Add variables and var_files support for remote operations in terraform-check

Author: dflook

.github/workflows/test-remote.yaml

@@ -61,6 +61,42 @@ jobs:
             exit 1
           fi
 
+      - name: Check no changes
+        uses: ./terraform-check
+        with:
+          path: tests/terraform-cloud
+          workspace: ${{ github.head_ref }}-1
+          backend_config: "token=${{ secrets.TF_API_TOKEN }}"
+          var_file: |
+            tests/terraform-cloud/my_variable.tfvars
+          variables: |
+            from_variables="from_variables"
+
+      - name: Check changes
+        uses: ./terraform-check
+        id: check
+        continue-on-error: true
+        with:
+          path: tests/terraform-cloud
+          workspace: ${{ github.head_ref }}-1
+          backend_config: "token=${{ secrets.TF_API_TOKEN }}"
+          var_file: |
+            tests/terraform-cloud/my_variable.tfvars
+          variables: |
+            from_variables="Changed!"
+
+      - name: Verify changes detected
+        run: |
+          if [[ "${{ steps.check.outcome }}" != "failure" ]]; then
+            echo "Check didn't fail correctly"
+            exit 1
+          fi
+
+          if [[ "${{ steps.check.outputs.failure-reason }}" != "changes-to-apply" ]]; then
+            echo "failure-reason not set correctly"
+            exit 1
+          fi
+
       - name: Destroy workspace
         uses: ./terraform-destroy-workspace
         with:

image/actions.sh

@@ -221,8 +221,6 @@ function set-remote-plan-args() {
         PLAN_ARGS="$PLAN_ARGS -parallelism=$INPUT_PARALLELISM"
     fi
 
-    set -x
-
     local AUTO_TFVARS_COUNTER=0
 
     if [[ -n "$INPUT_VAR_FILE" ]]; then
@@ -271,6 +269,28 @@ function write_credentials() {
     debug_cmd git config --list
 }
 
+function plan() {
+
+    local PLAN_OUT_ARG
+    if [[ -n "$PLAN_OUT" ]]; then
+        PLAN_OUT_ARG="-out=$PLAN_OUT"
+    else
+        PLAN_OUT_ARG=""
+    fi
+
+    set +e
+    # shellcheck disable=SC2086
+    (cd "$INPUT_PATH" && terraform plan -input=false -no-color -detailed-exitcode -lock-timeout=300s $PLAN_OUT_ARG $PLAN_ARGS) \
+        2>"$STEP_TMP_DIR/terraform_plan.stderr" \
+        | $TFMASK \
+        | tee /dev/fd/3 \
+        | compact_plan \
+            >"$STEP_TMP_DIR/plan.txt"
+
+    PLAN_EXIT=${PIPESTATUS[0]}
+    set -e
+}
+
 # Every file written to disk should use one of these directories
 readonly STEP_TMP_DIR="/tmp"
 readonly JOB_TMP_DIR="$HOME/.dflook-terraform-github-actions"

image/entrypoints/apply.sh

@@ -23,28 +23,6 @@ fi
 
 exec 3>&1
 
-function plan() {
-
-    local PLAN_OUT_ARG
-    if [[ -n "$PLAN_OUT" ]]; then
-        PLAN_OUT_ARG="-out=$PLAN_OUT"
-    else
-        PLAN_OUT_ARG=""
-    fi
-
-    set +e
-    # shellcheck disable=SC2086
-    (cd "$INPUT_PATH" && terraform plan -input=false -no-color -detailed-exitcode -lock-timeout=300s $PLAN_OUT_ARG $PLAN_ARGS) \
-        2>"$STEP_TMP_DIR/terraform_plan.stderr" \
-        | $TFMASK \
-        | tee /dev/fd/3 \
-        | compact_plan \
-            >"$STEP_TMP_DIR/plan.txt"
-
-    PLAN_EXIT=${PIPESTATUS[0]}
-    set -e
-}
-
 function apply() {
 
     set +e

image/entrypoints/check.sh

@@ -9,19 +9,27 @@ init-backend
 select-workspace
 set-plan-args
 
-set +e
-# shellcheck disable=SC2086
-(cd "$INPUT_PATH" && terraform plan -input=false -detailed-exitcode -lock-timeout=300s $PLAN_ARGS) \
-    | $TFMASK
+PLAN_OUT="$STEP_TMP_DIR/plan.out"
 
