see below)
> 2. any [GitLab CI variable](https://docs.gitlab.com/ee/ci/variables/predefined_variables.html)
> 3. any [custom variable](https://docs.gitlab.com/ee/ci/variables/#for-a-project)
> 2. any [GitLab CI variable](https://docs.gitlab.com/ci/variables/predefined_variables/)
> 3. any [custom variable](https://docs.gitlab.com/ci/variables/#for-a-project)
> (ex: `${SECRET_TOKEN}` that you have set in your project CI/CD variables)
### Environments URL management
@@ -176,7 +176,7 @@ The cleanup script is searched as follows:
The Azure template supports two ways of providing your environments url:
* a **static way**: when the environments url can be determined in advance, probably because you're exposing your routes through a DNS you manage,
* a [**dynamic way**](https://docs.gitlab.com/ee/ci/environments/#set-a-dynamic-environment-url): when the url cannot be known before the
* a [**dynamic way**](https://docs.gitlab.com/ci/environments/#set-a-dynamic-environment-url): when the url cannot be known before the
deployment job is executed.
The **static way** can be implemented simply by setting the appropriate configuration variable(s) depending on the environment (see environments configuration chapters):
@@ -205,7 +205,7 @@ the dynamically generated url. When detected by the template, it will use it as
### Deployment output variables
Each deployment job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdotenv)):
Each deployment job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ci/yaml/artifacts_reports/#artifactsreportsdotenv)):
*`$environment_type`: set to the type of environment (`review`, `integration`, `staging` or `production`),
*`$environment_name`: the application name (see below),
@@ -221,12 +221,12 @@ You may also add and propagate your own custom variables, by pushing them to the
Here are some advices about your **secrets** (variables marked with a :lock:):
1. Manage them as [project or group CI/CD variables](https://docs.gitlab.com/ee/ci/variables/#for-a-project):
*[**masked**](https://docs.gitlab.com/ee/ci/variables/#mask-a-cicd-variable) to prevent them from being inadvertently
1. Manage them as [project or group CI/CD variables](https://docs.gitlab.com/ci/variables/#for-a-project):
*[**masked**](https://docs.gitlab.com/ci/variables/#mask-a-cicd-variable) to prevent them from being inadvertently
displayed in your job logs,
*[**protected**](https://docs.gitlab.com/ee/ci/variables/#protected-cicd-variables) if you want to secure some secrets
*[**protected**](https://docs.gitlab.com/ci/variables/#protected-cicd-variables) if you want to secure some secrets
you don't want everyone in the project to have access to (for instance production secrets).
2. In case a secret contains [characters that prevent it from being masked](https://docs.gitlab.com/ee/ci/variables/#mask-a-cicd-variable),
2. In case a secret contains [characters that prevent it from being masked](https://docs.gitlab.com/ci/variables/#mask-a-cicd-variable),
simply define its value as the [Base64](https://en.wikipedia.org/wiki/Base64) encoded value prefixed with `@b64@`:
it will then be possible to mask it and the template will automatically decode it prior to using it.
3. Don't forget to escape special characters (ex: `$` -> `$$`).
@@ -238,7 +238,7 @@ The Azure template uses some global configuration used throughout all jobs and e
| Input / Variable | Description | Default value |
| `cli-image` / `AZURE_CLI_IMAGE` | the Docker image used to run Azure CLI commands| `mcr.microsoft.com/azure-cli:latest`<br/>[](https://to-be-continuous.gitlab.io/doc/secu/trivy-AZURE_CLI_IMAGE) |
| `base-app-name` / `AZURE_BASE_APP_NAME` | Base application name | `$CI_PROJECT_NAME` ([see GitLab doc](https://docs.gitlab.com/ee/ci/variables/predefined_variables.html)) |
| `base-app-name` / `AZURE_BASE_APP_NAME` | Base application name | `$CI_PROJECT_NAME` ([see GitLab doc](https://docs.gitlab.com/ci/variables/predefined_variables/)) |
| `scripts-dir` / `AZURE_SCRIPTS_DIR` | Directory where Azure scripts (deploy & cleanup) are located | `.` _(root project dir)_ |
| `sp-client-id` / `AZURE_SP_CLIENT_ID` | Default Service Principal client ID _(only define if using Service Principal authentication with credentials)_ | _none_ |
@@ -323,9 +323,9 @@ The Azure template can be used in conjunction with template variants to cover sp
### OIDC variant
This variant enables [OpenID Connect to retrieve temporary credentials](https://docs.gitlab.com/ee/ci/cloud_services/azure/).
This variant enables [OpenID Connect to retrieve temporary credentials](https://docs.gitlab.com/ci/cloud_services/azure/).
