From 0b2384a3efaaf946a2a433572c93f98c58721735 Mon Sep 17 00:00:00 2001 From: Christian Mesh Date: Thu, 18 Jul 2024 08:11:39 -0400 Subject: [PATCH 01/19] Backport/v1.8/1826 (#1829) Signed-off-by: James Humphries Co-authored-by: James Humphries --- internal/backend/local/backend_local.go | 2 +- internal/command/e2etest/static_plan_test.go | 241 +++++++++--------- .../static_plan_typed_variables/main.tf | 19 ++ .../static_plan_typed_variables/mod/mod.tf | 3 + internal/command/show.go | 5 +- 5 files changed, 151 insertions(+), 119 deletions(-) create mode 100644 internal/command/e2etest/testdata/static_plan_typed_variables/main.tf create mode 100644 internal/command/e2etest/testdata/static_plan_typed_variables/mod/mod.tf diff --git a/internal/backend/local/backend_local.go b/internal/backend/local/backend_local.go index 82706857a73..9ae703eb4e2 100644 --- a/internal/backend/local/backend_local.go +++ b/internal/backend/local/backend_local.go @@ -280,7 +280,7 @@ func (b *Local) localRunForPlanFile(op *backend.Operation, pf *planfile.Reader, return variable.Default, nil } - parsed, parsedErr := v.Decode(variable.Type) + parsed, parsedErr := v.Decode(cty.DynamicPseudoType) if parsedErr != nil { diags = diags.Append(&hcl.Diagnostic{ Severity: hcl.DiagError, diff --git a/internal/command/e2etest/static_plan_test.go b/internal/command/e2etest/static_plan_test.go index f91b95ccd97..828fb7d1b7a 100644 --- a/internal/command/e2etest/static_plan_test.go +++ b/internal/command/e2etest/static_plan_test.go @@ -6,6 +6,7 @@ package e2etest import ( + "fmt" "path/filepath" "testing" @@ -15,121 +16,129 @@ import ( // This is an e2e test as it relies on very specific configuration // within the meta object that is currently very hard to mock out. func TestStaticPlanVariables(t *testing.T) { - fixturePath := filepath.Join("testdata", "static_plan_variables") - tf := e2e.NewBinary(t, tofuBin, fixturePath) - - run := func(args ...string) tofuResult { - stdout, stderr, err := tf.Run(args...) - return tofuResult{t, stdout, stderr, err} + fixtures := []string{ + "static_plan_variables", + "static_plan_typed_variables", + } + for _, fixture := range fixtures { + t.Run(fmt.Sprintf("TestStaticPlanVariables/%s", fixture), func(t *testing.T) { + fixturePath := filepath.Join("testdata", fixture) + tf := e2e.NewBinary(t, tofuBin, fixturePath) + + run := func(args ...string) tofuResult { + stdout, stderr, err := tf.Run(args...) + return tofuResult{t, stdout, stderr, err} + } + + statePath := "custom.tfstate" + stateVar := "-var=state_path=" + statePath + modVar := "-var=src=./mod" + planfile := "static.plan" + + modErr := "module.mod.source depends on var.src which is not available" + backendErr := "backend.local depends on var.state_path which is not available" + + // Init + run("init").Failure().StderrContains(modErr) + run("init", stateVar, modVar).Success() + + // Get + run("get").Failure().StderrContains(modErr) + run("get", stateVar, modVar).Success() + + // Validate + run("validate").Failure().StderrContains(modErr) + run("validate", stateVar, modVar).Success() + + // Providers + run("providers").Failure().StderrContains(modErr) + run("providers", stateVar, modVar).Success() + run("providers", "lock").Failure().StderrContains(modErr) + run("providers", "lock", stateVar, modVar).Success() + run("providers", "mirror", "./tempproviders").Failure().StderrContains(modErr) + run("providers", "mirror", stateVar, modVar, "./tempproviders").Failure().StderrContains("Could not scan the output directory to get package metadata for the JSON") + run("providers", "schema", "-json").Failure().StderrContains(backendErr) + run("providers", "schema", "-json", stateVar, modVar).Success() + + // Check console init (early exits due to stdin setup) + run("console").Failure().StderrContains(backendErr) + run("console", stateVar, modVar).Success() + + // Check graph (without plan) + run("graph").Failure().StderrContains(backendErr) + run("graph", stateVar, modVar).Success() + + // Plan with static variable + run("plan", stateVar, modVar, "-out="+planfile).Success() + + // Show plan without static variable (embedded) + run("show", planfile).Success() + + // Check graph (without plan) + run("graph", "-plan="+planfile).Success() + + // Apply plan without static variable (embedded) + run("apply", planfile).Success() + + // Show State + run("show", statePath).Failure().StderrContains(modErr) + run("show", stateVar, modVar, statePath).Success().Contains(`out = "placeholder"`) + + // Force Unlock + run("force-unlock", "ident").Failure().StderrContains(backendErr) + run("force-unlock", stateVar, modVar, "ident").Failure().StderrContains("Local state cannot be unlocked by another process") + + // Output values + run("output").Failure().StderrContains(backendErr) + run("output", stateVar, modVar).Success().Contains(`out = "placeholder"`) + + // Refresh + run("refresh").Failure().StderrContains(backendErr) + run("refresh", stateVar, modVar).Success().Contains("There are currently no remote objects tracked in the state") + + // Import + run("import", "resource.addr", "id").Failure().StderrContains(modErr) + run("import", stateVar, modVar, "resource.addr", "id").Failure().StderrContains("Before importing this resource, please create its configuration in the root module.") + + // Taint + run("taint", "resource.addr").Failure().StderrContains(modErr) + run("taint", stateVar, modVar, "resource.addr").Failure().StderrContains("There is no resource instance in the state with the address resource.addr.") + run("untaint", "resource.addr").Failure().StderrContains(backendErr) + run("untaint", stateVar, modVar, "resource.addr").Failure().StderrContains("There is no resource instance in the state with the address resource.addr.") + + // State + run("state", "list").Failure().StderrContains(backendErr) + run("state", "list", stateVar, modVar).Success() + run("state", "mv", "foo.bar", "foo.baz").Failure().StderrContains(modErr) + run("state", "mv", stateVar, modVar, "foo.bar", "foo.baz").Failure().StderrContains("Cannot move foo.bar: does not match anything in the current state.") + run("state", "pull").Failure().StderrContains(modErr) + run("state", "pull", stateVar, modVar).Success().Contains(`"outputs":{"out":{"value":"placeholder","type":"string"}}`) + run("state", "push", statePath).Failure().StderrContains(modErr) + run("state", "push", stateVar, modVar, statePath).Success() + run("state", "replace-provider", "foo", "bar").Failure().StderrContains(modErr) + run("state", "replace-provider", stateVar, modVar, "foo", "bar").Success().Contains("No matching resources found.") + run("state", "rm", "foo.bar").Failure().StderrContains(modErr) + run("state", "rm", stateVar, modVar, "foo.bar").Failure().StderrContains("No matching objects found.") + run("state", "show", "out").Failure().StderrContains(backendErr) + run("state", "show", stateVar, modVar, "invalid.resource").Failure().StderrContains("No instance found for the given address!") + + // Workspace + run("workspace", "list").Failure().StderrContains(backendErr) + run("workspace", "list", stateVar, modVar).Success().Contains(`default`) + run("workspace", "new", "foo").Failure().StderrContains(backendErr) + run("workspace", "new", stateVar, modVar, "foo").Success().Contains(`foo`) + run("workspace", "select", "default").Failure().StderrContains(backendErr) + run("workspace", "select", stateVar, modVar, "default").Success().Contains(`default`) + run("workspace", "delete", "foo").Failure().StderrContains(backendErr) + run("workspace", "delete", stateVar, modVar, "foo").Success().Contains(`foo`) + + // Test + run("test").Failure().StderrContains(modErr) + run("test", stateVar, modVar).Success().Contains(`Success!