feat: remove OpenTofu support

cf30bb59 · Timo Furrer · 4f066612 · cf30bb59 · 4f066612 · 4f066612
Unverified Commit cf30bb59 authored 1 year ago by Timo Furrer
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -7,7 +7,6 @@ workflow:
 include:
  - local: .gitlab/terraform-test.gitlab-ci.yml
-  - local: .gitlab/tofu-test.gitlab-ci.yml
  - project: "gitlab-org/quality/pipeline-common"
    file:
      - "/ci/danger-review.yml"
@@ -15,13 +14,11 @@ include:
 variables:
  BASE_IMAGE: "alpine:3.18.4"
  TERRAFORM_IMAGE_NAME: "$CI_REGISTRY_IMAGE/branches/$CI_COMMIT_REF_SLUG-$TERRAFORM_VERSION:$CI_COMMIT_SHA"
-  TOFU_IMAGE_NAME: "$CI_REGISTRY_IMAGE/branches/$CI_COMMIT_REF_SLUG-$TOFU_VERSION:$CI_COMMIT_SHA"
  DOCKER_DIND_IMAGE: "docker:24.0.7-dind"
  NODE_IMAGE: "node:lts-slim"
  PLATFORMS: linux/amd64,linux/arm64
  STABLE_IMAGE_NAME: "$CI_REGISTRY_IMAGE/stable:latest"
  STABLE_VERSION: "1.5"
-  STABLE_TOFU_VERSION: "1.6"
  TF_STATE_NAME: ci-$CI_JOB_ID
 .terraform-versions:
@@ -38,13 +35,6 @@ variables:
      - TERRAFORM_BINARY_VERSION: "1.1.9"
        TERRAFORM_VERSION: "1.1"
-.tofu-versions:
-  parallel:
-    matrix:
-      # latest version from https://pkgs.alpinelinux.org/packages?name=opentofu
-      - TOFU_BINARY_VERSION: "1.6.0-r0"
-        TOFU_VERSION: "1.6"
 stages:
  - lint
  - build
@@ -95,7 +85,6 @@ dockerfile check:
  parallel:
    matrix:
      - FILE: Dockerfile.terraform
-      - FILE: Dockerfile.tofu
  before_script:
    - hadolint --version
@@ -135,34 +124,6 @@ build terraform:
      --push
      .
-build tofu:
-  extends: .tofu-versions
-  stage: build
-  services:
-    - "$DOCKER_DIND_IMAGE"
-  image: "$DOCKER_DIND_IMAGE"
-  before_script:
-    # See note on the `build terraform` job about this image
-    - docker run --rm --privileged tonistiigi/binfmt
-    # Registry auth
-    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
-  script:
-    - docker buildx create --use
-    # NOTE: we disable provenance for now
-    # because it causes troubles with the registry and older clients.
-    # See
-    # - https://gitlab.com/gitlab-org/terraform-images/-/issues/104
-    # - https://gitlab.com/gitlab-org/terraform-images/-/merge_requests/184#note_1328485943
-    - docker buildx build
-      --platform "$PLATFORMS"
-      --build-arg BASE_IMAGE=$BASE_IMAGE
-      --build-arg TOFU_BINARY_VERSION=$TOFU_BINARY_VERSION
-      --file Dockerfile.tofu
-      --tag "$TOFU_IMAGE_NAME"
-      --provenance=false
-      --push
-      .
