From 05e863aef49b9495091fe4d1f94a87e438aabffe Mon Sep 17 00:00:00 2001 From: Daniel Flook Date: Thu, 29 May 2025 14:33:19 +0100 Subject: [PATCH 1/2] Refactor variables inputs --- .github/actionlint.yaml | 6 + .github/workflows/test-apply.yaml | 37 ++--- .github/workflows/test-plan.yaml | 11 ++ docs-gen/inputs/var.py | 3 +- image/actions.sh | 176 +++++++++--------------- image/entrypoints/apply.sh | 32 +---- image/entrypoints/check.sh | 1 - image/entrypoints/destroy-workspace.sh | 11 +- image/entrypoints/destroy.sh | 7 - image/entrypoints/new-workspace.sh | 8 +- image/entrypoints/plan.sh | 3 +- image/entrypoints/refresh.sh | 5 +- image/entrypoints/test.sh | 5 +- image/entrypoints/validate.sh | 2 +- image/src/github_actions/inputs.py | 1 - image/src/github_pr_comment/__main__.py | 10 -- terraform-apply/action.yaml | 11 -- terraform-check/action.yaml | 11 -- terraform-destroy-workspace/action.yaml | 11 -- terraform-destroy/action.yaml | 11 -- terraform-plan/action.yaml | 11 -- tofu-apply/action.yaml | 11 -- tofu-check/action.yaml | 11 -- tofu-destroy-workspace/action.yaml | 11 -- tofu-destroy/action.yaml | 11 -- tofu-plan/action.yaml | 11 -- 26 files changed, 108 insertions(+), 320 deletions(-) diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml index 7f91124b..1bafb250 100644 --- a/.github/actionlint.yaml +++ b/.github/actionlint.yaml @@ -41,3 +41,9 @@ paths: ignore: - 'property "random" is not defined in object type' - 'property "acme" is not defined in object type' + .github/workflows/test-apply.yaml: + ignore: + - 'input "var" is not defined in action "terraform-apply"' + .github/workflows/test-plan.yaml: + ignore: + - 'input "var" is not defined in action "terraform-plan"' diff --git a/.github/workflows/test-apply.yaml b/.github/workflows/test-apply.yaml index 0e253e54..d3d4cfa3 100644 --- a/.github/workflows/test-apply.yaml +++ b/.github/workflows/test-apply.yaml 
@@ -928,7 +928,7 @@ jobs: apply_vars: runs-on: ubuntu-24.04 - name: Apply approved changes with deprecated vars + name: Apply changes with deprecated var permissions: contents: read pull-requests: write @@ -940,43 +940,22 @@ jobs: with: persist-credentials: false - - name: Plan - uses: ./terraform-plan - with: - path: tests/workflows/test-apply/deprecated_var - var: my_var=hello - var_file: tests/workflows/test-apply/test.tfvars - - name: Apply uses: ./terraform-apply - id: output + id: apply + continue-on-error: true with: path: tests/workflows/test-apply/deprecated_var var: my_var=hello var_file: tests/workflows/test-apply/test.tfvars + auto_approve: true - - name: Verify outputs + - name: Check invalid env: - OUTPUT_STRING: ${{ steps.output.outputs.output_string }} - FROM_VAR: ${{ steps.output.outputs.from_var }} - FROM_VARFILE: ${{ steps.output.outputs.from_varfile }} - RUN_ID: ${{ steps.output.outputs.run_id }} + APPLY_OUTCOME: ${{ steps.apply.outcome }} run: | - if [[ "$OUTPUT_STRING" != "the_string" ]]; then - echo "::error:: output s not set correctly" - exit 1 - fi - if [[ "$FROM_VAR" != "this should be overridden" ]]; then - echo "::error:: output from_var not set correctly" - exit 1 - fi - if [[ "$FROM_VARFILE" != "monkey" ]]; then - echo "::error:: output from_varfile not set correctly" - exit 1 - fi - - if [[ -n "$RUN_ID" ]]; then - echo "::error:: run_id should not be set" + if [[ "$APPLY_OUTCOME" != "failure" ]]; then + echo "Using removed var input did not fail correctly." exit 1 fi diff --git a/.github/workflows/test-plan.yaml b/.github/workflows/test-plan.yaml index 171b49b3..1c30ac69 100644 --- a/.github/workflows/test-plan.yaml +++ b/.github/workflows/test-plan.yaml 
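Review bot: The new `Check invalid` step only tests `steps.apply.outcome != "failure"`, so the job passes on any failure of the apply step, including ones unrelated to the removed `var` input (an init error, a missing var file). A regression in the `INPUT_VAR` guard could then be masked by an unrelated failure. If the action can expose a distinguishing signal for this rejection, asserting on it here would make the test specific to the guard. The same applies to the `Check invalid` step added in `.github/workflows/test-plan.yaml`.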
@@ -922,10 +922,21 @@ jobs: - name: Plan uses: ./terraform-plan + id: plan + continue-on-error: true with: path: tests/workflows/test-plan/sensitive_var var: my_sensitive_var=hello + - name: Check invalid + env: + PLAN_OUTCOME: ${{ steps.plan.outcome }} + run: | + if [[ "$PLAN_OUTCOME" != "failure" ]]; then + echo "Using removed var input did not fail correctly." + exit 1 + fi + plan_change_run_commands: runs-on: ubuntu-24.04 name: Change with shell init commands diff --git a/docs-gen/inputs/var.py b/docs-gen/inputs/var.py index 022ddcb4..0655b31e 100644 --- a/docs-gen/inputs/var.py +++ b/docs-gen/inputs/var.py @@ -5,7 +5,7 @@ type='string', description=''' Comma separated list of $ProductName vars to set. -This is deprecated due to the following limitations: +This has been removed due to the following limitations: - Only primitive types can be set with `var` - number, bool and string. - String values may not contain a comma. - Values set with `var` will be overridden by values contained in `var_file`s @@ -27,6 +27,7 @@ ''', required=False, deprecation_message='Use the variables input instead.', + available_in=[], #default='', show_in_docs=False ) diff --git a/image/actions.sh b/image/actions.sh index f7bb4cb4..79db6ef5 100644 --- a/image/actions.sh +++ b/image/actions.sh @@ -81,8 +81,6 @@ function detect-tfmask() { if ! hash tfmask 2>/dev/null; then TFMASK="cat" fi - - export TFMASK } function execute_run_commands() { 
@@ -163,6 +161,30 @@ function relative_to() { realpath --no-symlinks --canonicalize-missing --relative-to="$absbase" "$relpath" } +function set-init-args() { + INIT_ARGS="" + + if [[ -n "${INPUT_BACKEND_CONFIG_FILE:-}" ]]; then + for file in $(echo "$INPUT_BACKEND_CONFIG_FILE" | tr ',' '\n'); do + + if [[ ! -f "$file" ]]; then + error_log "Path does not exist: \"$file\"" + exit 1 + fi + + INIT_ARGS="$INIT_ARGS -backend-config=$(relative_to "$INPUT_PATH" "$file")" + done + fi + + if [[ -n "${INPUT_BACKEND_CONFIG:-}" ]]; then + for config in $(echo "$INPUT_BACKEND_CONFIG" | tr ',' '\n'); do + INIT_ARGS="$INIT_ARGS -backend-config=$config" + done + fi + + create-auto-tfvars +} + ## # Initialize terraform without a backend # @@ -174,9 +196,9 @@ function init() { rm -rf "$TF_DATA_DIR" # shellcheck disable=SC2086 - debug_log "$TOOL_COMMAND_NAME" init -input=false -backend=false $EARLY_VARIABLE_ARGS + debug_log "$TOOL_COMMAND_NAME" init -input=false -backend=false # shellcheck disable=SC2086 - (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME init -input=false -backend=false $EARLY_VARIABLE_ARGS) + (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME init -input=false -backend=false) end_group } 
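Review bot: `set-init-args` now ends by calling `create-auto-tfvars`, so building the init arguments also writes the `variables` input into `$INPUT_PATH`, and nothing visible in this patch removes it on an error path. One such path is the `exit 1` in `create-auto-tfvars` when a later var file is missing. The `variables` input can carry secret values and was previously written to `$STEP_TMP_DIR`; left in the checked-out module directory it is visible to any later workflow step that uploads or commits the workspace. It also departs from the comment further down actions.sh that every file written to disk should use one of the temp directories. Registering cleanup straight after the call, e.g. `trap delete-auto-tfvars EXIT`, would cover the failure paths, unless an EXIT trap elsewhere in the file already does so; a header comment on `set-init-args` should mention that it creates files.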
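Review bot: The `# shellcheck disable=SC2086` directive above `debug_log "$TOOL_COMMAND_NAME" init -input=false -backend=false` in `init()` is now stale, because removing `$EARLY_VARIABLE_ARGS` left no unquoted expansion on that line. Stale suppressions hide future quoting mistakes, so I would drop the directive there and keep it only on the subshell line that still expands `$TOOL_COMMAND_NAME` unquoted. The same applies to the `debug_log` lines in `init-test`, `select-workspace`, `output` and `force_unlock` in later hunks.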
@@ -194,51 +216,19 @@ function init-test() { if [[ -n "$INPUT_TEST_DIRECTORY" ]]; then # shellcheck disable=SC2086 - debug_log "$TOOL_COMMAND_NAME" init -input=false -backend=false $EARLY_VARIABLE_ARGS -test-directory "$INPUT_TEST_DIRECTORY" + debug_log "$TOOL_COMMAND_NAME" init -input=false -backend=false -test-directory "$INPUT_TEST_DIRECTORY" # shellcheck disable=SC2086 - (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME init -input=false -backend=false $EARLY_VARIABLE_ARGS -test-directory "$INPUT_TEST_DIRECTORY") + (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME init -input=false -backend=false -test-directory "$INPUT_TEST_DIRECTORY") else # shellcheck disable=SC2086 - debug_log "$TOOL_COMMAND_NAME" init -input=false -backend=false $EARLY_VARIABLE_ARGS + debug_log "$TOOL_COMMAND_NAME" init -input=false -backend=false # shellcheck disable=SC2086 - (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME init -input=false -backend=false $EARLY_VARIABLE_ARGS) + (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME init -input=false -backend=false) fi end_group } -function set-init-args() { - INIT_ARGS="" - - if [[ -n "${INPUT_BACKEND_CONFIG_FILE:-}" ]]; then - for file in $(echo "$INPUT_BACKEND_CONFIG_FILE" | tr ',' '\n'); do - - if [[ ! -f "$file" ]]; then - error_log "Path does not exist: \"$file\"" - exit 1 - fi - - INIT_ARGS="$INIT_ARGS -backend-config=$(relative_to "$INPUT_PATH" "$file")" - done - fi - - if [[ -n "${INPUT_BACKEND_CONFIG:-}" ]]; then - for config in $(echo "$INPUT_BACKEND_CONFIG" | tr ',' '\n'); do - INIT_ARGS="$INIT_ARGS -backend-config=$config" - done - fi - - if [[ -v OPENTOFU && $TERRAFORM_VER_MINOR -ge 8 ]]; then - debug_log "Preparing variables for early evaluation" - set-variable-args - EARLY_VARIABLE_ARGS=$VARIABLE_ARGS - else - EARLY_VARIABLE_ARGS="" - fi - - export INIT_ARGS -} - ## # Initialize the backend for a specific workspace # 
@@ -251,11 +241,11 @@ function init-backend-workspace() { rm -rf "$TF_DATA_DIR" # shellcheck disable=SC2016,SC2086 - debug_log TF_WORKSPACE="$INPUT_WORKSPACE" "$TOOL_COMMAND_NAME" init -input=false '$INIT_ARGS' $EARLY_VARIABLE_ARGS # don't expand INIT_ARGS + debug_log TF_WORKSPACE="$INPUT_WORKSPACE" "$TOOL_COMMAND_NAME" init -input=false '$INIT_ARGS' # don't expand INIT_ARGS set +e # shellcheck disable=SC2086 - (cd "$INPUT_PATH" && TF_WORKSPACE=$INPUT_WORKSPACE $TOOL_COMMAND_NAME init -input=false $INIT_ARGS $EARLY_VARIABLE_ARGS \ + (cd "$INPUT_PATH" && TF_WORKSPACE=$INPUT_WORKSPACE $TOOL_COMMAND_NAME init -input=false $INIT_ARGS \ 2>"$STEP_TMP_DIR/terraform_init.stderr") local INIT_EXIT=$? @@ -292,10 +282,10 @@ function init-backend-default-workspace() { rm -rf "$TF_DATA_DIR" # shellcheck disable=SC2016,SC2086 - debug_log "$TOOL_COMMAND_NAME" init -input=false '$INIT_ARGS' $EARLY_VARIABLE_ARGS # don't expand INIT_ARGS + debug_log "$TOOL_COMMAND_NAME" init -input=false '$INIT_ARGS' # don't expand INIT_ARGS set +e # shellcheck disable=SC2086 - (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME init -input=false $INIT_ARGS $EARLY_VARIABLE_ARGS \ + (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME init -input=false $INIT_ARGS \ 2>"$STEP_TMP_DIR/terraform_init.stderr") local INIT_EXIT=$? @@ -321,11 +311,11 @@ function select-workspace() { local WORKSPACE_EXIT # shellcheck disable=SC2086 - debug_log "$TOOL_COMMAND_NAME" workspace select $EARLY_VARIABLE_ARGS "$INPUT_WORKSPACE" + debug_log "$TOOL_COMMAND_NAME" workspace select "$INPUT_WORKSPACE" set +e # shellcheck disable=SC2086 - (cd "$INPUT_PATH" && "$TOOL_COMMAND_NAME" workspace select $EARLY_VARIABLE_ARGS "$INPUT_WORKSPACE") >"$STEP_TMP_DIR/workspace_select" 2>&1 + (cd "$INPUT_PATH" && "$TOOL_COMMAND_NAME" workspace select "$INPUT_WORKSPACE") >"$STEP_TMP_DIR/workspace_select" 2>&1 WORKSPACE_EXIT=$? set -e 
@@ -389,87 +379,49 @@ function set-common-plan-args() { fi } -function set-variable-args() { - VARIABLE_ARGS="" - - if [[ -n "${INPUT_VAR_FILE:-}" ]]; then - for file in $(echo "$INPUT_VAR_FILE" | tr ',' '\n'); do - - if [[ ! -f "$file" ]]; then - error_log "Path does not exist: \"$file\"" - exit 1 - fi - - VARIABLE_ARGS="$VARIABLE_ARGS -var-file=$(relative_to "$INPUT_PATH" "$file")" - done - fi - - if [[ -n "${INPUT_VARIABLES:-}" ]]; then - echo "$INPUT_VARIABLES" >"$STEP_TMP_DIR/variables.tfvars" - VARIABLE_ARGS="$VARIABLE_ARGS -var-file=$STEP_TMP_DIR/variables.tfvars" - fi -} - -function set-deprecated-var-args() { - DEPRECATED_VAR_ARGS="" - - if [[ -n "$INPUT_VAR" ]]; then - for var in $(echo "$INPUT_VAR" | tr ',' '\n'); do - DEPRECATED_VAR_ARGS="$DEPRECATED_VAR_ARGS -var $var" - done - fi -} - -function masked-deprecated-vars() { - if [[ -n "$DEPRECATED_VAR_ARGS" ]]; then - echo "-var " - else - echo "" - fi -} - function set-plan-args() { set-common-plan-args - set-deprecated-var-args - set-variable-args - export PLAN_ARGS + if [[ -n "${INPUT_VAR:-}" ]]; then + error_log "The var input has been removed. Use the variables input instead. See https://github.com/dflook/terraform-github-actions/blob/main/CHANGELOG.md" + exit 1 + fi } function create-auto-tfvars() { local AUTO_TFVARS_COUNTER=0 - if [[ -n "$INPUT_VAR_FILE" ]]; then - for file in $(echo "$INPUT_VAR_FILE" | tr ',' '\n'); do - cp "$file" "$INPUT_PATH/zzzz-dflook-terraform-github-actions-$AUTO_TFVARS_COUNTER.auto.tfvars" + if [[ -n "${INPUT_VAR_FILE:-}" ]]; then + for file_path in $(echo "$INPUT_VAR_FILE" | tr ',' '\n'); do + if [[ ! 
-f "$file_path" ]]; then + error_log "Path does not exist: \"$file_path\"" + exit 1 + fi + + local file_name="${file_path##*/}" + local name="${file_name%.tfvars}" + + debug_log "Creating autoloading tfvars file for $file_path: zzzz-dflook-terraform-github-actions-$AUTO_TFVARS_COUNTER.$name.auto.tfvars" + cp "$file_path" "$INPUT_PATH/zzzz-dflook-terraform-github-actions-$AUTO_TFVARS_COUNTER.$name.auto.tfvars" AUTO_TFVARS_COUNTER=$((AUTO_TFVARS_COUNTER + 1)) done fi - if [[ -n "$INPUT_VARIABLES" ]]; then - cp "$STEP_TMP_DIR/variables.tfvars" "$INPUT_PATH/zzzz-dflook-terraform-github-actions-$AUTO_TFVARS_COUNTER.auto.tfvars" + if [[ -n "${INPUT_VARIABLES:-}" ]]; then + debug_log "Creating autoloading tfvars file for the variables input: zzzz-dflook-terraform-github-actions-$AUTO_TFVARS_COUNTER.auto.tfvars" + echo "$INPUT_VARIABLES" >"$INPUT_PATH/zzzz-dflook-terraform-github-actions-$AUTO_TFVARS_COUNTER.auto.tfvars" fi } function delete-auto-tfvars() { - debug_cmd find "$INPUT_PATH" -regex '.*/zzzz-dflook-terraform-github-actions-[0-9]+\.auto\.tfvars' -print -delete || true -} - -function set-remote-plan-args() { - set-common-plan-args - VARIABLE_ARGS="" - DEPRECATED_VAR_ARGS="" - - create-auto-tfvars - - export PLAN_ARGS + debug_cmd find "$INPUT_PATH" -regex '.*/zzzz-dflook-terraform-github-actions-[0-9]+.*\.auto\.tfvars' -print -delete || true } function output() { # shellcheck disable=SC2086 - debug_log "$TOOL_COMMAND_NAME" output -json $EARLY_VARIABLE_ARGS + debug_log "$TOOL_COMMAND_NAME" output -json # shellcheck disable=SC2086 - (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME output -json $EARLY_VARIABLE_ARGS | tee "$STEP_TMP_DIR/terraform_output.json" | convert_output) + (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME output -json | tee "$STEP_TMP_DIR/terraform_output.json" | convert_output) } function random_string() { 
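Review bot: With `create-auto-tfvars` now the only route for `var_file` and `variables`, these inputs lose the command-line precedence that `-var-file` gave them. Auto tfvars files are loaded in lexical order, so any `*.auto.tfvars` already in `$INPUT_PATH` whose name sorts after the `zzzz-dflook-terraform-github-actions-` prefix overrides what the workflow supplied. If workflow inputs are meant to be authoritative over repository contents, the function should detect such files and fail, or the new precedence should at least be documented. Separately, `${file_name%.tfvars}` leaves a `.tfvars.json` input with an `.auto.tfvars` suffix, so it would presumably be parsed as HCL rather than JSON, and the loop still word-splits and glob-expands the unquoted `$(echo "$INPUT_VAR_FILE" | tr ',' '\n')`. In `delete-auto-tfvars` the widened `.*` also matches `/`; `[0-9]+[^/]*\.auto\.tfvars` would keep the deletion to a single file name, and `printf '%s\n' "$INPUT_VARIABLES"` is safer than `echo` for arbitrary content.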
@@ -521,11 +473,11 @@ function plan() { fi # shellcheck disable=SC2086 - debug_log $TOOL_COMMAND_NAME plan -input=false -no-color -detailed-exitcode -lock-timeout=300s $PARALLEL_ARG $PLAN_OUT_ARG $PLAN_ARGS "$(masked-deprecated-vars)" $VARIABLE_ARGS + debug_log $TOOL_COMMAND_NAME plan -input=false -no-color -detailed-exitcode -lock-timeout=300s $PARALLEL_ARG $PLAN_OUT_ARG $PLAN_ARGS set +e # shellcheck disable=SC2086 - (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME plan -input=false -no-color -detailed-exitcode -lock-timeout=300s $PARALLEL_ARG $PLAN_OUT_ARG $PLAN_ARGS $DEPRECATED_VAR_ARGS $VARIABLE_ARGS ) \ + (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME plan -input=false -no-color -detailed-exitcode -lock-timeout=300s $PARALLEL_ARG $PLAN_OUT_ARG $PLAN_ARGS) \ 2>"$STEP_TMP_DIR/terraform_plan.stderr" \ | $TFMASK \ | tee /dev/fd/3 "$STEP_TMP_DIR/terraform_plan.stdout" \ @@ -549,11 +501,11 @@ function plan() { function destroy() { # shellcheck disable=SC2086 - debug_log $TOOL_COMMAND_NAME destroy -input=false -no-color -auto-approve -lock-timeout=300s $PARALLEL_ARG $PLAN_ARGS "$(masked-deprecated-vars)" $VARIABLE_ARGS + debug_log $TOOL_COMMAND_NAME destroy -input=false -no-color -auto-approve -lock-timeout=300s $PARALLEL_ARG $PLAN_ARGS set +e # shellcheck disable=SC2086 - (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME destroy -input=false -no-color -auto-approve -lock-timeout=300s $PARALLEL_ARG $PLAN_ARGS $DEPRECATED_VAR_ARGS $VARIABLE_ARGS) \ + (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME destroy -input=false -no-color -auto-approve -lock-timeout=300s $PARALLEL_ARG $PLAN_ARGS) \ 2>"$STEP_TMP_DIR/terraform_destroy.stderr" \ | tee /dev/fd/3 \ >"$STEP_TMP_DIR/terraform_destroy.stdout" 
@@ -566,9 +518,9 @@ function destroy() { function force_unlock() { echo "Unlocking state with ID: $INPUT_LOCK_ID" # shellcheck disable=SC2086 - debug_log "$TOOL_COMMAND_NAME" force-unlock -force $EARLY_VARIABLE_ARGS "$INPUT_LOCK_ID" + debug_log "$TOOL_COMMAND_NAME" force-unlock -force "$INPUT_LOCK_ID" # shellcheck disable=SC2086 - (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME force-unlock -force $EARLY_VARIABLE_ARGS "$INPUT_LOCK_ID") + (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME force-unlock -force "$INPUT_LOCK_ID") } # Every file written to disk should use one of these directories diff --git a/image/entrypoints/apply.sh b/image/entrypoints/apply.sh index 6cd33f56..ed385b23 100755 --- a/image/entrypoints/apply.sh +++ b/image/entrypoints/apply.sh 
@@ -32,28 +32,11 @@ function apply() { if [[ -n "$PLAN_OUT" ]]; then - # With Terrraform >= 1.10 Ephemeral variables must be specified again in the apply command. - # Non-ephemeral variables may be specified again, but may not be different from the plan. - # Terraform < 1.1.0 must not specify any variables when applying a saved plan. - - SAVED_PLAN_VARIABLES="" - if [[ "$TOOL_PRODUCT_NAME" == "Terraform" ]] && test-terraform-version ">=" "1.10.0"; then - SAVED_PLAN_VARIABLES="$VARIABLE_ARGS" - fi - - # With OpenTofu >= 1.8.0 Early variable initialization any variables used by the encryption block - # must be available for the apply command, but you can not use the -var or -var-file arguments with a saved plan - # We have to put them in an auto tfvars file as a workaround. - - if [[ "$TOOL_PRODUCT_NAME" == "OpenTofu" && -n "$EARLY_VARIABLE_ARGS" ]]; then - create-auto-tfvars - fi - set +e # shellcheck disable=SC2086 - debug_log $TOOL_COMMAND_NAME apply -input=false -no-color -lock-timeout=300s $PARALLEL_ARG $SAVED_PLAN_VARIABLES $PLAN_OUT + debug_log $TOOL_COMMAND_NAME apply -input=false -no-color -lock-timeout=300s $PARALLEL_ARG $PLAN_OUT # shellcheck disable=SC2086 - (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME apply -input=false -no-color -lock-timeout=300s $PARALLEL_ARG $SAVED_PLAN_VARIABLES $PLAN_OUT) \ + (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME apply -input=false -no-color -lock-timeout=300s $PARALLEL_ARG $PLAN_OUT) \ 2>"$STEP_TMP_DIR/terraform_apply.stderr" \ | $TFMASK \ | tee "$STEP_TMP_DIR/terraform_apply.stdout" 
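Review bot: The saved-plan branch of `apply()` no longer passes any variable arguments, and the deleted comment was the only record of the version-specific rules: ephemeral variables must be supplied again for Terraform >= 1.10, and OpenTofu >= 1.8 early evaluation needs them at apply time. After this change that requirement is apparently met only by the auto tfvars files that `create-auto-tfvars` leaves in `$INPUT_PATH`, which is not evident from reading this function. I would keep a short comment in its place, e.g. `# Variables reach this apply via the *.auto.tfvars files written by create-auto-tfvars; they must still exist in $INPUT_PATH here.` `apply()` starts before this hunk and continues after it.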
@@ -61,19 +44,15 @@ function apply() { >&2 cat "$STEP_TMP_DIR/terraform_apply.stderr" set -e - if [[ "$TOOL_PRODUCT_NAME" == "OpenTofu" && -n "$EARLY_VARIABLE_ARGS" ]]; then - delete-auto-tfvars - fi - else # There is no plan file to apply, since the remote backend can't produce them. # Instead we need to do an auto approved apply using the arguments we would normally use for the plan set +e # shellcheck disable=SC2086,SC2016 - debug_log $TOOL_COMMAND_NAME apply -input=false -no-color -auto-approve -lock-timeout=300s $PARALLEL_ARG $PLAN_ARGS "$(masked-deprecated-vars)" $VARIABLE_ARGS + debug_log $TOOL_COMMAND_NAME apply -input=false -no-color -auto-approve -lock-timeout=300s $PARALLEL_ARG $PLAN_ARGS # shellcheck disable=SC2086 - (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME apply -input=false -no-color -auto-approve -lock-timeout=300s $PARALLEL_ARG $PLAN_ARGS $DEPRECATED_VAR_ARGS $VARIABLE_ARGS) \ + (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME apply -input=false -no-color -auto-approve -lock-timeout=300s $PARALLEL_ARG $PLAN_ARGS) \ 2>"$STEP_TMP_DIR/terraform_apply.stderr" \ | $TFMASK \ | tee "$STEP_TMP_DIR/terraform_apply.stdout" @@ -127,7 +106,6 @@ else if [[ $PLAN_EXIT -eq 1 ]]; then if grep -q "Saving a generated plan is currently not supported" "$STEP_TMP_DIR/terraform_plan.stderr"; then - set-remote-plan-args PLAN_OUT="" if [[ "$INPUT_AUTO_APPROVE" == "true" ]]; then @@ -162,7 +140,7 @@ else if [[ -n "$PLAN_OUT" ]]; then # shellcheck disable=SC2086 - if (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME show -json $EARLY_VARIABLE_ARGS "$PLAN_OUT" ) >"$GITHUB_WORKSPACE/$WORKSPACE_TMP_DIR/plan.json" 2>"$STEP_TMP_DIR/terraform_show.stderr"; then + if (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME show -json "$PLAN_OUT" ) >"$GITHUB_WORKSPACE/$WORKSPACE_TMP_DIR/plan.json" 2>"$STEP_TMP_DIR/terraform_show.stderr"; then set_output json_plan_path "$WORKSPACE_TMP_DIR/plan.json" else debug_file "$STEP_TMP_DIR/terraform_show.stderr" 
diff --git a/image/entrypoints/check.sh b/image/entrypoints/check.sh index e42c44cc..f6fc4633 100755 --- a/image/entrypoints/check.sh +++ b/image/entrypoints/check.sh @@ -17,7 +17,6 @@ plan if [[ $PLAN_EXIT -eq 1 ]]; then if grep -q "Saving a generated plan is currently not supported" "$STEP_TMP_DIR/terraform_plan.stderr"; then # This terraform module is using the remote backend, which is deficient. - set-remote-plan-args PLAN_OUT="" PLAN_ARGS="$PLAN_ARGS -lock=false" plan diff --git a/image/entrypoints/destroy-workspace.sh b/image/entrypoints/destroy-workspace.sh index bb800861..c3e12b2c 100755 --- a/image/entrypoints/destroy-workspace.sh +++ b/image/entrypoints/destroy-workspace.sh @@ -12,13 +12,6 @@ exec 3>&1 destroy -if [[ $DESTROY_EXIT -eq 1 ]]; then - if grep -q "Run variables are currently not supported" "$STEP_TMP_DIR/terraform_destroy.stderr"; then - set-remote-plan-args - destroy - fi -fi - if [[ $DESTROY_EXIT -eq 1 ]]; then cat >&2 "$STEP_TMP_DIR/terraform_destroy.stderr" if lock-info "$STEP_TMP_DIR/terraform_destroy.stderr"; then @@ -36,7 +29,7 @@ else init-backend-default-workspace # shellcheck disable=SC2086 - debug_log $TOOL_COMMAND_NAME workspace delete $EARLY_VARIABLE_ARGS -no-color -lock-timeout=300s "$INPUT_WORKSPACE" + debug_log $TOOL_COMMAND_NAME workspace delete -no-color -lock-timeout=300s "$INPUT_WORKSPACE" # shellcheck disable=SC2086 - (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace delete $EARLY_VARIABLE_ARGS -no-color -lock-timeout=300s "$INPUT_WORKSPACE") + (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace delete -no-color -lock-timeout=300s "$INPUT_WORKSPACE") fi diff --git a/image/entrypoints/destroy.sh b/image/entrypoints/destroy.sh index 8c02b9e3..be13c5c6 100755 --- a/image/entrypoints/destroy.sh +++ b/image/entrypoints/destroy.sh 
@@ -12,13 +12,6 @@ exec 3>&1 destroy -if [[ $DESTROY_EXIT -eq 1 ]]; then - if grep -q "Run variables are currently not supported" "$STEP_TMP_DIR/terraform_destroy.stderr"; then - set-remote-plan-args - destroy - fi -fi - if [[ $DESTROY_EXIT -eq 1 ]]; then cat >&2 "$STEP_TMP_DIR/terraform_destroy.stderr" if lock-info "$STEP_TMP_DIR/terraform_destroy.stderr"; then diff --git a/image/entrypoints/new-workspace.sh b/image/entrypoints/new-workspace.sh index 6774036f..84101fbd 100755 --- a/image/entrypoints/new-workspace.sh +++ b/image/entrypoints/new-workspace.sh @@ -15,7 +15,7 @@ init-backend-default-workspace set +e # shellcheck disable=SC2086 -(cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace list $EARLY_VARIABLE_ARGS -no-color) \ +(cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace list -no-color) \ 2>"$STEP_TMP_DIR/terraform_workspace_list.stderr" \ >"$STEP_TMP_DIR/terraform_workspace_list.stdout" @@ -34,13 +34,13 @@ fi if workspace_exists "$INPUT_WORKSPACE" <"$STEP_TMP_DIR/terraform_workspace_list.stdout"; then echo "Workspace appears to exist, selecting it" # shellcheck disable=SC2086 - (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace select $EARLY_VARIABLE_ARGS -no-color "$INPUT_WORKSPACE") + (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace select -no-color "$INPUT_WORKSPACE") else echo "Workspace does not appear to exist, attempting to create it" set +e # shellcheck disable=SC2086 - (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace new $EARLY_VARIABLE_ARGS -no-color -lock-timeout=300s "$INPUT_WORKSPACE") \ + (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace new -no-color -lock-timeout=300s "$INPUT_WORKSPACE") \ 2>"$STEP_TMP_DIR/terraform_workspace_new.stderr" \ >"$STEP_TMP_DIR/terraform_workspace_new.stdout" 
@@ -56,7 +56,7 @@ else if grep -Fq "already exists" "$STEP_TMP_DIR/terraform_workspace_new.stderr"; then echo "Workspace does exist, selecting it" # shellcheck disable=SC2086 - (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace select $EARLY_VARIABLE_ARGS -no-color "$INPUT_WORKSPACE") + (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace select -no-color "$INPUT_WORKSPACE") else cat "$STEP_TMP_DIR/terraform_workspace_new.stderr" cat "$STEP_TMP_DIR/terraform_workspace_new.stdout" diff --git a/image/entrypoints/plan.sh b/image/entrypoints/plan.sh index 778244b1..7f9a053d 100755 --- a/image/entrypoints/plan.sh +++ b/image/entrypoints/plan.sh @@ -18,7 +18,6 @@ plan if [[ $PLAN_EXIT -eq 1 ]]; then if grep -q "Saving a generated plan is currently not supported" "$STEP_TMP_DIR/terraform_plan.stderr"; then # This terraform module is using the remote backend, which is deficient. - set-remote-plan-args PLAN_OUT="" PLAN_ARGS="$PLAN_ARGS -lock=false" plan @@ -85,7 +84,7 @@ if [[ -n "$PLAN_OUT" ]]; then set_output plan_path "$WORKSPACE_TMP_DIR/plan.tfplan" # shellcheck disable=SC2086 - if (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME show -json $EARLY_VARIABLE_ARGS "$PLAN_OUT") >"$GITHUB_WORKSPACE/$WORKSPACE_TMP_DIR/plan.json" 2>"$STEP_TMP_DIR/terraform_show.stderr"; then + if (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME show -json "$PLAN_OUT") >"$GITHUB_WORKSPACE/$WORKSPACE_TMP_DIR/plan.json" 2>"$STEP_TMP_DIR/terraform_show.stderr"; then set_output json_plan_path "$WORKSPACE_TMP_DIR/plan.json" else debug_file "$STEP_TMP_DIR/terraform_show.stderr" diff --git a/image/entrypoints/refresh.sh b/image/entrypoints/refresh.sh index 5e1a59fb..dbb578b7 100755 --- a/image/entrypoints/refresh.sh +++ b/image/entrypoints/refresh.sh @@ -6,7 +6,6 @@ source /usr/local/actions.sh debug setup init-backend-workspace -set-variable-args exec 3>&1 
@@ -30,9 +29,9 @@ function refresh() { set +e # shellcheck disable=SC2086,SC2016 - debug_log $TOOL_COMMAND_NAME refresh -input=false -no-color -lock-timeout=300s $PARALLEL_ARG $REFRESH_ARGS $VARIABLE_ARGS + debug_log $TOOL_COMMAND_NAME refresh -input=false -no-color -lock-timeout=300s $PARALLEL_ARG $REFRESH_ARGS # shellcheck disable=SC2086 - (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME refresh -input=false -no-color -lock-timeout=300s $PARALLEL_ARG $REFRESH_ARGS $VARIABLE_ARGS) \ + (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME refresh -input=false -no-color -lock-timeout=300s $PARALLEL_ARG $REFRESH_ARGS) \ 2>"$STEP_TMP_DIR/terraform_refresh.stderr" \ | tee "$STEP_TMP_DIR/terraform_refresh.stdout" REFRESH_EXIT=${PIPESTATUS[0]} diff --git a/image/entrypoints/test.sh b/image/entrypoints/test.sh index 05b24c02..34851f87 100755 --- a/image/entrypoints/test.sh +++ b/image/entrypoints/test.sh @@ -35,11 +35,11 @@ function set-test-args() { function test() { # shellcheck disable=SC2086 - debug_log $TOOL_COMMAND_NAME test -no-color $TEST_ARGS $VARIABLE_ARGS + debug_log $TOOL_COMMAND_NAME test -no-color $TEST_ARGS set +e # shellcheck disable=SC2086 - (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME test -no-color $TEST_ARGS $VARIABLE_ARGS) \ + (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME test -no-color $TEST_ARGS) \ 2>"$STEP_TMP_DIR/terraform_test.stderr" \ | tee /dev/fd/3 \ >"$STEP_TMP_DIR/terraform_test.stdout" @@ -70,6 +70,5 @@ function test() { } set-test-args -set-variable-args test diff --git a/image/entrypoints/validate.sh b/image/entrypoints/validate.sh index da679761..f7668679 100755 --- a/image/entrypoints/validate.sh +++ b/image/entrypoints/validate.sh 
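Review bot: In test.sh the `set-variable-args` call and `$VARIABLE_ARGS` are removed from `test()`, and no visible hunk shows this entrypoint calling `set-init-args` or `create-auto-tfvars`. If neither runs before `test`, the `variables` and `var_file` inputs would be silently ignored rather than rejected. The call may already happen in the parts of test.sh outside these hunks, so please confirm. The same question applies to validate.sh, which runs `init || true` and then `validate` without any variable arguments. A one-line comment at the top of each entrypoint naming where the auto tfvars files are created would make the dependency explicit.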
@@ -22,7 +22,7 @@ fi init || true # shellcheck disable=SC2086 -if ! (cd "$INPUT_PATH" && TF_WORKSPACE="$TF_WORKSPACE" $TOOL_COMMAND_NAME validate -json $EARLY_VARIABLE_ARGS | convert_validate_report "$INPUT_PATH"); then +if ! (cd "$INPUT_PATH" && TF_WORKSPACE="$TF_WORKSPACE" $TOOL_COMMAND_NAME validate -json | convert_validate_report "$INPUT_PATH"); then (cd "$INPUT_PATH" && TF_WORKSPACE="$TF_WORKSPACE" $TOOL_COMMAND_NAME validate) else echo -e "\033[1;32mSuccess!\033[0m The configuration is valid" diff --git a/image/src/github_actions/inputs.py b/image/src/github_actions/inputs.py index 4f5d98e5..3dbb4d0e 100644 --- a/image/src/github_actions/inputs.py +++ b/image/src/github_actions/inputs.py @@ -18,7 +18,6 @@ class InitInputs(TypedDict): class PlanInputs(InitInputs): """Common input variables for actions that generate a plan""" INPUT_VARIABLES: str - INPUT_VAR: str INPUT_VAR_FILE: str INPUT_PARALLELISM: str diff --git a/image/src/github_pr_comment/__main__.py b/image/src/github_pr_comment/__main__.py index 99cbe13e..b7c0a15c 100644 --- a/image/src/github_pr_comment/__main__.py +++ b/image/src/github_pr_comment/__main__.py @@ -99,9 +99,6 @@ def format_classic_description(action_inputs: PlanPrInputs) -> str: if action_inputs["INPUT_BACKEND_CONFIG_FILE"]: label += f'\nWith backend config files: `{action_inputs["INPUT_BACKEND_CONFIG_FILE"]}`' - if action_inputs["INPUT_VAR"]: - label += f'\nWith vars: `{action_inputs["INPUT_VAR"]}`' - if action_inputs["INPUT_VAR_FILE"]: label += f'\nWith var files: `{action_inputs["INPUT_VAR_FILE"]}`' 
@@ -153,13 +150,6 @@ def format_description(action_inputs: PlanPrInputs, sensitive_variables: List[st if action_inputs["INPUT_BACKEND_CONFIG_FILE"]: label += f'\nWith backend config files: `{action_inputs["INPUT_BACKEND_CONFIG_FILE"]}`' - if action_inputs["INPUT_VAR"]: - label += '\n:warning: Using deprecated var input. Use the variables input instead.' - if any(var_name in action_inputs["INPUT_VAR"] for var_name in sensitive_variables): - label += '\nWith vars: (sensitive values)' - else: - label += f'\nWith vars: `{action_inputs["INPUT_VAR"]}`' - if action_inputs["INPUT_VAR_FILE"]: label += f'\nWith var files: `{action_inputs["INPUT_VAR_FILE"]}`' diff --git a/terraform-apply/action.yaml b/terraform-apply/action.yaml index d8f50dfd..81b73c9e 100644 --- a/terraform-apply/action.yaml +++ b/terraform-apply/action.yaml @@ -30,17 +30,6 @@ inputs: List of tfvars files to use, one per line. Paths should be relative to the GitHub Actions workspace required: false - var: - description: | - Comma separated list of Terraform vars to set. - This is deprecated due to the following limitations: - - Only primitive types can be set with `var` - number, bool and string. - - String values may not contain a comma. - - Values set with `var` will be overridden by values contained in `var_file`s - - Does not work with the `remote` backend - You can change from `var` to `variables` by putting each variable on a separate line and ensuring each string value is quoted. - required: false - deprecationMessage: Use the variables input instead. backend_config: description: List of Terraform backend config values, one per line. required: false diff --git a/terraform-check/action.yaml b/terraform-check/action.yaml index 40b12c70..96f4c2af 100644 --- a/terraform-check/action.yaml +++ b/terraform-check/action.yaml 
@@ -22,17 +22,6 @@ inputs: List of tfvars files to use, one per line. Paths should be relative to the GitHub Actions workspace required: false - var: - description: | - Comma separated list of Terraform vars to set. - This is deprecated due to the following limitations: - - Only primitive types can be set with `var` - number, bool and string. - - String values may not contain a comma. - - Values set with `var` will be overridden by values contained in `var_file`s - - Does not work with the `remote` backend - You can change from `var` to `variables` by putting each variable on a separate line and ensuring each string value is quoted. - required: false - deprecationMessage: Use the variables input instead. backend_config: description: List of Terraform backend config values, one per line. required: false diff --git a/terraform-destroy-workspace/action.yaml b/terraform-destroy-workspace/action.yaml index bcc19598..c21af2f9 100644 --- a/terraform-destroy-workspace/action.yaml +++ b/terraform-destroy-workspace/action.yaml @@ -21,17 +21,6 @@ inputs: List of tfvars files to use, one per line. Paths should be relative to the GitHub Actions workspace required: false - var: - description: | - Comma separated list of Terraform vars to set. - This is deprecated due to the following limitations: - - Only primitive types can be set with `var` - number, bool and string. - - String values may not contain a comma. - - Values set with `var` will be overridden by values contained in `var_file`s - - Does not work with the `remote` backend - You can change from `var` to `variables` by putting each variable on a separate line and ensuring each string value is quoted. - required: false - deprecationMessage: Use the variables input instead. backend_config: description: List of Terraform backend config values, one per line. required: false diff --git a/terraform-destroy/action.yaml b/terraform-destroy/action.yaml index df79aa57..8fdbe803 100644 --- a/terraform-destroy/action.yaml 
+++ b/terraform-destroy/action.yaml @@ -22,17 +22,6 @@ inputs: List of tfvars files to use, one per line. Paths should be relative to the GitHub Actions workspace required: false - var: - description: | - Comma separated list of Terraform vars to set. - This is deprecated due to the following limitations: - - Only primitive types can be set with `var` - number, bool and string. - - String values may not contain a comma. - - Values set with `var` will be overridden by values contained in `var_file`s - - Does not work with the `remote` backend - You can change from `var` to `variables` by putting each variable on a separate line and ensuring each string value is quoted. - required: false - deprecationMessage: Use the variables input instead. backend_config: description: List of Terraform backend config values, one per line. required: false diff --git a/terraform-plan/action.yaml b/terraform-plan/action.yaml index 13e8be29..89a18ff4 100644 --- a/terraform-plan/action.yaml +++ b/terraform-plan/action.yaml @@ -30,17 +30,6 @@ inputs: List of tfvars files to use, one per line. Paths should be relative to the GitHub Actions workspace required: false - var: - description: | - Comma separated list of Terraform vars to set. - This is deprecated due to the following limitations: - - Only primitive types can be set with `var` - number, bool and string. - - String values may not contain a comma. - - Values set with `var` will be overridden by values contained in `var_file`s - - Does not work with the `remote` backend - You can change from `var` to `variables` by putting each variable on a separate line and ensuring each string value is quoted. - required: false - deprecationMessage: Use the variables input instead. backend_config: description: List of Terraform backend config values, one per line. required: false diff --git a/tofu-apply/action.yaml b/tofu-apply/action.yaml index c24d2dae..8de2df12 100644 --- a/tofu-apply/action.yaml +++ b/tofu-apply/action.yaml 
@@ -30,17 +30,6 @@ inputs: List of tfvars files to use, one per line. Paths should be relative to the GitHub Actions workspace required: false - var: - description: | - Comma separated list of OpenTofu vars to set. - This is deprecated due to the following limitations: - - Only primitive types can be set with `var` - number, bool and string. - - String values may not contain a comma. - - Values set with `var` will be overridden by values contained in `var_file`s - - Does not work with the `remote` backend - You can change from `var` to `variables` by putting each variable on a separate line and ensuring each string value is quoted. - required: false - deprecationMessage: Use the variables input instead. backend_config: description: List of OpenTofu backend config values, one per line. required: false diff --git a/tofu-check/action.yaml b/tofu-check/action.yaml index d82db5d9..66d69e74 100644 --- a/tofu-check/action.yaml +++ b/tofu-check/action.yaml @@ -22,17 +22,6 @@ inputs: List of tfvars files to use, one per line. Paths should be relative to the GitHub Actions workspace required: false - var: - description: | - Comma separated list of OpenTofu vars to set. - This is deprecated due to the following limitations: - - Only primitive types can be set with `var` - number, bool and string. - - String values may not contain a comma. - - Values set with `var` will be overridden by values contained in `var_file`s - - Does not work with the `remote` backend - You can change from `var` to `variables` by putting each variable on a separate line and ensuring each string value is quoted. - required: false - deprecationMessage: Use the variables input instead. backend_config: description: List of OpenTofu backend config values, one per line. required: false diff --git a/tofu-destroy-workspace/action.yaml b/tofu-destroy-workspace/action.yaml index 5bd6d4d5..55f0a937 100644 --- a/tofu-destroy-workspace/action.yaml +++ b/tofu-destroy-workspace/action.yaml 
@@ -21,17 +21,6 @@ inputs: List of tfvars files to use, one per line. Paths should be relative to the GitHub Actions workspace required: false - var: - description: | - Comma separated list of OpenTofu vars to set. - This is deprecated due to the following limitations: - - Only primitive types can be set with `var` - number, bool and string. - - String values may not contain a comma. - - Values set with `var` will be overridden by values contained in `var_file`s - - Does not work with the `remote` backend - You can change from `var` to `variables` by putting each variable on a separate line and ensuring each string value is quoted. - required: false - deprecationMessage: Use the variables input instead. backend_config: description: List of OpenTofu backend config values, one per line. required: false diff --git a/tofu-destroy/action.yaml b/tofu-destroy/action.yaml index 88f7ab4d..b762fa3c 100644 --- a/tofu-destroy/action.yaml +++ b/tofu-destroy/action.yaml @@ -22,17 +22,6 @@ inputs: List of tfvars files to use, one per line. Paths should be relative to the GitHub Actions workspace required: false - var: - description: | - Comma separated list of OpenTofu vars to set. - This is deprecated due to the following limitations: - - Only primitive types can be set with `var` - number, bool and string. - - String values may not contain a comma. - - Values set with `var` will be overridden by values contained in `var_file`s - - Does not work with the `remote` backend - You can change from `var` to `variables` by putting each variable on a separate line and ensuring each string value is quoted. - required: false - deprecationMessage: Use the variables input instead. backend_config: description: List of OpenTofu backend config values, one per line. required: false diff --git a/tofu-plan/action.yaml b/tofu-plan/action.yaml index 9848d4a3..1aa8cf95 100644 --- a/tofu-plan/action.yaml +++ b/tofu-plan/action.yaml 
@@ -30,17 +30,6 @@ inputs: List of tfvars files to use, one per line. Paths should be relative to the GitHub Actions workspace required: false - var: - description: | - Comma separated list of OpenTofu vars to set. - This is deprecated due to the following limitations: - - Only primitive types can be set with `var` - number, bool and string. - - String values may not contain a comma. - - Values set with `var` will be overridden by values contained in `var_file`s - - Does not work with the `remote` backend - You can change from `var` to `variables` by putting each variable on a separate line and ensuring each string value is quoted. - required: false - deprecationMessage: Use the variables input instead. backend_config: description: List of OpenTofu backend config values, one per line. required: false From bdba707411f56b5740df88f62de16186635c2fab Mon Sep 17 00:00:00 2001 From: Daniel Flook Date: Fri, 30 May 2025 10:04:39 +0100 Subject: [PATCH 2/2] Make sure tfvars files are loaded in the correct order They are read in lexical order by terraform, use a two digit counter to ensure this is correct even for >10 files. --- image/actions.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/image/actions.sh b/image/actions.sh index 79db6ef5..c044afa0 100644 --- a/image/actions.sh +++ b/image/actions.sh @@ -389,7 +389,7 @@ function set-plan-args() { } function create-auto-tfvars() { - local AUTO_TFVARS_COUNTER=0 + local AUTO_TFVARS_COUNTER="00" if [[ -n "${INPUT_VAR_FILE:-}" ]]; then for file_path in $(echo "$INPUT_VAR_FILE" | tr ',' '\n'); do 
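Review bot: In the `image/actions.sh` hunk, the loop header `for file_path in $(echo "$INPUT_VAR_FILE" | tr ',' '\n')` leaves the command substitution unquoted, so every entry is word-split and glob-expanded before it is used. A `var_file` path containing a space is split into two entries, and one containing `*` expands to whatever matches in the workspace, so files the workflow author did not list could be copied in as auto-loaded tfvars. Reading the entries line by line avoids both, for example `while IFS= read -r file_path; do` closed with `done <<<"${INPUT_VAR_FILE//,/$'\n'}"`, skipping empty entries. The loop body lies outside this hunk, so any validation of `file_path` further down is not visible here.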
@@ -403,7 +403,7 @@ function create-auto-tfvars() { debug_log "Creating autoloading tfvars file for $file_path: zzzz-dflook-terraform-github-actions-$AUTO_TFVARS_COUNTER.$name.auto.tfvars" cp "$file_path" "$INPUT_PATH/zzzz-dflook-terraform-github-actions-$AUTO_TFVARS_COUNTER.$name.auto.tfvars" - AUTO_TFVARS_COUNTER=$((AUTO_TFVARS_COUNTER + 1)) + AUTO_TFVARS_COUNTER=$(printf "%02d\n" "$((AUTO_TFVARS_COUNTER + 1))") done fi
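Review bot: The new increment `$((AUTO_TFVARS_COUNTER + 1))` now reads a zero-padded string, and bash arithmetic treats a leading `0` as octal, so once the counter holds `08` the expansion fails with a "value too great for base" error instead of yielding `09`. The tenth var file therefore gets no valid counter; depending on shell options the run presumably either aborts or continues with an empty counter. That is the more-than-ten-files case this commit targets, and because load order decides which values win, it can change the variables that are applied. Force base 10 in the increment: `AUTO_TFVARS_COUNTER=$(printf "%02d" "$((10#$AUTO_TFVARS_COUNTER + 1))")`. The body of `create-auto-tfvars` starts outside this hunk, and a test with ten or more `var_file` entries would cover the regression.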