-readonly TF_EXIT=${PIPESTATUS[0]}
-set -e
+exec 3>&1
 
-if [[ $TF_EXIT -eq 1 ]]; then
+plan
+
+if [[ $PLAN_EXIT -eq 1 ]]; then
+    if grep -q "Saving a generated plan is currently not supported" "$STEP_TMP_DIR/terraform_plan.stderr"; then
+        # This terraform module is using the remote backend, which is deficient.
+        set-remote-plan-args
+        PLAN_OUT=""
+        plan
+        find "$INPUT_PATH" -regex '.*/zzzz-dflook-terraform-github-actions-[0-9]+\.auto\.tfvars' -delete
+    fi
+fi
+
+if [[ $PLAN_EXIT -eq 1 ]]; then
     echo "Error running terraform"
     exit 1
 
-elif [[ $TF_EXIT -eq 2 ]]; then
+elif [[ $PLAN_EXIT -eq 2 ]]; then
 
     echo "Changes detected!"
     set_output failure-reason changes-to-apply

image/entrypoints/plan.sh

@@ -13,28 +13,6 @@ PLAN_OUT="$STEP_TMP_DIR/plan.out"
 
 exec 3>&1
 
-function plan() {
-
-    local PLAN_OUT_ARG
-    if [[ -n "$PLAN_OUT" ]]; then
-        PLAN_OUT_ARG="-out=$PLAN_OUT"
-    else
-        PLAN_OUT_ARG=""
-    fi
-
-    set +e
-    # shellcheck disable=SC2086
-    (cd "$INPUT_PATH" && terraform plan -input=false -no-color -detailed-exitcode -lock-timeout=300s $PLAN_OUT_ARG $PLAN_ARGS) \
-        2>"$STEP_TMP_DIR/terraform_plan.stderr" \
-        | $TFMASK \
-        | tee /dev/fd/3 \
-        | compact_plan \
-            >"$STEP_TMP_DIR/plan.txt"
-
-    PLAN_EXIT=${PIPESTATUS[0]}
-    set -e
-}
-
 ### Generate a plan
 
 plan

terraform-apply/README.md

@@ -74,35 +74,7 @@ These input values must be the same as any `terraform-plan` for the same configu
   ```
 
   Variables set here override any given in `var_file`s.
-
-  - Type: string
-  - Optional
-
-* ~~`var`~~
-
-  > :warning: **Deprecated**: Use the `variables` input instead.
-
-  Comma separated list of terraform vars to set.
-
-  This is deprecated due to the following limitations:
-  - Only primitive types can be set with `var` - number, bool and string.
-  - String values may not contain a comma.
-  - Values set with `var` will be overridden by values contained in `var_file`s
-
-  You can change from `var` to `variables` by putting each variable on a separate line and ensuring each string value is quoted.
-
-  For example:
-  ```yaml
-  with:
-    var: instance_type=m5.xlarge,nat_type=instance
-  ```
-  Becomes:
-  ```yaml
-  with:
-    variables: |
-      instance_type="m5.xlarge"
-      nat_type="instance"
-  ```
+  This **can** be used with remote backends such as Terraform Cloud/Enterprise, with variables set in the remote workspace having precedence.
 
   - Type: string
   - Optional
@@ -119,6 +91,8 @@ These input values must be the same as any `terraform-plan` for the same configu
       prod.tfvars
   ```
 
+  This **can** be used with remote backends such as Terraform Cloud/Enterprise, with variables set in the remote workspace having precedence.
+
   - Type: string
   - Optional
 
@@ -181,6 +155,36 @@ These input values must be the same as any `terraform-plan` for the same configu
   - Optional
   - Default: false
 
+* ~~`var`~~
+
+  > :warning: **Deprecated**: Use the `variables` input instead.
+
+  Comma separated list of terraform vars to set.
+
+  This is deprecated due to the following limitations:
+  - Only primitive types can be set with `var` - number, bool and string.
+  - String values may not contain a comma.
+  - Values set with `var` will be overridden by values contained in `var_file`s
+  - Does not work with the `remote` backend
+
+  You can change from `var` to `variables` by putting each variable on a separate line and ensuring each string value is quoted.
+
+  For example:
+  ```yaml
+  with:
+    var: instance_type=m5.xlarge,nat_type=instance
+  ```
+  Becomes:
+  ```yaml
+  with:
+    variables: |
+      instance_type="m5.xlarge"
+      nat_type="instance"
+  ```
+
+  - Type: string
+  - Optional
+
 ## Outputs
 
