Pipelines GitLab Support Docs (#2393)

* bunch of stuff cursor made up

* bump to docusuaurs 3.7, add some basic cursor rules

* WIP - Security controls breakout of github vs gitlab

* WIP - install docs

* update overview

* Update .cursor/rules/gitlab-background.mdc

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* link in the scm comparison

* more gitlab support

* missing file

* remaining audit log updates

* components update

* start the ci workflow file

* ci workflows

* index page

* remaining concept pages

* specify a version for gitlab too

* more gitlab in installation

* add gitlab branch protectino

* spurious recommendations

* missing img

* gitlab docs for extending pipelines

* managing secrets and dd

* plan/apply

* env vars and eleegated repos

* updating pipelines

* tutorial 1

* tutorial 2

* Update docs/2.0/docs/pipelines/architecture/ci-workflows.md

Co-authored-by: Oreoluwa Agunbiade <[email protected]>

* Update docs/2.0/docs/pipelines/architecture/actions.md

Co-authored-by: Oreoluwa Agunbiade <[email protected]>

* Update docs/2.0/docs/pipelines/architecture/actions.md

Co-authored-by: Oreoluwa Agunbiade <[email protected]>

* Update docs/2.0/docs/pipelines/architecture/audit-logs.md

Co-authored-by: Oreoluwa Agunbiade <[email protected]>

* Update docs/2.0/docs/pipelines/installation/overview.md

Co-authored-by: Oreoluwa Agunbiade <[email protected]>

* Update docs/2.0/docs/pipelines/installation/viagithubapp.md

Co-authored-by: Oreoluwa Agunbiade <[email protected]>

* bit more consistency

* more consistency

* dict

* fix link

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: Oreoluwa Agunbiade <[email protected]>

Author: 3 people

Diff for: .cursor/rules/gitlab-background.mdc

@@ -0,0 +1,22 @@
+---
+description: Background on how github vs gitlab work
+globs: 
+---
+
+Pipelines supports both GitHub and GitLab.  
+
+GitLab does not yet support account factory.
+GitLab does not yet support the same level of customization as GitHub
+GitLab requires one machine user with just one token and does not have a gitlab app.  
+## GitLab Setup Requirements
+
+1. **Gruntwork Management Portal**: An active account is required
+2. **GitLab Group Access**: 
+   - Customers must provide Gruntwork with their GitLab group information
+   - Gruntwork will authorize access for the specified groups
+
+> Important: Please contact Gruntwork support to initiate the GitLab group authorization process.
+
+<IMPORTANT>
+Whenever presenting information that diverges between github and gitlab, use the <Tabs> and <TabItem> components to distinguish the two sets of information UNLESS the distinction is just changing one word. For example, GitHub has pull requests and GitLab has merge requests, so we can just say ".... pull/merge requests..." and not need full <Tabs>.
+</IMPORTANT>

Diff for: .cursor/rules/tone.mdc

@@ -0,0 +1,16 @@
+---
+description: Setting the tone of documentation content
+globs: 
+---
+Our voice for documentation content is:
+
+**Relatable / Down-to-Earth / Knowledgeable, but Not Arrogant**
+* Write as if you’re talking to a peer, not a corporate overlord—approachable, clear, and free from jargon.
+* Use a friendly, no-nonsense tone that feels natural and easy to understand.
+* Explain complex concepts in a way that educates and empowers, not overwhelms.
+
+**Writing Style Guidelines**
+* Use plain, clear language. If a reader needs to Google a word, we’re doing it wrong.
+* Write like a human, not a machine. No stiff, robotic corporate-speak—this should feel like a trusted friend explaining DevOps.
+* Avoid buzzwords and clichés. We don’t "synergize mission-critical paradigms"—we simplify DevOps so teams can move faster.
+* Use humor sparingly, but effectively. DevOps is hard—sometimes, a well-placed joke can make it feel a little easier.

