Add tests

.gitlab-ci.yml

@@ -6,25 +6,31 @@
 #
 # stages: [build, test, release]
 
+include: 
+  - local: tests/unit-tests.gitlab-ci.yml
+
 stages:
   - build
+  - test
 
-.versions:
+.opentofu-versions:
   parallel:
     matrix:
       - OPENTOFU_VERSION: '1.6.0'
       - OPENTOFU_VERSION: '1.6.0-rc1'
 
 variables:
+  # OpenTofu variables
+  STABLE_OPENTOFU_VERSION: '1.6.0'
+
   # OpenTofu image build variables:
   DOCKER_DIND_IMAGE: "docker:24.0.7-dind"
   PLATFORMS: linux/amd64,linux/arm64
   BASE_IMAGE: "alpine:3.18.4"
   GITLAB_OPENTOFU_IMAGE_NAME: "$CI_REGISTRY_IMAGE/internal/gitlab-opentofu-$OPENTOFU_VERSION:$CI_COMMIT_SHA"
 
-
 gitlab-opentofu-image:
-  extends: .versions
+  extends: .opentofu-versions
   stage: build
   services:
     - "$DOCKER_DIND_IMAGE"

Dockerfile

@@ -23,8 +23,8 @@ RUN curl --proto '=https' --tlsv1.2 -fsSL https://get.opentofu.org/install-opent
 
 WORKDIR /
 
-COPY assets/gitlab-opentofu.sh /usr/bin/gitlab-opentofu
-RUN chmod +x /usr/bin/gitlab-opentofu
+COPY assets/gitlab-tofu.sh /usr/bin/gitlab-tofu
+RUN chmod +x /usr/bin/gitlab-tofu
 
 # Override ENTRYPOINT
 ENTRYPOINT []

tests/Test-Terraform.gitlab-ci.yml

+workflow:
+  rules:
+    - if: '$CI_PROJECT_PATH == "gitlab-org/terraform-images"'
+
+include:
+  - template: Terraform.gitlab-ci.yml
+
+image: "$IMAGE"
+
+# The `terraform apply` should always happen for the integration tests.
+# This prevents stalled manual pipelines, but more importantly tests
+# the `apply` wrapper.
+deploy:
+  rules:
+    - when: always
+
+destroy:
+  extends: .terraform:destroy
+  rules:
+    - when: always

tests/Test-Terraform.latest.gitlab-ci.yml

+workflow:
+  rules:
+    - if: '$CI_PROJECT_PATH == "gitlab-org/terraform-images"'
+
+include:
+  - template: Terraform.latest.gitlab-ci.yml
+
+default:
+  image: "$IMAGE"
+
+.run-always:
+  rules:
+    - when: always
+
+fmt:
+  rules: !reference [.run-always, rules]
+
+validate:
+  rules: !reference [.run-always, rules]
+
+build:
+  rules: !reference [.run-always, rules]
+
+# The `terraform apply` should always happen for the integration tests.
+# This prevents stalled manual pipelines, but more importantly tests
+# the `apply` wrapper.
+deploy:
+  rules: !reference [.run-always, rules]
+
+destroy:
+  extends: .terraform:destroy
+  rules: !reference [.run-always, rules]

tests/terraform/backend.tf

+terraform {
+  backend "http" {}
+}

tests/terraform/main.tf

+module "random_pet" {
+  source = "./modules/random-pet"
+}
+
+resource "local_file" "foo" {
+  content  = "foo!"
+  filename = "${path.module}/foo.bar"
+}
+
+variable "CI_PROJECT_NAME" {
+  type    = string
+  default = "default"
+}
+
+output "project_name" {
+  value = var.CI_PROJECT_NAME
+}

tests/terraform/modules/random-pet/main.tf

+terraform {
+  required_providers {
+    random = {
+      source  = "hashicorp/random"
+      version = "3.1.2"
+    }
+  }
+}
+
+provider "random" {}
+
+resource "random_pet" "random_pet" {
+  length = var.length
+}

tests/terraform/modules/random-pet/outputs.tf

+output "random_pet" {
+  value = random_pet.random_pet.id
+}

tests/terraform/modules/random-pet/variables.tf

+variable "length" {
+  default = 1
+  type    = number
+}
\ No newline at end of file