 upload:
  stage: upload-test-module
  script:
@@ -193,24 +154,6 @@ release-terraform:
  rules:
    - if: $CI_COMMIT_TAG
-release-tofu:
-  extends: .tofu-versions
-  stage: release
-  image:
-    name: gcr.io/go-containerregistry/crane:debug
-    entrypoint: [""]
-  variables:
-    RELEASE_IMAGE_NAME: "$CI_REGISTRY_IMAGE/releases-tofu/$TOFU_VERSION"
-  script:
-    # https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane_copy.md
-    - crane auth login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
-    - crane copy "$TOFU_IMAGE_NAME" "$RELEASE_IMAGE_NAME:latest"
-    - crane copy "$TOFU_IMAGE_NAME" "$CI_REGISTRY_IMAGE/releases-tofu:$TOFU_BINARY_VERSION"
-    - crane copy "$TOFU_IMAGE_NAME" "$RELEASE_IMAGE_NAME:$CI_COMMIT_TAG"
-    # Removed the "stable" release for now, since tofu is still in beta itself
-  rules:
-    - if: $CI_COMMIT_TAG
 .semantic-release:
  image: "$NODE_IMAGE"
  stage: prepare-release

--- a/.gitlab/tofu-test.gitlab-ci.yml
+++ b/.gitlab/tofu-test.gitlab-ci.yml
-.tofu-test-base:
-  image: "$TOFU_IMAGE_NAME"
-  before_script:
-    - gitlab-terraform version
-    - jq --version
-  cache:
-    key: "$TOFU_VERSION-$CI_COMMIT_REF_SLUG"
-    paths:
-      - tests/.terraform/
-.tofu-test:
-  extends:
-    - .tofu-test-base
-  before_script:
-    - !reference [.tofu-test-base, before_script]
-    - cd tests
-.test-tofu-root:
-  extends:
-    - .tofu-test-base
-  variables:
-    TF_ROOT: tests
-tofu-test-init:
-  extends:
-    - .tofu-test
-    - .tofu-versions
-  stage: test-init
-  script:
-    - export DEBUG_OUTPUT=true
-    - gitlab-terraform init
-tofu-test-init-with-args:
-  extends:
-    - .tofu-test
-    - .tofu-versions
-  stage: test-init
-  script:
-    - export DEBUG_OUTPUT=true
-    - gitlab-terraform init -get=true -no-color
-tofu-test-init-with-flags:
-  extends:
-    - .tofu-test
-    - .tofu-versions
-  stage: test-init
-  script:
-    - export DEBUG_OUTPUT=true
-    - export TF_INIT_FLAGS="-get=true -no-color"
-    - gitlab-terraform init
-tofu-test-init-with-flags-and-args:
-  extends:
-    - .tofu-test
-    - .tofu-versions
-  stage: test-init
-  script:
-    - export DEBUG_OUTPUT=true
-    - export TF_INIT_FLAGS="-get=true"
-    - gitlab-terraform init -no-color
-tofu-test-init-tf-root:
-  extends:
-    - .test-tofu-root
-    - .tofu-versions
-  stage: test-init
-  script:
-    - export DEBUG_OUTPUT=true
-    - gitlab-terraform init
-tofu-test-init-tf-root-with-cd:
-  extends:
-    - .test-tofu-root
-    - .tofu-versions
-  stage: test-init
-  script:
-    - cd tests
-    - export DEBUG_OUTPUT=true
-    - gitlab-terraform init
-tofu-test-init-tf-root-with-args:
-  extends:
-    - .test-tofu-root
-    - .tofu-versions
-  stage: test-init
-  script:
-    - export DEBUG_OUTPUT=true
-    - gitlab-terraform init -get=true -no-color
-tofu-test-init-tf-root-with-flags:
-  extends:
-    - .test-tofu-root
-    - .tofu-versions
-  stage: test-init
-  script:
-    - export DEBUG_OUTPUT=true
-    - export TF_INIT_FLAGS="-get=true -no-color"
-    - gitlab-terraform init
-tofu-test-init-tf-root-with-flags-and-args:
-  extends:
-    - .test-tofu-root
-    - .tofu-versions
-  stage: test-init
-  script:
-    - export DEBUG_OUTPUT=true
-    - export TF_INIT_FLAGS="-get=true"
-    - gitlab-terraform init -no-color
-tofu-test-init-without-reconfigure:
-  extends:
-    - .test-tofu-root
-    - .tofu-versions
-  stage: test-init
-  script:
-    - gitlab-terraform init
-    - |
-      cat <<EOF > $TF_ROOT/backend_override.tf
-      terraform {
-        backend "local" {}
-      }
-      EOF
-    - export TF_INIT_NO_RECONFIGURE=true
-    - FAILED=false
-    - gitlab-terraform init -no-color >/tmp/output.txt 2>&1 || FAILED=true
-    - cat /tmp/output.txt
-    - test $FAILED = true
-    - 'cat /tmp/output.txt | grep "Error: Backend configuration changed"'
-tofu-test-init-with-reconfigure:
-  extends:
-    - .test-tofu-root
-    - .tofu-versions
-  stage: test-init
-  script:
-    - gitlab-terraform init
-    - |
-      cat <<EOF > $TF_ROOT/backend_override.tf
-      terraform {
-        backend "local" {}
-      }
-      EOF
-    - gitlab-terraform init
-tofu-test-init-with-prepared-registry-token:
