How can I get a gitlab pipeline to stop and ask me to input variables?

Question

I have created a pipeline in gitlab, with

image:
  name: hashicorp/terraform:light
  entrypoint:
    - '/usr/bin/env'
    - 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'

variables:
  PLAN: dbrest.tfplan
  STATE: dbrest.tfstate

cache:
  paths:
    - .terraform

before_script:
  - terraform --version
  - terraform init

stages:
  - validate
  - build
  - deploy
  - destroy

validate:
  stage: validate
  script:
    - terraform validate

plan:
  stage: build
  script:
    - terraform plan -state=$STATE -out=$PLAN
  artifacts:
    name: plan
    paths:
      - $PLAN
      - $STATE

apply:
  stage: deploy
  environment:
    name: production
  script:
    - terraform apply -state=$STATE -input=false $PLAN
    - terraform state show aws_instance.bastion
  dependencies:
    - plan
  when: manual
  only:
    - master

destroy:
    stage: destroy
    environment:
      name: production
    script:
      - terraform destroy -state=$STATE -auto-approve
    dependencies:
      - apply
    when: manual
    only:
      - master

I have also created a variable under 'Settings. -> 'CI/CD' -> 'Variables' - I was under the impression that when I came to the manual stage deploy, gitlab should pause and ask me to input a value for that variable, but this does not happen - what is missing?

Answer 1

You have mixed a job with when: manual to when you trigger a pipeline manually. This is the one you want:

https://docs.gitlab.com/ee/ci/pipelines/#run-a-pipeline-manually

You could use this together with an only for some variable. Something like:

...
apply:
  stage: deploy
  environment:
    name: production
  script:
    - terraform apply -state=$STATE -input=false $PLAN
    - terraform state show aws_instance.bastion
  dependencies:
    - plan
  only:
    refs:
      - master
    variables:
      - $RELEASE == "yes" 

destroy:
    stage: destroy
    environment:
      name: production
    script:
      - terraform destroy -state=$STATE -auto-approve
    dependencies:
      - apply
    only:
      refs:
        - master
      variables:
        - $RELEASE == "yes" 

With something like this, you can have jobs that are never run normally, but only if you manually start a new pipeline on the master branch and set the variable $RELEASE to yes. I haven't tested this, so my apologies if it doesn't work!