From b58301acdd252db1784431604648cefc2f779775 Mon Sep 17 00:00:00 2001
From: Daniel Flook <daniel@flook.org>
Date: Mon, 9 Jun 2025 18:40:48 +0100
Subject: [PATCH 1/2] Add OpenTofu 1.9 exclude parameter support

---
 .github/actionlint.yaml                       |   5 +-
 ....yaml => test-target-replace-exclude.yaml} | 126 ++++++++++++++----
 .gitignore                                    |   3 +
 docs-gen/action.py                            |   1 +
 docs-gen/actions/apply.py                     |   5 +
 docs-gen/actions/plan.py                      |   2 +
 docs-gen/actions/refresh.py                   |   5 +
 docs-gen/inputs/exclude.py                    |  23 ++++
 image/actions.sh                              |  14 ++
 image/entrypoints/refresh.sh                  |   8 ++
 image/src/github_actions/inputs.py            |   1 +
 image/src/github_pr_comment/__main__.py       |  10 ++
 image/src/terraform_version/local_state.py    |   5 +-
 .../test-target-replace-exclude/main.tf       |  61 +++++++++
 tests/workflows/test-target-replace/main.tf   |  29 ----
 tofu-apply/README.md                          |  15 +++
 tofu-apply/action.yaml                        |   6 +
 tofu-plan/README.md                           |  17 +++
 tofu-plan/action.yaml                         |   8 ++
 tofu-refresh/README.md                        |  15 +++
 tofu-refresh/action.yaml                      |   6 +
 21 files changed, 310 insertions(+), 55 deletions(-)
 rename .github/workflows/{test-target-replace.yaml => test-target-replace-exclude.yaml} (80%)
 create mode 100644 docs-gen/inputs/exclude.py
 create mode 100644 tests/workflows/test-target-replace-exclude/main.tf
 delete mode 100644 tests/workflows/test-target-replace/main.tf

diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml
index 1bafb250..4abdd4bb 100644
--- a/.github/actionlint.yaml
+++ b/.github/actionlint.yaml
@@ -30,10 +30,13 @@ paths:
       - 'property "git_https" is not defined in object type'
       - 'property "awkward_.*" is not defined in object type'
       - 'property "word" is not defined in object type'
-  .github/workflows/test-target-replace.yaml:
+  .github/workflows/test-target-replace-exclude.yaml:
     ignore:
       - 'property "count" is not defined in object type'
       - 'property "foreach" is not defined in object type'
+      - 'property "keep_me" is not defined in object type'
+      - 'property "exclude_me" is not defined in object type'
+      - 'property "also_exclude" is not defined in object type'
   .github/workflows/release.yaml:
     ignore:
       - 'Useless cat.'
diff --git a/.github/workflows/test-target-replace.yaml b/.github/workflows/test-target-replace-exclude.yaml
similarity index 80%
rename from .github/workflows/test-target-replace.yaml
rename to .github/workflows/test-target-replace-exclude.yaml
index 3753ed83..ff3f313f 100644
--- a/.github/workflows/test-target-replace.yaml
+++ b/.github/workflows/test-target-replace-exclude.yaml
@@ -1,4 +1,4 @@
-name: Test actions using target and replace
+name: Test actions using target, replace, and exclude
 