tests/unit-tests.gitlab-ci.yml

+.tofu-test-base:
+  image: "$GITLAB_OPENTOFU_IMAGE_NAME"
+  variables:
+    TF_STATE_NAME: ci-unit-$CI_JOB_ID
+  before_script:
+    - gitlab-tofu version
+    - jq --version
+  cache:
+    key: "$OPENTOFU_VERSION-$CI_COMMIT_REF_SLUG"
+    paths:
+      - tests/terraform/.terraform/
+
+.tofu-test:
+  extends:
+    - .tofu-test-base
+  before_script:
+    - !reference [.tofu-test-base, before_script]
+    - cd tests/terraform
+
+.test-tofu-root:
+  extends:
+    - .tofu-test-base
+  variables:
+    TF_ROOT: tests/terraform
+
+tofu-test-init:
+  extends:
+    - .tofu-test
+    - .opentofu-versions
+  stage: test
+  script:
+    - export DEBUG_OUTPUT=true
+    - gitlab-tofu init
+
+tofu-test-init-with-args:
+  extends:
+    - .tofu-test
+    - .opentofu-versions
+  stage: test
+  script:
+    - export DEBUG_OUTPUT=true
+    - gitlab-tofu init -get=true -no-color
+
+tofu-test-init-with-flags:
+  extends:
+    - .tofu-test
+    - .opentofu-versions
+  stage: test
+  script:
+    - export DEBUG_OUTPUT=true
+    - export TF_INIT_FLAGS="-get=true -no-color"
+    - gitlab-tofu init
+
+tofu-test-init-with-flags-and-args:
+  extends:
+    - .tofu-test
+    - .opentofu-versions
+  stage: test
+  script:
+    - export DEBUG_OUTPUT=true
+    - export TF_INIT_FLAGS="-get=true"
+    - gitlab-tofu init -no-color
+
+tofu-test-init-tf-root:
+  extends:
+    - .test-tofu-root
+    - .opentofu-versions
+  stage: test
+  script:
+    - export DEBUG_OUTPUT=true
+    - gitlab-tofu init
+
+tofu-test-init-tf-root-with-cd:
+  extends:
+    - .test-tofu-root
+    - .opentofu-versions
+  stage: test
+  script:
+    - cd tests/terraform
+    - export DEBUG_OUTPUT=true
+    - gitlab-tofu init
+
+tofu-test-init-tf-root-with-args:
+  extends:
+    - .test-tofu-root
+    - .opentofu-versions
+  stage: test
+  script:
+    - export DEBUG_OUTPUT=true
+    - gitlab-tofu init -get=true -no-color
+
+tofu-test-init-tf-root-with-flags:
+  extends:
+    - .test-tofu-root
+    - .opentofu-versions
+  stage: test
+  script:
+    - export DEBUG_OUTPUT=true
+    - export TF_INIT_FLAGS="-get=true -no-color"
+    - gitlab-tofu init
+
+tofu-test-init-tf-root-with-flags-and-args:
+  extends:
+    - .test-tofu-root
+    - .opentofu-versions
+  stage: test
+  script:
+    - export DEBUG_OUTPUT=true
+    - export TF_INIT_FLAGS="-get=true"
+    - gitlab-tofu init -no-color
+
+tofu-test-init-without-reconfigure:
+  extends:
+    - .test-tofu-root
+    - .opentofu-versions
+  stage: test
+  script:
+    - gitlab-tofu init
+    - |
+      cat <<EOF > $TF_ROOT/backend_override.tf
+      terraform {
+        backend "local" {}
+      }
+      EOF
+    - export TF_INIT_NO_RECONFIGURE=true
+    - FAILED=false
+    - gitlab-tofu init -no-color >/tmp/output.txt 2>&1 || FAILED=true
+    - cat /tmp/output.txt
+    - test $FAILED = true
+    - 'cat /tmp/output.txt | grep "Error: Backend configuration changed"'
+
+tofu-test-init-with-reconfigure:
+  extends:
+    - .test-tofu-root
+    - .opentofu-versions
+  stage: test
+  script:
+    - gitlab-tofu init
+    - |
+      cat <<EOF > $TF_ROOT/backend_override.tf
+      terraform {
+        backend "local" {}
+      }
+      EOF
+    - gitlab-tofu init
+
+tofu-test-init-with-prepared-registry-token:
+  extends:
+    - .tofu-test
+  stage: test
+  variables:
+    OPENTOFU_VERSION: $STABLE_OPENTOFU_VERSION
+  script:
+    - apk add --update $PKG
+    - |
+      cat <<'EOF' > test.sh
+      set -x
+      export TF_TOKEN_gitlab_com=mysecrettoken
+      . $(which gitlab-tofu)
+      terraform_authenticate_private_registry
+      test "$TF_TOKEN_gitlab_com" = "mysecrettoken"
+      EOF
+    - $SHELL test.sh
+  parallel:
+    matrix:
+      - SHELL: "bash"
+        PKG: "bash"
+      - SHELL: "zsh"
+        PKG: "zsh"
+      - SHELL: "ksh"
+        PKG: "loksh"
+
+tofu-test-init-without-prepared-registry-token:
+  extends:
+    - .tofu-test
+  stage: test
+  variables:
+    OPENTOFU_VERSION: $STABLE_OPENTOFU_VERSION
+  script:
+    - apk add --update $PKG
+    - |
+      cat <<'EOF' > test.sh
+      set -x
+      . $(which gitlab-tofu)
+      terraform_authenticate_private_registry
