Merge pull request #104 from davidtabat/main

Migrate from Terraform to OpenTofu

Author: Vinai

.github/workflows/terraform-checks.yml

@@ -1,6 +1,6 @@
-name: "Terraform apply"
+name: "OpenTofu apply"
 
-concurrency: terraform-ci
+concurrency: tofu-ci
 
 on:
   push:
@@ -14,8 +14,8 @@ on:
       - main
 
 jobs:
-  terraform-apply:
-    name: "Terraform apply"
+  tofu-apply:
+    name: "OpenTofu apply"
     runs-on: ubuntu-latest
     env:
       TF_LOG: DEBUG
@@ -34,16 +34,16 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v3
+      - name: Set up OpenTofu
+        uses: opentofu/setup-opentofu@v1
 
-      - name: Terraform init
+      - name: OpenTofu init
         id: init
-        run: terraform init
+        run: tofu init
 
-      - name: Terraform validate
+      - name: OpenTofu validate
         id: validate
-        run: terraform validate -no-color
+        run: tofu validate -no-color
 
-      - name: Terraform apply
-        run: terraform apply -auto-approve
+      - name: OpenTofu apply
+        run: tofu apply -auto-approve

.github/workflows/terraform-apply.yml .github/workflows/tofu-apply.yml

@@ -0,0 +1,49 @@
+  name: "OpenTofu checks"
+
+  on:
+    pull_request:
+      paths-ignore:
+        - .gitignore
+        - "*.md"
+        - CODEOWNERS
+      branches:
+        - main
+
+  jobs:
+    tofu-checks:
+      name: "OpenTofu checks"
+      runs-on: ubuntu-latest
+      steps:
+        - name: Get pull request ref
+          id: sha
+          uses: actions/github-script@v7
+          with:
+            result-encoding: string
+            script: |
+              const { owner, repo, number } = context.issue;
+              const pr = await github.rest.pulls.get({
+                owner,
+                repo,
+                pull_number: number,
+              });
+              return pr.data.head.sha
+
+        - name: Checkout
+          uses: actions/checkout@v4
+          with:
+            ref: ${{ steps.sha.outputs.result }}
+
+        - name: Setup OpenTofu
+          uses: opentofu/setup-opentofu@v1
+
+        - name: OpenTofu Format
+          id: fmt
+          run: tofu fmt -check -diff
+
+        - name: OpenTofu Init
+          id: init
+          run: tofu init -backend=false
+
+        - name: OpenTofu Validate
+          id: validate
+          run: tofu validate -no-color

.github/workflows/tofu-checks.yml

@@ -1,14 +1,14 @@
-name: "Terraform plan"
+name: "OpenTofu plan"
 
-concurrency: terraform-ci
+concurrency: tofu-ci
 
 on:
   issue_comment:
     types: [created]
 
 jobs:
-  terraform-plan:
-    name: "Terraform plan"
+  opentofu-plan:
+    name: "OpenTofu plan"
     # This conditional acts as an access control list to prevent exposing
     # secrets to untrusted pull requests.
     if: |
@@ -49,33 +49,33 @@ jobs:
               issue_number: context.issue.number,
               owner: context.repo.owner,
               repo: context.repo.repo,
-              body: "@${{ github.actor }} Starting Terraform plan ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}",
+              body: "@${{ github.actor }} Starting OpenTofu plan ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}",
             })
 
       - name: Checkout
         uses: actions/checkout@v4
         with:
           ref: ${{ steps.ref.outputs.result }}
 
-      - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v3
+      - name: Setup OpenTofu
+        uses: opentofu/setup-opentofu@v1
 
-      - name: Terraform init
+      - name: OpenTofu init
         id: init
-        run: terraform init
+        run: tofu init
 
-      - name: Terraform plan
+      - name: OpenTofu plan
         id: plan
-        run: terraform plan -no-color
+        run: tofu plan -no-color
         continue-on-error: true
 
       - uses: actions/github-script@v7
         env:
-          PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
+          PLAN: "tofu\n${{ steps.plan.outputs.stdout }}"
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
-            const output = `#### Terraform Plan \`${{ steps.plan.outcome }}\`
+            const output = `#### OpenTofu Plan \`${{ steps.plan.outcome }}\`
 
             <details><summary>Show Plan</summary>
 
@@ -94,6 +94,6 @@ jobs:
               body: output
             })
 
-      - name: Terraform plan status
+      - name: OpenTofu plan status
         if: steps.plan.outcome == 'failure'
         run: exit 1

.github/workflows/terraform-plan.yml .github/workflows/tofu-plan.yml

@@ -1,24 +1,24 @@
-# Managing GitHub organization with Terraform
+# Managing GitHub organization with OpenTofu
 
 This setup is based on
 [hashicorp/learn-terraform-github-actions](https://github.com/hashicorp/learn-terraform-github-actions),
 but relies exclusively on GitHub Actions without communicating with Terraform
 Cloud.
 
