Commit 05caf683 authored by Marcel Amirault

Merge branch 'nagyv-gitlab-master-patch-30306' into 'master'

Add IAC SAST testing to the pipeline

See merge request gitlab-org/gitlab!76786
parents 2bd98e30 86d06839
...@@ -15,12 +15,14 @@ GitLab, and support Terraform best practices. ...@@ -15,12 +15,14 @@ GitLab, and support Terraform best practices.
## Quick Start ## Quick Start
> SAST test was [introduced](https://gitlab.com/groups/gitlab-org/-/epics/6655) in GitLab 14.6.
Use the following `.gitlab-ci.yml` to set up a basic Terraform project integration Use the following `.gitlab-ci.yml` to set up a basic Terraform project integration
for GitLab versions 14.0 and later: for GitLab versions 14.0 and later:
```yaml ```yaml
include: include:
- template: Terraform.gitlab-ci.yml - template: Terraform.latest.gitlab-ci.yml
variables: variables:
# If not using GitLab's HTTP backend, remove this line and specify TF_HTTP_* variables # If not using GitLab's HTTP backend, remove this line and specify TF_HTTP_* variables
...@@ -30,15 +32,23 @@ variables: ...@@ -30,15 +32,23 @@ variables:
# TF_ROOT: terraform/production # TF_ROOT: terraform/production
``` ```
This template includes some opinionated decisions, which you can override: This template includes the following parameters that you can override:
- Including the latest [GitLab Terraform Image](https://gitlab.com/gitlab-org/terraform-images). - Uses the latest [GitLab Terraform image](https://gitlab.com/gitlab-org/terraform-images).
- Using the [GitLab managed Terraform State](#gitlab-managed-terraform-state) as - Uses the [GitLab-managed Terraform State](#gitlab-managed-terraform-state) as
the Terraform state storage backend. the Terraform state storage backend.
- Creating [four pipeline stages](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Terraform.gitlab-ci.yml): - Creates [four pipeline stages](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Terraform.latest.gitlab-ci.yml):
`init`, `validate`, `build`, and `deploy`. These stages `test`, `validate`, `build`, and `deploy`. These stages
[run the Terraform commands](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Terraform/Base.gitlab-ci.yml) [run the Terraform commands](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Terraform/Base.latest.gitlab-ci.yml)
`init`, `validate`, `plan`, `plan-json`, and `apply`. The `apply` command only runs on the default branch. `test`, `validate`, `plan`, `plan-json`, and `apply`. The `apply` command only runs on the default branch.
- Runs the [Terraform SAST scanner](../../application_security/iac_scanning/index.md#configure-iac-scanning-manually),
that you can disable by creating a `SAST_DISABLED` environment variable and setting it to `1`.
The latest template described above might contain breaking changes between major GitLab releases. For users requiring more stable setups, we
recommend using the stable templates:
- [A ready to use version](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Terraform.gitlab-ci.yml)
- [A base template for customized setups](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Terraform/Base.gitlab-ci.yml)
This video from January 2021 walks you through all the GitLab Terraform integration features: This video from January 2021 walks you through all the GitLab Terraform integration features:
......
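Review bot: the rewritten stages bullet now says the stages "run the Terraform commands `test`, `validate`, `plan`, `plan-json`, and `apply`", but `test` is not a Terraform command; the bullet added right below it says that stage runs the IaC SAST scanner. Drop `test` from the commands list (or state that the `test` stage runs the scanner rather than a Terraform command) so the list names only Terraform commands. The stage order given here (`test`, `validate`, `build`, `deploy`) also does not match the template change in the next hunk, where `test` is placed after `validate`; list the stages in pipeline order. Finally, "includes the following parameters that you can override" mislabels the bullets, which describe the template's default behaviour rather than parameters; "defaults" (or the original "opinionated decisions") reads more accurately.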
...@@ -5,9 +5,11 @@ ...@@ -5,9 +5,11 @@
include: include:
- template: Terraform/Base.latest.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Terraform/Base.latest.gitlab-ci.yml - template: Terraform/Base.latest.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Terraform/Base.latest.gitlab-ci.yml
- template: Jobs/SAST-IaC.latest.gitlab-ci.yml
stages: stages:
- validate - validate
- test
- build - build
- deploy - deploy
......
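Review bot: inserting `test` after `validate` means the SAST-IaC jobs only run once the `validate` stage succeeds, so a change that fails `terraform validate` (or whose `init` cannot reach the state backend) produces no IaC scan report at all. If the scan is meant to be independent of validation, move `test` ahead of `validate` or give the scanner job `needs: []` so it is not gated on the earlier stage. Whichever order is chosen, the stage list in the documentation hunk above should be updated to match, since it currently names the stages in a different order.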