Remove support for `TF_USERNAME` and `TF_PASSWORD` environment variables

Please use `TF_HTTP_USERNAME` and `TF_HTTP_PASSWORD` environment variables directly. Changelog: removed

Remove support for `TF_USERNAME` and `TF_PASSWORD` environment variables
df9639ea · Timo Furrer · 4545a68d · df9639ea
Unverified Commit df9639ea authored 7 months ago by Timo Furrer
--- a/src/gitlab-tofu.sh
+++ b/src/gitlab-tofu.sh
 #!/usr/bin/env sh

+# gitlab-tofu is a wrapper around the tofu command
+# from the OpenTofu project.
+#
+# It's main purpose is to setup tofu to work inside
+# GitLab pipelines and together with the
+# OpenTofu CI/CD component.
+# Detailed information about it is in the README:
+# https://gitlab.com/components/opentofu
+#
+# Respected Environment Variables:
+# --------------------------------
+# GITLAB_TOFU_SOURCE: forces this script in source-mode. Required when source auto-detection fails.
+#
+# OpenTofu Environment Variables:
+# > these are variables that are
+# > respected if set and avoid using
+# > the gitlab-tofu values for them.
+# ----------------------------------
+# TF_HTTP_USERNAME: username for the HTTP backend. Defaults to `gitlab-ci-token`.
+# TF_HTTP_PASSWORD: password for the HTTP backend. Defaults to `$CI_JOB_TOKEN`.
+#
+# Respected GitLab CI/CD Variables:
+# > these are variables exposed by
+# > GitLab CI/CD and respected by
+# > the gitlab-tofu script for
+# > certain configurations.
+# CI_JOB_TOKEN:
+#   - used as default value for TF_HTTP_PASSWORD.
+#   - used as value for TF_TOKEN_<host> variable.
+
 # set some shell options
 set -o errexit

@@ -66,14 +96,9 @@ JQ_PLAN='
  }
 '

-# If TF_USERNAME is unset then default to GITLAB_USER_LOGIN
-TF_USERNAME="${TF_USERNAME:-${GITLAB_USER_LOGIN}}"
-
-# If TF_PASSWORD is unset then default to gitlab-ci-token/CI_JOB_TOKEN
-if [ -z "${TF_PASSWORD}" ]; then
-  TF_USERNAME="gitlab-ci-token"
-  TF_PASSWORD="${CI_JOB_TOKEN}"
-fi
+# Default state backend credentials to gitlab-ci-token/CI_JOB_TOKEN
+state_backend_username="gitlab-ci-token"
+state_backend_password="${CI_JOB_TOKEN}"

 # If TF_ADDRESS is unset but TF_STATE_NAME is provided, then default to GitLab backend in current project
 if [ -n "${TF_STATE_NAME}" ] && [ -z "${TF_ADDRESS}" ]; then
@@ -117,8 +142,8 @@ export TF_HTTP_LOCK_ADDRESS="${TF_HTTP_LOCK_ADDRESS:-${TF_ADDRESS}/lock}"
 export TF_HTTP_LOCK_METHOD="${TF_HTTP_LOCK_METHOD:-POST}"
 export TF_HTTP_UNLOCK_ADDRESS="${TF_HTTP_UNLOCK_ADDRESS:-${TF_ADDRESS}/lock}"
 export TF_HTTP_UNLOCK_METHOD="${TF_HTTP_UNLOCK_METHOD:-DELETE}"
-export TF_HTTP_USERNAME="${TF_HTTP_USERNAME:-${TF_USERNAME}}"
-export TF_HTTP_PASSWORD="${TF_HTTP_PASSWORD:-${TF_PASSWORD}}"
+export TF_HTTP_USERNAME="${TF_HTTP_USERNAME:-${state_backend_username}}"
+export TF_HTTP_PASSWORD="${TF_HTTP_PASSWORD:-${state_backend_password}}"
 export TF_HTTP_RETRY_WAIT_MIN="${TF_HTTP_RETRY_WAIT_MIN:-5}"

 # Expose Gitlab specific variables to terraform since no -tf-var is available