Diff for: custom-dictionary.txt

@@ -49,4 +49,6 @@ MTTR
 terrapatch
 Terrapatch
 KodeKloud
-GOVCLOUD
+preconfigured
+projectprefix
+GOVCLOUD

Diff for: docs/2.0/docs/pipelines/architecture/actions.md

@@ -1,6 +1,6 @@
 # Pipelines Actions
 
-When a user opens a pull request, Pipelines runs a set of operations as a Github Action Workflow in response to the proposed [infrastructure changes](/2.0/docs/pipelines/concepts/overview/#infrastructure-change). We call these operations _pipelines actions_. Gruntwork Pipelines supports the following pipelines actions:
+When a user opens a pull request, Pipelines runs a set of operations as a CI Workflow in response to the proposed [infrastructure changes](/2.0/docs/pipelines/concepts/overview/#infrastructure-change). We call these operations _pipelines actions_. Gruntwork Pipelines supports the following pipelines actions:
 
 ## Terragrunt plan
 
@@ -12,7 +12,10 @@ When a pull request is merged, Pipelines will automatically execute either `terr
 
 ## Skipping runs
 
-Sometimes you find it necessary to make a change without going through the full pipelines process. This can be accomplished using GitHub's built in method for skipping workflow runs [by adding [skip ci] to your commit message](https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/skipping-workflow-runs).
+Sometimes you find it necessary to make a change without going through the full pipelines process. This can be accomplished using built-in CI skip mechanisms:
+
+- **GitHub**: Add `[skip ci]` to your commit or pull request message as described in the [GitHub documentation](https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/skipping-workflow-runs)
+- **GitLab**: Add `[skip ci]` to your commit or merge request message as described in the [GitLab documentation](https://docs.gitlab.com/ee/ci/pipelines/index.html#skip-a-pipeline)
 
 ## Other actions
 

Diff for: docs/2.0/docs/pipelines/architecture/audit-logs.md

@@ -1,35 +1,39 @@
 # Audit Logs
 
-Gruntwork Pipelines provides an audit log that records which GitHub user performed specific operations in your AWS accounts as a result of a [Pipelines Action](/2.0/docs/pipelines/architecture/actions.md).
+Gruntwork Pipelines provides an audit log that records which user performed specific operations in your AWS accounts as a result of a [Pipelines Action](/2.0/docs/pipelines/architecture/actions.md).
 
-Accessing AWS environments from a CI/CD system often involves assuming temporary credentials using [OpenID Connect (OIDC)](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services). Shared credentials can complicate tracking who performed specific actions in AWS accounts. Gruntwork Pipelines addresses this challenge by using [AWS CloudTrail](https://aws.amazon.com/cloudtrail/) with a naming convention that includes context from the triggering Pipelines Action in GitHub. This approach associates every API operation performed by Pipelines with a GitHub username and a specific pull request or branch, enabling your security team to efficiently investigate access-related issues and analyze individual user actions.
+Accessing AWS environments from a CI/CD system often involves assuming temporary credentials using OpenID Connect (OIDC). For platform-specific documentation, see:
+- [GitHub OIDC Configuration](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)
+- [GitLab OIDC Configuration](https://docs.gitlab.com/ee/ci/cloud_services/aws/)
+
+Shared credentials can complicate tracking who performed specific actions in AWS accounts. Gruntwork Pipelines addresses this challenge by using [AWS CloudTrail](https://aws.amazon.com/cloudtrail/) with a naming convention that includes context from the triggering Pipelines Action. This approach associates every API operation performed by Pipelines with a username and a specific pull request or branch, enabling your security team to efficiently investigate access-related issues and analyze individual user actions.
 
