From a6bc5c554914181a4d151fc9a8fd648d0dab74d5 Mon Sep 17 00:00:00 2001 From: Timo Furrer <tfurrer@gitlab.com> Date: Wed, 13 Nov 2024 15:36:37 +0100 Subject: [PATCH] Deprecate `TF_STATE_NAME` and introduce `GITLAB_TOFU_STATE_NAME` as replacement Changelog: changed --- .gitlab/README.md.template | 1 + README.md | 1 + src/gitlab-tofu.sh | 23 +++++++++++++++---- templates/apply.yml | 6 ++--- templates/delete-state.yml | 6 ++--- templates/destroy.yml | 6 ++--- templates/graph.yml | 2 +- templates/module-release.yml | 2 +- templates/plan.yml | 2 +- templates/test.yml | 2 +- templates/validate.yml | 2 +- .../integration-tests/Defaults.gitlab-ci.yml | 2 +- tests/integration-tests/Destroy.gitlab-ci.yml | 4 ++-- ...pelineTriggerInChildPipeline.gitlab-ci.yml | 2 +- .../JobTemplates.gitlab-ci.yml | 2 +- tests/integration-tests/TestJob.gitlab-ci.yml | 2 +- .../TriggerInChildPipeline.gitlab-ci.yml | 6 ++--- ...estroyTriggerInChildPipeline.gitlab-ci.yml | 4 ++-- tests/integration-tests/VarFile.gitlab-ci.yml | 2 +- .../WarningOnNonEmptyPlan.gitlab-ci.yml | 4 ++-- tests/integration.gitlab-ci.yml | 2 +- tests/unit/gitlab-tofu.bats | 8 +++---- 22 files changed, 53 insertions(+), 38 deletions(-) diff --git a/.gitlab/README.md.template b/.gitlab/README.md.template index 1930a95..0c0e3f1 100644 --- a/.gitlab/README.md.template +++ b/.gitlab/README.md.template @@ -518,6 +518,7 @@ When migrating from the GitLab Terraform CI/CD templates you can use the followi - Although the `TF_ROOT` variable is still used and maybe overwritten after the import on individual jobs. - Migrate the `TF_STATE_NAME` variable to the `state_name` input. - Although the `TF_STATE_NAME` variable is still used and maybe overwritten after the import on individual jobs. + - Note that this component deprecated the `TF_STATE_NAME` variable and uses `GITLAB_TOFU_STATE_NAME` instead. - Migrate the `TF_AUTO_DEPLOY` variable to custom `rules` inputs. - Used other variables -> Use the same variables with this component. 
diff --git a/README.md b/README.md index 9a43bc7..50905cb 100644 --- a/README.md +++ b/README.md @@ -533,6 +533,7 @@ When migrating from the GitLab Terraform CI/CD templates you can use the followi - Although the `TF_ROOT` variable is still used and maybe overwritten after the import on individual jobs. - Migrate the `TF_STATE_NAME` variable to the `state_name` input. - Although the `TF_STATE_NAME` variable is still used and maybe overwritten after the import on individual jobs. + - Note that this component deprecated the `TF_STATE_NAME` variable and uses `GITLAB_TOFU_STATE_NAME` instead. - Migrate the `TF_AUTO_DEPLOY` variable to custom `rules` inputs. - Used other variables -> Use the same variables with this component. diff --git a/src/gitlab-tofu.sh b/src/gitlab-tofu.sh index a82737f..4bf9e65 100644 --- a/src/gitlab-tofu.sh +++ b/src/gitlab-tofu.sh @@ -20,6 +20,7 @@ # GITLAB_TOFU_IMPLICIT_INIT: if set to true will perform an implicit `tofu init` before any command that require it. Defaults to `true`. # GITLAB_TOFU_IGNORE_INIT_ERRORS: if set to true will ignore errors in the `tofu init` command. # GITLAB_TOFU_INIT_NO_RECONFIGURE: if set to true will not pass `-reconfigure` to the `tofu init` command. +# GITLAB_TOFU_STATE_NAME: the name of the GitLab-managed Terraform state backend endpoint. # # Respected OpenTofu Environment Variables: # > these are variables that are 
@@ -97,6 +98,18 @@ if [ -n "$ZSH_VERSION" ]; then unsetopt sh_word_split fi +# Deprecations +# ============ +if [ -n "$TF_STATE_NAME" ]; then + echo 'WARNING: you have manually set the deprecated TF_STATE_NAME environment variable. Please use the GITLAB_TOFU_STATE_NAME environment variable instead. The TF_STATE_NAME variable will be removed soon.' >&2 + + if [ -n "$GITLAB_TOFU_STATE_NAME" ]; then + echo 'WARNING: you have set GITLAB_TOFU_STATE_NAME environment variable in addition to the deprecated TF_STATE_NAME. This causes a conflict and GITLAB_TOFU_STATE_NAME will be used exclusively' >&2 + else + GITLAB_TOFU_STATE_NAME="$TF_STATE_NAME" + fi +fi + JQ_PLAN=' ( [.resource_changes[]?.change.actions?] | flatten @@ -111,11 +124,11 @@ JQ_PLAN=' state_backend_username="gitlab-ci-token" state_backend_password="${CI_JOB_TOKEN}" -# If TF_ADDRESS is unset but TF_STATE_NAME is provided, then default to GitLab backend in current project -if [ -n "${TF_STATE_NAME}" ] && [ -z "${TF_ADDRESS}" ]; then - # auto url-encode TF_STATE_NAME - TF_STATE_NAME="$(jq -rn --arg x "${TF_STATE_NAME}" '$x|@uri')" - TF_ADDRESS="${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/${TF_STATE_NAME}" +# If TF_ADDRESS is unset but GITLAB_TOFU_STATE_NAME is provided, then default to GitLab backend in current project +if [ -n "${GITLAB_TOFU_STATE_NAME}" ] && [ -z "${TF_ADDRESS}" ]; then + # auto url-encode GITLAB_TOFU_STATE_NAME + GITLAB_TOFU_STATE_NAME="$(jq -rn --arg x "${GITLAB_TOFU_STATE_NAME}" '$x|@uri')" + TF_ADDRESS="${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/${GITLAB_TOFU_STATE_NAME}" fi if [ -z "${GITLAB_TOFU_PLAN_NAME}" ]; then diff --git a/templates/apply.yml b/templates/apply.yml index 4178f01..265f456 100644 --- a/templates/apply.yml +++ b/templates/apply.yml 
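Review bot: In the conflict branch of the new Deprecations block, a set TF_STATE_NAME is discarded after only a warning, even when it names a different state than GITLAB_TOFU_STATE_NAME. The templates in this patch now set GITLAB_TOFU_STATE_NAME from `inputs.state_name`, so a job that still overrides TF_STATE_NAME (which the README context lines describe as supported) would presumably land in this branch and plan, apply or destroy against the input's state instead of the one it used before. Consider treating a mismatch as an error, e.g. `if [ "$GITLAB_TOFU_STATE_NAME" != "$TF_STATE_NAME" ]; then echo 'ERROR: TF_STATE_NAME and GITLAB_TOFU_STATE_NAME differ' >&2; exit 1; fi`, or at least print both values in the warning so the job log shows which state was selected. Whether `exit` is appropriate depends on how the script is sourced, which is outside the hunk.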
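Review bot: After this hunk only GITLAB_TOFU_STATE_NAME is rewritten to its URL-encoded form; a deprecated TF_STATE_NAME keeps its raw value, whereas the removed lines encoded TF_STATE_NAME in place. A caller that sets only TF_STATE_NAME, sources the script and then builds a state URL from `$TF_STATE_NAME` would get an unencoded path for names such as `production/europe`. If that is intended, say so next to the assignment, e.g. `# NOTE: the deprecated TF_STATE_NAME is left unencoded; only GITLAB_TOFU_STATE_NAME is rewritten`. Because the variable is overwritten in place, the same comment could state that it holds the raw name before this line and the encoded one after it.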
@@ -97,9 +97,9 @@ spec: '$[[ inputs.as ]]': stage: $[[ inputs.stage ]] environment: - name: $TF_STATE_NAME + name: $GITLAB_TOFU_STATE_NAME action: start - resource_group: $TF_STATE_NAME + resource_group: $GITLAB_TOFU_STATE_NAME rules: $[[ inputs.rules ]] cache: key: "$__CACHE_KEY_HACK" @@ -110,7 +110,7 @@ spec: # FIXME: work around to make slashes work in `cache:key`. see https://gitlab.com/gitlab-org/gitlab/-/issues/439898 __CACHE_KEY_HACK: "$[[ inputs.root_dir ]]" TF_ROOT: $[[ inputs.root_dir ]] - TF_STATE_NAME: $[[ inputs.state_name ]] + GITLAB_TOFU_STATE_NAME: $[[ inputs.state_name ]] GITLAB_TOFU_APPLY_NO_PLAN: $[[ inputs.no_plan ]] GITLAB_TOFU_PLAN_NAME: $[[ inputs.plan_name ]] GITLAB_TOFU_VAR_FILE: '$[[ inputs.var_file ]]' diff --git a/templates/delete-state.yml b/templates/delete-state.yml index 3305cc6..cf6eee8 100644 --- a/templates/delete-state.yml +++ b/templates/delete-state.yml @@ -27,10 +27,10 @@ spec: '$[[ inputs.as ]]': stage: $[[ inputs.stage ]] - resource_group: $TF_STATE_NAME + resource_group: $GITLAB_TOFU_STATE_NAME image: curlimages/curl:latest variables: - TF_STATE_NAME: $[[ inputs.state_name ]] + GITLAB_TOFU_STATE_NAME: $[[ inputs.state_name ]] script: - - curl --request DELETE -u "gitlab-ci-token:$CI_JOB_TOKEN" "$CI_API_V4_URL/projects/$CI_PROJECT_ID/terraform/state/$TF_STATE_NAME" + - curl --request DELETE -u "gitlab-ci-token:$CI_JOB_TOKEN" "$CI_API_V4_URL/projects/$CI_PROJECT_ID/terraform/state/$GITLAB_TOFU_STATE_NAME" rules: $[[ inputs.rules ]] diff --git a/templates/destroy.yml b/templates/destroy.yml index f1540b2..c3feb64 100644 --- a/templates/destroy.yml +++ b/templates/destroy.yml @@ -97,9 +97,9 @@ spec: '$[[ inputs.as ]]': stage: $[[ inputs.stage ]] environment: - name: $TF_STATE_NAME + name: $GITLAB_TOFU_STATE_NAME action: stop - resource_group: $TF_STATE_NAME + resource_group: $GITLAB_TOFU_STATE_NAME rules: $[[ inputs.rules ]] cache: key: "$__CACHE_KEY_HACK" 
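Review bot: The rewritten `curl --request DELETE` line in templates/delete-state.yml places `$GITLAB_TOFU_STATE_NAME` into the URL path unencoded, while src/gitlab-tofu.sh in this same patch URL-encodes the name before building TF_ADDRESS. For a state name containing `/` (the unit test uses `production/europe`) the two would address different paths, so this job may not delete the state the other jobs wrote. The call also has no `--fail`, so an HTTP error response would leave the job green; adding `--fail` to the command would surface it. This job does not run gitlab-tofu.sh, so the TF_STATE_NAME fallback and its warning do not apply here, and a job-level TF_STATE_NAME override is ignored silently.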
@@ -110,7 +110,7 @@ spec: # FIXME: work around to make slashes work in `cache:key`. see https://gitlab.com/gitlab-org/gitlab/-/issues/439898 __CACHE_KEY_HACK: "$[[ inputs.root_dir ]]" TF_ROOT: $[[ inputs.root_dir ]] - TF_STATE_NAME: $[[ inputs.state_name ]] + GITLAB_TOFU_STATE_NAME: $[[ inputs.state_name ]] GITLAB_TOFU_APPLY_NO_PLAN: $[[ inputs.no_plan ]] GITLAB_TOFU_PLAN_NAME: $[[ inputs.plan_name ]] GITLAB_TOFU_VAR_FILE: '$[[ inputs.var_file ]]' diff --git a/templates/graph.yml b/templates/graph.yml index 885252d..bf8c18a 100644 --- a/templates/graph.yml +++ b/templates/graph.yml @@ -104,7 +104,7 @@ spec: # FIXME: work around to make slashes work in `cache:key`. see https://gitlab.com/gitlab-org/gitlab/-/issues/439898 __CACHE_KEY_HACK: "$[[ inputs.root_dir ]]" TF_ROOT: $[[ inputs.root_dir ]] - TF_STATE_NAME: $[[ inputs.state_name ]] + GITLAB_TOFU_STATE_NAME: $[[ inputs.state_name ]] GITLAB_TOFU_VAR_FILE: '$[[ inputs.var_file ]]' image: name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]' diff --git a/templates/module-release.yml b/templates/module-release.yml index 2d28d39..49010a6 100644 --- a/templates/module-release.yml +++ b/templates/module-release.yml @@ -23,7 +23,7 @@ spec: description: | System that this module can be used with. e.g. 'local' or 'azurerm' - + module_version: description: | Version of the module that should be published. diff --git a/templates/plan.yml b/templates/plan.yml index 2c1412c..b8e6293 100644 --- a/templates/plan.yml +++ b/templates/plan.yml 
@@ -156,7 +156,7 @@ spec: # FIXME: work around to make slashes work in `cache:key`. see https://gitlab.com/gitlab-org/gitlab/-/issues/439898 __CACHE_KEY_HACK: "$[[ inputs.root_dir ]]" TF_ROOT: $[[ inputs.root_dir ]] - TF_STATE_NAME: $[[ inputs.state_name ]] + GITLAB_TOFU_STATE_NAME: $[[ inputs.state_name ]] GITLAB_TOFU_PLAN_NAME: $[[ inputs.plan_name ]] GITLAB_TOFU_PLAN_WITH_JSON: true GITLAB_TOFU_VAR_FILE: '$[[ inputs.var_file ]]' diff --git a/templates/test.yml b/templates/test.yml index c8cc5da..dc59764 100644 --- a/templates/test.yml +++ b/templates/test.yml @@ -107,7 +107,7 @@ spec: # FIXME: work around to make slashes work in `cache:key`. see https://gitlab.com/gitlab-org/gitlab/-/issues/439898 __CACHE_KEY_HACK: "$[[ inputs.root_dir ]]" TF_ROOT: $[[ inputs.root_dir ]] - TF_STATE_NAME: $[[ inputs.state_name ]] + GITLAB_TOFU_STATE_NAME: $[[ inputs.state_name ]] GITLAB_TOFU_VAR_FILE: '$[[ inputs.var_file ]]' image: name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]' diff --git a/templates/validate.yml b/templates/validate.yml index 3bd868d..7a5beb7 100644 --- a/templates/validate.yml +++ b/templates/validate.yml @@ -103,7 +103,7 @@ spec: # FIXME: work around to make slashes work in `cache:key`. see https://gitlab.com/gitlab-org/gitlab/-/issues/439898 __CACHE_KEY_HACK: "$[[ inputs.root_dir ]]" TF_ROOT: $[[ inputs.root_dir ]] - TF_STATE_NAME: $[[ inputs.state_name ]] + GITLAB_TOFU_STATE_NAME: $[[ inputs.state_name ]] GITLAB_TOFU_IGNORE_INIT_ERRORS: 'true' # Tofu can report errors which might be the reason init failed. GITLAB_TOFU_VAR_FILE: '$[[ inputs.var_file ]]' image: diff --git a/tests/integration-tests/Defaults.gitlab-ci.yml b/tests/integration-tests/Defaults.gitlab-ci.yml index 2c51ac1..2058ed7 100644 --- a/tests/integration-tests/Defaults.gitlab-ci.yml +++ b/tests/integration-tests/Defaults.gitlab-ci.yml 
@@ -6,7 +6,7 @@ include: base_os: $GITLAB_OPENTOFU_BASE_IMAGE_OS opentofu_version: $OPENTOFU_VERSION root_dir: $TEST_TF_ROOT - state_name: $TEST_TF_STATE_NAME + state_name: $TEST_GITLAB_TOFU_STATE_NAME # Required to run everything immediately, instead of manually. fmt_rules: [{when: always}] validate_rules: [{when: always}] diff --git a/tests/integration-tests/Destroy.gitlab-ci.yml b/tests/integration-tests/Destroy.gitlab-ci.yml index b6e5605..b890b8c 100644 --- a/tests/integration-tests/Destroy.gitlab-ci.yml +++ b/tests/integration-tests/Destroy.gitlab-ci.yml @@ -7,7 +7,7 @@ include: as: 'setup:apply' stage: setup root_dir: $TEST_TF_ROOT - state_name: $TEST_TF_STATE_NAME + state_name: $TEST_GITLAB_TOFU_STATE_NAME no_plan: true # Required to run everything immediately, instead of manually. rules: [{when: always}] @@ -18,7 +18,7 @@ include: version: $CI_COMMIT_SHA opentofu_version: $OPENTOFU_VERSION root_dir: $TEST_TF_ROOT - state_name: $TEST_TF_STATE_NAME + state_name: $TEST_GITLAB_TOFU_STATE_NAME # Required to run everything immediately, instead of manually. fmt_rules: [{when: always}] validate_rules: [{when: always}] diff --git a/tests/integration-tests/FullPipelineTriggerInChildPipeline.gitlab-ci.yml b/tests/integration-tests/FullPipelineTriggerInChildPipeline.gitlab-ci.yml index 03047e6..f38b91d 100644 --- a/tests/integration-tests/FullPipelineTriggerInChildPipeline.gitlab-ci.yml +++ b/tests/integration-tests/FullPipelineTriggerInChildPipeline.gitlab-ci.yml @@ -6,7 +6,7 @@ include: base_os: $GITLAB_OPENTOFU_BASE_IMAGE_OS opentofu_version: $OPENTOFU_VERSION root_dir: $TEST_TF_ROOT - state_name: $TEST_TF_STATE_NAME + state_name: $TEST_GITLAB_TOFU_STATE_NAME # Required to run everything immediately, instead of manually. fmt_rules: [{when: always}] validate_rules: [{when: always}] diff --git a/tests/integration-tests/JobTemplates.gitlab-ci.yml b/tests/integration-tests/JobTemplates.gitlab-ci.yml index 6c0acc9..9a862ff 100644 
--- a/tests/integration-tests/JobTemplates.gitlab-ci.yml +++ b/tests/integration-tests/JobTemplates.gitlab-ci.yml @@ -5,7 +5,7 @@ include: version: $CI_COMMIT_SHA opentofu_version: $OPENTOFU_VERSION root_dir: $TEST_TF_ROOT - state_name: $TEST_TF_STATE_NAME + state_name: $TEST_GITLAB_TOFU_STATE_NAME stages: [validate, build, deploy, cleanup] diff --git a/tests/integration-tests/TestJob.gitlab-ci.yml b/tests/integration-tests/TestJob.gitlab-ci.yml index 96e90ee..dd1dd67 100644 --- a/tests/integration-tests/TestJob.gitlab-ci.yml +++ b/tests/integration-tests/TestJob.gitlab-ci.yml @@ -5,7 +5,7 @@ include: version: $CI_COMMIT_SHA opentofu_version: $OPENTOFU_VERSION root_dir: $TEST_TF_ROOT - state_name: $TEST_TF_STATE_NAME + state_name: $TEST_GITLAB_TOFU_STATE_NAME # Required to run everything immediately, instead of manually. rules: [{when: always}] diff --git a/tests/integration-tests/TriggerInChildPipeline.gitlab-ci.yml b/tests/integration-tests/TriggerInChildPipeline.gitlab-ci.yml index d1fd3cf..fcd4a0c 100644 --- a/tests/integration-tests/TriggerInChildPipeline.gitlab-ci.yml +++ b/tests/integration-tests/TriggerInChildPipeline.gitlab-ci.yml @@ -5,8 +5,8 @@ include: version: $CI_COMMIT_SHA base_os: $GITLAB_OPENTOFU_BASE_IMAGE_OS opentofu_version: $OPENTOFU_VERSION - root_dir: $TEST_TF_ROOT - state_name: $TEST_TF_STATE_NAME + root_dir: $TEST_GITLAB_TOFU_ROOT_DIR + state_name: $TEST_GITLAB_TOFU_STATE_NAME fmt_rules: [{when: on_success}] validate_rules: [{when: on_success}] plan_rules: [{when: on_success}] @@ -19,7 +19,7 @@ include: - component: $CI_SERVER_FQDN/$CI_PROJECT_PATH/delete-state@$CI_COMMIT_SHA inputs: stage: cleanup - state_name: $TEST_TF_STATE_NAME + state_name: $TEST_GITLAB_TOFU_STATE_NAME rules: [{when: always}] stages: [test, cleanup] diff --git a/tests/integration-tests/ValidatePlanDestroyTriggerInChildPipeline.gitlab-ci.yml b/tests/integration-tests/ValidatePlanDestroyTriggerInChildPipeline.gitlab-ci.yml index be08033..662cf67 100644 
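Review bot: `root_dir: $TEST_GITLAB_TOFU_ROOT_DIR` in TriggerInChildPipeline.gitlab-ci.yml references a variable that nothing in this patch defines; tests/integration.gitlab-ci.yml still sets only `TEST_TF_ROOT: tests/iac`, and every other integration test keeps `root_dir: $TEST_TF_ROOT`. Unless the variable is defined somewhere outside this patch, the test would run with an empty or unexpanded root_dir. The rename looks unrelated to the state-name deprecation; restoring `root_dir: $TEST_TF_ROOT` keeps this test aligned with the others.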
--- a/tests/integration-tests/ValidatePlanDestroyTriggerInChildPipeline.gitlab-ci.yml +++ b/tests/integration-tests/ValidatePlanDestroyTriggerInChildPipeline.gitlab-ci.yml @@ -7,7 +7,7 @@ include: as: 'setup:apply' stage: setup root_dir: $TEST_TF_ROOT - state_name: $TEST_TF_STATE_NAME + state_name: $TEST_GITLAB_TOFU_STATE_NAME no_plan: true # Required to run everything immediately, instead of manually. rules: [{when: always}] @@ -18,7 +18,7 @@ include: version: $CI_COMMIT_SHA opentofu_version: $OPENTOFU_VERSION root_dir: $TEST_TF_ROOT - state_name: $TEST_TF_STATE_NAME + state_name: $TEST_GITLAB_TOFU_STATE_NAME # Required to run everything immediately, instead of manually. fmt_rules: [{when: always}] validate_rules: [{when: always}] diff --git a/tests/integration-tests/VarFile.gitlab-ci.yml b/tests/integration-tests/VarFile.gitlab-ci.yml index f1505f3..429fe65 100644 --- a/tests/integration-tests/VarFile.gitlab-ci.yml +++ b/tests/integration-tests/VarFile.gitlab-ci.yml @@ -6,7 +6,7 @@ include: base_os: $GITLAB_OPENTOFU_BASE_IMAGE_OS opentofu_version: $OPENTOFU_VERSION root_dir: $TEST_TF_ROOT - state_name: $TEST_TF_STATE_NAME + state_name: $TEST_GITLAB_TOFU_STATE_NAME var_file: varfile.integration-test.tfvars # Required to run everything immediately, instead of manually. fmt_rules: [{when: always}] diff --git a/tests/integration-tests/WarningOnNonEmptyPlan.gitlab-ci.yml b/tests/integration-tests/WarningOnNonEmptyPlan.gitlab-ci.yml index 38c4b3f..b7f13fb 100644 --- a/tests/integration-tests/WarningOnNonEmptyPlan.gitlab-ci.yml +++ b/tests/integration-tests/WarningOnNonEmptyPlan.gitlab-ci.yml 
@@ -6,13 +6,13 @@ include: base_os: $GITLAB_OPENTOFU_BASE_IMAGE_OS opentofu_version: $OPENTOFU_VERSION root_dir: $TEST_TF_ROOT - state_name: $TEST_TF_STATE_NAME + state_name: $TEST_GITLAB_TOFU_STATE_NAME warning_on_non_empty_plan: true # For CI Terraform state cleanup - component: $CI_SERVER_FQDN/$CI_PROJECT_PATH/delete-state@$CI_COMMIT_SHA inputs: - state_name: $TEST_TF_STATE_NAME + state_name: $TEST_GITLAB_TOFU_STATE_NAME rules: [{when: always}] stages: [build, cleanup, verify] diff --git a/tests/integration.gitlab-ci.yml b/tests/integration.gitlab-ci.yml index cef1df3..140fa7f 100644 --- a/tests/integration.gitlab-ci.yml +++ b/tests/integration.gitlab-ci.yml @@ -2,7 +2,7 @@ component: stage: test-integration variables: OPENTOFU_VERSION: $LATEST_OPENTOFU_VERSION - TEST_TF_STATE_NAME: ci-integration-$CI_PIPELINE_IID-$CI_NODE_INDEX + TEST_GITLAB_TOFU_STATE_NAME: ci-integration-$CI_PIPELINE_IID-$CI_NODE_INDEX TEST_TF_ROOT: tests/iac trigger: include: tests/integration-tests/$PIPELINE_NAME.gitlab-ci.yml diff --git a/tests/unit/gitlab-tofu.bats b/tests/unit/gitlab-tofu.bats index bdf1c38..0637578 100644 --- a/tests/unit/gitlab-tofu.bats +++ b/tests/unit/gitlab-tofu.bats @@ -19,11 +19,11 @@ setup() { export TF_ROOT="$BATS_TEST_TMPDIR/$(basename "$TEST_PROJECT_DIR")" # Set state so that each test has its own - export TF_STATE_NAME="ci-unit-$CI_JOB_ID-$BATS_SUITE_TEST_NUMBER" + export GITLAB_TOFU_STATE_NAME="ci-unit-$CI_JOB_ID-$BATS_SUITE_TEST_NUMBER" } teardown() { - curl --request DELETE -u "gitlab-ci-token:$CI_JOB_TOKEN" "$CI_API_V4_URL/projects/$CI_PROJECT_ID/terraform/state/$TF_STATE_NAME" + curl --request DELETE -u "gitlab-ci-token:$CI_JOB_TOKEN" "$CI_API_V4_URL/projects/$CI_PROJECT_ID/terraform/state/$GITLAB_TOFU_STATE_NAME" } @test "gitlab-tofu init" { 
@@ -187,9 +187,9 @@ EOF cat <<'EOF' > test.sh set -x -export TF_STATE_NAME=production/europe +export GITLAB_TOFU_STATE_NAME=production/europe . $(which gitlab-tofu) -test "$TF_STATE_NAME" = "production%2Feurope" +test "$GITLAB_TOFU_STATE_NAME" = "production%2Feurope" EOF $SHELL test.sh -- GitLab
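Review bot: The new TF_STATE_NAME fallback and the conflict branch in src/gitlab-tofu.sh have no test after this change, because both bats hunks only switch the existing cases to GITLAB_TOFU_STATE_NAME. A sibling of the URL-encoding test could cover the fallback: since `setup()` exports GITLAB_TOFU_STATE_NAME, the generated script would need `unset GITLAB_TOFU_STATE_NAME` and `export TF_STATE_NAME=production/europe` before souring gitlab-tofu, then `test "$GITLAB_TOFU_STATE_NAME" = "production%2Feurope"`. A second case with both variables set to different values would pin which one wins, which matters because the choice decides which state a job operates on. The enclosing test starts outside this hunk.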