-  extends:
-    - .tofu-test
-  stage: test-init
-  variables:
-    TOFU_VERSION: $STABLE_TOFU_VERSION
-  script:
-    - apk add --update $PKG
-    - |
-      cat <<'EOF' > test.sh
-      set -x
-      export TF_TOKEN_gitlab_com=mysecrettoken
-      . $(which gitlab-terraform)
-      terraform_authenticate_private_registry
-      test "$TF_TOKEN_gitlab_com" = "mysecrettoken"
-      EOF
-    - $SHELL test.sh
-  parallel:
-    matrix:
-      - SHELL: "bash"
-        PKG: "bash"
-      - SHELL: "zsh"
-        PKG: "zsh"
-      - SHELL: "ksh"
-        PKG: "loksh"
-tofu-test-init-without-prepared-registry-token:
-  extends:
-    - .tofu-test
-  stage: test-init
-  variables:
-    TOFU_VERSION: $STABLE_TOFU_VERSION
-  script:
-    - apk add --update $PKG
-    - |
-      cat <<'EOF' > test.sh
-      set -x
-      . $(which gitlab-terraform)
-      terraform_authenticate_private_registry
-      test -n "$TF_TOKEN_gitlab_com"
-      EOF
-    - $SHELL test.sh
-  parallel:
-    matrix:
-      - SHELL: "bash"
-        PKG: "bash"
-      - SHELL: "zsh"
-        PKG: "zsh"
-      - SHELL: "ksh"
-        PKG: "loksh"
-tofu-test-fmt:
-  extends:
-    - .tofu-test
-    - .tofu-versions
-  stage: test-fmt
-  script:
-    - gitlab-terraform fmt
-tofu-test-validate:
-  extends:
-    - .tofu-test
-    - .tofu-versions
-  stage: test-validate
-  script:
-    - gitlab-terraform validate
-tofu-test-plan:
-  extends:
-    - .tofu-test
-    - .tofu-versions
-  stage: test-plan
-  variables:
-    TF_PLAN_CACHE: $TOFU_VERSION-plan.cache
-  script:
-    - gitlab-terraform plan
-    - if [[ ! -f "$TOFU_VERSION-plan.cache" ]]; then echo "expected to find a plan.cache file"; exit 1; fi
-    - gitlab-terraform plan-json
-    - if [[ ! -f "plan.json" ]]; then echo "expected to find a plan.json file"; exit 1; fi
-  artifacts:
-    paths:
-      - "tests/*-plan.cache"
-tofu-test-apply:
-  extends:
-    - .tofu-test
-    - .tofu-versions
-  stage: test-apply
-  variables:
-    TF_PLAN_CACHE: $TOFU_VERSION-plan.cache
-  script:
-    - gitlab-terraform apply
-tofu-test-destroy:
-  extends:
-    - .tofu-test
-    - .tofu-versions
-  stage: test-destroy
-  script:
-    - gitlab-terraform destroy
-tofu-test-source-script:
-  extends:
-    - .tofu-test
-  stage: test-misc
-  needs: [build tofu]
-  variables:
-    TOFU_VERSION: $STABLE_TOFU_VERSION
-  before_script:
-    - !reference [.tofu-test-base, before_script]
-    - apk add --update $PKG
-  script:
-    - |
-      cat <<'EOF' > test.sh
-      set -x
-      test -z "$TF_GITLAB_SOURCED"
-      . $(which gitlab-terraform)
-      test $TF_GITLAB_SOURCED
-      EOF
-    - |
-      mkdir /usr/local/sbin
-      cat <<'EOF' > /usr/local/sbin/terraform
-      #/!usr/bin/env sh -e
-      echo "Called Terraform, but shouldn't have!!"
-      false
-      EOF
-      chmod +x /usr/local/sbin/terraform
-    - $SHELL test.sh
-  parallel:
-    matrix:
-      - SHELL: "bash"
-        PKG: "bash"
-      - SHELL: "zsh"
-        PKG: "zsh"
-      - SHELL: "ksh"
-        PKG: "loksh"
-tofu-test-without-implicit-init:
-  extends:
-    - .tofu-test
-  stage: test-misc
-  needs: [build tofu]
-  cache:
-  variables:
-    TOFU_VERSION: $STABLE_TOFU_VERSION
-    STATE_NAME: $CI_JOB_NAME
-  script:
-    - export TF_IMPLICIT_INIT=false
-    - FAILED=false
-    - gitlab-terraform $CMD -no-color >/tmp/output.txt 2>&1 || FAILED=true
-    - cat /tmp/output.txt
-    - test $FAILED = true
-    - 'cat /tmp/output.txt | grep "$ERROR"'
-  parallel:
-    matrix:
-      - CMD: apply
-        ERROR: 'Error: Failed to load "plan.cache" as a plan'
-      - CMD: destroy
-        ERROR: 'Error: Backend initialization required, please run "tofu init"'
-      - CMD: plan
-        ERROR: 'Error: Backend initialization required, please run "tofu init"'
-      - CMD: validate
-        ERROR: 'Run "tofu init" to install all modules'
-tofu-test-no-wrapper:
-  extends:
-    - .tofu-test
-  stage: test-misc
-  needs: [build tofu]
-  cache:
-  variables:
-    TOFU_VERSION: $STABLE_TOFU_VERSION
-    STATE_NAME: $CI_JOB_NAME
-  script:
-    # NOTE: running `gitlab-terraform apply` wouldn't fail
-    #       because of the implicit `terraform init`.