 on:
   - pull_request
@@ -27,7 +27,7 @@ jobs:
         id: plan
         with:
           label: test-target-replace plan_targeting
-          path: tests/workflows/test-target-replace
+          path: tests/workflows/test-target-replace-exclude
           target: |
             random_string.notpresent
           variables: |
@@ -46,7 +46,7 @@ jobs:
         uses: ./terraform-plan
         id: plan-first-change
         with:
-          path: tests/workflows/test-target-replace
+          path: tests/workflows/test-target-replace-exclude
           target: |
             random_string.count[0]
           variables: |
@@ -65,7 +65,7 @@ jobs:
         uses: ./terraform-apply
         id: apply-first-change
         with:
-          path: tests/workflows/test-target-replace
+          path: tests/workflows/test-target-replace-exclude
           target: |
             random_string.count[0]
           variables: |
@@ -84,7 +84,7 @@ jobs:
         uses: ./terraform-plan
         id: plan-second-change
         with:
-          path: tests/workflows/test-target-replace
+          path: tests/workflows/test-target-replace-exclude
           target: |
             random_string.foreach["hello"]
           variables: |
@@ -103,7 +103,7 @@ jobs:
         uses: ./terraform-apply
         id: apply-second-change
         with:
-          path: tests/workflows/test-target-replace
+          path: tests/workflows/test-target-replace-exclude
           target: |
             random_string.foreach["hello"]
           variables: |
@@ -129,7 +129,7 @@ jobs:
         uses: ./terraform-apply
         id: apply-third-change
         with:
-          path: tests/workflows/test-target-replace
+          path: tests/workflows/test-target-replace-exclude
           target: |
             random_string.count[0]
             random_string.foreach["hello"]
@@ -158,7 +158,7 @@ jobs:
         uses: ./terraform-plan
         id: plan-targeted-replacement
         with:
-          path: tests/workflows/test-target-replace
+          path: tests/workflows/test-target-replace-exclude
           target: |
             random_string.foreach["hello"]
           replace: |
@@ -180,7 +180,7 @@ jobs:
         uses: ./terraform-apply
         id: apply-targeted-replacement
         with:
-          path: tests/workflows/test-target-replace
+          path: tests/workflows/test-target-replace-exclude
           target: |
             random_string.foreach["hello"]
           replace: |
@@ -210,7 +210,7 @@ jobs:
         uses: ./terraform-plan
         id: plan-replacement
         with:
-          path: tests/workflows/test-target-replace
+          path: tests/workflows/test-target-replace-exclude
           replace: |
             random_string.foreach["hello"]
             random_string.count[0]
@@ -230,7 +230,7 @@ jobs:
         uses: ./terraform-apply
         id: apply-replacement
         with:
-          path: tests/workflows/test-target-replace
+          path: tests/workflows/test-target-replace-exclude
           replace: |
             random_string.foreach["hello"]
             random_string.count[0]
@@ -268,7 +268,7 @@ jobs:
 
       - name: Setup remote backend
         run: |
-          cat >tests/workflows/test-target-replace/backend.tf <<EOF
+          cat >tests/workflows/test-target-replace-exclude/backend.tf <<EOF
           terraform {
             backend "remote" {
               organization = "flooktech"
@@ -284,7 +284,7 @@ jobs:
       - name: Create test workspace
         uses: ./terraform-new-workspace
         with:
-          path: tests/workflows/test-target-replace
+          path: tests/workflows/test-target-replace-exclude
           workspace: ${{ github.head_ref }}
           backend_config: token=${{ secrets.TF_API_TOKEN }}
 
