Use early variables for additional commands

Use early variables for:
- tofu workspace
- tofu show
- tofu validate
- tofu init, even when the backend is not needed

Author: dflook

.github/workflows/test-early-eval.yaml

@@ -10,9 +10,13 @@ jobs:
   s3-backend:
     runs-on: ubuntu-24.04
     name: Plan with early eval
+    permissions:
+      contents: read
+      pull-requests: write
     env:
       AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
       AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -21,9 +25,25 @@ jobs:
 
       - name: tofu plan
         uses: ./tofu-plan
+        id: plan
+        with:
+          path: tests/workflows/test-early-eval/s3
+          variables: |
+            passphrase = "tofuqwertyuiopasdfgh"
+
+      - name: Verify outputs
+        env:
+          JSON_PLAN_PATH: ${{ steps.plan.outputs.json_plan_path }}
+        run: |
+          if [[ ! -f "$JSON_PLAN_PATH" ]]; then
+            echo "::error:: json_plan_path not set correctly"
+            exit 1
+          fi
+
+      - name: tofu apply
+        uses: ./tofu-apply
         with:
           path: tests/workflows/test-early-eval/s3
-          add_github_comment: false
           variables: |
             passphrase = "tofuqwertyuiopasdfgh"
 

docs-gen/actions/fmt.py

@@ -1,11 +1,13 @@
 import dataclasses
 
-from action import Action
+from action import Action, OpenTofu
 from environment_variables.GITHUB_DOT_COM_TOKEN import GITHUB_DOT_COM_TOKEN
 from environment_variables.TERRAFORM_CLOUD_TOKENS import TERRAFORM_CLOUD_TOKENS
 from inputs.backend_config import backend_config
 from inputs.backend_config_file import backend_config_file
 from inputs.path import path
+from inputs.var_file import var_file
+from inputs.variables import variables
 from inputs.workspace import workspace
 
 fmt = Action(
@@ -20,6 +22,11 @@
             $ProductName workspace to inspect when discovering the $ProductName version to use, if the version is not otherwise specified.
             See [dflook/$ToolName-version](https://github.com/dflook/terraform-github-actions/tree/main/$ToolName-version#$ToolName-version-action) for details.
         '''),
+        dataclasses.replace(variables, available_in=[OpenTofu], description='''
+            Variables to set when initializing $ProductName. This should be valid $ProductName syntax - like a [variable definition file]($VariableDefinitionUrl).
+            Variables set here override any given in `var_file`s.
+        '''),
+        dataclasses.replace(var_file, available_in=[OpenTofu]),
         dataclasses.replace(backend_config, description='''
             List of $ProductName backend config values, one per line. This is used for discovering the $ProductName version to use, if the version is not otherwise specified.
             See [dflook/$ToolName-version](https://github.com/dflook/terraform-github-actions/tree/main/$ToolName-version#$ToolName-version-action) for details.
@@ -70,4 +77,4 @@
           branch: automated-$ToolName-fmt
 ```
 '''
-)
+)

docs-gen/actions/fmt_check.py

@@ -1,11 +1,13 @@
 import dataclasses
 
-from action import Action
+from action import Action, OpenTofu
 from environment_variables.GITHUB_DOT_COM_TOKEN import GITHUB_DOT_COM_TOKEN
 from environment_variables.TERRAFORM_CLOUD_TOKENS import TERRAFORM_CLOUD_TOKENS
 from inputs.backend_config import backend_config
 from inputs.backend_config_file import backend_config_file
 from inputs.path import path
+from inputs.var_file import var_file
+from inputs.variables import variables
 from inputs.workspace import workspace
 from outputs.failure_reason import failure_reason
 
@@ -24,6 +26,11 @@
             $ProductName workspace to inspect when discovering the $ProductName version to use, if the version is not otherwise specified.
             See [dflook/$ToolName-version](https://github.com/dflook/terraform-github-actions/tree/main/$ToolName-version#$ToolName-version-action) for details.
         '''),
+        dataclasses.replace(variables, available_in=[OpenTofu], description='''
+            Variables to set when initializing $ProductName. This should be valid $ProductName syntax - like a [variable definition file]($VariableDefinitionUrl).
+            Variables set here override any given in `var_file`s.
+        '''),
+        dataclasses.replace(var_file, available_in=[OpenTofu]),
         dataclasses.replace(backend_config, description='''
             List of $ProductName backend config values, one per line. This is used for discovering the $ProductName version to use, if the version is not otherwise specified.
             See [dflook/$ToolName-version](https://github.com/dflook/terraform-github-actions/tree/main/$ToolName-version#$ToolName-version-action) for details.
@@ -96,4 +103,4 @@
         run: echo "formatting check failed"
 ```
 '''
-)
+)

docs-gen/actions/new_workspace.py

@@ -21,11 +21,11 @@
     inputs=[
         path,
         dataclasses.replace(workspace, description='The name of the $ProductName workspace to create.', required=True, default=None),
-        dataclasses.replace(variables, description='''
+        dataclasses.replace(variables, available_in=[OpenTofu], description='''
         Variables to set when initializing $ProductName. This should be valid $ProductName syntax - like a [variable definition file]($VariableDefinitionUrl).
 