-    - FAILED=false
-    - gitlab-terraform -- apply -no-color >/tmp/output.txt 2>&1 || FAILED=true
-    - cat /tmp/output.txt
-    - test $FAILED = true
-    - 'cat /tmp/output.txt | grep "Error: Backend initialization required, please run \"tofu init\""'
-tofu-integration-test-template:
-  stage: test-integration
-  variables:
-    IMAGE: $TOFU_IMAGE_NAME
-    # Hard-coded for now since there's no tofu stable version yet
-    TOFU_VERSION: "1.6"
-    TF_STATE_NAME: ci-tofu-integration-test-template-$CI_PIPELINE_IID-$CI_NODE_INDEX
-    TF_ROOT: tests
-  trigger:
-    include: .gitlab/integration-test/Test-$TEMPLATE
-    strategy: depend
-  rules:
-    - if: '$CI_PROJECT_PATH == "gitlab-org/terraform-images"'
-    - if: '$CI_MERGE_REQUEST_EVENT_TYPE == "merge_train"'
-  parallel:
-    matrix:
-      - TEMPLATE: [Terraform.gitlab-ci.yml, Terraform.latest.gitlab-ci.yml]
--- a/Dockerfile.tofu
+++ b/Dockerfile.tofu
-ARG BASE_IMAGE
-FROM $BASE_IMAGE
-ARG TOFU_BINARY_VERSION
-RUN apk add --no-cache \
-  curl \
-  gcompat \
-  git \
-  idn2-utils \
-  jq \
-  openssh
-# Install tofu from the alpine registry and symlink to terraform (for the utility script)
-RUN apk add --no-cache opentofu=$TOFU_BINARY_VERSION --repository=https://dl-cdn.alpinelinux.org/alpine/edge/testing/ && \
-    ln -s "$(which tofu)" /usr/local/bin/terraform && \
-    terraform --version && \
-    tofu --version
-WORKDIR /
-COPY src/bin/gitlab-terraform.sh /usr/bin/gitlab-terraform
-RUN chmod +x /usr/bin/gitlab-terraform
-# Override ENTRYPOINT
-ENTRYPOINT []
--- a/README.md
+++ b/README.md
 # Terraform Images
-> 🚨 This repository won't upgrade to any new Terraform releases with the BSL license for now.
+> 🚨 This repository won't upgrade to any new Terraform releases with the BSL license.
 > Please follow [this issue](https://gitlab.com/gitlab-org/terraform-images/-/issues/114) for updates.
 > 
 > We'd like to advise you to use the new [**OpenTofu CI/CD component**](https://gitlab.com/components/opentofu).
 >
 > Alternatively, you may build this project with the latest Terraform release yourself and 
 > host it in your own registry.
+>
+> The OpenTofu support in this repository has been removed in favor of the
+> aforementioned new [OpenTofu CI/CD component](https://gitlab.com/components/opentofu).
 This repository provides a docker image which contains the `gitlab-terraform` shell script. This script is a thin wrapper around the `terraform` binary. Its main purpose is to serve the [Infrastructure as code with Terraform and GitLab

--- a/src/bin/gitlab-terraform.sh
+++ b/src/bin/gitlab-terraform.sh
@@ -11,14 +11,6 @@ terraform_is_at_least() {
  return $?
 }
-# Check if the script is using OpenTofu or Terraform, returns 0
-# if tofu is present, 1 if it's not
-using_open_tofu() {
-  # If tofu is on the path, we're using tofu, not terraform.
-  [ "$(which tofu)" ]
-  return $?
-}
 # Evaluate if this script is being sourced or executed directly.
 # See https://stackoverflow.com/a/28776166
 sourced=0
@@ -112,8 +104,8 @@ fi
 terraform_authenticate_private_registry() {
-  if terraform_is_at_least 1.2.0 || using_open_tofu ; then
+  if terraform_is_at_least 1.2.0; then
-    # From Terraform 1.2.0 and later (or all versions of OpenTofu), we can use TF_TOKEN_your_domain_name to authenticate to registry.
+    # From Terraform 1.2.0 and later, we can use TF_TOKEN_your_domain_name to authenticate to registry.
    # The credential environment variable has the following requirements:
    # - Domain names containing non-ASCII characters are converted to their punycode equivalent with an ACE prefix
    # - Periods are encoded as underscores