-# 1. Cloning Terraform repository
+# 1. Cloning OpenTofu repository
 
 Clone this repository to your GitHub organization and adjust variables to your
 liking.
 
 # 2. GitHub App configuration
 
-Github App will be used by Terraform to provision organization.
+GitHub App will be used by OpenTofu to provision organization.
 
 ## Creating new GitHub App
 
-It can created by following [this guide](https://docs.github.com/en/developers/apps/building-github-apps/creating-a-github-app).
+It can be created by following [this guide](https://docs.github.com/en/developers/apps/building-github-apps/creating-a-github-app).
 Application should be limited to only one account. Permissions depend on what
-resources you plan to manage with Terraform, but sensible base is:
+resources you plan to manage with OpenTofu, but a sensible base is:
 
 - Repository/Administration - Read and write
 - Repository/Contents - Read and write
@@ -30,11 +30,11 @@ resources you plan to manage with Terraform, but sensible base is:
 - Organization/Members - Read and write
 - Organization/Projects - Admin
 
-After creating App you may need to [install it in
+After creating the App, you may need to [install it in
 organization](https://docs.github.com/en/developers/apps/managing-github-apps/installing-github-apps).
 
-Github App will use [private key](https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps)
-for authentication. In order to properly authenticate with Terraform GitHub
+GitHub App will use [private key](https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps)
+for authentication. In order to properly authenticate with OpenTofu GitHub
 provider you will need:
 
 - GitHub App ID (GitHub Action secret `GH_APP_ID`)
@@ -43,22 +43,22 @@ provider you will need:
 
 ## Getting GitHub App node ID
 
-Node ID is used in GraphQL API. Some Terraform resources like
-[github_branch_protection](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_protection)
-may require node IDs for access control lists. Knowing you App node ID will be
-handy, when you want to allow some actions only to it. While there maybe some
-better way of getting node ID, you can use your newly created App to query
-itself for node ID. First generate [JWT token](https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-a-github-app)
+Node ID is used in GraphQL API. Some OpenTofu resources like
+[github_branch_protection](https://search.opentofu.org/provider/hashicorp/github/latest/docs/resources/branch_protection)
+may require node IDs for access control lists. Knowing your App node ID will be
+handy, when you want to allow some actions only to it. While there may be some
+better way of getting the node ID, you can use your newly created App to query
+itself for node ID. First, generate [JWT token](https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-a-github-app)
 and then [query /app endpoint](https://docs.github.com/en/rest/reference/apps).
 
 # 3. Configuring state backend
 
-Terraform requires backend to store configuration state. This example repository
-uses OpenStack Swift. Consult [Terraform documentation](https://www.terraform.io/language/settings/backends)
+OpenTofu requires a backend to store configuration state. This example repository
+uses OpenStack Swift. Consult [OpenTofu documentation](https://opentofu.org/docs/language/settings/backends/configuration/)
 and choose your preferred backend. Keep in mind that you will also have to pass
 access credentials as GitHub secrets in order to use it.
 
-# 4. Configuring Terraform repository secrets
+# 4. Configuring OpenTofu repository secrets
 
 Visit `Repository` -> `Settings` -> `Secrets` -> `Actions` and ensure that at
 least the following variables are configured:
@@ -76,12 +76,12 @@ least the following variables are configured:
 
 Workflows are divided into 3 files:
 
-- `.github/workflows/terraform-checks.yml` - Validates pull request without
+- `.github/workflows/tofu-checks.yml` - Validates pull request without
   accessing repository secrets.
-- `.github/workflows/terraform-plan.yml` - Generates Terraform plan. This
-  workflow is launched only after user whitelisted in file comments pull request
-  with _/plan_ message. It ensures that untrusted code from pull request won't
+- `.github/workflows/tofu-plan.yml` - Generates OpenTofu plan. This
+  workflow is launched only after a user whitelists in file comments pull request
+  with the _/plan_ message. It ensures that untrusted code from pull requests won't
   be run automatically with repository secrets. See [this article](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
   for more details.
-- `.github/workflows/terraform-apply.yml` - Enforces state after pushing code to
-  main branch.
+- `.github/workflows/tofu-apply.yml` - Enforces state after pushing code to
+  the main branch.