 ## How it works
 
-Gruntwork Pipelines creates an audit log that tracks which user performed what action in which AWS account. It does this by setting the [AWS STS](https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html) session name to include the initiating GitHub username, the Pipelines name, and the pull request or branch that triggered the action. Logging is handled through [AWS CloudTrail](https://aws.amazon.com/cloudtrail/), where session names appear in the `User name` field, making it easy to identify which user performed an action. For information on locating logs, see [where you can find logs](#where-you-can-find-logs) and [querying data](#querying-data).
+Gruntwork Pipelines creates an audit log that tracks which user performed what action in which AWS account. It does this by setting the [AWS STS](https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html) session name to include the initiating username, the Pipelines name, and the merge request/pull request or branch that triggered the action. Logging is handled through [AWS CloudTrail](https://aws.amazon.com/cloudtrail/), where session names appear in the `User name` field, making it easy to identify which user performed an action. For information on locating logs, see [where you can find logs](#where-you-can-find-logs) and [querying data](#querying-data).
 
 ### What gets logged
 
-Logs are generated for all operations performed by Gruntwork Pipelines across every AWS account. These logs leverage [AWS STS](https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html) session names to clearly label sessions with the GitHub username that requested the change and the associated pull request or branch.
+Logs are generated for all operations performed by Gruntwork Pipelines across every AWS account. These logs leverage [AWS STS](https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html) session names to clearly label sessions with the username that requested the change and the associated merge request/pull request or branch.
 
-Each CloudTrail event linked to API calls from Pipelines [Actions](/2.0/docs/pipelines/architecture/actions.md) includes the session name in the `userIdentity` field. For example, if the GitHub user `SomeUserInYourOrg` initiated the 123rd pull request in your repository, the `userIdentity` field in a corresponding CloudTrail event would provide details such as the following.
+Each CloudTrail event linked to API calls from Pipelines [Actions](/2.0/docs/pipelines/architecture/actions.md) includes the session name in the `userIdentity` field. For example, if the user `SomeUserInYourOrg` initiated the 123rd request in your repository, the `userIdentity` field in a corresponding CloudTrail event would provide details such as the following.
 
 ```json
 {
     "eventVersion": "1.09",
     "userIdentity": {
         "type": "AssumedRole",
         "principalId": "xxxxxxxxxxxxxxxxxxxxx:SomeUserInYourOrg-via-GWPipelines@PR-123",
-        "arn": "arn:aws:sts::123456789012:assumed-role/github/SomeUserInYourOrg-via-GWPipelines@PR-123",
+        "arn": "arn:aws:sts::123456789012:assumed-role/<platform>/SomeUserInYourOrg-via-GWPipelines@PR-123",
         "accountId": "123456789012",
         "accessKeyId": "xxxxxxxxxxxx",
         "sessionContext": {
             "sessionIssuer": {
                 "type": "Role",
                 "principalId": "xxxxxxxxxxxxxxxxxxxxx",
-                "arn": "arn:aws:iam::123456789012:role/github",
+                "arn": "arn:aws:iam::123456789012:role/<role-name>",
                 "accountId": "123456789012",
-                "userName": "github"
+                "userName": "<platform>"
             },
             "webIdFederationData": {
                 "federatedProvider": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com",
@@ -45,23 +49,23 @@ Each CloudTrail event linked to API calls from Pipelines [Actions](/2.0/docs/pip
 }
 ```
 
-Due to the 64-character limit for STS session names, the originating repository is not included in the session name. To identify the originating repository, you can search through repositories for commits matching the user and branch/PR-number combination or contact the GitHub user directly.
+Due to the 64-character limit for STS session names, the originating repository is not included in the session name. To identify the originating repository, you can search through repositories for commits matching the user and request number combination or contact the user directly.
 
 By combining this data with a [query service](#querying-data), you can analyze the usage patterns of Gruntwork Pipelines in your AWS accounts using CloudTrail logs.
 