`) + + // Destroy + run("destroy", "-auto-approve").Failure().StderrContains(backendErr) + run("destroy", stateVar, modVar, "-auto-approve").Success().Contains("You can apply this plan to save these new output values") + }) } - - statePath := "custom.tfstate" - stateVar := "-var=state_path=" + statePath - modVar := "-var=src=./mod" - planfile := "static.plan" - - modErr := "module.mod.source depends on var.src which is not available" - backendErr := "backend.local depends on var.state_path which is not available" - - // Init - run("init").Failure().StderrContains(modErr) - run("init", stateVar, modVar).Success() - - // Get - run("get").Failure().StderrContains(modErr) - run("get", stateVar, modVar).Success() - - // Validate - run("validate").Failure().StderrContains(modErr) - run("validate", stateVar, modVar).Success() - - // Providers - run("providers").Failure().StderrContains(modErr) - run("providers", stateVar, modVar).Success() - run("providers", "lock").Failure().StderrContains(modErr) - run("providers", "lock", stateVar, modVar).Success() - run("providers", "mirror", "./tempproviders").Failure().StderrContains(modErr) - run("providers", "mirror", stateVar, modVar, "./tempproviders").Failure().StderrContains("Could not scan the output directory to get package metadata for the JSON") - run("providers", "schema", "-json").Failure().StderrContains(backendErr) - run("providers", "schema", "-json", stateVar, modVar).Success() - - // Check console init (early exits due to stdin setup) - run("console").Failure().StderrContains(backendErr) - run("console", stateVar, modVar).Success() - - // Check graph (without plan) - run("graph").Failure().StderrContains(backendErr) - run("graph", stateVar, modVar).Success() - - // Plan with static variable - run("plan", stateVar, modVar, "-out="+planfile).Success() - - // Show plan without static variable (embedded) - run("show", planfile).Success() - - // Check graph (without plan) - run("graph", "-plan="+planfile).Success() - - // Apply plan without static variable (embedded) - run("apply", planfile).Success() - - // Show State - run("show", statePath).Failure().StderrContains(modErr) - run("show", stateVar, modVar, statePath).Success().Contains(`out = "placeholder"`) - - // Force Unlock - run("force-unlock", "ident").Failure().StderrContains(backendErr) - run("force-unlock", stateVar, modVar, "ident").Failure().StderrContains("Local state cannot be unlocked by another process") - - // Output values - run("output").Failure().StderrContains(backendErr) - run("output", stateVar, modVar).Success().Contains(`out = "placeholder"`) - - // Refresh - run("refresh").Failure().StderrContains(backendErr) - run("refresh", stateVar, modVar).Success().Contains("There are currently no remote objects tracked in the state") - - // Import - run("import", "resource.addr", "id").Failure().StderrContains(modErr) - run("import", stateVar, modVar, "resource.addr", "id").Failure().StderrContains("Before importing this resource, please create its configuration in the root module.") - - // Taint - run("taint", "resource.addr").Failure().StderrContains(modErr) - run("taint", stateVar, modVar, "resource.addr").Failure().StderrContains("There is no resource instance in the state with the address resource.addr.") - run("untaint", "resource.addr").Failure().StderrContains(backendErr) - run("untaint", stateVar, modVar, "resource.addr").Failure().StderrContains("There is no resource instance in the state with the address resource.addr.") - - // State - run("state", "list").Failure().StderrContains(backendErr) - run("state", "list", stateVar, modVar).Success() - run("state", "mv", "foo.bar", "foo.baz").Failure().StderrContains(modErr) - run("state", "mv", stateVar, modVar, "foo.bar", "foo.baz").Failure().StderrContains("Cannot move foo.bar: does not match anything in the current state.") - run("state", "pull").Failure().StderrContains(modErr) - run("state", "pull", stateVar, modVar).Success().Contains(`"outputs":{"out":{"value":"placeholder","type":"string"}}`) - run("state", "push", statePath).Failure().StderrContains(modErr) - run("state", "push", stateVar, modVar, statePath).Success() - run("state", "replace-provider", "foo", "bar").Failure().StderrContains(modErr) - run("state", "replace-provider", stateVar, modVar, "foo", "bar").Success().Contains("No matching resources found.") - run("state", "rm", "foo.bar").Failure().StderrContains(modErr) - run("state", "rm", stateVar, modVar, "foo.bar").Failure().StderrContains("No matching objects found.") - run("state", "show", "out").Failure().StderrContains(backendErr) - run("state", "show", stateVar, modVar, "invalid.resource").Failure().StderrContains("No instance found for the given address!") - - // Workspace - run("workspace", "list").Failure().StderrContains(backendErr) - run("workspace", "list", stateVar, modVar).Success().Contains(`default`) - run("workspace", "new", "foo").Failure().StderrContains(backendErr) - run("workspace", "new", stateVar, modVar, "foo").Success().Contains(`foo`) - run("workspace", "select", "default").Failure().StderrContains(backendErr) - run("workspace", "select", stateVar, modVar, "default").Success().Contains(`default`) - run("workspace", "delete", "foo").Failure().StderrContains(backendErr) - run("workspace", "delete", stateVar, modVar, "foo").Success().Contains(`foo`) - - // Test - run("test").Failure().StderrContains(modErr) - run("test", stateVar, modVar).Success().Contains(`Success!`) - - // Destroy - run("destroy", "-auto-approve").Failure().StderrContains(backendErr) - run("destroy", stateVar, modVar, "-auto-approve").Success().Contains("You can apply this plan to save these new output values") } diff --git a/internal/command/e2etest/testdata/static_plan_typed_variables/main.tf b/internal/command/e2etest/testdata/static_plan_typed_variables/main.tf new file mode 100644 index 00000000000..8e81a1a767c --- /dev/null +++ b/internal/command/e2etest/testdata/static_plan_typed_variables/main.tf @@ -0,0 +1,19 @@ +variable "state_path" {} + +variable "src" { + type = string +} + +terraform { + backend "local" { + path = var.state_path + } +} + +module "mod" { + source = var.src +} + +output "out" { + value = module.mod.out +} diff --git a/internal/command/e2etest/testdata/static_plan_typed_variables/mod/mod.tf b/internal/command/e2etest/testdata/static_plan_typed_variables/mod/mod.tf new file mode 100644 index 00000000000..95473f39dab --- /dev/null +++ b/internal/command/e2etest/testdata/static_plan_typed_variables/mod/mod.tf @@ -0,0 +1,3 @@ +output "out" { + value = "placeholder" +} diff --git a/internal/command/show.go b/internal/command/show.go index 460e5818393..2a783d9e170 100644 --- a/internal/command/show.go +++ b/internal/command/show.go @@ -13,6 +13,8 @@ import ( "strings" "github.com/hashicorp/hcl/v2" + "github.com/zclconf/go-cty/cty" + "github.com/opentofu/opentofu/internal/backend" "github.com/opentofu/opentofu/internal/cloud" "github.com/opentofu/opentofu/internal/cloud/cloudplan" @@ -27,7 +29,6 @@ import ( "github.com/opentofu/opentofu/internal/tfdiags" "github.com/opentofu/opentofu/internal/tofu" "github.com/opentofu/opentofu/internal/tofumigrate" - "github.com/zclconf/go-cty/cty" ) // Many of the methods we get data from can emit special error types if they're @@ -382,7 +383,7 @@ func getDataFromPlanfileReader(planReader *planfile.Reader, rootCall configs.Sta return variable.Default, nil } - parsed, parsedErr := v.Decode(variable.Type) + parsed, parsedErr := v.Decode(cty.DynamicPseudoType) if parsedErr != nil { diags = diags.Append(&hcl.Diagnostic{ Severity: hcl.DiagError, From eb61c454f4fd4724d111aac46a397d3058c3a9b2 Mon Sep 17 00:00:00 2001 From: Ronny Orot Date: Tue, 23 Jul 2024 15:50:32 +0300 Subject: [PATCH 02/19] Backport[V1.8] #1841: Add documentation about the new .tofu extension (#1844) --- website/docs/cli/commands/index.mdx | 5 ++-- website/docs/cli/commands/plan.mdx | 7 +++--- website/docs/cli/commands/test/index.mdx | 22 +++++++++++++--- website/docs/cli/config/config-file.mdx | 4 +-- .../docs/language/files/dependency-lock.mdx | 8 +++--- website/docs/language/files/index.mdx | 25 ++++++++++++++----- website/docs/language/files/override.mdx | 25 +++++++++++++------ .../docs/language/modules/develop/index.mdx | 6 ++--- website/docs/language/modules/index.mdx | 8 +++--- website/docs/language/modules/syntax.mdx | 4 +-- website/docs/language/syntax/json.mdx | 17 +++++++++++-- 11 files changed, 93 insertions(+), 38 deletions(-) diff --git a/website/docs/cli/commands/index.mdx b/website/docs/cli/commands/index.mdx index 79da4e1ce99..8b154c087eb 100644 --- a/website/docs/cli/commands/index.mdx +++ b/website/docs/cli/commands/index.mdx @@ -65,8 +65,9 @@ command's page for details. ## Switching working directory with `-chdir` The usual way to run OpenTofu is to first switch to the directory containing -the `.tf` files for your root module (for example, using the `cd` command), so -that OpenTofu will find those files automatically without any extra arguments. +the `.tf` or `.tofu` files for your root module (for example, using the `cd` +command), so that OpenTofu will find those files automatically without any +extra arguments. In some cases though — particularly when wrapping OpenTofu in automation scripts — it can be convenient to run OpenTofu from a different directory than diff --git a/website/docs/cli/commands/plan.mdx b/website/docs/cli/commands/plan.mdx index b2ecd51572b..a6eec71f5e6 100644 --- a/website/docs/cli/commands/plan.mdx +++ b/website/docs/cli/commands/plan.mdx @@ -314,9 +314,10 @@ The available options are: OpenTofu will allow any filename for the plan file, but a typical convention is to name it `tfplan`. **Do not** name the file with a suffix - that OpenTofu recognizes as another file format; if you use a `.tf` suffix - then OpenTofu will try to interpret the file as a configuration source - file, which will then cause syntax errors for subsequent commands. + that OpenTofu recognizes as another file format; if you use a `.tf` or + `.tofu` suffix then OpenTofu will try to interpret the file as a + configuration source file, which will then cause syntax errors for subsequent + commands. The generated file is not in any standard format intended for consumption by other software, but the file _does_ contain your full configuration, diff --git a/website/docs/cli/commands/test/index.mdx b/website/docs/cli/commands/test/index.mdx index 5296378bcc5..0c5f4330226 100644 --- a/website/docs/cli/commands/test/index.mdx +++ b/website/docs/cli/commands/test/index.mdx @@ -44,8 +44,8 @@ the required conditions (assertions) are met. Once the test is complete, OpenTof Usage: `tofu test [options]`. -This command will execute all `*.tftest.hcl` files in the current directory or in a directory called `tests`. You can -customize this behavior using the [options](#options) below. +This command will execute all `*.tftest.hcl`, `*.tftest.json`, `*.tofutest.hcl`, and `*.tofutest.json` files in the +current directory or in a directory called `tests`. You can customize this behavior using the [options](#options) below. :::info Example @@ -67,6 +67,22 @@ below. ::: +## Extension Precedence +When both `.tftest.hcl` and `.tofutest.hcl` files with the same base name are present in a +directory, OpenTofu will prioritize the `.tofutest.hcl` file and ignore the `.tftest.hcl` file. +For example: + +- If both `main.tftest.hcl` and `main.tofutest.hcl` exist in the same directory, OpenTofu will +only load `main.tofutest.hcl` and ignore `main.tftest.hcl`. + +This ensures that `.tofu` files always take precedence over `.tf` files when +both are available. This scenario can be useful for module authors who want +their modules to support both OpenTofu and Terraform and want to create different tests for each. + +The same rule applies to JSON-based test files: +- if both `main.tftest.json` and `main.tofutest.json` exist in the same directory, OpenTofu will +only load `main.tofutest.json` and ignore `main.tftest.json`. + ## Options * `-test-directory=path` Set the test directory (default: "tests"). OpenTofu will search for test files in the specified @@ -124,7 +140,7 @@ times to run more than one test file. ::: -## The `*.tftest.hcl` file structure +## The `*.tftest.hcl` / `*.tofutest.hcl` file structure The testing language of OpenTofu is similar to the main OpenTofu language and uses the same block structure. diff --git a/website/docs/cli/config/config-file.mdx b/website/docs/cli/config/config-file.mdx index 0b8c00604ab..3271915d042 100644 --- a/website/docs/cli/config/config-file.mdx +++ b/website/docs/cli/config/config-file.mdx @@ -43,8 +43,8 @@ Any such file should follow the naming pattern `*.tfrc`. ## Configuration File Syntax -The configuration file uses the same _HCL_ syntax as `.tf` files, but with -different attributes and blocks. The following example illustrates the +The configuration file uses the same _HCL_ syntax as `.tf` and `.tofu` files, +but with different attributes and blocks. The following example illustrates the general syntax; see the following section for information on the meaning of each of these settings: diff --git a/website/docs/language/files/dependency-lock.mdx b/website/docs/language/files/dependency-lock.mdx index a0137b499f0..24c4f4d514f 100644 --- a/website/docs/language/files/dependency-lock.mdx +++ b/website/docs/language/files/dependency-lock.mdx @@ -39,8 +39,8 @@ to ensure that OpenTofu will always select the same module version. The dependency lock file is a file that belongs to the configuration as a whole, rather than to each separate module in the configuration. For that reason OpenTofu creates it and expects to find it in your current working directory -when you run OpenTofu, which is also the directory containing the `.tf` files -for the root module of your configuration. +when you run OpenTofu, which is also the directory containing the `.tf` or +`.tofu` files for the root module of your configuration. The lock file is always named `.terraform.lock.hcl`, and this name is intended to signify that it is a lock file for various items that OpenTofu caches in @@ -54,8 +54,8 @@ would discuss potential changes to your configuration itself. The dependency lock file uses the same low-level syntax as the main OpenTofu language, but the dependency lock file is not itself an OpenTofu language -configuration file. It is named with the suffix `.hcl` instead of `.tf` in -order to signify that difference. +configuration file. It is named with the suffix `.hcl` instead of `.tf` or +`.tofu` in order to signify that difference. ## Dependency Installation Behavior diff --git a/website/docs/language/files/index.mdx b/website/docs/language/files/index.mdx index d213d70f5e1..40ceb834ebe 100644 --- a/website/docs/language/files/index.mdx +++ b/website/docs/language/files/index.mdx @@ -8,13 +8,26 @@ description: >- ## File Extension -Code in the OpenTofu language is stored in plain text files with the `.tf` file -extension. There is also -[a JSON-based variant of the language](../../language/syntax/json.mdx) that is named with -the `.tf.json` file extension. +Code in the OpenTofu language is stored in plain text files with the `.tf` +or `.tofu` file extensions. There is also +[a JSON-based variant of the language](../../language/syntax/json.mdx) that is +named with the `.tf.json` or `.tofu.json` file extensions. Files containing OpenTofu code are often called _configuration files._ +### Extension Precedence + +When both `.tf` and `.tofu` files with the same base name are present in a +directory, OpenTofu will prioritize