Merge pull request #103 from dflook/tfc-variables

Add variables and var_files support for remote operations

Author: dflook

.github/workflows/test-remote.yaml

@@ -33,11 +33,69 @@ jobs:
 
       - name: Auto apply workspace
         uses: ./terraform-apply
+        id: auto_apply
         with:
           path: tests/terraform-cloud
           workspace: ${{ github.head_ref }}-1
           backend_config: "token=${{ secrets.TF_API_TOKEN }}"
           auto_approve: true
+          var_file: |
+            tests/terraform-cloud/my_variable.tfvars
+          variables: |
+            from_variables="from_variables"
+
+      - name: Verify auto_apply terraform outputs
+        run: |
+          if [[ "${{ steps.auto_apply.outputs.default }}" != "default" ]]; then
+            echo "::error:: Variables not set correctly"
+            exit 1
+          fi
+
+          if [[ "${{ steps.auto_apply.outputs.from_tfvars }}" != "from_tfvars" ]]; then
+            echo "::error:: Variables not set correctly"
+            exit 1
+          fi
+
+          if [[ "${{ steps.auto_apply.outputs.from_variables }}" != "from_variables" ]]; then
+            echo "::error:: Variables not set correctly"
+            exit 1
+          fi
+
+      - name: Check no changes
+        uses: ./terraform-check
+        with:
+          path: tests/terraform-cloud
+          workspace: ${{ github.head_ref }}-1
+          backend_config: "token=${{ secrets.TF_API_TOKEN }}"
+          var_file: |
+            tests/terraform-cloud/my_variable.tfvars
+          variables: |
+            from_variables="from_variables"
+
+      - name: Check changes
+        uses: ./terraform-check
+        id: check
+        continue-on-error: true
+        with:
+          path: tests/terraform-cloud
+          workspace: ${{ github.head_ref }}-1
+          backend_config: "token=${{ secrets.TF_API_TOKEN }}"
+          var_file: |
+            tests/terraform-cloud/my_variable.tfvars
+          variables: |
+            from_variables="Changed!"
+
+      - name: Verify changes detected
+        run: |
+          if [[ "${{ steps.check.outcome }}" != "failure" ]]; then
+            echo "Check didn't fail correctly"
+            exit 1
+          fi
+
+          if [[ "${{ steps.check.outputs.failure-reason }}" != "changes-to-apply" ]]; then
+            echo "failure-reason not set correctly"
+            exit 1
+          fi
 
       - name: Destroy workspace
         uses: ./terraform-destroy-workspace
@@ -55,6 +113,10 @@ jobs:
           path: tests/terraform-cloud
           workspace: ${{ github.head_ref }}-2
           backend_config: "token=${{ secrets.TF_API_TOKEN }}"
+          var_file: |
+            tests/terraform-cloud/my_variable.tfvars
+          variables: |
+            from_variables="from_variables"
 
       - name: Verify plan outputs
         run: |
@@ -70,12 +132,34 @@ jobs:
 
       - name: Apply workspace
         uses: ./terraform-apply
+        id: apply
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           path: tests/terraform-cloud
           workspace: ${{ github.head_ref }}-2
           backend_config: "token=${{ secrets.TF_API_TOKEN }}"
+          var_file: |
+            tests/terraform-cloud/my_variable.tfvars
+          variables: |
+            from_variables="from_variables"
+
+      - name: Verify apply terraform outputs
+        run: |
+          if [[ "${{ steps.apply.outputs.default }}" != "default" ]]; then
+            echo "::error:: Variables not set correctly"
+            exit 1
+          fi
+
+          if [[ "${{ steps.apply.outputs.from_tfvars }}" != "from_tfvars" ]]; then
+            echo "::error:: Variables not set correctly"
+            exit 1
+          fi
+
+          if [[ "${{ steps.apply.outputs.from_variables }}" != "from_variables" ]]; then
+            echo "::error:: Variables not set correctly"
+            exit 1
+          fi
 
