Copy early variables into auto tfvars for apply command

dflook · dflook · commit ba209845dfc0 · 2025-05-28T20:15:14.000+01:00
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -119,13 +119,6 @@ jobs:
             docs/*.md
             **/README.md
 
-      - name: ensure-sha-pinned-actions
-        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@25ed13d0628a1601b4b44048e63cc4328ed03633 # v3
-        with:
-          allowlist: |
-            actions/
-            dflook/
-
       - name: Lint Dockerfile
         uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
         with:
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -3,3 +3,4 @@ rules:
     config:
       policies:
         dflook/terraform-apply: ref-pin
+        actions/*: ref-pin
diff --git a/image/actions.sh b/image/actions.sh
@@ -436,11 +436,7 @@ function set-plan-args() {
     export PLAN_ARGS
 }
 
-function set-remote-plan-args() {
-    set-common-plan-args
-    VARIABLE_ARGS=""
-    DEPRECATED_VAR_ARGS=""
-
+function create-auto-tfvars() {
     local AUTO_TFVARS_COUNTER=0
 
     if [[ -n "$INPUT_VAR_FILE" ]]; then
@@ -451,9 +447,20 @@ function set-remote-plan-args() {
     fi
 
     if [[ -n "$INPUT_VARIABLES" ]]; then
-        echo "$INPUT_VARIABLES" >"$STEP_TMP_DIR/variables.tfvars"
         cp "$STEP_TMP_DIR/variables.tfvars" "$INPUT_PATH/zzzz-dflook-terraform-github-actions-$AUTO_TFVARS_COUNTER.auto.tfvars"
     fi
+}
+
+function delete-auto-tfvars() {
+    debug_cmd find "$INPUT_PATH" -regex '.*/zzzz-dflook-terraform-github-actions-[0-9]+\.auto\.tfvars' -print -delete || true
+}
+
+function set-remote-plan-args() {
+    set-common-plan-args
+    VARIABLE_ARGS=""
+    DEPRECATED_VAR_ARGS=""
+
+    create-auto-tfvars
 
     export PLAN_ARGS
 }
@@ -585,7 +592,7 @@ function fix_owners() {
     fi
 
     if [[ -d "$INPUT_PATH" ]]; then
-        debug_cmd find "$INPUT_PATH" -regex '.*/zzzz-dflook-terraform-github-actions-[0-9]+\.auto\.tfvars' -print -delete || true
+        delete-auto-tfvars
     fi
 
     if [[ -f "$HOME/.terraformrc" ]]; then
diff --git a/image/entrypoints/apply.sh b/image/entrypoints/apply.sh
@@ -41,6 +41,14 @@ function apply() {
           SAVED_PLAN_VARIABLES="$VARIABLE_ARGS"
         fi
 
+        # With OpenTofu >= 1.8.0 Early variable initialization any variables used by the encryption block
+        # must be available for the apply command, but you can not use the -var or -var-file arguments with a saved plan
+        # We have to put them in an auto tfvars file as a workaround.
+
+        if [[ "$TOOL_PRODUCT_NAME" == "OpenTofu" && -n "$EARLY_VARIABLE_ARGS" ]]; then
+            create-auto-vars
+        fi
+
         # shellcheck disable=SC2086
         debug_log $TOOL_COMMAND_NAME apply -input=false -no-color -lock-timeout=300s $PARALLEL_ARG $SAVED_PLAN_VARIABLES $PLAN_OUT
         # shellcheck disable=SC2086
@@ -51,6 +59,10 @@ function apply() {
         APPLY_EXIT=${PIPESTATUS[0]}
         >&2 cat "$STEP_TMP_DIR/terraform_apply.stderr"
 
+        if [[ "$TOOL_PRODUCT_NAME" == "OpenTofu" && -n "$EARLY_VARIABLE_ARGS" ]]; then
+            delete-auto-vars
+        fi
+
     else
         # There is no plan file to apply, since the remote backend can't produce them.
         # Instead we need to do an auto approved apply using the arguments we would normally use for the plan
