Skip to content

tofu-module-publish

Publishes the repository as a module to the GitLab Terraform Module Registry on release tags:

<api>/projects/<id>/packages/terraform/modules/<name>/<system>/<version>/file

Consumers then reference it as:

source  = "gitlab.com/<namespace>/<name>/<system>"
version = "X.Y.Z"

Auth defaults to $CI_JOB_TOKEN, which carries write access to its own project's package registry — publishing needs no personal/group access token and works on GitLab Free. The job picks the right auth header automatically (JOB-TOKEN for the job token, PRIVATE-TOKEN otherwise).

Runs only on tags matching tag_pattern (strict semver vX.Y.Z by default); the published version is the tag with the leading v stripped. Defaults to the built-in .post stage so it runs after — and only on success of — every other job in the tag pipeline, with no consumer stage wiring required. A re-run over an already-published version is treated as success (idempotent retry).

Jobs

Job What it runs
tofu-module-publish git archive the tagged tree (tracked files only), curl --request PUT to the module registry endpoint with the chosen auth header.

Inputs

Input Type Default Description
image_version string "v0.3.0" infra-tools image tag (needs git + curl).
stage string .post GitLab built-in stage — runs last, on success of all prior stages.
module_name string (required) Module name in the registry path, e.g. bootstrap. Unique within the top-level namespace.
module_system string "aws" Module system / target segment of the registry path, e.g. aws, azure, google.
tag_pattern string '^v[0-9]+\.[0-9]+\.[0-9]+$' RE2 pattern a tag must match to publish. Rejects prereleases, build metadata, arbitrary tags.
token string "$CI_JOB_TOKEN" Token authenticating the upload. Override with a PAT carrying api/write_package_registry only for cross-project publishing.

Usage

include:
  - component: gitlab.com/phpboyscout/cicd/[email protected]
    inputs:
      module_name: bootstrap
      module_system: aws

See also