@@ -293,7 +293,7 @@ jobs:
         id: plan
         with:
           label: test-target-replace remote_plan_targeting
-          path: tests/workflows/test-target-replace
+          path: tests/workflows/test-target-replace-exclude
           target: |
             random_string.notpresent
           variables: |
@@ -314,7 +314,7 @@ jobs:
         uses: ./terraform-plan
         id: plan-first-change
         with:
-          path: tests/workflows/test-target-replace
+          path: tests/workflows/test-target-replace-exclude
           target: |
             random_string.count[0]
           variables: |
@@ -335,7 +335,7 @@ jobs:
         uses: ./terraform-apply
         id: apply-first-change
         with:
-          path: tests/workflows/test-target-replace
+          path: tests/workflows/test-target-replace-exclude
           target: |
             random_string.count[0]
           variables: |
@@ -356,7 +356,7 @@ jobs:
         uses: ./terraform-plan
         id: plan-second-change
         with:
-          path: tests/workflows/test-target-replace
+          path: tests/workflows/test-target-replace-exclude
           target: |
             random_string.foreach["hello"]
           variables: |
@@ -377,7 +377,7 @@ jobs:
         uses: ./terraform-apply
         id: apply-second-change
         with:
-          path: tests/workflows/test-target-replace
+          path: tests/workflows/test-target-replace-exclude
           target: |
             random_string.foreach["hello"]
           variables: |
@@ -405,7 +405,7 @@ jobs:
         uses: ./terraform-apply
         id: apply-third-change
         with:
-          path: tests/workflows/test-target-replace
+          path: tests/workflows/test-target-replace-exclude
           target: |
             random_string.count[0]
             random_string.foreach["hello"]
@@ -436,7 +436,7 @@ jobs:
         uses: ./terraform-plan
         id: plan-targeted-replacement
         with:
-          path: tests/workflows/test-target-replace
+          path: tests/workflows/test-target-replace-exclude
           target: |
             random_string.foreach["hello"]
           replace: |
@@ -460,7 +460,7 @@ jobs:
         uses: ./terraform-apply
         id: apply-targeted-replacement
         with:
-          path: tests/workflows/test-target-replace
+          path: tests/workflows/test-target-replace-exclude
           target: |
             random_string.foreach["hello"]
           replace: |
@@ -492,7 +492,7 @@ jobs:
         uses: ./terraform-plan
         id: plan-replacement
         with:
-          path: tests/workflows/test-target-replace
+          path: tests/workflows/test-target-replace-exclude
           replace: |
             random_string.foreach["hello"]
             random_string.count[0]
@@ -514,7 +514,7 @@ jobs:
         uses: ./terraform-apply
         id: apply-replacement
         with:
-          path: tests/workflows/test-target-replace
+          path: tests/workflows/test-target-replace-exclude
           replace: |
             random_string.foreach["hello"]
             random_string.count[0]
@@ -543,8 +543,86 @@ jobs:
       - name: Destroy the workspace
         uses: ./terraform-destroy-workspace
         with:
-          path: tests/workflows/test-target-replace
+          path: tests/workflows/test-target-replace-exclude
           workspace: ${{ github.head_ref }}
           variables: |
             length = 10
           backend_config: token=${{ secrets.TF_API_TOKEN }}
+
+  tofu_exclude_testing:
+    runs-on: ubuntu-24.04
+    name: OpenTofu exclude testing
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Plan excluding resources
+        uses: ./tofu-plan
+        id: plan-exclude
+        with:
+          label: test-exclude tofu_exclude_testing
+          path: tests/workflows/test-target-replace-exclude
+          exclude: |
+            random_string.exclude_me
+            random_string.also_exclude
+          variables: |
+            length = 5
+
+      - name: Verify exclude plan outputs
+        env:
+          CHANGES: ${{ steps.plan-exclude.outputs.changes }}
+        run: |
+          if [[ "$CHANGES" != "true" ]]; then
+            echo "::error:: Exclude plan should have changes for non-excluded resources"
+            exit 1
+          fi
+
+      - name: Apply excluding resources
+        uses: ./tofu-apply
+        id: apply-exclude
+        with:
+          label: test-exclude tofu_exclude_testing
+          path: tests/workflows/test-target-replace-exclude
+          exclude: |
+            random_string.exclude_me
+            random_string.also_exclude
+          variables: |
+            length = 5
+
+      - name: Verify exclude apply outputs
+        env:
+          COUNT: ${{ steps.apply-exclude.outputs.count }}
+          FOREACH: ${{ steps.apply-exclude.outputs.foreach }}
+          KEEP_ME: ${{ steps.apply-exclude.outputs.keep_me }}
+          EXCLUDE_ME: ${{ steps.apply-exclude.outputs.exclude_me }}