 ### Who gets logged
 
-Pipelines employs a naming scheme that integrates the GitHub user who triggered the Pipelines [Action](/2.0/docs/pipelines/architecture/actions.md) along with the pull request or branch that initiated the action. The AWS STS session name is formatted as follows:  
-`<GitHubUserName>-via-GWPipelines@(PR-<PullRequestNumber>|<branch name>)`.
+Pipelines employs a naming scheme that integrates the user who triggered the Pipelines [Action](/2.0/docs/pipelines/architecture/actions.md) along with the request or branch that initiated the action. The AWS STS session name is formatted as follows:
+`<UserName>-via-GWPipelines@(PR-<RequestNumber>|<branch name>)`.
 
-#### For pull request events
-When Pipelines runs in response to a pull request event (opened, updated, or reopened), the session name includes the user who made the most recent commit on the branch and the pull request number assigned by GitHub. For instance:
-- If the user `SomeUserInYourOrg` created pull request number `123`, the session name would be:  
+#### For merge request/pull request events
+When Pipelines runs in response to a request event (opened, updated, or reopened), the session name includes the user who made the most recent commit on the branch and the request number. For instance:
+- If the user `SomeUserInYourOrg` created request number `123`, the session name would be:
   `SomeUserInYourOrg-via-GWPipelines@PR-123`.
 
-#### For merged pull requests
-When Pipelines runs after a pull request is merged, the session name reflects the user who performed the merge (e.g., clicked the `merge` button) and the deploy branch name (e.g., `main`). For example:
-- If the user `SomeUserInYourOrg` merged a pull request to the branch `main`, the session name would be:  
+#### For merged requests
+When Pipelines runs after a request is merged, the session name reflects the user who performed the merge and the deploy branch name (e.g., `main`). For example:
+- If the user `SomeUserInYourOrg` merged a request to the branch `main`, the session name would be:
   `SomeUserInYourOrg-via-GWPipelines@main`.
 
 ## Where you can find logs

Diff for: docs/2.0/docs/pipelines/architecture/github-workflows.md renamed to docs/2.0/docs/pipelines/architecture/ci-workflows.md

@@ -1,18 +1,33 @@
-# GitHub Workflows
+# CI Workflows
 
-Pipelines integrates with your repositories through GitHub Workflows, leveraging [Reusable Workflows](https://docs.github.com/en/actions/sharing-automations/reusing-workflows) from Gruntwork's [pipelines-workflows](https://github.com/gruntwork-io/pipelines-workflows) repository. The workflows in your repositories rely on Gruntwork workflows through the uses clause within a job. This is structured as follows:
+Pipelines integrates with your repositories through GitHub/GitLab Workflows, leveraging [GitHub Reusable Workflows](https://docs.github.com/en/actions/sharing-automations/reusing-workflows) and [GitLab Shared Components](https://docs.gitlab.com/ee/ci/components/) from Gruntwork's repositories. The workflows in your repositories rely on Gruntwork workflows through the uses/component clause within the workflow declaration. This is structured as follows:
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+<Tabs>
+<TabItem value="GitHub" label="GitHub">
 
 ```yml
 jobs:
   GruntworkPipelines:
     uses: gruntwork-io/pipelines-workflows/.github/workflows/pipelines-root.yml@v3
 ```
 
+</TabItem>
+<TabItem value="GitLab" label="GitLab">
+
+```yml
+include:
+  - component: gitlab.com/gruntwork-io/pipelines-workflows/pipelines@3
+```
+</TabItem>
+</Tabs>
 ## Workflow versioning
 
 Gruntwork follows [Semantic Versioning](https://semver.org/) for `pipelines-workflows` releases. New releases are tracked using git tags in the `v.MAJOR.MINOR.PATCH` format. A major tag, such as `v.MAJOR`, is also maintained and updated to point to the latest release within that major version. For example, when releasing a patch update from `v3.0.1` to `v3.0.2`, the `v3` tag will be updated to reference the newer version.
 
-When referencing a workflow, the version is specified in the `uses` clause. For example: `pipelines-root.yml@v3`. Using the major version, like v3, in your workflows ensures you receive the latest updates and performance enhancements.. However, you can choose to pin to a specific version if needed.
+When referencing a workflow, the version is specified in the `uses` or `component` clause. For example: `pipelines-root.yml@v3`. Using the major version, e.g. v3, in your workflows ensures you receive the latest updates and performance enhancements. However, you can choose to pin to a specific version if needed.
 