the `.tofu` file and ignore the `.tf` file. +For example: + +- If both `foo.tf` and `foo.tofu` exist in the same directory, OpenTofu will +only load `foo.tofu` and ignore `foo.tf`. + +This ensures that `.tofu` files always take precedence over `.tf` files when +both are available. This scenario can be useful for module authors who want +their modules to support both OpenTofu and Terraform. + ## Text Encoding Configuration files must always use UTF-8 encoding, and by convention @@ -23,8 +36,8 @@ line endings (CRLF), though both are accepted. ## Directories and Modules -A _module_ is a collection of `.tf` and/or `.tf.json` files kept together in a -directory. +A _module_ is a collection of one or many `.tf`, `.tf.json`, `.tofu`, +`.tofu.json` files kept together in a directory. An OpenTofu module only consists of the top-level configuration files in a directory; nested directories are treated as completely separate modules, and diff --git a/website/docs/language/files/override.mdx b/website/docs/language/files/override.mdx index 0e9801c0e94..d1934a4dd53 100644 --- a/website/docs/language/files/override.mdx +++ b/website/docs/language/files/override.mdx @@ -6,10 +6,10 @@ description: >- # Override Files -OpenTofu normally loads all of the `.tf` and `.tf.json` files within a -directory and expects each one to define a distinct set of configuration -objects. If two files attempt to define the same object, OpenTofu returns -an error. +OpenTofu normally loads all of the `.tf`, `.tofu`, `.tf.json` and `.tofu.json` +files within a directory and expects each one to define a distinct set of +configuration objects. If two files attempt to define the same object, OpenTofu +returns an error. In some rare cases, it is convenient to be able to override specific portions of an existing configuration object in a separate file. For example, a @@ -18,9 +18,20 @@ could be partially overridden using a programmatically-generated file in JSON syntax. For these rare situations, OpenTofu has special handling of any configuration -file whose name ends in `_override.tf` or `_override.tf.json`. This special -handling also applies to a file named literally `override.tf` or -`override.tf.json`. +file whose name ends in `_override.tf`, `_override.tofu`, `_override.tf.json` +or `_override.tofu.json`. This special handling also applies to a file named +literally `override.tf`, `override.tofu`, `override.tf.json` or +`override.tofu.json`. + +:::note +[Extension Precedence](./index.mdx#extension-precedence) is important when +dealing with override files. If both `foo_override.tf` and `foo_override.tofu` +exist in the same directory, OpenTofu will only load `foo_override.tofu` and +disregard `foo_override.tf`. The same rule applies to JSON-based files - if +both `foo_override.tofu.json` and `foo_override.tf.json` exist in the same +directory, OpenTofu will only load `foo_override.tofu.json` and ignore +`foo_override.tf.json`. +::: OpenTofu initially skips these _override files_ when loading configuration, and then afterwards processes each one in turn (in lexicographical order). For diff --git a/website/docs/language/modules/develop/index.mdx b/website/docs/language/modules/develop/index.mdx index 9c1a614b6eb..bda0abd6ed4 100644 --- a/website/docs/language/modules/develop/index.mdx +++ b/website/docs/language/modules/develop/index.mdx @@ -11,9 +11,9 @@ You can use modules to create lightweight abstractions, so that you can describe your infrastructure in terms of its architecture, rather than directly in terms of physical objects. -The `.tf` files in your working directory when you run [`tofu plan`](../../../cli/commands/plan.mdx) -or [`tofu apply`](../../../cli/commands/apply.mdx) together form the _root_ -module. That module may [call other modules](../../../language/modules/syntax.mdx#calling-a-child-module) +The `.tf` and/or `.tofu` files in your working directory when you run +[`tofu plan`](../../../cli/commands/plan.mdx) or [`tofu apply`](../../../cli/commands/apply.mdx) +together form the _root_ module. That module may [call other modules](../../../language/modules/syntax.mdx#calling-a-child-module) and connect them together by passing output values from one to input values of another. diff --git a/website/docs/language/modules/index.mdx b/website/docs/language/modules/index.mdx index 3da481d4f1c..7241635a9d4 100644 --- a/website/docs/language/modules/index.mdx +++ b/website/docs/language/modules/index.mdx @@ -7,8 +7,8 @@ description: >- # Modules _Modules_ are containers for multiple resources that are used together. A module -consists of a collection of `.tf` and/or `.tf.json` files kept together in a -directory. +consists of a collection of `.tf`, `.tofu`, `.tf.json`, and/or `.tofu.json` +files that are kept together in a directory. Modules are the main way to package and reuse resource configurations with OpenTofu. @@ -16,8 +16,8 @@ OpenTofu. ## The Root Module Every OpenTofu configuration has at least one module, known as its -_root module_, which consists of the resources defined in the `.tf` files in -the main working directory. +_root module_, which consists of the resources defined in the `.tf` or `.tofu` +files in the main working directory. ## Child Modules diff --git a/website/docs/language/modules/syntax.mdx b/website/docs/language/modules/syntax.mdx index 9bb9d1b60bb..2145641558a 100644 --- a/website/docs/language/modules/syntax.mdx +++ b/website/docs/language/modules/syntax.mdx @@ -10,8 +10,8 @@ description: >- A _module_ is a container for multiple resources that are used together. Every OpenTofu configuration has at least one module, known as its -_root module_, which consists of the resources defined in the `.tf` files in -the main working directory. +_root module_, which consists of the resources defined in the `.tf` and `.tofu` +files in the main working directory. A module can call other modules, which lets you include the child module's resources into the configuration in a concise way. Modules diff --git a/website/docs/language/syntax/json.mdx b/website/docs/language/syntax/json.mdx index 4ae872bbac8..f60d68847f3 100644 --- a/website/docs/language/syntax/json.mdx +++ b/website/docs/language/syntax/json.mdx @@ -20,8 +20,8 @@ be expressed in native syntax can also be expressed in JSON syntax, but some constructs are more complex to represent in JSON due to limitations of the JSON grammar. -OpenTofu expects native syntax for files named with a `.tf` suffix, and -JSON syntax for files named with a `.tf.json` suffix. +OpenTofu expects native syntax for files named with a `.tf` or `.tofu` suffix, +and JSON syntax for files named with a `.tf.json` or `.tofu.json` suffix. The low-level JSON syntax, just as with the native syntax, is defined in terms of a specification called _HCL_. It is not necessary to know all of the details @@ -30,6 +30,19 @@ summarizes the most important differences between native and JSON syntax. If you are interested, you can find a full definition of HCL's JSON syntax in [its specification](https://github.com/hashicorp/hcl/blob/main/json/spec.md). +### Extension Precedence + +When both `.tf.json` and `.tofu.json` files with the same base name are present +in a directory, OpenTofu will prioritize the `.tofu.json` file and ignore the +`.tf.json` file. For example: + +- If both `foo.tf.json` and `foo.tofu.json` exist in the same directory, +OpenTofu will only load `foo.tofu.json` and ignore `foo.tf.json`. + +This ensures that `.tofu.json` files always take precedence over `.tf.json` +files when both are available. This scenario can be useful for module authors +who want their modules to support both OpenTofu and Terraform. + ## JSON File Structure At the root of any JSON-based OpenTofu configuration is a JSON object. The From