+          ALSO_EXCLUDE: ${{ steps.apply-exclude.outputs.also_exclude }}
+        run: |
+          # Should have created non-excluded resources
+          if [[ "$COUNT" == "" ]]; then
+            echo "::error:: count output should be set (resource not excluded)"
+            exit 1
+          fi
+          if [[ "$FOREACH" == "" ]]; then
+            echo "::error:: foreach output should be set (resource not excluded)"
+            exit 1
+          fi
+          if [[ "$KEEP_ME" == "" ]]; then
+            echo "::error:: keep_me output should be set (resource not excluded)"
+            exit 1
+          fi
+
+          # Should NOT have created excluded resources
+          if [[ "$EXCLUDE_ME" != "" ]]; then
+            echo "::error:: exclude_me output should be empty (resource excluded)"
+            exit 1
+          fi
+          if [[ "$ALSO_EXCLUDE" != "" ]]; then
+            echo "::error:: also_exclude output should be empty (resource excluded)"
+            exit 1
+          fi
+
diff --git a/.gitignore b/.gitignore
index 1d6ae894..b87ce647 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,6 @@ build/
 __pycache__/
 .DS_Store
 *.egg-info/
+
+# API cache files
+github_api_cache.sqlite
diff --git a/docs-gen/action.py b/docs-gen/action.py
index d7f8105b..5191ddcc 100644
--- a/docs-gen/action.py
+++ b/docs-gen/action.py
@@ -172,6 +172,7 @@ def assert_ordering(self):
             "backend_config_file",
             "replace",
             "target",
+            "exclude",
             "destroy",
             "refresh",
             "plan_path",
diff --git a/docs-gen/actions/apply.py b/docs-gen/actions/apply.py
index 5d0d06da..99de6829 100644
--- a/docs-gen/actions/apply.py
+++ b/docs-gen/actions/apply.py
@@ -19,6 +19,7 @@
 from inputs.refresh import refresh
 from inputs.replace import replace
 from inputs.target import target
+from inputs.exclude import exclude
 from inputs.var_file import var_file
 from inputs.variables import variables
 from inputs.var import var
@@ -79,6 +80,10 @@
         dataclasses.replace(target, description='''
   List of resources to apply, one per line.
   The apply operation will be limited to these resources and their dependencies.
+        '''),
+        dataclasses.replace(exclude, description='''
+  List of resources to exclude from the apply operation, one per line.
+  The apply operation will include all resources except the specified ones and their dependencies.
         '''),
         dataclasses.replace(destroy, description='''
 Set to `true` to destroy all resources.
diff --git a/docs-gen/actions/plan.py b/docs-gen/actions/plan.py
index 4618cbc4..7b2a3791 100644
--- a/docs-gen/actions/plan.py
+++ b/docs-gen/actions/plan.py
@@ -19,6 +19,7 @@
 from inputs.refresh import refresh
 from inputs.replace import replace
 from inputs.target import target
+from inputs.exclude import exclude
 from inputs.var import var
 from inputs.var_file import var_file
 from inputs.variables import variables
@@ -57,6 +58,7 @@
         backend_config_file,
         replace,
         target,
+        exclude,
         destroy,
         refresh,
         add_github_comment,
diff --git a/docs-gen/actions/refresh.py b/docs-gen/actions/refresh.py
index 0150e550..94c1d026 100644
--- a/docs-gen/actions/refresh.py
+++ b/docs-gen/actions/refresh.py
@@ -14,6 +14,7 @@
 from inputs.variables import variables
 from inputs.workspace import workspace
 from inputs.target import target
+from inputs.exclude import exclude
 from outputs.failure_reason import failure_reason
 from outputs.lock_info import lock_info
 from outputs.run_id import run_id
@@ -35,6 +36,10 @@
         dataclasses.replace(target, description='''
 List of resources to target, one per line.
 The refresh will be limited to these resources and their dependencies.
+'''),
+        dataclasses.replace(exclude, description='''
+List of resources to exclude from the refresh operation, one per line.
+The refresh will include all resources except the specified ones and their dependencies.
 '''),
         parallelism
     ],
diff --git a/docs-gen/inputs/exclude.py b/docs-gen/inputs/exclude.py
new file mode 100644
index 00000000..649126e4
--- /dev/null
+++ b/docs-gen/inputs/exclude.py
@@ -0,0 +1,23 @@
+from action import Input, OpenTofu
+
+exclude = Input(
+    name='exclude',
+    type='string',
+    description='''
+List of resources to exclude from operations, one per line.
+The plan will include all resources except the specified ones and their dependencies.
+
+Requires OpenTofu 1.9+.
+''',
+    example='''
+```yaml
+with:
+  exclude: |
+    local_file.sensitive_config
+    aws_instance.temp_resource
+```
+''',
+    default='',
+    required=False,
+    available_in=[OpenTofu]
+)
\ No newline at end of file
diff --git a/image/actions.sh b/image/actions.sh
index 7d9833da..046d987c 100644
--- a/image/actions.sh
+++ b/image/actions.sh
@@ -350,6 +350,12 @@ function set-common-plan-args() {
         PARALLEL_ARG="-parallelism=$INPUT_PARALLELISM"
     fi
 