 ## Modifying workflows
 
@@ -22,13 +37,17 @@ If you [fork the Gruntwork Workflows](https://docs.gruntwork.io/2.0/docs/pipelin
 
 ## Workflow dependencies
 
+<Tabs>
+<TabItem value="GitHub" label="GitHub">
+
 The `pipelines-workflows` repository includes the following reusable workflows:
 
 - `pipelines-drift-detection.yml` - Used for [Pipelines Drift Detection](/2.0/docs/pipelines/concepts/drift-detection) in all repositories with Drift Detection installed.
 - `pipelines-root.yml` - The core Pipelines workflow for the `infrastructure-live-root` repository, providing core plan/apply functionality and account vending.
 - `pipelines-unlock.yml` - Used to manually unlock state files in all repositories.
 - `pipelines.yml` - The core Pipelines workflow for `infrastructure-live-access-control` and delegated repositories, supporting plan/apply operations.
 
+
 In your repositories, the following workflows are typically present:
 
 #### infrastructure-live-root
@@ -49,3 +68,13 @@ In your repositories, the following workflows are typically present:
 - `pipelines-unlock.yml` - Uses the Gruntwork `pipelines-unlock.yml` workflow.
 - `pipelines.yml` - Uses `pipelines.yml`.
 
+
+</TabItem>
+<TabItem value="GitLab" label="GitLab">
+
+Your `.gitlab-ci.yml` file will include the following workflow:
+
+- `GruntworkPipelines` - The core Pipelines workflow for your repository.
+
+</TabItem>
+</Tabs>

Diff for: docs/2.0/docs/pipelines/architecture/components.md

@@ -12,7 +12,7 @@ The executor receives a pipeline action and an infrastructure change as input an
 
 ## Execution flow
 
-Pipelines begins with an event in GitHub, such as the creation, update, or reopening of a pull request, or a push to `main` (e.g., merging a pull request). The orchestrator determines the set of infrastructure changes (`infra-change set`) and selects the appropriate action for each change. For every change in the set, the executor performs the necessary action and logs the results in GitHub, attaching them to the pull request that triggered the workflow.
+Pipelines begins with an event in GitHub/GitLab, such as the creation, update, or reopening of a merge request/pull request, or a push to `main` (e.g., merging a pull request). The orchestrator determines the set of infrastructure changes (`infra-change set`) and selects the appropriate action for each change. For every change in the set, the executor performs the necessary action and logs the results in GitHub/GitLab, attaching them to the merge request/pull request that triggered the workflow.
 
 ## Trust boundaries
 

Diff for: docs/2.0/docs/pipelines/architecture/index.md

@@ -1,7 +1,7 @@
 # Architecture
 
 Gruntwork Pipelines is designed to provide flexibility, enabling you to utilize the components you need to manage your infrastructure in a way that aligns with your organization's requirements.
- 
+
 
 Understanding the components and their structure will help you use Pipelines and associated Infrastructure as Code (IaC) effectively.
 
@@ -15,8 +15,8 @@ All other infrastructure managed with Gruntwork software ultimately depends on r
 
 ### Workflows
 
-- **Account Factory:** Provides an API for interacting with the Gruntwork Account Factory. It uses a [repository dispatch](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#repository_dispatch) to create AWS account requests.
-  
+- **Account Factory:** (GitHub only) Provides an API for interacting with the Gruntwork Account Factory. It uses a [repository dispatch](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#repository_dispatch) to create AWS account requests.
+
   This workflow uses a [repository dispatch](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#repository_dispatch) to create a standard AWS account creation request in the repository.
 
   The workflow payload is a JSON object, which can be constructed using the sample HTML file included in the repository. This file can be customized for organizational needs, such as adding tagging fields or additional context.