         Variables set here override any given in `var_file`s.
-        ''', available_in=[OpenTofu]),
+        '''),
         dataclasses.replace(var_file, available_in=[OpenTofu]),
         backend_config,
         backend_config_file,

docs-gen/actions/output.py

@@ -1,6 +1,6 @@
 import dataclasses
 
-from action import Action
+from action import Action, OpenTofu
 from environment_variables.GITHUB_DOT_COM_TOKEN import GITHUB_DOT_COM_TOKEN
 from environment_variables.TERRAFORM_CLOUD_TOKENS import TERRAFORM_CLOUD_TOKENS
 from environment_variables.TERRAFORM_HTTP_CREDENTIALS import TERRAFORM_HTTP_CREDENTIALS
@@ -9,6 +9,8 @@
 from inputs.backend_config import backend_config
 from inputs.backend_config_file import backend_config_file
 from inputs.path import path
+from inputs.var_file import var_file
+from inputs.variables import variables
 from inputs.workspace import workspace
 from outputs.terraform_outputs import terraform_outputs
 
@@ -20,8 +22,14 @@
     inputs=[
         path,
         dataclasses.replace(workspace, description='$ProductName workspace to get outputs from'),
+        dataclasses.replace(variables, available_in=[OpenTofu], description='''
+            Variables to set when initializing $ProductName. This should be valid $ProductName syntax - like a [variable definition file]($VariableDefinitionUrl).
+
+            Variables set here override any given in `var_file`s.
+        '''),
+        dataclasses.replace(var_file, available_in=[OpenTofu]),
         backend_config,
-        backend_config_file,
+        backend_config_file
     ],
     environment_variables=[
         GITHUB_DOT_COM_TOKEN,
@@ -106,4 +114,4 @@
 The subnet-ids are subnet-053008016a2c1768c,subnet-07d4ce437c43eba2f,subnet-0a5f8c3a20023b8c0
 ```
 '''
-)
+)

image/actions.sh

@@ -171,8 +171,10 @@ function init() {
     start_group "Initializing $TOOL_PRODUCT_NAME"
 
     rm -rf "$TF_DATA_DIR"
-    debug_log "$TOOL_COMMAND_NAME" init -input=false -backend=false
-    (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME init -input=false -backend=false)
+    # shellcheck disable=SC2086
+    debug_log "$TOOL_COMMAND_NAME" init -input=false -backend=false $EARLY_VARIABLE_ARGS
+    # shellcheck disable=SC2086
+    (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME init -input=false -backend=false $EARLY_VARIABLE_ARGS)
 
     end_group
 }
@@ -187,11 +189,15 @@ function init-test() {
     rm -rf "$TF_DATA_DIR"
 
     if [[ -n "$INPUT_TEST_DIRECTORY" ]]; then
-        debug_log "$TOOL_COMMAND_NAME" init -input=false -backend=false -test-directory "$INPUT_TEST_DIRECTORY"
-        (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME init -input=false -backend=false -test-directory "$INPUT_TEST_DIRECTORY")
+        # shellcheck disable=SC2086
+        debug_log "$TOOL_COMMAND_NAME" init -input=false -backend=false $EARLY_VARIABLE_ARGS -test-directory "$INPUT_TEST_DIRECTORY"
+        # shellcheck disable=SC2086
+        (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME init -input=false -backend=false $EARLY_VARIABLE_ARGS -test-directory "$INPUT_TEST_DIRECTORY")
     else
-        debug_log "$TOOL_COMMAND_NAME" init -input=false -backend=false
-        (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME init -input=false -backend=false)
+        # shellcheck disable=SC2086
+        debug_log "$TOOL_COMMAND_NAME" init -input=false -backend=false $EARLY_VARIABLE_ARGS
+        # shellcheck disable=SC2086
+        (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME init -input=false -backend=false $EARLY_VARIABLE_ARGS)
     fi
 
     end_group
@@ -221,9 +227,9 @@ function set-init-args() {
     if [[ -v OPENTOFU && $TERRAFORM_VER_MINOR -ge 8 ]]; then
         debug_log "Preparing variables for early evaluation"
