Commit 480cb6d2 authored by Pierre Smeyers

Merge branch 'feat/private-registry-authent' into 'master'

feat: support private registries authentication

Closes #65

See merge request to-be-continuous/terraform!100
parents 463cad05 c544ee1d
+22 −3
@@ -193,7 +193,7 @@ Examples:

### Terraform integration in Merge Requests

This template enables [Terraform integration in Merge Requests](https://docs.gitlab.com/ee/user/infrastructure/mr_integration.html).
This template enables [Terraform integration in Merge Requests](https://docs.gitlab.com/ee/user/infrastructure/iac/mr_integration.html).

As a result if you enabled your `production` environment, every merge request will compute and display infrastructure changes compared to `master` branch.

@@ -201,7 +201,7 @@ As a result if you enabled your `production` environment, every merge request wi

#### GitLab managed Terraform State (default)

By default, this template enables [GitLab managed Terraform State](https://docs.gitlab.com/ee/user/infrastructure/terraform_state.html).
By default, this template enables [GitLab managed Terraform State](https://docs.gitlab.com/ee/user/infrastructure/iac/terraform_state.html).

[As mentionned in GitLab's documentation](https://docs.gitlab.com/ee/user/infrastructure/iac/terraform_state.html#initialize-a-terraform-state-as-a-backend-by-using-gitlab-cicd),
that requires that your Terraform scripts declare the (unconfigured)
@@ -285,6 +285,25 @@ Be aware of the following:
* if the specified workspace doesn't exist, the template will create it,
* HTTP backend (default) doesn't support Workspaces. [See supported backends here](https://developer.hashicorp.com/terraform/language/state/workspaces#backends-supporting-multiple-workspaces).

### Using modules from private registries

The Terraform template supports using modules from private registries (GitLab's Registry or others).

Modules can be refered as usual in your Terraform code:

```terraform
module "<module>" {
  source = "tf.registry.address/organization/provider/module_name"
}
```

And finally authentication credentials shall be defined as secret [environment variable credentials](https://developer.hashicorp.com/terraform/cli/config/config-file#environment-variable-credentials). 
In the above example, that would mean defining a :lock: `TF_TOKEN_tf_registry_address` project variable containing the authentication token.

:warning: by default the template automatically sets the authentication token for the GitLab Modules Registry using the `$CI_JOB_TOKEN` value.
If you want to use another credential (personal access token or else), just define explicitly :lock: `TF_TOKEN_gitlab_com` (or the right one for your GitLab server)
as a project variable with the desired credential.

### Terraform lock file

As explained in [Terraform documentation](https://developer.hashicorp.com/terraform/language/files/dependency-lock#lock-file-location), _you should include the `.terraform.lock.hcl` file in your version control repository_.
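Review bot: The new "Using modules from private registries" section gives `TF_TOKEN_tf_registry_address` as the variable name but never states the rule that produces it, so a reader with a different hostname has to guess. Suggest adding one sentence saying the name is `TF_TOKEN_` followed by the registry hostname with periods replaced by underscores and hyphens replaced by double underscores, which is the encoding Terraform's environment variable credentials use. In the warning paragraph, "(or the right one for your GitLab server)" would be clearer if it said the name is derived from the GitLab server hostname the same way. Two wording points in the added lines: "refered" should be "referred", and "personal access token or else" reads better as "personal access token or other".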
@@ -314,7 +333,7 @@ The Terraform template uses some global configuration used throughout all jobs.
| Name                     | description                            | default value     |
| ------------------------ | -------------------------------------- | ----------------- |
| `TF_IMAGE`               | the Docker image used to run Terraform CLI commands <br/>:warning: **set the version required by your project** | `registry.hub.docker.com/hashicorp/terraform:latest` |
| `TF_GITLAB_BACKEND_DISABLED`| Set to `true` to disable [GitLab managed Terraform State](https://docs.gitlab.com/ee/user/infrastructure/terraform_state.html) | _none_ (enabled) |
| `TF_GITLAB_BACKEND_DISABLED`| Set to `true` to disable [GitLab managed Terraform State](https://docs.gitlab.com/ee/user/infrastructure/iac/terraform_state.html) | _none_ (enabled) |
| `TF_PROJECT_DIR`         | Terraform project root directory        | `.`               |
| `TF_SCRIPTS_DIR`         | Terraform (hook) scripts base directory (relative to `$TF_PROJECT_DIR`) | `.` |
| `TF_OUTPUT_DIR`          | Terraform output directory (relative to `$TF_PROJECT_DIR`). Everything generated in this directory will be kept as job artifacts. | `tf-output` |
+1 −1
@@ -12,7 +12,7 @@
    {
      "name": "TF_GITLAB_BACKEND_DISABLED",
      "type": "boolean",
      "description": "Set to disable [GitLab managed Terraform State](https://docs.gitlab.com/ee/user/infrastructure/terraform_state.html)",
      "description": "Set to disable [GitLab managed Terraform State](https://docs.gitlab.com/ee/user/infrastructure/iac/terraform_state.html)",
      "advanced": true
    },
    {
+7 −0
@@ -407,6 +407,13 @@ stages:
    export TF_VAR_environment_name=$environment_name
    export TF_VAR_environment_slug=$environment_slug

    # set auth token for GitLab (if not already set)
    token_var_for_gitlab="TF_TOKEN_${CI_SERVER_HOST//./_}"
    if [[ -z "$(eval echo \$"$token_var_for_gitlab")" ]]; then
      log_info "setting token for GitLab registry (\$$token_var_for_gitlab)..."
      export "$token_var_for_gitlab"="$CI_JOB_TOKEN"
    fi

    # make output dir
    mkdir -p "$TF_OUTPUT_DIR"
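Review bot: `${CI_SERVER_HOST//./_}` in the `token_var_for_gitlab` assignment only rewrites dots, so a GitLab host containing a hyphen produces a name that is not a valid shell identifier and does not match the encoding Terraform expects (hyphens become double underscores). With such a host, `$(eval echo \$"$token_var_for_gitlab")` expands the part of the name before the hyphen and echoes the remainder as literal text, so the `-z` test is false and `$CI_JOB_TOKEN` is never exported, with no log line to show it. Suggest applying both substitutions when building the name and reading the current value with bash indirect expansion, `${!token_var_for_gitlab:-}`, instead of `eval`, which also avoids evaluating a string assembled from a CI variable. The `log_info` call prints only the variable name and not the token, which is the right choice and worth keeping.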