Orchestrating Infrastructure via GitLab CI/CD and the OpenTofu Transition

Published by TechMarmot Editorail Staff on | Category GitLab CI

The landscape of Infrastructure as Code (IaC) within GitLab has undergone a seismic shift. Historically, engineers relied upon built-in Terraform CI/CD templates provided directly by GitLab to automate the lifecycle of cloud resources. However, as the ecosystem evolves, GitLab has moved away from distributing these specific templates and the underlying terraform-images. This transition necessitates a sophisticated understanding of how to build, host, and manage independent CI/CD components, particularly as the industry pivots toward OpenTofu as a viable, open-source alternative to HashiCorp Terraform. Implementing a robust pipeline today requires more than just a simple script; it demands a coordinated strategy involving state management, secure credential handling, and a deep integration of CI/CD workflows that can detect drift and enforce policy.

The Architectural Shift from Native Templates to Modular Components

The deprecation of native Terraform CI/CD templates in GitLab marks a turning point for DevOps engineers. While GitLab no longer provides the standard templates or the terraform-images (the job images containing the Terraform binary), the capability to execute Terraform within GitLab pipelines remains fully intact. This change shifts the responsibility of image maintenance and template versioning from the platform provider to the individual organization.

To maintain operational continuity, organizations must transition to either building and hosting their own custom Terraform CI/CD templates or adopting the newly available OpenTofu CI/CD components. This shift provides greater control over the specific versions of the binaries used, ensuring that environments remain consistent and reproducible without being tethered to the platform's release schedule.

The OpenTofu Integration Path

OpenTofu serves as a drop-in replacement for Terraform in most workflows, sharing the same syntax, variables, and dependency management. The primary technical distinction lies in the HCL lock file format used during tofu init. Beyond this specific file structure, the integration within GitLab is highly streamlined through the GitLab OpenTofu CI/CD component.

By utilizing the official GitLab component, users can implement a standard validate, plan, and apply workflow with minimal friction. This component is designed to mirror the functionality previously provided by the deprecated templates, allowing for a smoother migration path.

The implementation of the OpenTofu component follows a specific structural requirement:

yaml include: - component: gitlab.com/components/opentofu/validate-plan-apply@<VERSION> inputs: version: <VERSION> opentofu_version: <OPENTOFU_VERSION> root_dir: terraform/ state_name: production stages: [validate, build, deploy]

In this configuration, the root_dir defines the location of the IaC code, while state_name determines the identifier for the remote state. This level of granularity allows teams to manage multiple environments—such as development, staging, and production—within a single repository by simply adjusting the input parameters for each environment's pipeline.

State Management and the Necessity of Centralized Backends

The most critical component of any IaC pipeline is the state file. The state file acts as the single source of truth, mapping your configuration to the real-world resources deployed in the cloud. In a collaborative GitLab environment, managing this state is the difference between a stable infrastructure and catastrophic resource drift.

GitLab-Managed Terraform State

GitLab provides a managed backend that allows for seamless collaboration. By using the GitLab-managed state, teams can ensure that state files are stored securely and that state locking is handled to prevent concurrent modifications that could corrupt the infrastructure.

To implement this, a backend.tf file must be configured to use the http backend type. The actual connection details are injected dynamically during the pipeline execution via CI variables.

```hcl

terraform/backend.tf

terraform {
backend "http" {
# GitLab will provide these via CI variables
}
}
```

The initialization of this backend requires a specific before_script in the GitLab CI configuration. This script uses terraform init with multiple -backend-config flags to point to the GitLab API.

```yaml
variables:
TFSTATENAME: default
TFADDRESS: ${CIAPIV4URL}/projects/${CIPROJECTID}/terraform/state/${TFSTATENAME}

beforescript:
- cd ${TFROOT}
- |
terraform init \
-backend-config="address=${TFADDRESS}" \
-backend-config="lockaddress=${TFADDRESS}/lock" \
-backend-config="unlockaddress=${TFADDRESS}/lock" \
-backend-config="username=gitlab-ci-token" \
-backend-config="password=${CIJOBTOKEN}" \
-backend-config="lockmethod=POST" \
-backend-config="unlock_method=DELETE"
```

This configuration ensures that the gitlab-ci-token and CI_JOB_TOKEN are used to authenticate the session, enabling secure, automated state management. The use of lock_address and unlock_address is vital; it implements a locking mechanism that prevents two different pipeline jobs from attempting to modify the same infrastructure simultaneously.