       - name: Destroy the last workspace
         uses: ./terraform-destroy-workspace

image/actions.sh

@@ -214,6 +214,32 @@ function set-plan-args() {
     export PLAN_ARGS
 }
 
+function set-remote-plan-args() {
+    PLAN_ARGS=""
+
+    if [[ "$INPUT_PARALLELISM" -ne 0 ]]; then
+        PLAN_ARGS="$PLAN_ARGS -parallelism=$INPUT_PARALLELISM"
+    fi
+
+    local AUTO_TFVARS_COUNTER=0
+
+    if [[ -n "$INPUT_VAR_FILE" ]]; then
+        for file in $(echo "$INPUT_VAR_FILE" | tr ',' '\n'); do
+            cp "$file" "$INPUT_PATH/zzzz-dflook-terraform-github-actions-$AUTO_TFVARS_COUNTER.auto.tfvars"
+            AUTO_TFVARS_COUNTER=$(( AUTO_TFVARS_COUNTER + 1 ))
+        done
+    fi
+
+    if [[ -n "$INPUT_VARIABLES" ]]; then
+        echo "$INPUT_VARIABLES" >"$STEP_TMP_DIR/variables.tfvars"
+        cp "$STEP_TMP_DIR/variables.tfvars" "$INPUT_PATH/zzzz-dflook-terraform-github-actions-$AUTO_TFVARS_COUNTER.auto.tfvars"
+    fi
+
+    debug_cmd ls -la "$INPUT_PATH"
+
+    export PLAN_ARGS
+}
+
 function output() {
     (cd "$INPUT_PATH" && terraform output -json | convert_output)
 }
@@ -243,6 +269,28 @@ function write_credentials() {
     debug_cmd git config --list
 }
 
+function plan() {
+
+    local PLAN_OUT_ARG
+    if [[ -n "$PLAN_OUT" ]]; then
+        PLAN_OUT_ARG="-out=$PLAN_OUT"
+    else
+        PLAN_OUT_ARG=""
+    fi
+
+    set +e
+    # shellcheck disable=SC2086
+    (cd "$INPUT_PATH" && terraform plan -input=false -no-color -detailed-exitcode -lock-timeout=300s $PLAN_OUT_ARG $PLAN_ARGS) \
+        2>"$STEP_TMP_DIR/terraform_plan.stderr" \
+        | $TFMASK \
+        | tee /dev/fd/3 \
+        | compact_plan \
+            >"$STEP_TMP_DIR/plan.txt"
+
+    PLAN_EXIT=${PIPESTATUS[0]}
+    set -e
+}
+
 # Every file written to disk should use one of these directories
 readonly STEP_TMP_DIR="/tmp"
 readonly JOB_TMP_DIR="$HOME/.dflook-terraform-github-actions"

image/entrypoints/apply.sh

@@ -23,28 +23,6 @@ fi
 
 exec 3>&1
 
-function plan() {
-
-    local PLAN_OUT_ARG
-    if [[ -n "$PLAN_OUT" ]]; then
-        PLAN_OUT_ARG="-out=$PLAN_OUT"
-    else
-        PLAN_OUT_ARG=""
-    fi
-
-    set +e
-    # shellcheck disable=SC2086
-    (cd "$INPUT_PATH" && terraform plan -input=false -no-color -detailed-exitcode -lock-timeout=300s $PLAN_OUT_ARG $PLAN_ARGS) \
-        2>"$STEP_TMP_DIR/terraform_plan.stderr" \
-        | $TFMASK \
-        | tee /dev/fd/3 \
-        | compact_plan \
-            >"$STEP_TMP_DIR/plan.txt"
-
-    PLAN_EXIT=${PIPESTATUS[0]}
-    set -e
-}
-
 function apply() {
 
     set +e
@@ -53,6 +31,8 @@ function apply() {
     local APPLY_EXIT=${PIPESTATUS[0]}
     set -e
 
+    find "$INPUT_PATH" -regex '.*/zzzz-dflook-terraform-github-actions-[0-9]+\.auto\.tfvars' -delete
+
     if [[ $APPLY_EXIT -eq 0 ]]; then
         update_status "Plan applied in $(job_markdown_ref)"
     else
@@ -68,6 +48,7 @@ plan
 
 if [[ $PLAN_EXIT -eq 1 ]]; then
     if grep -q "Saving a generated plan is currently not supported" "$STEP_TMP_DIR/terraform_plan.stderr"; then
+        set-remote-plan-args
         PLAN_OUT=""
 
         if [[ "$INPUT_AUTO_APPROVE" == "true" ]]; then
@@ -80,6 +61,7 @@ if [[ $PLAN_EXIT -eq 1 ]]; then
 fi
 
 if [[ $PLAN_EXIT -eq 1 ]]; then
+    find "$INPUT_PATH" -regex '.*/zzzz-dflook-terraform-github-actions-[0-9]+\.auto\.tfvars' -delete
     cat "$STEP_TMP_DIR/terraform_plan.stderr"
 
     update_status "Error applying plan in $(job_markdown_ref)"
@@ -95,18 +77,22 @@ if [[ "$INPUT_AUTO_APPROVE" == "true" || $PLAN_EXIT -eq 0 ]]; then
 else
 
     if [[ "$GITHUB_EVENT_NAME" != "push" && "$GITHUB_EVENT_NAME" != "pull_request" && "$GITHUB_EVENT_NAME" != "issue_comment" && "$GITHUB_EVENT_NAME" != "pull_request_review_comment" && "$GITHUB_EVENT_NAME" != "pull_request_target" && "$GITHUB_EVENT_NAME" != "pull_request_review" ]]; then
+        find "$INPUT_PATH" -regex '.*/zzzz-dflook-terraform-github-actions-[0-9]+\.auto\.tfvars' -delete
         echo "Could not fetch plan from the PR - $GITHUB_EVENT_NAME event does not relate to a pull request. You can generate and apply a plan automatically by setting the auto_approve input to 'true'"
         exit 1
     fi
 
