Untitled

image: registry.example.com/devops/ansible:latest
stages:
  - mask_var
  - init
  - validate
  - plan
  - deploy

variables:
  TF_ROOT: ${CI_PROJECT_DIR}  # The relative path to the root directory of the Terraform project
  TF_STATE_NAME: ${TF_STATE_NAME:-default}  # The name of the state file used by the GitLab Managed Terraform state backend
  PHASE:
    value: BUILD
    description: "Set the phase you're running (BUILD or DESTROY)"
  TF_GITLAB_USERNAME:
    value: mici
    description: "Your Gitlab user name"
  TF_GITLAB_TOKEN:
    value: super_secrET_Token
    description: "Your Gitlab access token"
  TF_VAULT_PASSWORD:
    value: another_super_secrET_pw
    description: "The ansible-vault key to decypher variables and SA"

MaskVariable:
  stage: mask_var
  script:
    - |
      curl -s --request POST --header "PRIVATE-TOKEN: $TF_GITLAB_TOKEN" \
      https://gitlab.example.com/api/v4/projects/$CI_PROJECT_ID/variables --form "key=ANSIBLE_VAULT_KEY_MASKED" \
      --form "value=$TF_VAULT_PASSWORD" --form "masked=true" --form "variable_type=env_var" > /dev/nul

Init:
  stage: init
  script:
    - cd "${TF_ROOT}"
    - echo $ANSIBLE_VAULT_KEY_MASKED > vault_pw.ansible
    - ansible-vault decrypt serviceaccount.json terraform.tfvars --vault-password-file vault_pw.ansible
    - terraform -version
    - terraform init -backend-config="password=$TF_GITLAB_TOKEN" -backend-config="username=$TF_GITLAB_USERNAME"

Validate:
  stage: validate
  script:
    - cd "${TF_ROOT}"
    - echo $ANSIBLE_VAULT_KEY_MASKED > vault_pw.ansible
    - ansible-vault decrypt serviceaccount.json terraform.tfvars --vault-password-file vault_pw.ansible
    - terraform init -backend-config="password=$TF_GITLAB_TOKEN" -backend-config="username=$TF_GITLAB_USERNAME"
    - terraform validate

Plan:
  stage: plan
  artifacts:
    paths:
    - plan.bin
    expire_in: 2h
  script:
    - cd "${TF_ROOT}"
    - echo $ANSIBLE_VAULT_KEY_MASKED > vault_pw.ansible
    - ansible-vault decrypt serviceaccount.json terraform.tfvars --vault-password-file vault_pw.ansible
    - terraform init -backend-config="password=$TF_GITLAB_TOKEN" -backend-config="username=$TF_GITLAB_USERNAME"
    - terraform plan -input=false -out=plan.bin
  only:
    variables:
      - $PHASE == "BUILD"

DestroyPlan:
  stage: plan
  artifacts:
    paths:
    - destroy_plan.bin
    expire_in: 2h
  script:
    - cd "${TF_ROOT}"
    - echo $ANSIBLE_VAULT_KEY_MASKED > vault_pw.ansible
    - ansible-vault decrypt serviceaccount.json terraform.tfvars --vault-password-file vault_pw.ansible
    - terraform init -backend-config="password=$TF_GITLAB_TOKEN" -backend-config="username=$TF_GITLAB_USERNAME"
    - terraform plan -destroy -input=false -out=destroy_plan.bin
  only:
    variables:
      - $PHASE == "DESTROY"

Apply:
  stage: deploy
  when: manual
  script:
    - cd "${TF_ROOT}"
    - echo $ANSIBLE_VAULT_KEY_MASKED > vault_pw.ansible
    - ansible-vault decrypt serviceaccount.json terraform.tfvars --vault-password-file vault_pw.ansible
    - terraform init -backend-config="password=$TF_GITLAB_TOKEN" -backend-config="username=$TF_GITLAB_USERNAME"
    - terraform apply -auto-approve -input=false plan.bin
    - |
      curl -s --request DELETE --header "PRIVATE-TOKEN: $TF_GITLAB_TOKEN" \
      https://gitlab.example.com/api/v4/projects/$CI_PROJECT_ID/variables/ANSIBLE_VAULT_KEY_MASKED > /dev/nul
  only:
    variables:
      - $PHASE == "BUILD"
  environment:
    name: snunv

Destroy:
  stage: deploy
  when: manual
  script:
    - cd "${TF_ROOT}"
    - echo $ANSIBLE_VAULT_KEY_MASKED > vault_pw.ansible
    - ansible-vault decrypt serviceaccount.json terraform.tfvars --vault-password-file vault_pw.ansible
    - terraform init -backend-config="password=$TF_GITLAB_TOKEN" -backend-config="username=$TF_GITLAB_USERNAME"
    - terraform apply -auto-approve -input=false destroy_plan.bin
    - |
      curl -s --request DELETE --header "PRIVATE-TOKEN: $TF_GITLAB_TOKEN" \
      https://gitlab.example.com/api/v4/projects/$CI_PROJECT_ID/variables/ANSIBLE_VAULT_KEY_MASKED > /dev/nul
  only:
    variables:
      - $PHASE == "DESTROY"
  environment:
    name: snunv
    action: stop