+    # Validate that target and exclude are not used together
+    if [[ -v INPUT_TARGET && -n "$INPUT_TARGET" && -v INPUT_EXCLUDE && -n "$INPUT_EXCLUDE" ]]; then
+        error_log "target and exclude cannot be used together. These flags are mutually exclusive in $TOOL_PRODUCT_NAME."
+        exit 1
+    fi
+
     if [[ -v INPUT_TARGET ]]; then
         if [[ -n "$INPUT_TARGET" ]]; then
             for target in $(echo "$INPUT_TARGET" | tr ',' '\n'); do
@@ -358,6 +364,14 @@ function set-common-plan-args() {
         fi
     fi
 
+    if [[ -v INPUT_EXCLUDE ]]; then
+        if [[ -n "$INPUT_EXCLUDE" ]]; then
+            for exclude in $(echo "$INPUT_EXCLUDE" | tr ',' '\n'); do
+                PLAN_ARGS="$PLAN_ARGS -exclude $exclude"
+            done
+        fi
+    fi
+
     if [[ -v INPUT_REPLACE ]]; then
         if [[ -n "$INPUT_REPLACE" ]]; then
             for target in $(echo "$INPUT_REPLACE" | tr ',' '\n'); do
diff --git a/image/entrypoints/refresh.sh b/image/entrypoints/refresh.sh
index dbb578b7..94e962cd 100755
--- a/image/entrypoints/refresh.sh
+++ b/image/entrypoints/refresh.sh
@@ -26,6 +26,14 @@ function refresh() {
         fi
     fi
 
+    if [[ -v INPUT_EXCLUDE ]]; then
+        if [[ -n "$INPUT_EXCLUDE" ]]; then
+            for exclude in $(echo "$INPUT_EXCLUDE" | tr ',' '\n'); do
+                REFRESH_ARGS="$REFRESH_ARGS -exclude $exclude"
+            done
+        fi
+    fi
+
     set +e
 
     # shellcheck disable=SC2086,SC2016
diff --git a/image/src/github_actions/inputs.py b/image/src/github_actions/inputs.py
index 3dbb4d0e..01d4a56f 100644
--- a/image/src/github_actions/inputs.py
+++ b/image/src/github_actions/inputs.py
@@ -26,6 +26,7 @@ class PlanPrInputs(PlanInputs):
     """Common input variables for actions that use a PR comment"""
     INPUT_LABEL: str
     INPUT_TARGET: str
+    INPUT_EXCLUDE: str
     INPUT_REPLACE: str
     INPUT_DESTROY: str
     INPUT_REFRESH: str
diff --git a/image/src/github_pr_comment/__main__.py b/image/src/github_pr_comment/__main__.py
index b7c0a15c..865a18e7 100644
--- a/image/src/github_pr_comment/__main__.py
+++ b/image/src/github_pr_comment/__main__.py
@@ -140,6 +140,10 @@ def format_description(action_inputs: PlanPrInputs, sensitive_variables: List[st
         label += '\nTargeting resources: '
         label += ', '.join(f'`{res.strip()}`' for res in action_inputs['INPUT_TARGET'].splitlines())
 
+    if action_inputs.get("INPUT_EXCLUDE"):
+        label += '\nExcluding resources: '
+        label += ', '.join(f'`{res.strip()}`' for res in action_inputs['INPUT_EXCLUDE'].splitlines())
+
     if action_inputs["INPUT_REPLACE"]:
         label += '\nReplacing resources: '
         label += ', '.join(f'`{res.strip()}`' for res in action_inputs['INPUT_REPLACE'].splitlines())
@@ -301,6 +305,9 @@ def new_pr_comment(backend_fingerprint: bytes) -> TerraformComment:
     if target := os.environ.get('INPUT_TARGET'):
         plan_modifier['target'] = sorted(t.strip() for t in target.replace(',', '\n', ).split('\n') if t.strip())
 
+    if exclude := os.environ.get('INPUT_EXCLUDE'):
+        plan_modifier['exclude'] = sorted(t.strip() for t in exclude.replace(',', '\n', ).split('\n') if t.strip())
+
     if replace := os.environ.get('INPUT_REPLACE'):
         plan_modifier['replace'] = sorted(t.strip() for t in replace.replace(',', '\n', ).split('\n') if t.strip())
 
@@ -350,6 +357,9 @@ def get_comment(action_inputs: PlanPrInputs, backend_fingerprint: bytes, backup_
     if target := os.environ.get('INPUT_TARGET'):
         plan_modifier['target'] = sorted(t.strip() for t in target.replace(',', '\n', ).split('\n') if t.strip())
 
+    if exclude := os.environ.get('INPUT_EXCLUDE'):
+        plan_modifier['exclude'] = sorted(t.strip() for t in exclude.replace(',', '\n', ).split('\n') if t.strip())
+
     if replace := os.environ.get('INPUT_REPLACE'):
         plan_modifier['replace'] = sorted(t.strip() for t in replace.replace(',', '\n', ).split('\n') if t.strip())
 
diff --git a/image/src/terraform_version/local_state.py b/image/src/terraform_version/local_state.py
index 33e8277f..294aa05d 100644
--- a/image/src/terraform_version/local_state.py
+++ b/image/src/terraform_version/local_state.py
@@ -19,7 +19,10 @@ def read_local_state(module_dir: Path) -> Optional[Version]:
         with open(state_path) as f:
             state = json.load(f)
             if state.get('serial') > 0:
-                return Version(state.get('terraform_version'))
+                # Respect OPENTOFU environment variable when determining product type
+                # since OpenTofu maintains compatibility with Terraform state files
+                product = 'OpenTofu' if 'OPENTOFU' in os.environ else 'Terraform'
+                return Version(state.get('terraform_version'), product)
     except Exception as e:
         debug(str(e))
 
