Merge branch 'allow-overwrite-of-tf-token' into 'master'

fix: add ability to specify your own TF_TOKEN

See merge request https://gitlab.com/gitlab-org/terraform-images/-/merge_requests/179



Merged-by: Tiger Watson <twatson@gitlab.com>
Approved-by: Tiger Watson <twatson@gitlab.com>
Approved-by: Timo Furrer <tfurrer@gitlab.com>
Co-authored-by: Timo Furrer <tfurrer@gitlab.com>
Co-authored-by: Tobias Mueller <tm@eriksterck.de>
Co-authored-by: Tobias <tobias.mueller83@gmail.com>

.gitlab-ci.yml

@@ -269,6 +269,57 @@ test-init-with-reconfigure:
       EOF
     - gitlab-terraform init
 
+test-init-with-prepared-registry-token:
+  extends:
+    - .test
+  stage: test-init
+  variables:
+    TERRAFORM_VERSION: $STABLE_VERSION
+  script:
+    - apk add --update $PKG
+    - |
+      cat <<'EOF' > test.sh
+      set -x
+      export TF_TOKEN_gitlab_com=mysecrettoken
+      . $(which gitlab-terraform)
+      terraform_authenticate_private_registry
+      test "$TF_TOKEN_gitlab_com" = "mysecrettoken"
+      EOF
+    - $SHELL test.sh
+  parallel:
+    matrix:
+      - SHELL: "bash"
+        PKG: "bash"
+      - SHELL: "zsh"
+        PKG: "zsh"
+      - SHELL: "ksh"
+        PKG: "loksh"
+
+test-init-without-prepared-registry-token:
+  extends:
+    - .test
+  stage: test-init
+  variables:
+    TERRAFORM_VERSION: $STABLE_VERSION
+  script:
+    - apk add --update $PKG
+    - |
+      cat <<'EOF' > test.sh
+      set -x
+      . $(which gitlab-terraform)
+      terraform_authenticate_private_registry
+      test -n "$TF_TOKEN_gitlab_com"
+      EOF
+    - $SHELL test.sh
+  parallel:
+    matrix:
+      - SHELL: "bash"
+        PKG: "bash"
+      - SHELL: "zsh"
+        PKG: "zsh"
+      - SHELL: "ksh"
+        PKG: "loksh"
+
 test-fmt:
   extends:
     - .test

src/bin/gitlab-terraform.sh

@@ -13,13 +13,13 @@ terraform_is_at_least() {
 # Evaluate if this script is being sourced or executed directly.
 # See https://stackoverflow.com/a/28776166
 sourced=0
-if [ -n "$ZSH_VERSION" ]; then 
+if [ -n "$ZSH_VERSION" ]; then
   case $ZSH_EVAL_CONTEXT in *:file) sourced=1;; esac
 elif [ -n "$KSH_VERSION" ]; then
   # shellcheck disable=SC2296
   [ "$(cd -- "$(dirname -- "$0")" && pwd -P)/$(basename -- "$0")" != "$(cd -- "$(dirname -- "${.sh.file}")" && pwd -P)/$(basename -- "${.sh.file}")" ] && sourced=1
 elif [ -n "$BASH_VERSION" ]; then
-  (return 0 2>/dev/null) && sourced=1 
+  (return 0 2>/dev/null) && sourced=1
 else # All other shells: examine $0 for known shell binary filenames.
      # Detects `sh` and `dash`; add additional shell filenames as needed.
   case ${0##*/} in sh|-sh|dash|-dash) sourced=1;; esac
@@ -108,7 +108,10 @@ terraform_authenticate_private_registry() {
     # For more info, see https://www.terraform.io/cli/config/config-file#environment-variable-credentials
     if [ "${CI_SERVER_PROTOCOL}" = "https" ] && [ -n "${CI_SERVER_HOST}" ]; then
       tf_token_var_name=TF_TOKEN_$(idn2 "${CI_SERVER_HOST}" | sed 's/\./_/g' | sed 's/-/__/g')
-      export "${tf_token_var_name}"="${CI_JOB_TOKEN}"
+      # If TF_TOKEN_ for the Gitlab domain is not set then use the CI_JOB_TOKEN
+      if [ -z "$(eval "echo \${${tf_token_var_name}:-}")" ]; then
+        export "${tf_token_var_name}"="${CI_JOB_TOKEN}"
+      fi
     fi
   else
     # If we have a version older than 1.2.0, we use the credentials file.
@@ -189,4 +192,4 @@ else
   # This variable can be used if the script is sourced
   # shellcheck disable=SC2034
   TF_GITLAB_SOURCED=true
-fi
+fi
\ No newline at end of file