If you wish to use this authentication mode, please follow carefully [the GitLab guide](https://docs.gitlab.com/ee/ci/cloud_services/azure/),
If you wish to use this authentication mode, please follow carefully [the GitLab guide](https://docs.gitlab.com/ci/cloud_services/azure/),
then configure appropriately the related variables:
* `AZURE_OIDC_CLIENT_ID`+`AZURE_OIDC_TENANT_ID` for any global/common access,
@@ -341,16 +341,16 @@ The variant supports the following configuration:
| Input / Variable | Description | Default value |
| `oidc-aud` / `AZURE_OIDC_AUD` | The `aud` claim for the JWT | `api://AzureADTokenExchange` ([recommended default value](https://learn.microsoft.com/en-us/azure/active-directory/workload-identities/workload-identity-federation-create-trust?pivots=identity-wif-apps-methods-azp#important-considerations-and-restrictions)) |
| `oidc-client-id` / `AZURE_OIDC_CLIENT_ID` | Default Service Principal client ID associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/azure/) | _none_ (disabled) |
| `oidc-tenant-id` / `AZURE_OIDC_TENANT_ID` | Default Service Principal tenant ID associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/azure/) | _none_ (disabled) |
| `review-oidc-client-id` / `AZURE_REVIEW_OIDC_CLIENT_ID`| Service Principal client ID associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/azure/) on `review` env _(only define to override default)_ | _none_ (disabled) |
| `review-oidc-tenant-id` / `AZURE_REVIEW_OIDC_TENANT_ID`| Service Principal tenant ID associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/azure/) on `review` env _(only define to override default)_ | _none_ (disabled) |
| `integ-oidc-client-id` / `AZURE_INTEG_OIDC_CLIENT_ID` | Service Principal client ID associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/azure/) on `integration` env _(only define to override default)_ | _none_ (disabled) |
| `integ-oidc-tenant-id` / `AZURE_INTEG_OIDC_TENANT_ID` | Service Principal tenant ID associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/azure/) on `integration` env _(only define to override default)_ | _none_ (disabled) |
| `staging-oidc-client-id` / `AZURE_STAGING_OIDC_CLIENT_ID`| Service Principal client ID associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/azure/) on `staging` env _(only define to override default)_ | _none_ (disabled) |
| `staging-oidc-tenant-id` / `AZURE_STAGING_OIDC_TENANT_ID`| Service Principal tenant ID associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/azure/) on `staging` env _(only define to override default)_ | _none_ (disabled) |
| `prod-oidc-client-id` / `AZURE_PROD_OIDC_CLIENT_ID` | Service Principal client ID associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/azure/) on `production` env _(only define to override default)_ | _none_ (disabled) |
| `prod-oidc-tenant-id` / `AZURE_PROD_OIDC_TENANT_ID` | Service Principal tenant ID associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/azure/) on `production` env _(only define to override default)_ | _none_ (disabled) |
| `oidc-client-id` / `AZURE_OIDC_CLIENT_ID` | Default Service Principal client ID associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/azure/) | _none_ (disabled) |
| `oidc-tenant-id` / `AZURE_OIDC_TENANT_ID` | Default Service Principal tenant ID associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/azure/) | _none_ (disabled) |
| `review-oidc-client-id` / `AZURE_REVIEW_OIDC_CLIENT_ID`| Service Principal client ID associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/azure/) on `review` env _(only define to override default)_ | _none_ (disabled) |
| `review-oidc-tenant-id` / `AZURE_REVIEW_OIDC_TENANT_ID`| Service Principal tenant ID associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/azure/) on `review` env _(only define to override default)_ | _none_ (disabled) |
| `integ-oidc-client-id` / `AZURE_INTEG_OIDC_CLIENT_ID` | Service Principal client ID associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/azure/) on `integration` env _(only define to override default)_ | _none_ (disabled) |
| `integ-oidc-tenant-id` / `AZURE_INTEG_OIDC_TENANT_ID` | Service Principal tenant ID associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/azure/) on `integration` env _(only define to override default)_ | _none_ (disabled) |
| `staging-oidc-client-id` / `AZURE_STAGING_OIDC_CLIENT_ID`| Service Principal client ID associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/azure/) on `staging` env _(only define to override default)_ | _none_ (disabled) |
| `staging-oidc-tenant-id` / `AZURE_STAGING_OIDC_TENANT_ID`| Service Principal tenant ID associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/azure/) on `staging` env _(only define to override default)_ | _none_ (disabled) |
| `prod-oidc-client-id` / `AZURE_PROD_OIDC_CLIENT_ID` | Service Principal client ID associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/azure/) on `production` env _(only define to override default)_ | _none_ (disabled) |
| `prod-oidc-tenant-id` / `AZURE_PROD_OIDC_TENANT_ID` | Service Principal tenant ID associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/azure/) on `production` env _(only define to override default)_ | _none_ (disabled) |
#### Example
@@ -384,7 +384,7 @@ In order to be able to communicate with the Vault server, the variant requires t
| :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | _none_ |
| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | _none_ |
By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables.
By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ci/secrets/id_token_authentication/). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables.