     if [[ ! -v GITHUB_TOKEN ]]; then
+        find "$INPUT_PATH" -regex '.*/zzzz-dflook-terraform-github-actions-[0-9]+\.auto\.tfvars' -delete
         echo "GITHUB_TOKEN environment variable must be set to get plan approval from a PR"
         echo "Either set the GITHUB_TOKEN environment variable or automatically approve by setting the auto_approve input to 'true'"
         echo "See https://github.com/dflook/terraform-github-actions/ for details."
         exit 1
     fi
 
     if ! github_pr_comment get "$STEP_TMP_DIR/approved-plan.txt" 2>"$STEP_TMP_DIR/github_pr_comment.stderr"; then
+        find "$INPUT_PATH" -regex '.*/zzzz-dflook-terraform-github-actions-[0-9]+\.auto\.tfvars' -delete
+
         debug_file "$STEP_TMP_DIR/github_pr_comment.stderr"
         echo "Plan not found on PR"
         echo "Generate the plan first using the dflook/terraform-plan action. Alternatively set the auto_approve input to 'true'"
@@ -119,6 +105,8 @@ else
     if plan_cmp "$STEP_TMP_DIR/plan.txt" "$STEP_TMP_DIR/approved-plan.txt"; then
         apply
     else
+        find "$INPUT_PATH" -regex '.*/zzzz-dflook-terraform-github-actions-[0-9]+\.auto\.tfvars' -delete
+
         echo "Not applying the plan - it has changed from the plan on the PR"
         echo "The plan on the PR must be up to date. Alternatively, set the auto_approve input to 'true' to apply outdated plans"
         update_status "Plan not applied in $(job_markdown_ref) (Plan has changed)"

image/entrypoints/check.sh

@@ -9,19 +9,27 @@ init-backend
 select-workspace
 set-plan-args
 
-set +e
-# shellcheck disable=SC2086
-(cd "$INPUT_PATH" && terraform plan -input=false -detailed-exitcode -lock-timeout=300s $PLAN_ARGS) \
-    | $TFMASK
+PLAN_OUT="$STEP_TMP_DIR/plan.out"
 
-readonly TF_EXIT=${PIPESTATUS[0]}
-set -e
+exec 3>&1
 
-if [[ $TF_EXIT -eq 1 ]]; then
+plan
+
+if [[ $PLAN_EXIT -eq 1 ]]; then
+    if grep -q "Saving a generated plan is currently not supported" "$STEP_TMP_DIR/terraform_plan.stderr"; then
+        # This terraform module is using the remote backend, which is deficient.
+        set-remote-plan-args
+        PLAN_OUT=""
+        plan
+        find "$INPUT_PATH" -regex '.*/zzzz-dflook-terraform-github-actions-[0-9]+\.auto\.tfvars' -delete
+    fi
+fi
+
+if [[ $PLAN_EXIT -eq 1 ]]; then
     echo "Error running terraform"
     exit 1
 
-elif [[ $TF_EXIT -eq 2 ]]; then
+elif [[ $PLAN_EXIT -eq 2 ]]; then
 
     echo "Changes detected!"
     set_output failure-reason changes-to-apply

image/entrypoints/plan.sh

@@ -13,36 +13,17 @@ PLAN_OUT="$STEP_TMP_DIR/plan.out"
 
 exec 3>&1
 
-function plan() {
-
-    local PLAN_OUT_ARG
-    if [[ -n "$PLAN_OUT" ]]; then
-        PLAN_OUT_ARG="-out=$PLAN_OUT"
-    else
-        PLAN_OUT_ARG=""
-    fi
-
-    set +e
-    # shellcheck disable=SC2086
-    (cd "$INPUT_PATH" && terraform plan -input=false -no-color -detailed-exitcode -lock-timeout=300s $PLAN_OUT_ARG $PLAN_ARGS) \
-        2>"$STEP_TMP_DIR/terraform_plan.stderr" \
-        | $TFMASK \
-        | tee /dev/fd/3 \
-        | compact_plan \
-            >"$STEP_TMP_DIR/plan.txt"
-
-    PLAN_EXIT=${PIPESTATUS[0]}
-    set -e
-}
-
 ### Generate a plan
 
 plan
 
 if [[ $PLAN_EXIT -eq 1 ]]; then
     if grep -q "Saving a generated plan is currently not supported" "$STEP_TMP_DIR/terraform_plan.stderr"; then
+        # This terraform module is using the remote backend, which is deficient.
+        set-remote-plan-args
         PLAN_OUT=""
         plan
+        find "$INPUT_PATH" -regex '.*/zzzz-dflook-terraform-github-actions-[0-9]+\.auto\.tfvars' -delete
     fi
 fi