.gitlab-ci.yml

include:
  - template: Terraform/Base.gitlab-ci.yml
  - template: Jobs/SAST-IaC.gitlab-ci.yml

image:
  name: gitlab-registry.cern.ch/ceph/terraform/terraform-images:1.1.9-6

.jsonnet_image:
  variables:
    JSONNET_VERSION: "v0.18.0"
  before_script:
    - yum install -y go curl
    - export PATH="$HOME/go/bin:$PATH"
    - go install github.com/google/go-jsonnet/cmd/jsonnet@${JSONNET_VERSION}
    - go install github.com/google/go-jsonnet/cmd/jsonnetfmt@${JSONNET_VERSION}

.qa:
  variables:
    GRAFANA_URL: $GRAFANA_QA_URL
    TF_ROOT: terraform/environments/qa
    TF_STATE_NAME: qa
  cache:
    - key: prod
      paths:
        - .terraform

.prod:
  variables:
    GRAFANA_URL: $GRAFANA_PROD_URL
    TF_ROOT: terraform/environments/prod
    TF_STATE_NAME: prod
  cache:
    - key: qa
      paths:
        - .terraform
stages:
  - validate
  - build
  - deploy

build-jsonnet:
  stage: .pre
  extends: .jsonnet_image
  variables:
    JB_VERSION: "v0.4.0"
  script:
    - go install github.com/jsonnet-bundler/jsonnet-bundler/cmd/jb@${JB_VERSION}
    - jb install
    - make -B
  artifacts:
    paths:
      - vendor/
      - dashboards_out/
      - alerts.yaml
      - rules.yaml
    expire_in: 1 month

lint-jsonnet:
  stage: validate
  extends: .jsonnet_image
  dependencies:
    - build-jsonnet
  needs:
    - build-jsonnet
  script:
    - make lint

iac-sast:
  stage: validate
  dependencies: []
  needs: []

kics-iac-sast:
  stage: validate
  dependencies: []
  needs: []

lint-dashboards:
  stage: validate
  extends: .jsonnet_image
  dependencies:
    - build-jsonnet
  needs:
    - build-jsonnet
  script:
    - go install github.com/grafana/dashboard-linter@819e185
    - make lint-dashboards

lint-tf:
  stage: validate
  script:
    - gitlab-terraform fmt
  dependencies: []
  needs: []

validate-rules:
  stage: validate
  extends: .jsonnet_image
  script:
    - dnf install -y epel-release
    - dnf install -y golang-github-prometheus
    - promtool check rules alerts.yaml rules.yaml
  dependencies:
    - build-jsonnet
  needs:
    - build-jsonnet

validate-qa:
  extends:
    - .terraform:validate
    - .qa
  dependencies:
    - build-jsonnet
  needs:
    - build-jsonnet

validate-prod:
  extends:
    - .terraform:validate
    - .prod
  dependencies:
    - build-jsonnet
  needs:
    - build-jsonnet

plan-qa:
  allow_failure: true
  extends:
    - .terraform:build
    - .qa
  dependencies:
    - build-jsonnet
  needs:
    - build-jsonnet

plan-prod:
  extends:
    - .terraform:build
    - .prod
  dependencies:
    - build-jsonnet
  needs:
    - build-jsonnet

apply-qa:
  allow_failure: true
  stage: deploy
  # This doesn't extend the gitlab template as we can't override `only` for some reasons...
  extends: .qa
  environment:
    name: qa
  script:
    - cd "${TF_ROOT}"
    - gitlab-terraform apply
  dependencies:
    - build-jsonnet
    - plan-qa
  needs:
    - build-jsonnet
    - plan-qa

apply-prod:
  stage: deploy
  environment:
    name: production
  # This doesn't extend the gitlab template as we can't override `only` for some reasons...
  extends: .prod
  script:
    - cd "${TF_ROOT}"
    - gitlab-terraform apply
  dependencies:
    - build-jsonnet
    - plan-prod
  needs:
    - build-jsonnet
    - plan-prod
  only:
    variables:
      - $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

deploy-rules:
  stage: deploy
  image: gitlab-registry.cern.ch/linuxsupport/cs9-base
  dependencies:
    - build-jsonnet
  needs:
    - build-jsonnet
  before_script:
    - dnf install -y python3-pip
    - pip install -r requirements.txt
  script:
    - ./utils/make_mr.py
  only:
    variables:
      - $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH