feat: Add OpenTofu (#161)

terramate-io · May 4, 2024 · 09a6c16 · 09a6c16
2 parents a722008 + 0b83549
commit 09a6c16
Show file tree

Hide file tree

Showing 39 changed files with 320 additions and 85 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -38,6 +38,11 @@ jobs:
           asdf plugin add terraform
           asdf install terraform
 
+      - name: Install OpenTofu with asdf
+        run: |
+          asdf plugin add opentofu
+          asdf install opentofu
+
       ### Check for changed stacks
 
       - name: List changed stacks
@@ -69,7 +74,7 @@ jobs:
             -C stacks \
             --parallel 1 \
             --changed \
-            terraform init
+            init
         env:
           GITHUB_TOKEN: ${{ github.token }}
 
@@ -81,7 +86,7 @@ jobs:
             -C stacks \
             --parallel 5 \
             --changed \
-            terraform deploy
+            deploy
         env:
           GITHUB_TOKEN: ${{ github.token }}
 
@@ -92,6 +97,6 @@ jobs:
             -C stacks \
             --parallel 5 \
             --changed \
-            terraform drift detect
+            drift detect
         env:
           GITHUB_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/drift-detection.yml b/.github/workflows/drift-detection.yml
@@ -40,6 +40,11 @@ jobs:
           asdf plugin add terraform
           asdf install terraform
 
+      - name: Install OpenTofu with asdf
+        run: |
+          asdf plugin add opentofu
+          asdf install opentofu
+
       ### Configure cloud credentials
 
       - name: Configure AWS credentials
@@ -61,7 +66,7 @@ jobs:
           terramate script run \
             -C stacks \
             --parallel 1 \
-            terraform init
+            init
         env:
           GITHUB_TOKEN: ${{ github.token }}
 
@@ -73,7 +78,7 @@ jobs:
             --parallel 5 \
             --continue-on-error \
             -- \
-            terraform drift detect
+            drift detect
         env:
           GITHUB_TOKEN: ${{ github.token }}
 
@@ -87,6 +92,6 @@ jobs:
             --parallel 5 \
             --continue-on-error \
             -- \
-            terraform drift reconcile
+            drift reconcile
         env:
           GITHUB_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/preview.yml b/.github/workflows/preview.yml
@@ -41,7 +41,7 @@ jobs:
       ### Install tooling
 
       - name: Install Terramate
-        uses: terramate-io/terramate-action@v1
+        uses: terramate-io/terramate-action@v2
 
       - name: Install asdf
         uses: asdf-vm/actions/setup@v3
@@ -51,6 +51,11 @@ jobs:
           asdf plugin add terraform
           asdf install terraform
 
+      - name: Install OpenTofu with asdf
+        run: |
+          asdf plugin add opentofu
+          asdf install opentofu
+
       ### Linting
 
       - name: Check Terramate formatting
@@ -90,7 +95,7 @@ jobs:
             -C stacks \
             --changed \
             --parallel 1 \
-            terraform init
+            init
         env:
           GITHUB_TOKEN: ${{ github.token }}
 
@@ -103,7 +108,7 @@ jobs:
             --parallel 5 \
             --continue-on-error \
             -- \
-            terraform preview
+            preview
         env:
           GITHUB_TOKEN: ${{ github.token }}
 
@@ -115,20 +120,25 @@ jobs:
         run: |
           echo >>pr-comment.txt "## Preview of Terraform changes in ${{ github.event.pull_request.head.sha }}"
           echo >>pr-comment.txt
-          echo >>pr-comment.txt "[:mag: View Details on Terramate Cloud](https://cloud.terramate.io/o/terramate-demo/review-requests)"
+          echo >>pr-comment.txt '> [!TIP]'
+          echo >>pr-comment.txt '> [:mag: View all Preview Details on Terramate Cloud](https://cloud.terramate.io/o/terramate-demo/review-requests)'
+          echo >>pr-comment.txt
+          terramate script run --changed safe-guard >>pr-comment.txt
           echo >>pr-comment.txt
           echo >>pr-comment.txt "### Changed Stacks"
           echo >>pr-comment.txt
           echo >>pr-comment.txt '```bash'
           echo >>pr-comment.txt "${{ steps.list-changed.outputs.stdout }}"
           echo >>pr-comment.txt '```'
           echo >>pr-comment.txt
-          echo >>pr-comment.txt "#### Terraform Plan"
+          echo >>pr-comment.txt "#### Terraform Plans"
           echo >>pr-comment.txt
-          echo >>pr-comment.txt '```terraform'
-          terramate run -C stacks --changed -- terraform show -no-color out.tfplan |& dd bs=1024 count=248 >>pr-comment.txt
+          terramate script run --changed -- terraform render | dd bs=1024 count=248 >>pr-comment.txt
           [ "${PIPESTATUS[0]}" == "141" ] && sed -i 's/#### Terraform Plan/#### :warning: Terraform Plan truncated: please check console output :warning:/' pr-comment.txt
-          echo >>pr-comment.txt '```'
+          echo >>pr-comment.txt "#### OpenTofu Plans"
+          echo >>pr-comment.txt
+          terramate script run --changed -- tofu render | dd bs=1024 count=248 >>pr-comment.txt
+          [ "${PIPESTATUS[0]}" == "141" ] && sed -i 's/#### OpenTofu Plan/#### :warning: OpenTofu Plan truncated: please check console output :warning:/' pr-comment.txt
           cat pr-comment.txt >>$GITHUB_STEP_SUMMARY
 
       - name: Generate preview when no stacks changed
@@ -146,7 +156,10 @@ jobs:
         run: |
           echo >>pr-comment.txt "## Preview of Terraform changes in ${{ github.event.pull_request.head.sha }}"
           echo >>pr-comment.txt
-          echo >>pr-comment.txt "[:mag: View Details on Terramate Cloud](https://cloud.terramate.io/o/terramate-demo/review-requests)"
+          echo >>pr-comment.txt '> [!TIP]'
+          echo >>pr-comment.txt '> [:mag: View all Preview Details on Terramate Cloud](https://cloud.terramate.io/o/terramate-demo/review-requests)'
+          echo >>pr-comment.txt
+          terramate script run --changed safe-guard >>pr-comment.txt
           echo >>pr-comment.txt
           echo >>pr-comment.txt "### Changed Stacks"
           echo >>pr-comment.txt

diff --git a/.tool-versions b/.tool-versions
@@ -1,3 +1,4 @@
 terraform 1.7.5
 terramate 0.8.0
 pre-commit 3.6.2
+opentofu 1.6.2
diff --git a/_bootstrap/terraform-state-bucket/config.tm.hcl b/_bootstrap/terraform-state-bucket/config.tm.hcl
@@ -35,7 +35,7 @@ generate_hcl "_main.tf" {
     }
 
     resource "aws_dynamodb_table" "terraform-lock" {
-      name           = tm_try(global.terraform.backend.dyanmodb_table, "terraform_state")
+      name           = tm_try(global.terraform.backend.dynamodb_table, "terraform-lock")
       read_capacity  = 5
       write_capacity = 5
       hash_key       = "LockID"

diff --git a/config.tm.hcl b/config.tm.hcl
@@ -3,9 +3,8 @@ globals "terraform" {
 }
 
 globals "terraform" "backend" {
-  bucket         = "terramate-example-terraform-state-backend"
-  dyanmodb_table = "terraform-lock"
-  region         = "us-east-1"
+  bucket = "terramate-example-terraform-state-backend"
+  region = "us-east-1"
 }
 
 globals "aws" "oidc" {

diff --git a/imports/mixins/backend.tm.hcl b/imports/mixins/backend.tm.hcl
@@ -6,9 +6,9 @@ generate_hcl "backend.tf" {
       backend "s3" {
         region         = global.terraform.backend.region
         bucket         = global.terraform.backend.bucket
-        key            = "terraform/stacks/by-id/${terramate.stack.id}/terraform.tfstate"
+        key            = tm_try(global.terraform.backend.key, "terraform/stacks/by-id/${terramate.stack.id}/terraform.tfstate")
         encrypt        = true
-        dynamodb_table = tm_try(global.terraform.backend.dyanmodb_table, "terraform-lock")
+        dynamodb_table = tm_try(global.terraform.backend.dynamodb_table, "terraform-lock")
       }
     }
   }

diff --git a/scripts/script_tofu_deploy.tm b/scripts/script_tofu_deploy.tm
@@ -0,0 +1,18 @@
+script "tofu" "deploy" {
+  name        = "OpenTofu Deployment"
+  description = "Run a full OpenTofu deployment cycle and synchronize the result to Terramate Cloud."
+
+  job {
+    name        = "OpenTofu Apply"
+    description = "Initialize, validate, plan, and apply OpenTofu changes."
+    commands = [
+      ["tofu", "init", "-lock-timeout=5m"],
+      ["tofu", "validate"],
+      ["tofu", "plan", "-out", "plan.tfplan", "-lock=false"],
+      ["tofu", "apply", "-input=false", "-auto-approve", "-lock-timeout=5m", "plan.tfplan", {
+        sync_deployment = true
+        tofu_plan_file  = "plan.tfplan"
+      }],
+    ]
+  }
+}
diff --git a/scripts/script_tofu_detect_drift.tm b/scripts/script_tofu_detect_drift.tm
@@ -0,0 +1,16 @@
+script "tofu" "detect-drift" {
+  name        = "OpenTofu Drift Check"
+  description = "Detect drifts in OpenTofu configuration and synchronize it to Terramate Cloud."
+
+  job {
+    name        = "OpenTofu Plan"
+    description = "Initialize, validate, and plan OpenTofu changes."
+    commands = [
+      ["tofu", "init", "-lock-timeout=5m"],
+      ["tofu", "plan", "-out", "drift.tfplan", "-detailed-exitcode", "-lock=false", {
+        sync_drift_status = true
+        tofu_plan_file    = "drift.tfplan"
+      }],
+    ]
+  }
+}
diff --git a/scripts/script_tofu_preview.tm b/scripts/script_tofu_preview.tm
@@ -0,0 +1,17 @@
+script "tofu" "preview" {
+  name        = "OpenTofu Deployment Preview"
+  description = "Create a preview of OpenTofu Changes and synchronize it to Terramate Cloud."
+
+  job {
+    name        = "OpenTofu Plan"
+    description = "Initialize, validate, and plan OpenTofu changes."
+    commands = [
+      ["tofu", "init", "-lock-timeout=5m"],
+      ["tofu", "validate"],
+      ["tofu", "plan", "-out", "preview.tfplan", "-detailed-exitcode", "-lock=false", {
+        sync_preview   = true
+        tofu_plan_file = "preview.tfplan"
+      }],
+    ]
+  }
+}
diff --git a/stacks/opentofu/config.tm.hcl b/stacks/opentofu/config.tm.hcl
@@ -0,0 +1,7 @@
+globals "terraform" "backend" {
+  key = "opentofu/stacks/by-id/${terramate.stack.id}/opentofu.tfstate"
+}
+
+globals "terraform" {
+  version = "1.6.2"
+}
diff --git a/stacks/opentofu/empty/backend.tf b/stacks/opentofu/empty/backend.tf
@@ -0,0 +1,11 @@
+// TERRAMATE: GENERATED AUTOMATICALLY DO NOT EDIT
+
+terraform {
+  backend "s3" {
+    bucket         = "terramate-example-terraform-state-backend"
+    dynamodb_table = "terraform-lock"
+    encrypt        = true
+    key            = "opentofu/stacks/by-id/f50a9ef3-c5de-48ab-8acf-a60d91bfef7b/opentofu.tfstate"
+    region         = "us-east-1"
+  }
+}
diff --git a/stacks/opentofu/empty/stack.tm.hcl b/stacks/opentofu/empty/stack.tm.hcl
@@ -0,0 +1,5 @@
+stack {
+  name        = "Empty Stack"
+  description = "An empty OpenTofu Stack"
+  id          = "f50a9ef3-c5de-48ab-8acf-a60d91bfef7b"
+}
diff --git a/stacks/opentofu/empty/terraform.tf b/stacks/opentofu/empty/terraform.tf
@@ -0,0 +1,16 @@
+// TERRAMATE: GENERATED AUTOMATICALLY DO NOT EDIT
+
+terraform {
+  required_version = "1.6.2"
+}
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.31"
+    }
+  }
+}
+provider "aws" {
+  region = "us-east-1"
+}
diff --git a/stacks/opentofu/workflows.tm.hcl b/stacks/opentofu/workflows.tm.hcl
@@ -0,0 +1,90 @@
+script "init" {
+  name        = "OpenTofu Init"
+  description = "Downloads the required provider plugins and modules and setting up the backend"
+
+  job {
+    commands = [
+      ["tofu", "init", "-lock-timeout=5m"],
+    ]
+  }
+}
+
+script "preview" {
+  name        = "OpenTofu Deployment Preview"
+  description = "Create a preview of OpenTofu Changes and synchronize it to Terramate Cloud."
+
+  job {
+    commands = [
+      ["tofu", "validate"],
+      ["tofu", "plan", "-out", "out.tfplan", "-detailed-exitcode", "-lock=false", {
+        sync_preview   = true
+        tofu_plan_file = "out.tfplan"
+      }],
+    ]
+  }
+}
+
+script "deploy" {
+  name        = "OpenTofu Deployment"
+  description = "Run a full OpenTofu deployment cycle and synchronize the result to Terramate Cloud."
+
+  job {
+    commands = [
+      ["tofu", "validate"],
+      ["tofu", "plan", "-out", "out.tfplan", "-lock=false"],
+      ["tofu", "apply", "-input=false", "-auto-approve", "-lock-timeout=5m", "out.tfplan", {
+        sync_deployment = true
+        tofu_plan_file  = "out.tfplan"
+      }],
+    ]
+  }
+}
+
+script "drift" "detect" {
+  name        = "OpenTofu Drift Check"
+  description = "Detect drifts in OpenTofu configuration and synchronize it to Terramate Cloud."
+
+  job {
+    commands = [
+      ["tofu", "plan", "-out", "out.tfplan", "-detailed-exitcode", "-lock=false", {
+        sync_drift_status = true
+        tofu_plan_file    = "out.tfplan"
+      }],
+    ]
+  }
+}
+
+script "drift" "reconcile" {
+  name        = "OpenTofu Drift Reconciliation"
+  description = "Reconciles drifts in all changed stacks."
+
+  job {
+    commands = [
+      ["tofu", "plan", "-out", "drift.tfplan", "-detailed-exitcode", "-lock=false", {
+        sync_drift_status = true
+        tofu_plan_file    = "drift.tfplan"
+      }],
+    ]
+  }
+}
+
+script "tofu" "render" {
+  name        = "OpenTofu Show Plan"
+  description = "Renders a OpenTofu Plan."
+
+  job {
+    commands = [
+      ["echo", "Stack: `${terramate.stack.path.absolute}`"],
+      ["echo", "```terraform"],
+      ["tofu", "show", "-no-color", "out.tfplan"],
+      ["echo", "```"],
+    ]
+  }
+}
+
+
+script "safe-guard" {
+  job {
+    command = ["true"]
+  }
+}
diff --git a/stacks/config.tm.hcl → stacks/terraform/config.tm.hcl b/stacks/config.tm.hcl → stacks/terraform/config.tm.hcl
diff --git a/stacks/prod/config.tm.hcl → stacks/terraform/prod/config.tm.hcl b/stacks/prod/config.tm.hcl → stacks/terraform/prod/config.tm.hcl
diff --git a/stacks/prod/us-east-1/alb/alb.tf → stacks/terraform/prod/us-east-1/alb/alb.tf b/stacks/prod/us-east-1/alb/alb.tf → stacks/terraform/prod/us-east-1/alb/alb.tf
diff --git a/stacks/prod/us-east-1/alb/backend.tf → ...s/terraform/prod/us-east-1/alb/backend.tf b/stacks/prod/us-east-1/alb/backend.tf → ...s/terraform/prod/us-east-1/alb/backend.tf
diff --git a/stacks/prod/us-east-1/alb/import.tm.hcl → ...erraform/prod/us-east-1/alb/import.tm.hcl b/stacks/prod/us-east-1/alb/import.tm.hcl → ...erraform/prod/us-east-1/alb/import.tm.hcl
diff --git a/stacks/prod/us-east-1/alb/stack.tm.hcl → ...terraform/prod/us-east-1/alb/stack.tm.hcl b/stacks/prod/us-east-1/alb/stack.tm.hcl → ...terraform/prod/us-east-1/alb/stack.tm.hcl
diff --git a/stacks/prod/us-east-1/alb/terraform.tf → ...terraform/prod/us-east-1/alb/terraform.tf b/stacks/prod/us-east-1/alb/terraform.tf → ...terraform/prod/us-east-1/alb/terraform.tf
diff --git a/.../us-east-1/ecs-fargate-cluster/backend.tf → .../us-east-1/ecs-fargate-cluster/backend.tf b/.../us-east-1/ecs-fargate-cluster/backend.tf → .../us-east-1/ecs-fargate-cluster/backend.tf
diff --git a/...cs-fargate-cluster/ecs-fargate-cluster.tf → ...cs-fargate-cluster/ecs-fargate-cluster.tf b/...cs-fargate-cluster/ecs-fargate-cluster.tf → ...cs-fargate-cluster/ecs-fargate-cluster.tf
diff --git a/...-east-1/ecs-fargate-cluster/import.tm.hcl → ...-east-1/ecs-fargate-cluster/import.tm.hcl b/...-east-1/ecs-fargate-cluster/import.tm.hcl → ...-east-1/ecs-fargate-cluster/import.tm.hcl
diff --git a/...s-east-1/ecs-fargate-cluster/stack.tm.hcl → ...s-east-1/ecs-fargate-cluster/stack.tm.hcl b/...s-east-1/ecs-fargate-cluster/stack.tm.hcl → ...s-east-1/ecs-fargate-cluster/stack.tm.hcl
diff --git a/...s-east-1/ecs-fargate-cluster/terraform.tf → ...s-east-1/ecs-fargate-cluster/terraform.tf b/...s-east-1/ecs-fargate-cluster/terraform.tf → ...s-east-1/ecs-fargate-cluster/terraform.tf
diff --git a/...t-1/ecs-fargate-services/nginx/backend.tf → ...t-1/ecs-fargate-services/nginx/backend.tf b/...t-1/ecs-fargate-services/nginx/backend.tf → ...t-1/ecs-fargate-services/nginx/backend.tf
diff --git a/...ate-services/nginx/ecs_fargate_service.tf → ...ate-services/nginx/ecs_fargate_service.tf b/...ate-services/nginx/ecs_fargate_service.tf → ...ate-services/nginx/ecs_fargate_service.tf
diff --git a/.../ecs-fargate-services/nginx/import.tm.hcl → .../ecs-fargate-services/nginx/import.tm.hcl b/.../ecs-fargate-services/nginx/import.tm.hcl → .../ecs-fargate-services/nginx/import.tm.hcl
diff --git a/...1/ecs-fargate-services/nginx/stack.tm.hcl → ...1/ecs-fargate-services/nginx/stack.tm.hcl b/...1/ecs-fargate-services/nginx/stack.tm.hcl → ...1/ecs-fargate-services/nginx/stack.tm.hcl
diff --git a/...1/ecs-fargate-services/nginx/terraform.tf → ...1/ecs-fargate-services/nginx/terraform.tf b/...1/ecs-fargate-services/nginx/terraform.tf → ...1/ecs-fargate-services/nginx/terraform.tf
diff --git a/stacks/prod/us-east-1/vpc/backend.tf → ...s/terraform/prod/us-east-1/vpc/backend.tf b/stacks/prod/us-east-1/vpc/backend.tf → ...s/terraform/prod/us-east-1/vpc/backend.tf
diff --git a/stacks/prod/us-east-1/vpc/import.tm.hcl → ...erraform/prod/us-east-1/vpc/import.tm.hcl b/stacks/prod/us-east-1/vpc/import.tm.hcl → ...erraform/prod/us-east-1/vpc/import.tm.hcl
diff --git a/stacks/prod/us-east-1/vpc/stack.tm.hcl → ...terraform/prod/us-east-1/vpc/stack.tm.hcl b/stacks/prod/us-east-1/vpc/stack.tm.hcl → ...terraform/prod/us-east-1/vpc/stack.tm.hcl
diff --git a/stacks/prod/us-east-1/vpc/terraform.tf → ...terraform/prod/us-east-1/vpc/terraform.tf b/stacks/prod/us-east-1/vpc/terraform.tf → ...terraform/prod/us-east-1/vpc/terraform.tf
diff --git a/stacks/prod/us-east-1/vpc/vpc.tf → stacks/terraform/prod/us-east-1/vpc/vpc.tf b/stacks/prod/us-east-1/vpc/vpc.tf → stacks/terraform/prod/us-east-1/vpc/vpc.tf