+      test -n "$TF_TOKEN_gitlab_com"
+      EOF
+    - $SHELL test.sh
+  parallel:
+    matrix:
+      - SHELL: "bash"
+        PKG: "bash"
+      - SHELL: "zsh"
+        PKG: "zsh"
+      - SHELL: "ksh"
+        PKG: "loksh"
+
+tofu-test-fmt:
+  extends:
+    - .tofu-test
+    - .opentofu-versions
+  stage: test
+  script:
+    - gitlab-tofu fmt
+
+tofu-test-validate:
+  extends:
+    - .tofu-test
+    - .opentofu-versions
+  stage: test
+  script:
+    - gitlab-tofu validate
+
+tofu-test-plan:
+  extends:
+    - .tofu-test
+    - .opentofu-versions
+  stage: test
+  variables:
+    TF_PLAN_CACHE: $OPENTOFU_VERSION-plan.cache
+  script:
+    - gitlab-tofu plan
+    - if [[ ! -f "$OPENTOFU_VERSION-plan.cache" ]]; then echo "expected to find a plan.cache file"; exit 1; fi
+    - gitlab-tofu plan-json
+    - if [[ ! -f "plan.json" ]]; then echo "expected to find a plan.json file"; exit 1; fi
+  artifacts:
+    paths:
+      - "tests/terraform/*-plan.cache"
+
+tofu-test-apply:
+  extends:
+    - .tofu-test
+    - .opentofu-versions
+  stage: test
+  needs: [tofu-test-plan]
+  variables:
+    TF_PLAN_CACHE: $OPENTOFU_VERSION-plan.cache
+  script:
+    - gitlab-tofu apply
+
+tofu-test-destroy:
+  extends:
+    - .tofu-test
+    - .opentofu-versions
+  stage: test
+  needs: [tofu-test-apply]
+  script:
+    - gitlab-tofu destroy
+
+tofu-test-source-script:
+  extends:
+    - .tofu-test
+  stage: test
+  variables:
+    OPENTOFU_VERSION: $STABLE_OPENTOFU_VERSION
+  before_script:
+    - !reference [.tofu-test-base, before_script]
+    - apk add --update $PKG
+  script:
+    - |
+      cat <<'EOF' > test.sh
+      set -x
+      test -z "$TF_GITLAB_SOURCED"
+      . $(which gitlab-tofu)
+      test $TF_GITLAB_SOURCED
+      EOF
+    - |
+      mkdir /usr/local/sbin
+      cat <<'EOF' > /usr/local/sbin/terraform
+      #/!usr/bin/env sh -e
+      echo "Called Terraform, but shouldn't have!!"
+      false
+      EOF
+      chmod +x /usr/local/sbin/terraform
+    - $SHELL test.sh
+  parallel:
+    matrix:
+      - SHELL: "bash"
+        PKG: "bash"
+      - SHELL: "zsh"
+        PKG: "zsh"
+      - SHELL: "ksh"
+        PKG: "loksh"
+
+tofu-test-without-implicit-init:
+  extends:
+    - .tofu-test
+  stage: test
+  cache:
+  variables:
+    OPENTOFU_VERSION: $STABLE_OPENTOFU_VERSION
+    STATE_NAME: $CI_JOB_NAME
+  script:
+    - export TF_IMPLICIT_INIT=false
+    - FAILED=false
+    - gitlab-tofu $CMD -no-color >/tmp/output.txt 2>&1 || FAILED=true
+    - cat /tmp/output.txt
+    - test $FAILED = true
+    - 'cat /tmp/output.txt | grep "$ERROR"'
+  parallel:
+    matrix:
+      - CMD: apply
+        ERROR: 'Error: Failed to load "plan.cache" as a plan'
+      - CMD: destroy
+        ERROR: 'Error: Backend initialization required, please run "tofu init"'
+      - CMD: plan
+        ERROR: 'Error: Backend initialization required, please run "tofu init"'
+      - CMD: validate
+        ERROR: 'Run "tofu init" to install all modules'
+
+tofu-test-no-wrapper:
+  extends:
+    - .tofu-test
+  stage: test
+  cache:
+  variables:
+    OPENTOFU_VERSION: $STABLE_OPENTOFU_VERSION
+    STATE_NAME: $CI_JOB_NAME
+  script:
+    # NOTE: running `gitlab-tofu apply` wouldn't fail
+    #       because of the implicit `terraform init`.
+    - FAILED=false
+    - gitlab-tofu -- apply -no-color >/tmp/output.txt 2>&1 || FAILED=true
+    - cat /tmp/output.txt
+    - test $FAILED = true
+    - 'cat /tmp/output.txt | grep "Error: Backend initialization required, please run \"tofu init\""'
+
+# tofu-integration-test-template:
+#   stage: test-integration
+#   variables:
+#     IMAGE: $TOFU_IMAGE_NAME
+#     # Hard-coded for now since there's no tofu stable version yet
+#     TOFU_VERSION: "1.6"
+#     TF_STATE_NAME: ci-tofu-integration-test-template-$CI_PIPELINE_IID-$CI_NODE_INDEX
+#     TF_ROOT: tests
+#   trigger:
+#     include: .gitlab/integration-test/Test-$TEMPLATE
+#     strategy: depend
+#   rules:
+#     - if: '$CI_PROJECT_PATH == "gitlab-org/terraform-images"'
+#     - if: '$CI_MERGE_REQUEST_EVENT_TYPE == "merge_train"'
+#   parallel:
+#     matrix:
+#       - TEMPLATE: [Terraform.gitlab-ci.yml, Terraform.latest.gitlab-ci.yml]