From 390bc71bc7ded023cd4666e8a6191981aa84686e Mon Sep 17 00:00:00 2001 From: Daniel Flook Date: Sat, 28 Dec 2024 18:28:55 +0000 Subject: [PATCH 1/7] Add support for early evalution in OpenTofu Pass variables to the init and workspace select commands --- .github/workflows/test-early-eval.yaml | 28 +++++++++++ image/actions.sh | 15 +++++- image/entrypoints/test.sh | 3 +- .../test-plan/early-eval/tofu/main.tf | 48 +++++++++++++++++++ .../early-eval/tofu/terraform.tfvars | 1 + 5 files changed, 92 insertions(+), 3 deletions(-) create mode 100644 .github/workflows/test-early-eval.yaml create mode 100644 tests/workflows/test-plan/early-eval/tofu/main.tf create mode 100644 tests/workflows/test-plan/early-eval/tofu/terraform.tfvars diff --git a/.github/workflows/test-early-eval.yaml b/.github/workflows/test-early-eval.yaml new file mode 100644 index 00000000..a6d21d79 --- /dev/null +++ b/.github/workflows/test-early-eval.yaml @@ -0,0 +1,28 @@ +name: Test OpenTofu early eval + +on: + - pull_request + +permissions: + contents: read + +jobs: + plan: + runs-on: ubuntu-24.04 + name: Plan with early eval + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: terraform plan + uses: ./tofu-plan + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + with: + path: tests/workflows/test-plan/early-eval/tofu + add_github_comment: false + variables: | + passphrase = "tofuqwertyuiopasdfgh" diff --git a/image/actions.sh b/image/actions.sh index b0e6f93d..141efebd 100644 --- a/image/actions.sh +++ b/image/actions.sh @@ -218,6 +218,14 @@ function set-init-args() { done fi + if [[ -v OPENTOFU && $TERRAFORM_VER_MINOR -ge 8 ]]; then + debug_log "Preparing variables for early evaluation" + set-variable-args + INIT_ARGS="$INIT_ARGS $VARIABLE_ARGS" + else + VARIABLE_ARGS="" + fi + export INIT_ARGS } 
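Review bot: The `passphrase = "tofuqwertyuiopasdfgh"` value passed through the `variables` input of the plan step is a literal committed to the repository, so the state encryption this test exercises protects nothing beyond the test itself. A comment above the `variables:` key, for example `# throwaway test passphrase; real workflows should take this from secrets`, would stop the pattern from being copied into a production workflow as-is. The README example added later in this series already uses `${{ secrets.AMI_ID }}` for a value of that kind, so pointing at it from the comment would be enough.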
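Review bot: The gate `$TERRAFORM_VER_MINOR -ge 8` in set-init-args looks only at the minor version, so an OpenTofu release with a higher major and a minor below 8 would silently skip early evaluation; the check should also compare the major version, assuming one is available alongside TERRAFORM_VER_MINOR (this hunk does not show it). `$VARIABLE_ARGS` is folded into the flat `INIT_ARGS` string, so it is word-split and glob-expanded wherever `$INIT_ARGS` is later used unquoted, which matters if a `var_file` path contains spaces or wildcard characters. It is also worth confirming what set-variable-args puts into that string: if any variable values (rather than file paths) end up in it, the `debug_log` calls that this series adds around the workspace commands would write them to the job log. The function starts outside the hunk.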
@@ -302,9 +310,12 @@ function init-backend-default-workspace() { function select-workspace() { local WORKSPACE_EXIT - debug_log "$TOOL_COMMAND_NAME" workspace select "$INPUT_WORKSPACE" + # shellcheck disable=SC2086 + debug_log "$TOOL_COMMAND_NAME" workspace select $VARIABLE_ARGS "$INPUT_WORKSPACE" + set +e - (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace select "$INPUT_WORKSPACE") >"$STEP_TMP_DIR/workspace_select" 2>&1 + # shellcheck disable=SC2086 + (cd "$INPUT_PATH" && "$TOOL_COMMAND_NAME" workspace select $VARIABLE_ARGS "$INPUT_WORKSPACE") >"$STEP_TMP_DIR/workspace_select" 2>&1 WORKSPACE_EXIT=$? set -e diff --git a/image/entrypoints/test.sh b/image/entrypoints/test.sh index badd1c4f..05b24c02 100755 --- a/image/entrypoints/test.sh +++ b/image/entrypoints/test.sh @@ -34,7 +34,8 @@ function set-test-args() { function test() { - debug_log $TOOL_COMMAND_NAME test -no-color "$TEST_ARGS" "$VARIABLE_ARGS" + # shellcheck disable=SC2086 + debug_log $TOOL_COMMAND_NAME test -no-color $TEST_ARGS $VARIABLE_ARGS set +e # shellcheck disable=SC2086 diff --git a/tests/workflows/test-plan/early-eval/tofu/main.tf b/tests/workflows/test-plan/early-eval/tofu/main.tf new file mode 100644 index 00000000..cae67d28 --- /dev/null +++ b/tests/workflows/test-plan/early-eval/tofu/main.tf 
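Review bot: `$VARIABLE_ARGS` is expanded unquoted in select-workspace with SC2086 suppressed, so its contents go through word splitting and pathname expansion before they reach `workspace select`; a var-file path with a space or a `*` in it would be passed as the wrong arguments. Holding the arguments in a bash array and expanding `"${VARIABLE_ARGS[@]}"` would remove the need for the suppression, although the variable is populated outside this hunk, so that change would have to start in set-variable-args. The same unquoted expansion appears in the test.sh hunk that follows and in the destroy-workspace.sh and new-workspace.sh hunks of patch 3. This hunk also quotes `"$TOOL_COMMAND_NAME"` while the patch 3 hunks leave it unquoted; using one form throughout would keep the scripts consistent.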
@@ -0,0 +1,48 @@ +terraform { + backend "s3" { + bucket = var.state_bucket + key = "test-plan-early-eval" + region = "eu-west-2" + } +} + +provider "aws" { + region = "eu-west-2" +} + +variable "state_bucket" { + type = string +} + +variable "acm_certificate_version" { + type = string + default = "4.3.0" +} + +variable "passphrase" { + type = string + sensitive = true +} + +module "s3-bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = var.acm_certificate_version +} + +terraform { + encryption { + key_provider "pbkdf2" "my_passphrase" { + passphrase = var.passphrase + } + + method "aes_gcm" "my_method" { + keys = key_provider.pbkdf2.my_passphrase + } + + state { + method = method.aes_gcm.my_method + } + } + + required_version = "1.8.8" +} diff --git a/tests/workflows/test-plan/early-eval/tofu/terraform.tfvars b/tests/workflows/test-plan/early-eval/tofu/terraform.tfvars new file mode 100644 index 00000000..7f3ce5bc --- /dev/null +++ b/tests/workflows/test-plan/early-eval/tofu/terraform.tfvars @@ -0,0 +1 @@ +state_bucket = "terraform-github-actions" \ No newline at end of file From f81a5e47bc1c93c99fb70754bd98bd3760fb28fd Mon Sep 17 00:00:00 2001 From: Daniel Flook Date: Sat, 29 Mar 2025 12:34:16 +0000 Subject: [PATCH 2/7] Cope with connection errors to cloud backend during output operation --- image/tools/convert_output.py | 18 ++++++++++++- tests/test_output.py | 51 ++++++++++++++++++++++++++++++++--- 2 files changed, 64 insertions(+), 5 deletions(-) diff --git a/image/tools/convert_output.py b/image/tools/convert_output.py index 361a3f9f..bcfa67d3 100755 --- a/image/tools/convert_output.py +++ b/image/tools/convert_output.py 
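Review bot: The variable `acm_certificate_version` supplies the `version` of the `s3-bucket` module, so its name does not describe what it controls; `variable "module_version"` with `version = var.module_version` would read correctly. A short comment at the top of the file saying that `var.state_bucket`, the module version and `var.passphrase` are variables on purpose, to exercise early evaluation in the backend, module and encryption blocks, would explain why the fixture is shaped this way. The passphrase variable is marked `sensitive`, which is right, but note that the value supplied by the workflow is a committed literal.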
@@ -40,11 +40,27 @@ def convert_to_github(outputs: Dict) -> Iterable[Union[Mask, Output]]: yield Output(name, str(value)) +def read_input(s: str) -> dict: + """ + If there is a problem connecting to terraform, the output contains junk lines we need to skip over + """ + + # Remove any lines that don't start with a { + # This is because terraform sometimes outputs junk lines + # before the JSON output + lines = s.splitlines() + while lines and not lines[0].startswith('{'): + lines.pop(0) + + jstr = '\n'.join(lines) + return json.loads(jstr) + + if __name__ == '__main__': input_string = sys.stdin.read() try: - outputs = json.loads(input_string) + outputs = read_input(input_string) if not isinstance(outputs, dict): raise Exception('Unable to parse outputs') except: diff --git a/tests/test_output.py b/tests/test_output.py index 8c89dd10..cf395d0d 100644 --- a/tests/test_output.py +++ b/tests/test_output.py @@ -1,5 +1,5 @@ import json -from convert_output import convert_to_github, Mask, Output +from convert_output import convert_to_github, Mask, Output, read_input def test_string(): @@ -40,9 +40,11 @@ def test_number(): } } - expected_output = [Output(name='int', value='123'), - Mask(value='123'), - Output(name='sensitive_int', value='123')] + expected_output = [ + Output(name='int', value='123'), + Mask(value='123'), + Output(name='sensitive_int', value='123') + ] output = list(convert_to_github(input)) assert output == expected_output 
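Review bot: read_input only discards lines before the first one that starts with `{`, so a reconnect message printed after the JSON document, or a junk line that itself begins with `{`, still makes `json.loads` fail and sends the caller into its bare `except:`. If trailing output is possible, changing the last line to `return json.JSONDecoder().raw_decode(jstr)[0]` parses the first document and ignores what follows, and it still raises JSONDecodeError on empty or truncated input. Because this tool decides which values are emitted as `Mask`, it is worth checking that the `except:` branch (its body is outside the hunk) does not echo the raw input, since that input can contain sensitive output values. The docstring could also say that the result is whatever JSON value was decoded, not necessarily a dict, which is why the caller re-checks with `isinstance`.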
@@ -305,3 +307,44 @@ def test_compound(): output = list(convert_to_github(input)) assert output == expected_output + + +def test_read_input_with_junk_lines(): + input_string = ''' There was an error connecting to Terraform Cloud. Please do not exit +Terraform to prevent data loss! Trying to restore the connection... + +Still trying to restore the connection... (3s elapsed) +Still trying to restore the connection... (5s elapsed) +{ + "output1": {"type": "string", "value": "value1", "sensitive": false} +}''' + result = read_input(input_string) + assert result == { + "output1": {"type": "string", "value": "value1", "sensitive": False} + } + +def test_read_input_without_junk_lines(): + input_string = '''{ + "output1": {"type": "string", "value": "value1", "sensitive": false} +}''' + result = read_input(input_string) + assert result == { + "output1": {"type": "string", "value": "value1", "sensitive": False} + } + +def test_read_input_empty_string(): + input_string = '' + try: + read_input(input_string) + assert False, "Expected an exception" + except json.JSONDecodeError: + pass + +def test_read_input_invalid_json(): + input_string = '''{ + "output1": {"type": "string", "value": "value1", "sensitive": false''' + try: + read_input(input_string) + assert False, "Expected an exception" + except json.JSONDecodeError: + pass From d08c2dc52f84b8c5399a6863b5beb8ce365ccd2e Mon Sep 17 00:00:00 2001 From: Daniel Flook Date: Sat, 29 Mar 2025 13:21:41 +0000 Subject: [PATCH 3/7] Pass variables to workspace new/delete --- .github/workflows/test-early-eval.yaml | 24 ++++++++++++++++++ docs-gen/action.py | 5 +++- docs-gen/actions/destroy_workspace.py | 2 +- docs-gen/actions/new_workspace.py | 12 +++++++-- image/entrypoints/destroy-workspace.sh | 6 +++-- image/entrypoints/new-workspace.sh | 12 ++++++--- tofu-new-workspace/README.md | 34 ++++++++++++++++++++++++++ tofu-new-workspace/action.yaml | 11 +++++++++ 8 files changed, 96 insertions(+), 10 deletions(-) 
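Review bot: The added tests cover only junk before the JSON document; there is no case for junk lines after it or for a junk line that starts with `{`, which are the inputs most likely to defeat the prefix-stripping in read_input. The two failure tests use `try: ... assert False, "Expected an exception" ... except json.JSONDecodeError: pass`, which works but reads more directly as `with pytest.raises(json.JSONDecodeError): read_input(input_string)`; that would need `import pytest`, and only part of the file's import block is visible here.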
diff --git a/.github/workflows/test-early-eval.yaml b/.github/workflows/test-early-eval.yaml index a6d21d79..436fc3fa 100644 --- a/.github/workflows/test-early-eval.yaml +++ b/.github/workflows/test-early-eval.yaml @@ -26,3 +26,27 @@ jobs: add_github_comment: false variables: | passphrase = "tofuqwertyuiopasdfgh" + + - name: Create workspace + uses: ./terraform-new-workspace + with: + path: tests/workflows/test-new-workspace + workspace: test-workspace + variables: | + passphrase = "tofuqwertyuiopasdfgh" + + - name: Create workspace again + uses: ./terraform-new-workspace + with: + path: tests/workflows/test-new-workspace + workspace: test-workspace + variables: | + passphrase = "tofuqwertyuiopasdfgh" + + - name: Destroy workspace + uses: ./terraform-destroy-workspace + with: + path: tests/workflows/test-new-workspace + workspace: test-workspace + variables: | + passphrase = "tofuqwertyuiopasdfgh" diff --git a/docs-gen/action.py b/docs-gen/action.py index 0dbf45aa..d7f8105b 100644 --- a/docs-gen/action.py +++ b/docs-gen/action.py @@ -45,6 +45,7 @@ class Input: deprecation_message: str = None show_in_docs: bool = True example: str = None + available_in: list[Type[Terraform] | Type[OpenTofu]] = dataclasses.field(default_factory=lambda: [Terraform, OpenTofu]) def markdown(self, tool: Tool) -> str: if self.deprecation_message is None: @@ -226,6 +227,8 @@ def markdown(self, tool: Tool) -> str: for input in self.inputs: if not input.show_in_docs: continue + if tool not in input.available_in: + continue s += text_chunk(input.markdown(tool)) if self.outputs: @@ -264,7 +267,7 @@ def action_yaml(self, tool: Tool) -> str: if self.inputs: s += 'inputs:\n' - for input in self.inputs: + for input in (input for input in self.inputs if tool in input.available_in): s += f' {input.name}:\n' description = input.meta_description or input.description diff --git a/docs-gen/actions/destroy_workspace.py b/docs-gen/actions/destroy_workspace.py index 35ef297f..48975825 100644 
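Review bot: In action_yaml the filter is written as `for input in (input for input in self.inputs if tool in input.available_in):`, which reuses the name `input` at three levels and differs from the `if tool not in input.available_in: continue` guard the same commit adds to markdown(); using the guard clause in both places keeps the two renderers obviously in step. The new `available_in` field would benefit from a comment such as `# tools whose generated README and action.yaml include this input`, since the default of both tools is what leaves existing inputs unaffected. Both methods start outside their hunks, so any other place that iterates `self.inputs` is not visible here and should be checked for the same filter.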
--- a/docs-gen/actions/destroy_workspace.py +++ b/docs-gen/actions/destroy_workspace.py @@ -114,4 +114,4 @@ workspace: ${{ github.head_ref }} ``` ''' -) \ No newline at end of file +) diff --git a/docs-gen/actions/new_workspace.py b/docs-gen/actions/new_workspace.py index b917a82c..013bb889 100644 --- a/docs-gen/actions/new_workspace.py +++ b/docs-gen/actions/new_workspace.py @@ -1,6 +1,6 @@ import dataclasses -from action import Action +from action import Action, OpenTofu from environment_variables.GITHUB_DOT_COM_TOKEN import GITHUB_DOT_COM_TOKEN from environment_variables.TERRAFORM_CLOUD_TOKENS import TERRAFORM_CLOUD_TOKENS from environment_variables.TERRAFORM_HTTP_CREDENTIALS import TERRAFORM_HTTP_CREDENTIALS @@ -9,6 +9,8 @@ from inputs.backend_config import backend_config from inputs.backend_config_file import backend_config_file from inputs.path import path +from inputs.var_file import var_file +from inputs.variables import variables from inputs.workspace import workspace new_workspace = Action( @@ -19,6 +21,12 @@ inputs=[ path, dataclasses.replace(workspace, description='The name of the $ProductName workspace to create.', required=True, default=None), + dataclasses.replace(variables, description=''' + Variables to set when initializing $ProductName. This should be valid $ProductName syntax - like a [variable definition file]($VariableDefinitionUrl). + + Variables set here override any given in `var_file`s. + ''', available_in=[OpenTofu]), + dataclasses.replace(var_file, available_in=[OpenTofu]), backend_config, backend_config_file, ], @@ -62,4 +70,4 @@ auto_approve: true ``` ''' -) \ No newline at end of file +) diff --git a/image/entrypoints/destroy-workspace.sh b/image/entrypoints/destroy-workspace.sh index 59d76bc7..e465a601 100755 --- a/image/entrypoints/destroy-workspace.sh +++ b/image/entrypoints/destroy-workspace.sh 
@@ -35,6 +35,8 @@ else # We can't delete an active workspace, so re-initialize with a 'default' workspace (which may not exist) init-backend-default-workspace - debug_log terraform workspace delete -no-color -lock-timeout=300s "$INPUT_WORKSPACE" - (cd "$INPUT_PATH" && terraform workspace delete -no-color -lock-timeout=300s "$INPUT_WORKSPACE") + # shellcheck disable=SC2086 + debug_log $TOOL_COMMAND_NAME workspace delete $VARIABLE_ARGS -no-color -lock-timeout=300s "$INPUT_WORKSPACE" + # shellcheck disable=SC2086 + (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace delete $VARIABLE_ARGS -no-color -lock-timeout=300s "$INPUT_WORKSPACE") fi diff --git a/image/entrypoints/new-workspace.sh b/image/entrypoints/new-workspace.sh index e3ee676e..5fda4ec0 100755 --- a/image/entrypoints/new-workspace.sh +++ b/image/entrypoints/new-workspace.sh @@ -14,7 +14,8 @@ fi init-backend-default-workspace set +e -(cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace list -no-color) \ +# shellcheck disable=SC2086 +(cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace list $VARIABLE_ARGS -no-color) \ 2>"$STEP_TMP_DIR/terraform_workspace_list.stderr" \ >"$STEP_TMP_DIR/terraform_workspace_list.stdout" 
@@ -32,12 +33,14 @@ fi if workspace_exists "$INPUT_WORKSPACE" <"$STEP_TMP_DIR/terraform_workspace_list.stdout"; then echo "Workspace appears to exist, selecting it" - (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace select -no-color "$INPUT_WORKSPACE") + # shellcheck disable=SC2086 + (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace select $VARIABLE_ARGS -no-color "$INPUT_WORKSPACE") else echo "Workspace does not appear to exist, attempting to create it" set +e - (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace new -no-color -lock-timeout=300s "$INPUT_WORKSPACE") \ + # shellcheck disable=SC2086 + (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace new $VARIABLE_ARGS -no-color -lock-timeout=300s "$INPUT_WORKSPACE") \ 2>"$STEP_TMP_DIR/terraform_workspace_new.stderr" \ >"$STEP_TMP_DIR/terraform_workspace_new.stdout" @@ -52,7 +55,8 @@ else if grep -Fq "already exists" "$STEP_TMP_DIR/terraform_workspace_new.stderr"; then echo "Workspace does exist, selecting it" - (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace select -no-color "$INPUT_WORKSPACE") + # shellcheck disable=SC2086 + (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace select $VARIABLE_ARGS -no-color "$INPUT_WORKSPACE") else cat "$STEP_TMP_DIR/terraform_workspace_new.stderr" cat "$STEP_TMP_DIR/terraform_workspace_new.stdout" diff --git a/tofu-new-workspace/README.md b/tofu-new-workspace/README.md index a872f7fb..6b6efee0 100644 --- a/tofu-new-workspace/README.md +++ b/tofu-new-workspace/README.md 
@@ -21,6 +21,40 @@ Creates a new OpenTofu workspace. If the workspace already exists, succeeds with - Type: string - Required +* `variables` + + Variables to set when initializing OpenTofu. This should be valid OpenTofu syntax - like a [variable definition file](https://opentofu.org/docs/language/values/variables/#variable-definitions-tfvars-files). + + Variables set here override any given in `var_file`s. + + ```yaml + with: + variables: | + image_id = "${{ secrets.AMI_ID }}" + availability_zone_names = [ + "us-east-1a", + "us-west-1c", + ] + ``` + + - Type: string + - Optional + +* `var_file` + + List of tfvars files to use, one per line. + Paths should be relative to the GitHub Actions workspace + + ```yaml + with: + var_file: | + common.tfvars + prod.tfvars + ``` + + - Type: string + - Optional + * `backend_config` List of OpenTofu backend config values, one per line. diff --git a/tofu-new-workspace/action.yaml b/tofu-new-workspace/action.yaml index 789cd3cd..28d68659 100644 --- a/tofu-new-workspace/action.yaml +++ b/tofu-new-workspace/action.yaml @@ -10,6 +10,17 @@ inputs: workspace: description: The name of the OpenTofu workspace to create. required: true + variables: + description: | + Variables to set when initializing OpenTofu. This should be valid OpenTofu syntax - like a [variable definition file](https://opentofu.org/docs/language/values/variables/#variable-definitions-tfvars-files). + + Variables set here override any given in `var_file`s. + required: false + var_file: + description: | + List of tfvars files to use, one per line. + Paths should be relative to the GitHub Actions workspace + required: false backend_config: description: List of OpenTofu backend config values, one per line. required: false From bfc38ba37c05ca75a03d2f7c7d11cf35bc1fc5e4 Mon Sep 17 00:00:00 2001 
From: Daniel Flook Date: Sat, 29 Mar 2025 13:35:52 +0000 Subject: [PATCH 4/7] Pass variables to workspace new/delete --- .github/workflows/test-early-eval.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/test-early-eval.yaml b/.github/workflows/test-early-eval.yaml index 436fc3fa..1ac9f8e3 100644 --- a/.github/workflows/test-early-eval.yaml +++ b/.github/workflows/test-early-eval.yaml @@ -28,7 +28,7 @@ jobs: passphrase = "tofuqwertyuiopasdfgh" - name: Create workspace - uses: ./terraform-new-workspace + uses: ./tofu-new-workspace with: path: tests/workflows/test-new-workspace workspace: test-workspace @@ -36,7 +36,7 @@ jobs: passphrase = "tofuqwertyuiopasdfgh" - name: Create workspace again - uses: ./terraform-new-workspace + uses: ./tofu-new-workspace with: path: tests/workflows/test-new-workspace workspace: test-workspace @@ -44,7 +44,7 @@ jobs: passphrase = "tofuqwertyuiopasdfgh" - name: Destroy workspace - uses: ./terraform-destroy-workspace + uses: ./tofu-destroy-workspace with: path: tests/workflows/test-new-workspace workspace: test-workspace From 022067b38ded01be7d0dfa7183aac94f40bce725 Mon Sep 17 00:00:00 2001 From: Daniel Flook Date: Sat, 29 Mar 2025 13:51:07 +0000 Subject: [PATCH 5/7] Pass variables to workspace new/delete --- .github/workflows/test-early-eval.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/test-early-eval.yaml b/.github/workflows/test-early-eval.yaml index 1ac9f8e3..a70e5832 100644 --- a/.github/workflows/test-early-eval.yaml +++ b/.github/workflows/test-early-eval.yaml @@ -30,7 +30,7 @@ jobs: - name: Create workspace uses: ./tofu-new-workspace with: - path: tests/workflows/test-new-workspace + path: tests/workflows/test-plan/early-eval/tofu workspace: test-workspace variables: | passphrase = "tofuqwertyuiopasdfgh" 
@@ -38,7 +38,7 @@ jobs: - name: Create workspace again uses: ./tofu-new-workspace with: - path: tests/workflows/test-new-workspace + path: tests/workflows/test-plan/early-eval/tofu workspace: test-workspace variables: | passphrase = "tofuqwertyuiopasdfgh" @@ -46,7 +46,7 @@ jobs: - name: Destroy workspace uses: ./tofu-destroy-workspace with: - path: tests/workflows/test-new-workspace + path: tests/workflows/test-plan/early-eval/tofu workspace: test-workspace variables: | passphrase = "tofuqwertyuiopasdfgh" From fd8d536946a81356c34086cc1b61d56bc3b8d88d Mon Sep 17 00:00:00 2001 From: Daniel Flook Date: Sat, 29 Mar 2025 14:04:35 +0000 Subject: [PATCH 6/7] Pass variables to workspace new/delete --- .github/workflows/test-early-eval.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/test-early-eval.yaml b/.github/workflows/test-early-eval.yaml index a70e5832..006270eb 100644 --- a/.github/workflows/test-early-eval.yaml +++ b/.github/workflows/test-early-eval.yaml @@ -10,6 +10,9 @@ jobs: plan: runs-on: ubuntu-24.04 name: Plan with early eval + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} steps: - name: Checkout uses: actions/checkout@v4 @@ -18,9 +21,6 @@ jobs: - name: terraform plan uses: ./tofu-plan - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} with: path: tests/workflows/test-plan/early-eval/tofu add_github_comment: false From 18c685876a505db2c3ac4bb4c0422629e30fd190 Mon Sep 17 00:00:00 2001 
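Review bot: Moving `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` from the plan step's `env` to the job-level `env` (the `@@ -10,6 +10,9 @@` hunk and the one after it) makes the credentials visible to every step in the job, including `actions/checkout@v4`, which does not need them. Keeping the `env` block on the steps that talk to the backend (plan, the two create-workspace steps and destroy) is more repetitive but limits where the secrets are exposed. If job-level scope is kept for brevity, referencing the checkout action by a full commit SHA instead of the `v4` tag reduces the risk that comes with the wider exposure.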
From: Daniel Flook Date: Sat, 29 Mar 2025 14:44:33 +0000 Subject: [PATCH 7/7] Test early eval with remote workspaces --- .github/workflows/test-early-eval.yaml | 47 ++++++++++++++++--- .../tofu => test-early-eval/s3}/main.tf | 0 .../s3}/terraform.tfvars | 0 tests/workflows/test-early-eval/scalr/main.tf | 47 +++++++++++++++++++ 4 files changed, 88 insertions(+), 6 deletions(-) rename tests/workflows/{test-plan/early-eval/tofu => test-early-eval/s3}/main.tf (100%) rename tests/workflows/{test-plan/early-eval/tofu => test-early-eval/s3}/terraform.tfvars (100%) create mode 100644 tests/workflows/test-early-eval/scalr/main.tf diff --git a/.github/workflows/test-early-eval.yaml b/.github/workflows/test-early-eval.yaml index 006270eb..cbbd92c8 100644 --- a/.github/workflows/test-early-eval.yaml +++ b/.github/workflows/test-early-eval.yaml @@ -7,7 +7,7 @@ permissions: contents: read jobs: - plan: + s3-backend: runs-on: ubuntu-24.04 name: Plan with early eval env: @@ -19,10 +19,10 @@ jobs: with: persist-credentials: false - - name: terraform plan + - name: tofu plan uses: ./tofu-plan with: - path: tests/workflows/test-plan/early-eval/tofu + path: tests/workflows/test-early-eval/s3 add_github_comment: false variables: | passphrase = "tofuqwertyuiopasdfgh" @@ -30,7 +30,7 @@ jobs: - name: Create workspace uses: ./tofu-new-workspace with: - path: tests/workflows/test-plan/early-eval/tofu + path: tests/workflows/test-early-eval/s3 workspace: test-workspace variables: | passphrase = "tofuqwertyuiopasdfgh" @@ -38,7 +38,7 @@ jobs: - name: Create workspace again uses: ./tofu-new-workspace with: - path: tests/workflows/test-plan/early-eval/tofu + path: tests/workflows/test-early-eval/s3 workspace: test-workspace variables: | passphrase = "tofuqwertyuiopasdfgh" 
@@ -46,7 +46,42 @@ jobs: - name: Destroy workspace uses: ./tofu-destroy-workspace with: - path: tests/workflows/test-plan/early-eval/tofu + path: tests/workflows/test-early-eval/s3 workspace: test-workspace variables: | passphrase = "tofuqwertyuiopasdfgh" + + remote-backend: + runs-on: ubuntu-24.04 + name: Remote plan with early eval + env: + TERRAFORM_CLOUD_TOKENS: dflook.scalr.io=${{ secrets.SCALR_TOKEN }} + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: Create workspace + uses: ./tofu-new-workspace + with: + path: tests/workflows/test-early-eval/scalr + workspace: ${{ github.head_ref }}-early-eval + variables: | + passphrase = "tofuqwertyuiopasdfgh" + + - name: Create workspace again + uses: ./tofu-new-workspace + with: + path: tests/workflows/test-early-eval/scalr + workspace: ${{ github.head_ref }}-early-eval + variables: | + passphrase = "tofuqwertyuiopasdfgh" + + - name: Destroy workspace + uses: ./tofu-destroy-workspace + with: + path: tests/workflows/test-early-eval/scalr + workspace: ${{ github.head_ref }}-early-eval + variables: | + passphrase = "tofuqwertyuiopasdfgh" diff --git a/tests/workflows/test-plan/early-eval/tofu/main.tf b/tests/workflows/test-early-eval/s3/main.tf similarity index 100% rename from tests/workflows/test-plan/early-eval/tofu/main.tf rename to tests/workflows/test-early-eval/s3/main.tf diff --git a/tests/workflows/test-plan/early-eval/tofu/terraform.tfvars b/tests/workflows/test-early-eval/s3/terraform.tfvars similarity index 100% rename from tests/workflows/test-plan/early-eval/tofu/terraform.tfvars rename to tests/workflows/test-early-eval/s3/terraform.tfvars diff --git a/tests/workflows/test-early-eval/scalr/main.tf b/tests/workflows/test-early-eval/scalr/main.tf new file mode 100644 index 00000000..f59ea946 --- /dev/null +++ b/tests/workflows/test-early-eval/scalr/main.tf 
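Review bot: In the new `remote-backend` job the workspace name is built from `${{ github.head_ref }}`, which is chosen by whoever opens the pull request. The scripts in this series pass `$INPUT_WORKSPACE` quoted, but the value still reaches the backend as a workspace name, so a branch name containing `/` or other characters the backend rejects fails the job, and two runs for the same branch operate on the same workspace at once; a name derived from `${{ github.run_id }}` would avoid both. The `Destroy workspace` step has no `if: always()`, so a failure in either create step leaves the workspace behind in the remote organization. As in the s3 job, `TERRAFORM_CLOUD_TOKENS` is set at job level and is therefore visible to the checkout step as well.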
@@ -0,0 +1,47 @@ +terraform { + backend "remote" { + hostname = "dflook.scalr.io" + organization = "Environment-A" + + workspaces { + prefix = "scalr-" + } + } +} + +provider "aws" { + region = "eu-west-2" +} + +variable "module_version" { + type = string + default = "4.3.0" +} + +variable "passphrase" { + type = string + sensitive = true +} + +module "s3-bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = var.module_version +} + +terraform { + encryption { + key_provider "pbkdf2" "my_passphrase" { + passphrase = var.passphrase + } + + method "aes_gcm" "my_method" { + keys = key_provider.pbkdf2.my_passphrase + } + + state { + method = method.aes_gcm.my_method + } + } + + required_version = "1.8.8" +}