This repository demonstrates how to integrate the Resourcely guardrail validation job into a repository using GitLab CI/CD and Terraform Cloud. It runs Terraform using the official HashiCorp Terraform Cloud Docker images.
This repository uses GitLab CI/CD and Terraform Cloud to generate a Terraform plan. Once the plan is downloaded to a specified directory, the Resourcely guardrail validation job runs on the configured path. If you use a different runner, see the scaffolding repository for that runner:
- A Resourcely Account
- Resourcely GitLab SCM Configured
- GitLab Premium or Ultimate subscription
- Maintainer Role or Higher in the GitLab project
- A Terraform Cloud Instance configured with Resourcely
- AWS Provider Credentials configured in Terraform Cloud
- Import this project to your GitLab group by URL
  a. On the left sidebar, at the top, select Create new (+) and New project/repository
  b. Select Import project
  c. Select Repository by URL
  d. Enter the Git repository URL: https://github.com/Resourcely-Inc/scaffolding-gitlab-pipeline-terraform-cloud.git
  e. Complete the remaining fields
  f. Select Create project
- Allow Resourcely to monitor the newly created project
- Generate a Resourcely API Token and save it in a safe place
- Add your Resourcely API Token to your GitLab project CI/CD variables
  a. Go to the GitLab project that Resourcely will validate
  b. In the side tab, navigate to Settings > CI/CD
  c. Expand the Variables tab
  d. Click the Add variable button
  e. Add `RESOURCELY_API_TOKEN` as the key and the token as the value
  f. Evaluate whether to unselect Protect variable, depending on the need to use the token in un-protected branches, while considering the security implications
  g. Select Mask variable to protect sensitive data from being seen in job logs
  h. Unselect Expand variable reference
  i. Press the Add variable button
- Generate a Terraform Cloud Team Token
- Add the Terraform Cloud Team token `TF_API_TOKEN` to GitLab following the same process in step 3
- Configure Terraform Cloud Credentials
  a. Edit `.gitlab-ci.yml`
  b. Edit the value of `TF_CLOUD_ORGANIZATION` to match your Terraform Cloud Organization
  c. Edit the value of `TF_WORKSPACE` to match your Terraform Cloud Workspace
  d. Edit the value of `TF_CLOUD_HOSTNAME` to match your Terraform Cloud Hostname
  e. Commit the `.gitlab-ci.yml` file to your main branch
- Provision Infrastructure using Resourcely
Once a new resource has been created via merge request, the Resourcely job kicks off automatically. It runs in the `test` stage by default.
When a merge request is created using Resourcely:
- GitLab CI kicks off the `plan` stage
  a. The `mjyocca/tfci:latest` container image is loaded for multiple jobs via the remote import of the tfc-workflows-gitlab template that is included in this project's `.gitlab-ci.yml`
  b. The `upload_configuration` job is run to create and upload a configuration version to Terraform Cloud
  c. The `create_run` job is run to create a Terraform Cloud run
  d. The `plan_output` job is run to output the Terraform plan details
  e. The `alpine/curl` container image is loaded for the `download_plan` job
  f. A call to the Terraform Cloud API is performed to download the Terraform plan JSON
- After the `plan` stage completes, GitLab CI kicks off the `test` stage
  a. The `test` stage is loaded by the Resourcely template that is included in this project's `.gitlab-ci.yml`
  b. The `ghcr.io/resourcely-inc/resourcely-cli:$RESOURCELY_IMAGE` container image is loaded
  c. The `resourcely_guardrails` job runs `resourcely-cli evaluate`, scanning the Terraform plan JSON(s)
  d. The resources generated with Resourcely within the merge request are validated against your Resourcely guardrails
- The `test` stage completes
  a. If guardrail violations are found, Resourcely assigns a reviewer to the merge request and requires approval before it can be merged
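As an added illustration (not this project's own `.gitlab-ci.yml`, which takes these jobs from the included tfc-workflows-gitlab and Resourcely templates), a trimmed pipeline showing the `TF_CLOUD_*` values edited in the setup step together with the `download_plan` and `resourcely_guardrails` jobs from the flow above. The `TFC_PLAN_ID` variable, the `tfplan` directory and the `--plan_path` flag are assumptions made for this example.

```yaml
stages:
  - plan
  - test

variables:
  TF_CLOUD_HOSTNAME: "app.terraform.io"   # edit to match your Terraform Cloud hostname
  TF_CLOUD_ORGANIZATION: "example-org"    # edit to match your organization
  TF_WORKSPACE: "example-workspace"       # edit to match your workspace

# Fetches the JSON execution plan for the run created earlier in the stage.
# TFC_PLAN_ID is assumed to be exported by the create_run job through a dotenv
# report; that variable name is an assumption, not part of the project's template.
download_plan:
  stage: plan
  image: alpine/curl
  script:
    - test -n "$TFC_PLAN_ID"   # fail early instead of requesting /plans//json-output
    - mkdir -p tfplan
    # TF_API_TOKEN is the masked CI/CD variable added in setup; it is only ever
    # sent as a header, never printed. The json-output endpoint redirects to a
    # short-lived download URL, so -L is required; -f fails the job on any
    # non-success status instead of saving an error body as "the plan".
    - >
      curl -fsSL
      -H "Authorization: Bearer ${TF_API_TOKEN}"
      -H "Content-Type: application/vnd.api+json"
      "https://${TF_CLOUD_HOSTNAME}/api/v2/plans/${TFC_PLAN_ID}/json-output"
      -o tfplan/plan.json
    - test -s tfplan/plan.json   # an empty file would let the guardrail job pass vacuously
  artifacts:
    paths:
      - tfplan/
    expire_in: 1 hour

# Evaluates the downloaded plan against your guardrails. In this repository the
# job comes from the included Resourcely template; the flag below is an
# assumption for illustration only.
resourcely_guardrails:
  stage: test
  image: ghcr.io/resourcely-inc/resourcely-cli:$RESOURCELY_IMAGE
  needs:
    - download_plan
  script:
    - resourcely-cli evaluate --plan_path tfplan/plan.json   # flag name assumed
```

Because `test` depends on the `plan` artifact, a failed or empty download stops the pipeline before any guardrail result is reported rather than producing a misleading pass.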