d28afdab5a2c448dcbfc4e6e661dccbbfb0bd683 Mon Sep 17 00:00:00 2001 From: James Humphries Date: Tue, 23 Jul 2024 14:24:36 +0100 Subject: [PATCH 03/19] [Backport #1801] Sensitive path usage in templatefile shouldn't panic (#1846) Signed-off-by: James Humphries --- CHANGELOG.md | 2 +- internal/lang/funcs/filesystem.go | 11 ++++++----- internal/lang/funcs/filesystem_test.go | 22 ++++++++++++++++++++-- 3 files changed, 27 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ba24ae27af9..bd3c7d939db 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -34,7 +34,7 @@ BUG FIXES: * Fixed issue with migration between versions can cause an update in-place for resources when no changes are needed. ([#1640](https://github.com/opentofu/opentofu/pull/1640)) * Add source context for the 'insufficient feature blocks' error ([#1777](https://github.com/opentofu/opentofu/pull/1777)) * Remove encryption diags from autocomplete ([#1793](https://github.com/opentofu/opentofu/pull/1793)) - +* Ensure that using a sensitive path for templatefile that it doesn't panic([#1801](https://github.com/opentofu/opentofu/issues/1801)) ## Previous Releases diff --git a/internal/lang/funcs/filesystem.go b/internal/lang/funcs/filesystem.go index 25b6f62b5b8..3e55c117264 100644 --- a/internal/lang/funcs/filesystem.go +++ b/internal/lang/funcs/filesystem.go @@ -121,7 +121,6 @@ func MakeTemplateFileFunc(baseDir string, funcsCb func() map[string]function.Fun return makeTemplateFileFuncImpl(baseDir, funcsCb, 0) } func makeTemplateFileFuncImpl(baseDir string, funcsCb func() map[string]function.Function, depth int) function.Function { - params := []function.Parameter{ { Name: "path", @@ -134,7 +133,7 @@ func makeTemplateFileFuncImpl(baseDir string, funcsCb func() map[string]function }, } - loadTmpl := func(fn string, marks cty.ValueMarks) (hcl.Expression, error) { + loadTmpl := func(path string, marks cty.ValueMarks) (hcl.Expression, error) { maxDepth, err := templateMaxRecursionDepth() if err != nil { return nil, err @@ -146,12 +145,15 @@ func makeTemplateFileFuncImpl(baseDir string, funcsCb func() map[string]function // We re-use File here to ensure the same filename interpretation // as it does, along with its other safety checks. - tmplVal, err := File(baseDir, cty.StringVal(fn).WithMarks(marks)) + templateValue, err := File(baseDir, cty.StringVal(path).WithMarks(marks)) if err != nil { return nil, err } - expr, diags := hclsyntax.ParseTemplate([]byte(tmplVal.AsString()), fn, hcl.Pos{Line: 1, Column: 1}) + // unmark the template ready to be handled + templateValue, _ = templateValue.Unmark() + + expr, diags := hclsyntax.ParseTemplate([]byte(templateValue.AsString()), path, hcl.Pos{Line: 1, Column: 1}) if diags.HasErrors() { return nil, diags } @@ -206,7 +208,6 @@ func makeTemplateFileFuncImpl(baseDir string, funcsCb func() map[string]function return result.WithMarks(pathMarks), err }, }) - } // MakeFileExistsFunc constructs a function that takes a path diff --git a/internal/lang/funcs/filesystem_test.go b/internal/lang/funcs/filesystem_test.go index addb9b74a26..a64da91e3bd 100644 --- a/internal/lang/funcs/filesystem_test.go +++ b/internal/lang/funcs/filesystem_test.go @@ -6,16 +6,18 @@ package funcs import ( + "errors" "fmt" "os" "path/filepath" "testing" homedir "github.com/mitchellh/go-homedir" - "github.com/opentofu/opentofu/internal/lang/marks" "github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty/function" "github.com/zclconf/go-cty/cty/function/stdlib" + + "github.com/opentofu/opentofu/internal/lang/marks" ) func TestFile(t *testing.T) { @@ -181,6 +183,21 @@ func TestTemplateFile(t *testing.T) { cty.True, // since this template contains only an interpolation, its true value shines through ``, }, + { + // write to a sensitive file path that exists + cty.StringVal("testdata/hello.txt").Mark(marks.Sensitive), + cty.EmptyObjectVal, + cty.StringVal("Hello World").Mark(marks.Sensitive), + ``, + }, + { + cty.StringVal("testdata/bare.tmpl"), + cty.ObjectVal(map[string]cty.Value{ + "val": cty.True.Mark(marks.Sensitive), + }), + cty.True.Mark(marks.Sensitive), + ``, + }, } templateFileFn := MakeTemplateFileFunc(".", func() map[string]function.Function { @@ -194,7 +211,8 @@ func TestTemplateFile(t *testing.T) { t.Run(fmt.Sprintf("TemplateFile(%#v, %#v)", test.Path, test.Vars), func(t *testing.T) { got, err := templateFileFn.Call([]cty.Value{test.Path, test.Vars}) - if argErr, ok := err.(function.ArgError); ok { + var argErr function.ArgError + if errors.As(err, &argErr) { if argErr.Index < 0 || argErr.Index > 1 { t.Errorf("ArgError index %d is out of range for templatefile (must be 0 or 1)", argErr.Index) } From fbb9bd6b8ad69f537c3245b22694e923384b1646 Mon Sep 17 00:00:00 2001 From: Christian Mesh Date: Tue, 23 Jul 2024 09:34:34 -0400 Subject: [PATCH 04/19] Backport/v1.8/1843 (#1847) Signed-off-by: Christian Mesh Signed-off-by: ollevche Co-authored-by: ollevche --- website/docs/cli/commands/console.mdx | 12 ++++++++ website/docs/cli/commands/force-unlock.mdx | 23 +++++++++++++++ website/docs/cli/commands/get.mdx | 22 ++++++++++++++ website/docs/cli/commands/graph.mdx | 24 +++++++++++++++ website/docs/cli/commands/import.mdx | 8 +++++ website/docs/cli/commands/init.mdx | 27 +++++++++++++++++ website/docs/cli/commands/output.mdx | 26 +++++++++++++++++ website/docs/cli/commands/providers/index.mdx | 29 ++++++++++++++++++- website/docs/cli/commands/providers/lock.mdx | 24 +++++++++++++++ .../docs/cli/commands/providers/mirror.mdx | 26 ++++++++++++++++- .../docs/cli/commands/providers/schema.mdx | 24 +++++++++++++++ website/docs/cli/commands/refresh.mdx | 8 +++++ website/docs/cli/commands/state/list.mdx | 24 +++++++++++++++ website/docs/cli/commands/state/mv.mdx | 24 +++++++++++++++ website/docs/cli/commands/state/pull.mdx | 26 +++++++++++++++++ website/docs/cli/commands/state/push.mdx | 28 +++++++++++++++--- .../cli/commands/state/replace-provider.mdx | 24 +++++++++++++++ website/docs/cli/commands/state/rm.mdx | 24 +++++++++++++++ website/docs/cli/commands/state/show.mdx | 24 +++++++++++++++ website/docs/cli/commands/taint.mdx | 24 +++++++++++++++ website/docs/cli/commands/test/index.mdx | 8 +++++ website/docs/cli/commands/untaint.mdx | 24 +++++++++++++++ website/docs/cli/commands/validate.mdx | 29 +++++++++++++++++-- .../docs/cli/commands/workspace/delete.mdx | 26 +++++++++++++++++ website/docs/cli/commands/workspace/list.mdx | 26 +++++++++++++++++ website/docs/cli/commands/workspace/new.mdx | 26 +++++++++++++++++ .../docs/cli/commands/workspace/select.mdx | 24 +++++++++++++++ website/docs/language/modules/sources.mdx | 4 +-- .../settings/backends/configuration.mdx | 20 +++++++++++++ website/docs/language/settings/tf-cloud.mdx | 10 ++++++- website/docs/language/state/encryption.mdx | 4 +++ 31 files changed, 640 insertions(+), 12 deletions(-) diff --git a/website/docs/cli/commands/console.mdx b/website/docs/cli/commands/console.mdx index cbacb216e30..ef7dd87f019 100644 --- a/website/docs/cli/commands/console.mdx +++ b/website/docs/cli/commands/console.mdx @@ -28,6 +28,14 @@ For configurations using `tofu console` accepts the legacy command line option [`-state`](../../language/settings/backends/local.mdx#command-line-arguments). +:::note +Use of variables in [module sources](../../language/modules/sources.mdx#support-for-variable-and-local-evaluation), +[backend configuration](../../language/settings/backends/configuration.mdx#variables-and-locals), +or [encryption block](../../language/state/encryption.mdx#configuration) +requires [assigning values to root module variables](../../language/values/variables.mdx#assigning-values-to-root-module-variables) +when running `tofu console`. +::: + This command also accepts the following options for tofu console: - `-var 'NAME=VALUE'` - Sets