diff --git a/tests/workflows/test-target-replace-exclude/main.tf b/tests/workflows/test-target-replace-exclude/main.tf
new file mode 100644
index 00000000..e5d8d771
--- /dev/null
+++ b/tests/workflows/test-target-replace-exclude/main.tf
@@ -0,0 +1,61 @@
+resource "random_string" "count" {
+  count = 1
+
+  length = var.length
+
+  special = false
+  min_special = 0
+}
+
+resource "random_string" "foreach" {
+  for_each = toset(["hello"])
+
+  length = var.length
+
+  special = false
+  min_special = 0
+}
+
+# Additional resources for exclude testing
+resource "random_string" "exclude_me" {
+  length = var.length
+  special = false
+  min_special = 0
+}
+
+resource "random_string" "keep_me" {
+  length = var.length
+  special = false
+  min_special = 0
+}
+
+resource "random_string" "also_exclude" {
+  length = var.length
+  special = false
+  min_special = 0
+}
+
+
+variable "length" {
+
+}
+
+output "count" {
+  value = random_string.count[0].result
+}
+
+output "foreach" {
+  value = random_string.foreach["hello"].result
+}
+
+output "exclude_me" {
+  value = random_string.exclude_me.result
+}
+
+output "keep_me" {
+  value = random_string.keep_me.result
+}
+
+output "also_exclude" {
+  value = random_string.also_exclude.result
+}
diff --git a/tests/workflows/test-target-replace/main.tf b/tests/workflows/test-target-replace/main.tf
deleted file mode 100644
index 16fd8bd3..00000000
--- a/tests/workflows/test-target-replace/main.tf
+++ /dev/null
@@ -1,29 +0,0 @@
-resource "random_string" "count" {
-  count = 1
-
-  length = var.length
-
-  special = false
-  min_special = 0
-}
-
-resource "random_string" "foreach" {
-  for_each = toset(["hello"])
-
-  length = var.length
-
-  special = false
-  min_special = 0
-}
-
-variable "length" {
-
-}
-
-output "count" {
-  value = random_string.count[0].result
-}
-
-output "foreach" {
-  value = random_string.foreach["hello"].result
-}
diff --git a/tofu-apply/README.md b/tofu-apply/README.md
index 7a5bda6b..935e09b5 100644
--- a/tofu-apply/README.md
+++ b/tofu-apply/README.md
@@ -148,6 +148,21 @@ These input values must be the same as any [`dflook/tofu-plan`](https://github.c
   - Type: string
   - Optional
 
+* `exclude`
+
+  List of resources to exclude from the apply operation, one per line.
+  The apply operation will include all resources except the specified ones and their dependencies.
+
+  ```yaml
+  with:
+    exclude: |
+      local_file.sensitive_config
+      aws_instance.temp_resource
+  ```
+
+  - Type: string
+  - Optional
+
 * `destroy`
 
   Set to `true` to destroy all resources.
diff --git a/tofu-apply/action.yaml b/tofu-apply/action.yaml
index 8de2df12..7973f95b 100644
--- a/tofu-apply/action.yaml
+++ b/tofu-apply/action.yaml
@@ -50,6 +50,12 @@ inputs:
       The apply operation will be limited to these resources and their dependencies.
     required: false
     default: ""
+  exclude:
+    description: |
+      List of resources to exclude from the apply operation, one per line.
+      The apply operation will include all resources except the specified ones and their dependencies.
+    required: false
+    default: ""
   destroy:
     description: |
       Set to `true` to destroy all resources.
diff --git a/tofu-plan/README.md b/tofu-plan/README.md
index a5f264a4..787ed381 100644
--- a/tofu-plan/README.md
+++ b/tofu-plan/README.md
@@ -129,6 +129,23 @@ The [dflook/tofu-apply](https://github.com/dflook/terraform-github-actions/tree/
   - Type: string
   - Optional
 
+* `exclude`
+
+  List of resources to exclude from operations, one per line.
+  The plan will include all resources except the specified ones and their dependencies.
+
+  Requires OpenTofu 1.9+.
+
+  ```yaml
+  with:
+    exclude: |
+      local_file.sensitive_config
+      aws_instance.temp_resource
+  ```
+
+  - Type: string
+  - Optional
+
 * `destroy`
 
