Missing test results in Merge Requests using "latest" Terraform template

Summary

When using the "latest" Terraform template, only the kics-iac-sast job results are appearing in Merge Requests. The other job results are running in a duplicate pipeline, and their failures (if any) do not show up in the Merge Request status.

Steps to reproduce

  1. Create a Terraform project in GitLab.com or self-hosted GitLab 15.3. Configure pipelines using the "latest" Terraform template:
    include:
      - template: Terraform.latest.gitlab-ci.yml
    
    variables:
      # If not using GitLab's HTTP backend, remove this line and specify TF_HTTP_* variables
      TF_STATE_NAME: default
      TF_CACHE_KEY: default
  2. Open an MR with any change (including an empty commit).
  3. Inspect the pipeline linked from the MR. It will only show the results for the kics-iac-sast job.

Example Project

This MR demonstrates the duplicate pipelines: morgan_delagrange/terraform-pipeline-bug!1

What is the current bug behavior?

The MR only shows the status of the kics-iac-sast job.

What is the expected correct behavior?

The MR shows the status of the kics-iac-sast, fmt, validate and build jobs.

Relevant logs and/or screenshots

Screen_Shot_2022-08-30_at_10.23.02_AM

Output of checks

This bug happens on GitLab.com or self-hosted GitLab 15.3.

Results of GitLab environment info

N/A

Results of GitLab application Check

N/A

Possible fixes

This is the change that causes the bug: !94429 (merged). The change to the rules for the kics-iac-sast job is causing duplicate pipelines for the "latest" Terraform template.

Possible fixes:

  1. Revert the above change
  2. Update jobs in the "latest" Terraform pipeline to run in MRs rather than in the branch
  3. Update the Terraform pipeline documentation (https://docs.gitlab.com/ee/user/infrastructure/iac/) to add workflow rules that prevent duplicate pipelines. Something like this should work:
    workflow:
      rules:
        - if: $CI_PIPELINE_SOURCE == "merge_request_event"
        - if: $CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS
          when: never
        - if: $CI_COMMIT_BRANCH
    However, this option is not ideal, because it will require manual updates to pipelines for GitLab users.