a value for a single @@ -42,6 +50,10 @@ This command also accepts the following options for tofu console: ["tfvars" file](/docs/language/values/variables#variable-definitions-tfvars-files). Use this option multiple times to include values from more than one file. +There are several other ways to set values for input variables in the root +module, aside from the `-var` and `-var-file` options. Refer to +[Assigning Values to Root Module Variables](../../language/values/variables.mdx#assigning-values-to-root-module-variables) for more information. + ## Scripting The `tofu console` command can be used in non-interactive scripts diff --git a/website/docs/cli/commands/force-unlock.mdx b/website/docs/cli/commands/force-unlock.mdx index 42458f109ce..0c9c046db10 100644 --- a/website/docs/cli/commands/force-unlock.mdx +++ b/website/docs/cli/commands/force-unlock.mdx @@ -24,6 +24,29 @@ state for the current configuration. The behavior of this lock is dependent on the backend being used. Local state files cannot be unlocked by another process. +:::note +Use of variables in [backend configuration](../../language/settings/backends/configuration.mdx#variables-and-locals), +or [encryption block](../../language/state/encryption.mdx#configuration) +requires [assigning values to root module variables](../../language/values/variables.mdx#assigning-values-to-root-module-variables) +when running `tofu force-unlock`. +::: + Options: * `-force` - Don't ask for input for unlock confirmation. + +* `-var 'NAME=VALUE'` - Sets a value for a single + [input variable](../../language/values/variables.mdx) declared in the + root module of the configuration. Use this option multiple times to set + more than one variable. Refer to + [Input Variables on the Command Line](plan.mdx#input-variables-on-the-command-line) for more information. + +* `-var-file=FILENAME` - Sets values for potentially many + [input variables](../../language/values/variables.mdx) declared in the + root module of the configuration, using definitions from a + ["tfvars" file](../../language/values/variables.mdx#variable-definitions-tfvars-files). + Use this option multiple times to include values from more than one file. + +There are several other ways to set values for input variables in the root +module, aside from the `-var` and `-var-file` options. Refer to +[Assigning Values to Root Module Variables](../../language/values/variables.mdx#assigning-values-to-root-module-variables) for more information. diff --git a/website/docs/cli/commands/get.mdx b/website/docs/cli/commands/get.mdx index b4cafcfde48..53f6ae615df 100644 --- a/website/docs/cli/commands/get.mdx +++ b/website/docs/cli/commands/get.mdx @@ -15,6 +15,12 @@ The modules are downloaded into a `.terraform` subdirectory of the current working directory. Don't commit this directory to your version control repository. +:::note +Use of [variables in module sources](../../language/modules/sources.mdx#support-for-variable-and-local-evaluation) +requires [assigning values to root module variables](../../language/values/variables.mdx#assigning-values-to-root-module-variables) +when running `tofu get`. +::: + The `get` command supports the following option: * `-update` - If specified, modules that are already downloaded will be @@ -24,3 +30,19 @@ The `get` command supports the following option: * `-json` Produce output in a machine-readable JSON format, suitable for use in text editor integrations and other automated systems. Always disables color. + +* `-var 'NAME=VALUE'` - Sets a value for a single + [input variable](../../language/values/variables.mdx) declared in the + root module of the configuration. Use this option multiple times to set + more than one variable. Refer to + [Input Variables on the Command Line](plan.mdx#input-variables-on-the-command-line) for more information. + +* `-var-file=FILENAME` - Sets values for potentially many + [input variables](../../language/values/variables.mdx) declared in the + root module of the configuration, using definitions from a + ["tfvars" file](../../language/values/variables.mdx#variable-definitions-tfvars-files). + Use this option multiple times to include values from more than one file. + +There are several other ways to set values for input variables in the root +module, aside from the `-var` and `-var-file` options. Refer to +[Assigning Values to Root Module Variables](../../language/values/variables.mdx#assigning-values-to-root-module-variables) for more information. diff --git a/website/docs/cli/commands/graph.mdx b/website/docs/cli/commands/graph.mdx index 44867003c79..0bfb6b0a70f 100644 --- a/website/docs/cli/commands/graph.mdx +++ b/website/docs/cli/commands/graph.mdx @@ -28,6 +28,14 @@ for the list of types supported. The default type is "plan" if a configuration is given, and "apply" if a plan file is passed as an argument. +:::note +Use of variables in [module sources](../../language/modules/sources.mdx#support-for-variable-and-local-evaluation), +[backend configuration](../../language/settings/backends/configuration.mdx#variables-and-locals), +or [encryption block](../../language/state/encryption.mdx#configuration) +requires [assigning values to root module variables](../../language/values/variables.mdx#assigning-values-to-root-module-variables) +when running `tofu graph`. +::: + Options: * `-plan=tfplan` - Render graph using the specified plan file instead of the @@ -41,6 +49,22 @@ Options: * `-module-depth=n` - (deprecated) In prior versions of OpenTofu, specified the depth of modules to show in the output. +* `-var 'NAME=VALUE'` - Sets a value for a single + [input variable](../../language/values/variables.mdx) declared in the + root module of the configuration. Use this option multiple times to set + more than one variable. Refer to + [Input Variables on the Command Line](plan.mdx#input-variables-on-the-command-line) for more information. + +* `-var-file=FILENAME` - Sets values for potentially many + [input variables](../../language/values/variables.mdx) declared in the + root module of the configuration, using definitions from a + ["tfvars" file](../../language/values/variables.mdx#variable-definitions-tfvars-files). + Use this option multiple times to include values from more than one file. + +There are several other ways to set values for input variables in the root +module, aside from the `-var` and `-var-file` options. Refer to +[Assigning Values to Root Module Variables](../../language/values/variables.mdx#assigning-values-to-root-module-variables) for more information. + ## Generating Images The output of `tofu graph` is in the DOT format, which can diff --git a/website/docs/cli/commands/import.mdx b/website/docs/cli/commands/import.mdx index 7ec374055a9..02f7392b735 100644 --- a/website/docs/cli/commands/import.mdx +++ b/website/docs/cli/commands/import.mdx @@ -34,6 +34,14 @@ behavior. For more information on this assumption, see [the State section](../../language/state/index.mdx). ::: +:::note +Use of variables in [module sources](../../language/modules/sources.mdx#support-for-variable-and-local-evaluation), +[backend configuration](../../language/settings/backends/configuration.mdx#variables-and-locals), +or [encryption block](../../language/state/encryption.mdx#configuration) +requires [assigning values to root module variables](../../language/values/variables.mdx#assigning-values-to-root-module-variables) +when running `tofu import`. +::: + The command-line flags are all optional. The following flags are available: - `-config=path` - Path to directory of OpenTofu configuration files that diff --git a/website/docs/cli/commands/init.mdx b/website/docs/cli/commands/init.mdx index 03782317691..5c1831d37fd 100644 --- a/website/docs/cli/commands/init.mdx +++ b/website/docs/cli/commands/init.mdx @@ -25,6 +25,11 @@ directory up to date with changes in the configuration. Though subsequent runs may give errors, this command will never delete your existing configuration or state. +This command requires value assignment for variables used in [module sources](../../language/modules/sources.mdx#support-for-variable-and-local-evaluation) +and [backend configuration](../../language/settings/backends/configuration.mdx#variables-and-locals) +blocks. Refer to [Assigning Values to Root Module Variables](../../language/values/variables.mdx#assigning-values-to-root-module-variables) +for more information. + ## General Options The following options apply to all of (or several of) the initialization steps: @@ -46,6 +51,22 @@ The following options apply to all of (or several of) the initialization steps: * `-json` Produce output in a machine-readable JSON format, suitable for use in text editor integrations and other automated systems. Always disables color. +* `-var 'NAME=VALUE'` - Sets a value for a single + [input variable](../../language/values/variables.mdx) declared in the + root module of the configuration. Use this option multiple times to set + more than one variable. Refer to + [Input Variables on the Command Line](plan.mdx#input-variables-on-the-command-line) for more information. + +* `-var-file=FILENAME` - Sets values for potentially many + [input variables](../../language/values/variables.mdx) declared in the + root module of the configuration, using definitions from a + ["tfvars" file](../../language/values/variables.mdx#variable-definitions-tfvars-files). + Use this option multiple times to include values from more than one file. + +There are several other ways to set values for input variables in the root +module, aside from the `-var` and `-var-file` options. Refer to +[Assigning Values to Root Module Variables](../../language/values/variables.mdx#assigning-values-to-root-module-variables) for more information. + ## Copy a Source Module By default, `tofu init` assumes that the working directory already @@ -77,6 +98,12 @@ During init, the root configuration directory is consulted for [backend configuration](../../language/settings/backends/configuration.mdx) and the chosen backend is initialized using the given configuration settings. +:::note +Use of [variables in the backend configuration](../../language/settings/backends/configuration.mdx#variables-and-locals) +block requires [assigning values to root module variables](../../language/values/variables.mdx#assigning-values-to-root-module-variables) +when running `tofu init`. +::: + Re-running init with an already-initialized backend will update the working directory to use the new backend settings. Either `-reconfigure` or `-migrate-state` must be supplied to update the backend configuration. diff --git a/website/docs/cli/commands/output.mdx b/website/docs/cli/commands/output.mdx index f2b33381e64..ddedb75b45b 100644 --- a/website/docs/cli/commands/output.mdx +++ b/website/docs/cli/commands/output.mdx @@ -17,20 +17,46 @@ With no additional arguments, `output` will display all the outputs for the root module. If an output `NAME` is specified, only the value of that output is printed. +:::note +Use of variables in [backend configuration](../../language/settings/backends/configuration.mdx#variables-and-locals) +or [encryption block](../../language/state/encryption.mdx#configuration) +requires [assigning values to root module variables](../../language/values/variables.mdx#assigning-values-to-root-module-variables) +when running `tofu output`. +::: + The command-line flags are all optional. The following flags are available: * `-json` - If specified, the outputs are formatted as a JSON object, with a key per output. If `NAME` is specified, only the output specified will be returned. This can be piped into tools such as `jq` for further processing. + * `-raw` - If specified, OpenTofu will convert the specified output value to a string and print that string directly to the output, without any special formatting. This can be convenient when working with shell scripts, but it only supports string, number, and boolean values. Use `-json` instead for processing complex data types. + * `-no-color` - If specified, output won't contain any color. + * `-state=path` - Path to the state file. Defaults to "terraform.tfstate". Ignored when [remote state](../../language/state/remote.mdx) is used. +* `-var 'NAME=VALUE'` - Sets a value for a single + [input variable](../../language/values/variables.mdx) declared in the + root module of the configuration. Use this option multiple times to set + more than one variable. Refer to + [Input Variables on the Command Line](plan.mdx#input-variables-on-the-command-line) for more information. + +* `-var-file=FILENAME` - Sets values for potentially many + [input variables](../../language/values/variables.mdx) declared in the + root module of the configuration, using definitions from a + ["tfvars" file](../../language/values/variables.mdx#variable-definitions-tfvars-files). + Use this option multiple times to include values from more than one file. + +There are several other ways to set values for input variables in the root +module, aside from the `-var` and `-var-file` options. Refer to +[Assigning Values to Root Module Variables](../../language/values/variables.mdx#assigning-values-to-root-module-variables) for more information. + :::note When using the `-json` or `-raw` command-line flag, any sensitive values in OpenTofu state will be displayed in plain text. For more information, diff --git a/website/docs/cli/commands/providers/index.mdx b/website/docs/cli/commands/providers/index.mdx index ae4a62bdef7..fabacb20b2e 100644 --- a/website/docs/cli/commands/providers/index.mdx +++ b/website/docs/cli/commands/providers/index.mdx @@ -15,7 +15,8 @@ This command also has several subcommands with different purposes. ## Usage -Usage: +Usage: `tofu providers [options]` + ``` $ tofu providers @@ -29,3 +30,29 @@ Providers required by state: provider[registry.opentofu.org/hashicorp/tfcoremock] ``` + +:::note +Use of variables in [module sources](../../../language/modules/sources.mdx#support-for-variable-and-local-evaluation), +[backend configuration](../../../language/settings/backends/configuration.mdx#variables-and-locals), +or [encryption block](../../../language/state/encryption.mdx#configuration) +requires [assigning values to root module variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) +when running `tofu providers`. +::: + +This command accepts the following options: + +* `-var 'NAME=VALUE'` - Sets a value for a single + [input variable](../../../language/values/variables.mdx) declared in the + root module of the configuration. Use this option multiple times to set + more than one variable. Refer to + [Input Variables on the Command Line](../plan.mdx#input-variables-on-the-command-line) for more information. + +* `-var-file=FILENAME` - Sets values for potentially many + [input variables](../../../language/values/variables.mdx) declared in the + root module of the configuration, using definitions from a + ["tfvars" file](../../../language/values/variables.mdx#variable-definitions-tfvars-files). + Use this option multiple times to include values from more than one file. + +There are several other ways to set values for input variables in the root +module, aside from the `-var` and `-var-file` options. Refer to +[Assigning Values to Root Module Variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) for more information. diff --git a/website/docs/cli/commands/providers/lock.mdx b/website/docs/cli/commands/providers/lock.mdx index 562d4d7b539..3c9d6c07821 100644 --- a/website/docs/cli/commands/providers/lock.mdx +++ b/website/docs/cli/commands/providers/lock.mdx @@ -40,6 +40,30 @@ automatic approach may not be sufficient: Usage: `tofu providers lock [options] [providers...]