   Set to `true` to generate a plan to destroy all resources.
diff --git a/tofu-plan/action.yaml b/tofu-plan/action.yaml
index 1aa8cf95..6b8b67a2 100644
--- a/tofu-plan/action.yaml
+++ b/tofu-plan/action.yaml
@@ -50,6 +50,14 @@ inputs:
       The plan will be limited to these resources and their dependencies.
     required: false
     default: ""
+  exclude:
+    description: |
+      List of resources to exclude from operations, one per line.
+      The plan will include all resources except the specified ones and their dependencies.
+
+      Requires OpenTofu 1.9+.
+    required: false
+    default: ""
   destroy:
     description: |
       Set to `true` to generate a plan to destroy all resources.
diff --git a/tofu-refresh/README.md b/tofu-refresh/README.md
index c43d6b0e..07e39ea9 100644
--- a/tofu-refresh/README.md
+++ b/tofu-refresh/README.md
@@ -97,6 +97,21 @@ This will synchronise the OpenTofu state with the actual resources, but will not
   - Type: string
   - Optional
 
+* `exclude`
+
+  List of resources to exclude from the refresh operation, one per line.
+  The refresh will include all resources except the specified ones and their dependencies.
+
+  ```yaml
+  with:
+    exclude: |
+      local_file.sensitive_config
+      aws_instance.temp_resource
+  ```
+
+  - Type: string
+  - Optional
+
 * `parallelism`
 
   Limit the number of concurrent operations
diff --git a/tofu-refresh/action.yaml b/tofu-refresh/action.yaml
index 0e27cd8b..ad03455c 100644
--- a/tofu-refresh/action.yaml
+++ b/tofu-refresh/action.yaml
@@ -38,6 +38,12 @@ inputs:
       The refresh will be limited to these resources and their dependencies.
     required: false
     default: ""
+  exclude:
+    description: |
+      List of resources to exclude from the refresh operation, one per line.
+      The refresh will include all resources except the specified ones and their dependencies.
+    required: false
+    default: ""
   parallelism:
     description: Limit the number of concurrent operations
     required: false

From 0d312e091e7107527e78be3db8ba653c173ab834 Mon Sep 17 00:00:00 2001
From: Daniel Flook <daniel@flook.org>
Date: Mon, 9 Jun 2025 21:33:09 +0100
Subject: [PATCH 2/2] Remove blank line

---
 .../test-target-replace-exclude.yaml          | 45 +++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/.github/workflows/test-target-replace-exclude.yaml b/.github/workflows/test-target-replace-exclude.yaml
index ff3f313f..048ef2bf 100644
--- a/.github/workflows/test-target-replace-exclude.yaml
+++ b/.github/workflows/test-target-replace-exclude.yaml
@@ -626,3 +626,48 @@ jobs:
             exit 1
           fi
 
+      - name: Plan excluding resources without label
+        uses: ./tofu-plan
+        id: plan-exclude-no-label
+        with:
+          path: tests/workflows/test-target-replace-exclude
+          exclude: |
+            random_string.exclude_me
+          variables: |
+            length = 8
+
+      - name: Verify exclude plan without label
+        env:
+          CHANGES: ${{ steps.plan-exclude-no-label.outputs.changes }}
+        run: |
+          if [[ "$CHANGES" != "true" ]]; then
+            echo "::error:: Exclude plan without label should have changes for non-excluded resources"
+            exit 1
+          fi
+
+      - name: Apply excluding resources without label
+        uses: ./tofu-apply
+        id: apply-exclude-no-label
+        with:
+          path: tests/workflows/test-target-replace-exclude
+          exclude: |
+            random_string.exclude_me
+          variables: |
+            length = 8
+
+      - name: Verify exclude apply without label
+        env:
+          EXCLUDE_ME: ${{ steps.apply-exclude-no-label.outputs.exclude_me }}
+          KEEP_ME: ${{ steps.apply-exclude-no-label.outputs.keep_me }}
+        run: |
+          # Should NOT have created excluded resource
+          if [[ "$EXCLUDE_ME" != "" ]]; then
+            echo "::error:: exclude_me output should be empty (resource excluded without label)"
+            exit 1
+          fi
+
+          # Should have updated non-excluded resource
+          if [[ "$KEEP_ME" == "" ]]; then
+            echo "::error:: keep_me output should be set (resource not excluded without label)"
+            exit 1
+          fi