External State Storage Alternatives

For organizations that prefer to keep their state within cloud-native providers like AWS, Google Cloud, or Azure, GitLab can facilitate the initialization of these external backends. This is particularly useful when using S3 with DynamoDB for locking or GCS.

The configuration for an S3-based backend would look like this:

```yaml
variables:
TFBACKENDBUCKET: "terraform-state-bucket"
TFBACKENDKEY: "${CIPROJECTPATH}/${TFSTATENAME}.tfstate"

beforescript:
- cd ${TFROOT}
- |
terraform init \
-backend-config="bucket=${TFBACKENDBUCKET}" \
-backend-config="key=${TFBACKENDKEY}" \
-backend-config="region=${AWS_REGION}"
```

The Terraform Cloud Approach

An alternative to managing the backend within GitLab is to utilize Terraform Cloud. When using Terraform Cloud as the authoritative state store, it handles both state management and locking automatically. If remote execution is enabled, Terraform Cloud also acts as the execution engine, meaning the GitLab CI job only sends the instructions, and the actual plan and apply operations occur on Terraform Cloud's infrastructure. This significantly reduces the security surface area, as GitLab CI no longer requires direct cloud provider credentials.

```hcl

Example of Terraform Cloud backend configuration

terraform {
backend "remote" {
hostname = "app.terraform.io"
organization = "gitops-demo"
workspaces {
name = "aws"
}
}
}
```

Secure Credential Management and Authentication

Executing IaC in a CI/CD pipeline requires the ability to authenticate with cloud providers (AWS, GCP, Azure) to create and modify resources. Handling these credentials securely is paramount to preventing unauthorized access to the cloud environment.

AWS Credential Strategies

When running pipelines within GitLab, credentials can be managed through CI/CD variables. This is the most common method for teams requiring high-speed execution within the GitLab runner environment.

yaml variables: # AWS credentials from CI variables AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID} AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY} AWS_DEFAULT_REGION: us-east-1

However, the modern standard for security is to use OpenID Connect (OIDC). OIDC allows for keyless authentication, where GitLab CI requests a temporary, short-lived token from the cloud provider, eliminating the need to store long-lived secrets in GitLab variables.

Designing a Production-Grade Pipeline

A production-ready Terraform pipeline is not merely a sequence of commands; it is a multi-stage lifecycle designed to ensure stability, security, and visibility. A standard lifecycle follows these steps:

  1. The developer opens a Merge Request (MR).
  2. The CI system generates a plan and posts the output directly to the MR for review.
  3. Peers and security engineers review the plan diff.
  4. Upon approval, the code is merged into the main branch.
  5. The CI system executes the apply operation, using the exact plan that was previously approved.

The Comprehensive Pipeline Structure

Below is a comprehensive example of a production-grade pipeline. It incorporates multiple stages, including security and module testing, to ensure the integrity of the infrastructure.

```yaml
image:
name: hashicorp/terraform:1.7
entrypoint: [""]

stages:
- security
- validate
- plan
- apply
- destroy

variables:
TFROOT: ${CIPROJECTDIR}/terraform
TFSTATENAME: ${CICOMMITREFSLUG}

cache:
key: terraform-${CICOMMITREFSLUG}
paths:
- ${TFROOT}/.terraform

.terraform-init:
beforescript:
- cd ${TFROOT}
- |
terraform init \
-backend-config="address=${CIAPIV4URL}/projects/${CIPROJECTID}/terraform/state/${TFSTATENAME}" \
-backend-config="lockaddress=${CIAPIV4URL}/projects/${CIPROJECTID}/terraform/state/${TFSTATE_NAME}/lock"

Linting stage to ensure code formatting and basic validation

lint:
stage: validate
script:
- terraform fmt -check -recursive
- terraform validate

Plan stage with Merge Request integration

plan:
stage: plan
script:
- cd ${TFROOT}
- terraform plan -out=${TFROOT}/tfplan
- terraform show -json ${TFROOT}/tfplan > ${TFROOT}/plan.json
artifacts:
reports:
terraform: ${TFROOT}/tfplan
rules:
- if: $CIMERGEREQUESTIID

Apply stage, only triggered after merge to main

apply:
stage: apply
script:
- cd ${TFROOT}
- terraform apply -auto-approve ${TFROOT}/tfplan
rules:
- if: $CICOMMITBRANCH == $CIDEFAULTBRANCH
```

Advanced Module Lifecycle: Lint, Test, and Publish

For teams developing reusable Terraform modules, the pipeline must extend beyond simple deployment to include rigorous testing and registry publication.