         set-variable-args
-        INIT_ARGS="$INIT_ARGS $VARIABLE_ARGS"
+        EARLY_VARIABLE_ARGS=$VARIABLE_ARGS
     else
-        VARIABLE_ARGS=""
+        EARLY_VARIABLE_ARGS=""
     fi
 
     export INIT_ARGS
@@ -240,12 +246,12 @@ function init-backend-workspace() {
 
     rm -rf "$TF_DATA_DIR"
 
-    # shellcheck disable=SC2016
-    debug_log TF_WORKSPACE="$INPUT_WORKSPACE" "$TOOL_COMMAND_NAME" init -input=false '$INIT_ARGS'  # don't expand INIT_ARGS
+    # shellcheck disable=SC2016,SC2086
+    debug_log TF_WORKSPACE="$INPUT_WORKSPACE" "$TOOL_COMMAND_NAME" init -input=false '$INIT_ARGS' $EARLY_VARIABLE_ARGS # don't expand INIT_ARGS
 
     set +e
     # shellcheck disable=SC2086
-    (cd "$INPUT_PATH" && TF_WORKSPACE=$INPUT_WORKSPACE $TOOL_COMMAND_NAME init -input=false $INIT_ARGS \
+    (cd "$INPUT_PATH" && TF_WORKSPACE=$INPUT_WORKSPACE $TOOL_COMMAND_NAME init -input=false $INIT_ARGS $EARLY_VARIABLE_ARGS \
         2>"$STEP_TMP_DIR/terraform_init.stderr")
 
     local INIT_EXIT=$?
@@ -281,11 +287,11 @@ function init-backend-default-workspace() {
 
     rm -rf "$TF_DATA_DIR"
 
-    # shellcheck disable=SC2016
-    debug_log "$TOOL_COMMAND_NAME" init -input=false '$INIT_ARGS'  # don't expand INIT_ARGS
+    # shellcheck disable=SC2016,SC2086
+    debug_log "$TOOL_COMMAND_NAME" init -input=false '$INIT_ARGS' $EARLY_VARIABLE_ARGS # don't expand INIT_ARGS
     set +e
     # shellcheck disable=SC2086
-    (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME init -input=false $INIT_ARGS \
+    (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME init -input=false $INIT_ARGS $EARLY_VARIABLE_ARGS \
         2>"$STEP_TMP_DIR/terraform_init.stderr")
 
     local INIT_EXIT=$?
@@ -311,11 +317,11 @@ function select-workspace() {
     local WORKSPACE_EXIT
 
     # shellcheck disable=SC2086
-    debug_log "$TOOL_COMMAND_NAME" workspace select $VARIABLE_ARGS "$INPUT_WORKSPACE"
+    debug_log "$TOOL_COMMAND_NAME" workspace select $EARLY_VARIABLE_ARGS "$INPUT_WORKSPACE"
 
     set +e
     # shellcheck disable=SC2086
-    (cd "$INPUT_PATH" && "$TOOL_COMMAND_NAME" workspace select $VARIABLE_ARGS "$INPUT_WORKSPACE") >"$STEP_TMP_DIR/workspace_select" 2>&1
+    (cd "$INPUT_PATH" && "$TOOL_COMMAND_NAME" workspace select $EARLY_VARIABLE_ARGS "$INPUT_WORKSPACE") >"$STEP_TMP_DIR/workspace_select" 2>&1
     WORKSPACE_EXIT=$?
     set -e
 
@@ -449,8 +455,10 @@ function set-remote-plan-args() {
 }
 
 function output() {
-    debug_log "$TOOL_COMMAND_NAME" output -json
-    (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME output -json | tee "$STEP_TMP_DIR/terraform_output.json" | convert_output)
+    # shellcheck disable=SC2086
+    debug_log "$TOOL_COMMAND_NAME" output -json $EARLY_VARIABLE_ARGS
+    # shellcheck disable=SC2086
+    (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME output -json $EARLY_VARIABLE_ARGS | tee "$STEP_TMP_DIR/terraform_output.json" | convert_output)
 }
 
 function random_string() {
@@ -546,8 +554,10 @@ function destroy() {
 
 function force_unlock() {
     echo "Unlocking state with ID: $INPUT_LOCK_ID"
-    debug_log "$TOOL_COMMAND_NAME" force-unlock -force "$INPUT_LOCK_ID"
-    (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME force-unlock -force "$INPUT_LOCK_ID")
+    # shellcheck disable=SC2086
+    debug_log "$TOOL_COMMAND_NAME" force-unlock -force $EARLY_VARIABLE_ARGS "$INPUT_LOCK_ID"
+    # shellcheck disable=SC2086
+    (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME force-unlock -force $EARLY_VARIABLE_ARGS "$INPUT_LOCK_ID")
 }
 
 # Every file written to disk should use one of these directories

image/entrypoints/destroy-workspace.sh

@@ -36,7 +36,7 @@ else
     init-backend-default-workspace
 
     # shellcheck disable=SC2086
-    debug_log $TOOL_COMMAND_NAME workspace delete $VARIABLE_ARGS -no-color -lock-timeout=300s "$INPUT_WORKSPACE"