 * Terraform Outputs

terraform-check/README.md

@@ -39,15 +39,7 @@ This is intended to run on a schedule to notify if manual changes to your infras
   ```
 
   Variables set here override any given in `var_file`s.
-
-  - Type: string
-  - Optional
-
-* ~~`var`~~
-
-  > :warning: **Deprecated**: Use the `variables` input instead.
-
-  Comma separated list of terraform vars to set
+  This **can** be used with remote backends such as Terraform Cloud/Enterprise, with variables set in the remote workspace having precedence.
 
   - Type: string
   - Optional
@@ -64,6 +56,11 @@ This is intended to run on a schedule to notify if manual changes to your infras
       prod.tfvars
   ```
 
+  This **can** be used with remote backends such as Terraform Cloud/Enterprise, with variables set in the remote workspace having precedence.
+
+  - Type: string
+  - Optional
+
 * `backend_config`
 
   List of terraform backend config values, one per line.
@@ -97,6 +94,15 @@ This is intended to run on a schedule to notify if manual changes to your infras
   - Optional
   - Default: 10
 
+* ~~`var`~~
+
+  > :warning: **Deprecated**: Use the `variables` input instead.
+
+  Comma separated list of terraform vars to set
+
+  - Type: string
+  - Optional
+
 ## Outputs
 
 * `failure-reason`

terraform-plan/README.md

@@ -57,41 +57,13 @@ The [dflook/terraform-apply](https://github.com/dflook/terraform-github-actions/
   ```
 
   Variables set here override any given in `var_file`s.
+  This **can** be used with remote backends such as Terraform Cloud/Enterprise, with variables set in the remote workspace having precedence.
 
   > :warning: Secret values are not masked in the PR comment. Set a `label` to avoid revealing the variables in the PR.
 
   - Type: string
   - Optional
 
-* ~~`var`~~
-
-  > :warning: **Deprecated**: Use the `variables` input instead.
-
-  Comma separated list of terraform vars to set.
-
-  This is deprecated due to the following limitations:
-  - Only primitive types can be set with `var` - number, bool and string.
-  - String values may not contain a comma.
-  - Values set with `var` will be overridden by values contained in `var_file`s
-
-  You can change from `var` to `variables` by putting each variable on a separate line and ensuring each string value is quoted.
-
-  For example:
-  ```yaml
-  with:
-    var: instance_type=m5.xlarge,nat_type=instance
-  ```
-  Becomes:
-  ```yaml
-  with:
-    variables: |
-      instance_type="m5.xlarge"
-      nat_type="instance"
-  ```
-
-  - Type: string
-  - Optional
-
 * `var_file`
 
   List of tfvars files to use, one per line.
@@ -104,6 +76,8 @@ The [dflook/terraform-apply](https://github.com/dflook/terraform-github-actions/
       prod.tfvars
   ```
 
+  This **can** be used with remote backends such as Terraform Cloud/Enterprise, with variables set in the remote workspace having precedence.
+
   - Type: string
   - Optional
 
@@ -150,6 +124,36 @@ The [dflook/terraform-apply](https://github.com/dflook/terraform-github-actions/
   - Optional
   - Default: true
 
+* ~~`var`~~
+
+  > :warning: **Deprecated**: Use the `variables` input instead.
+
+  Comma separated list of terraform vars to set.
+
+  This is deprecated due to the following limitations:
+  - Only primitive types can be set with `var` - number, bool and string.
+  - String values may not contain a comma.
+  - Values set with `var` will be overridden by values contained in `var_file`s
+  - Does not work with the `remote` backend
+
+  You can change from `var` to `variables` by putting each variable on a separate line and ensuring each string value is quoted.
+
+  For example:
+  ```yaml
+  with:
+    var: instance_type=m5.xlarge,nat_type=instance
+  ```
+  Becomes:
+  ```yaml
+  with:
+    variables: |
+      instance_type="m5.xlarge"
+      nat_type="instance"
+  ```
+
+  - Type: string
+  - Optional
+
 ## Environment Variables
 
 * `GITHUB_TOKEN`