  • Linting: Uses terraform fmt -check -recursive to enforce style and terraform validate to check for internal consistency.
  • Testing: Involves a dedicated test stage where a module is initialized, planned, applied, and then destroyed in a controlled environment.
  • Publishing: Once a module passes all tests, it is uploaded to the GitLab Terraform Registry.

```yaml
stages:
- lint
- test
- publish

lint:
stage: lint
script:
- terraform fmt -check -recursive
- terraform validate

test-module:
stage: test
image:
name: hashicorp/terraform:1.7
entrypoint: [""]
script:
- cd tests
- terraform init
- terraform plan
- terraform apply -auto-approve
- terraform destroy -auto-approve
variables:
TFVARtest_mode: "true"

publish-module:
stage: publish
script:
- |
curl --header "JOB-TOKEN: ${CIJOBTOKEN}" \
--upload-file module.tar.gz \
"${CIAPIV4URL}/projects/${CIPROJECTID}/packages/terraform/modules/my-module/aws/1.0.0/file"
rules:
- if: $CICOMMIT_TAG
```

Addressing the Limitations of CI/CD in IaC

While GitLab CI/CD is powerful, it has inherent limitations regarding infrastructure awareness. Standard pipelines operate in a "blind and stateless" manner. Each execution is a discrete event; the pipeline only knows about the files currently in the repository and the state returned by the backend.

The Visibility Gap

The following limitations are common in traditional CI/CD-only workflows:

  • Lack of Drift Detection: A pipeline only evaluates infrastructure when it is manually or automatically triggered. If a technician makes a manual change in the AWS Console, the GitLab pipeline remains unaware of this "drift" until the next time the pipeline runs.
  • Policy Enforcement Gaps: Standard CI/CD cannot natively enforce complex, organization-wide rules, such as "all storage buckets must be encrypted" or "no resources can be deployed in unapproved regions." While custom scripts can be written, they are prone to drift and bypasses.
  • Disconnected Execution: The pipeline has no real-time visibility into the actual cloud environment, creating a disconnect between the intended state (code) and the actual state (cloud).

To mitigate these issues, advanced organizations often integrate third-party tools or specialized platforms like Firefly. These tools treat IaC, state, and the cloud footprint as first-class entities, providing continuous drift detection and a live inventory that traditional CI/CD systems lack.

Comparison of Workflow Orchestration Tools

Different organizations utilize different tools to manage the hand-off between building infrastructure and deploying it. Understanding these distinctions is vital for architectural planning.

Tool Type Example Primary Focus Interaction with CI
CI/CD Platform GitLab CI / GitHub Actions Automation and Execution Acts as the engine that runs the Terraform commands.
Release Orchestration Octopus Deploy Deployment and Promotion Takes artifacts from CI and manages environment promotion.
IaC Management Firefly Visibility and Compliance Provides continuous drift detection and cloud inventory.

An "Octopus pipeline" represents a specific workflow where Octopus Deploy handles the release orchestration. In this model, the CI system (like GitLab or GitHub Actions) builds the infrastructure artifacts, and Octopus Deploy manages the complex task of promoting those changes through various environments (Dev, QA, Prod) while handling variable management and manual approvals.

Conclusion

The transition from native GitLab Terraform templates to a modular, component-based architecture represents a shift toward greater maturity in DevOps practices. By embracing OpenTofu or managing custom Terraform images, engineers gain the autonomy required to maintain consistent, versioned environments. However, the true strength of an IaC strategy lies in the integration of three pillars: robust state management via centralized backends, secure authentication through OIDC or managed variables, and a multi-stage pipeline that incorporates linting, testing, and merge-request-driven planning. As the complexity of cloud environments grows, the limitations of stateless CI/CD pipelines become more apparent, necessitating the eventual adoption of continuous drift detection and advanced policy enforcement tools to ensure that the code in the repository truly reflects the reality of the cloud.

Sources

  1. GitLab Infrastructure as Code Documentation
  2. OneUptime: Terraform GitLab CI/CD
  3. Firefly Academy: Terraform CI/CD
  4. GitLab Forum: Deprecation of Terraform CI/CD Templates

Related Posts