+    debug_log $TOOL_COMMAND_NAME workspace delete $EARLY_VARIABLE_ARGS -no-color -lock-timeout=300s "$INPUT_WORKSPACE"
     # shellcheck disable=SC2086
-    (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace delete $VARIABLE_ARGS -no-color -lock-timeout=300s "$INPUT_WORKSPACE")
+    (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace delete $EARLY_VARIABLE_ARGS -no-color -lock-timeout=300s "$INPUT_WORKSPACE")
 fi

image/entrypoints/new-workspace.sh

@@ -15,7 +15,7 @@ init-backend-default-workspace
 
 set +e
 # shellcheck disable=SC2086
-(cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace list $VARIABLE_ARGS -no-color) \
+(cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace list $EARLY_VARIABLE_ARGS -no-color) \
     2>"$STEP_TMP_DIR/terraform_workspace_list.stderr" \
     >"$STEP_TMP_DIR/terraform_workspace_list.stdout"
 
@@ -34,13 +34,13 @@ fi
 if workspace_exists "$INPUT_WORKSPACE" <"$STEP_TMP_DIR/terraform_workspace_list.stdout"; then
     echo "Workspace appears to exist, selecting it"
     # shellcheck disable=SC2086
-    (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace select $VARIABLE_ARGS -no-color "$INPUT_WORKSPACE")
+    (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace select $EARLY_VARIABLE_ARGS -no-color "$INPUT_WORKSPACE")
 else
     echo "Workspace does not appear to exist, attempting to create it"
 
     set +e
     # shellcheck disable=SC2086
-    (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace new $VARIABLE_ARGS -no-color -lock-timeout=300s "$INPUT_WORKSPACE") \
+    (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace new $EARLY_VARIABLE_ARGS -no-color -lock-timeout=300s "$INPUT_WORKSPACE") \
         2>"$STEP_TMP_DIR/terraform_workspace_new.stderr" \
         >"$STEP_TMP_DIR/terraform_workspace_new.stdout"
 
@@ -56,7 +56,7 @@ else
         if grep -Fq "already exists" "$STEP_TMP_DIR/terraform_workspace_new.stderr"; then
             echo "Workspace does exist, selecting it"
             # shellcheck disable=SC2086
-            (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace select $VARIABLE_ARGS -no-color "$INPUT_WORKSPACE")
+            (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace select $EARLY_VARIABLE_ARGS -no-color "$INPUT_WORKSPACE")
         else
             cat "$STEP_TMP_DIR/terraform_workspace_new.stderr"
             cat "$STEP_TMP_DIR/terraform_workspace_new.stdout"

image/entrypoints/plan.sh

@@ -84,7 +84,8 @@ if [[ -n "$PLAN_OUT" ]]; then
     cp "$PLAN_OUT" "$GITHUB_WORKSPACE/$WORKSPACE_TMP_DIR/plan.tfplan"
     set_output plan_path "$WORKSPACE_TMP_DIR/plan.tfplan"
 
-    if (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME show -json "$PLAN_OUT") >"$GITHUB_WORKSPACE/$WORKSPACE_TMP_DIR/plan.json" 2>"$STEP_TMP_DIR/terraform_show.stderr"; then
+    # shellcheck disable=SC2086
+    if (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME show -json $EARLY_VARIABLE_ARGS "$PLAN_OUT") >"$GITHUB_WORKSPACE/$WORKSPACE_TMP_DIR/plan.json" 2>"$STEP_TMP_DIR/terraform_show.stderr"; then
         set_output json_plan_path "$WORKSPACE_TMP_DIR/plan.json"
     else
         debug_file "$STEP_TMP_DIR/terraform_show.stderr"

image/entrypoints/validate.sh

@@ -21,7 +21,8 @@ fi
 
 init || true
 
-if ! (cd "$INPUT_PATH" && TF_WORKSPACE="$TF_WORKSPACE" $TOOL_COMMAND_NAME validate -json | convert_validate_report "$INPUT_PATH"); then
+# shellcheck disable=SC2086
+if ! (cd "$INPUT_PATH" && TF_WORKSPACE="$TF_WORKSPACE" $TOOL_COMMAND_NAME validate -json $EARLY_VARIABLE_ARGS | convert_validate_report "$INPUT_PATH"); then
     (cd "$INPUT_PATH" && TF_WORKSPACE="$TF_WORKSPACE" $TOOL_COMMAND_NAME validate)
 else
     echo -e "\033[1;32mSuccess!\033[0m The configuration is valid"