` +:::note +Use of variables in [module sources](../../../language/modules/sources.mdx#support-for-variable-and-local-evaluation) +requires [assigning values to root module variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) +when running `tofu providers lock`. +::: + +This command accepts the following generic options: + +* `-var 'NAME=VALUE'` - Sets a value for a single + [input variable](../../../language/values/variables.mdx) declared in the + root module of the configuration. Use this option multiple times to set + more than one variable. Refer to + [Input Variables on the Command Line](../plan.mdx#input-variables-on-the-command-line) for more information. + +* `-var-file=FILENAME` - Sets values for potentially many + [input variables](../../../language/values/variables.mdx) declared in the + root module of the configuration, using definitions from a + ["tfvars" file](../../../language/values/variables.mdx#variable-definitions-tfvars-files). + Use this option multiple times to include values from more than one file. + +There are several other ways to set values for input variables in the root +module, aside from the `-var` and `-var-file` options. Refer to +[Assigning Values to Root Module Variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) for more information. + With no additional command line arguments, `tofu providers lock` will analyze the configuration in the current working directory to find all of the providers it depends on, and it will fetch the necessary data about those diff --git a/website/docs/cli/commands/providers/mirror.mdx b/website/docs/cli/commands/providers/mirror.mdx index 3c684a7028a..1fcd0f5a3fb 100644 --- a/website/docs/cli/commands/providers/mirror.mdx +++ b/website/docs/cli/commands/providers/mirror.mdx @@ -34,6 +34,30 @@ directory the path structure that is expected for filesystem-based provider plugin mirrors, populating it with `.zip` files containing the plugins themselves. +:::note +Use of variables in [module sources](../../../language/modules/sources.mdx#support-for-variable-and-local-evaluation) +requires [assigning values to root module variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) +when running `tofu providers mirror`. +::: + +This command accepts the following generic options: + +* `-var 'NAME=VALUE'` - Sets a value for a single + [input variable](../../../language/values/variables.mdx) declared in the + root module of the configuration. Use this option multiple times to set + more than one variable. Refer to + [Input Variables on the Command Line](../plan.mdx#input-variables-on-the-command-line) for more information. + +* `-var-file=FILENAME` - Sets values for potentially many + [input variables](../../../language/values/variables.mdx) declared in the + root module of the configuration, using definitions from a + ["tfvars" file](../../../language/values/variables.mdx#variable-definitions-tfvars-files). + Use this option multiple times to include values from more than one file. + +There are several other ways to set values for input variables in the root +module, aside from the `-var` and `-var-file` options. Refer to +[Assigning Values to Root Module Variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) for more information. + OpenTofu will also generate various `.json` index files which contain suitable responses to implement [the network mirror protocol](../../../internals/provider-network-mirror-protocol.mdx), @@ -41,7 +65,7 @@ if you upload the resulting directory to a static website host. OpenTofu ignores those index files when using the directory as a filesystem mirror, because the directory entries themselves are authoritative in that case. -This command supports the following additional option: +This command supports the following additional options: * `-platform=OS_ARCH` - Choose which target platform to build a mirror for. By default OpenTofu will obtain plugin packages suitable for the platform diff --git a/website/docs/cli/commands/providers/schema.mdx b/website/docs/cli/commands/providers/schema.mdx index 1ac4b758da2..cf5557b42cd 100644 --- a/website/docs/cli/commands/providers/schema.mdx +++ b/website/docs/cli/commands/providers/schema.mdx @@ -14,10 +14,34 @@ The `tofu providers schema` command is used to print detailed schemas for the pr Usage: `tofu providers schema [options]` +:::note +Use of variables in [module sources](../../../language/modules/sources.mdx#support-for-variable-and-local-evaluation), +[backend configuration](../../../language/settings/backends/configuration.mdx#variables-and-locals), +or [encryption block](../../../language/state/encryption.mdx#configuration) +requires [assigning values to root module variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) +when running `tofu providers schema`. +::: + The following flags are available: - `-json` - Displays the schemas in a machine-readable, JSON format. +- `-var 'NAME=VALUE'` - Sets a value for a single + [input variable](../../../language/values/variables.mdx) declared in the + root module of the configuration. Use this option multiple times to set + more than one variable. Refer to + [Input Variables on the Command Line](../plan.mdx#input-variables-on-the-command-line) for more information. + +- `-var-file=FILENAME` - Sets values for potentially many + [input variables](../../../language/values/variables.mdx) declared in the + root module of the configuration, using definitions from a + ["tfvars" file](../../../language/values/variables.mdx#variable-definitions-tfvars-files). + Use this option multiple times to include values from more than one file. + +There are several other ways to set values for input variables in the root +module, aside from the `-var` and `-var-file` options. Refer to +[Assigning Values to Root Module Variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) for more information. + Please note that, at this time, the `-json` flag is a _required_ option. In future releases, this command will be extended to allow for additional options. The output includes a `format_version` key, which has diff --git a/website/docs/cli/commands/refresh.mdx b/website/docs/cli/commands/refresh.mdx index 0a36c2f3b3f..b7b2608b72b 100644 --- a/website/docs/cli/commands/refresh.mdx +++ b/website/docs/cli/commands/refresh.mdx @@ -43,6 +43,14 @@ Consequently, it supports all of the same options as plan file, it doesn't allow selecting a planning mode other than "refresh only", and `-auto-approve` is always enabled. +:::note +Use of variables in [module sources](../../language/modules/sources.mdx#support-for-variable-and-local-evaluation), +[backend configuration](../../language/settings/backends/configuration.mdx#variables-and-locals), +or [encryption block](../../language/state/encryption.mdx#configuration) +requires [assigning values to root module variables](../../language/values/variables.mdx#assigning-values-to-root-module-variables) +when running `tofu refresh`. +::: + Automatically applying the effect of a refresh is risky. If you have misconfigured credentials for one or more providers, OpenTofu may be misled into thinking that all of the managed objects have been deleted, diff --git a/website/docs/cli/commands/state/list.mdx b/website/docs/cli/commands/state/list.mdx index 8f7890c929f..1c4e099fa48 100644 --- a/website/docs/cli/commands/state/list.mdx +++ b/website/docs/cli/commands/state/list.mdx @@ -25,12 +25,36 @@ For complex infrastructures, the state can contain thousands of resources. To filter these, provide one or more patterns to the command. Patterns are in [resource addressing format](../../../cli/state/resource-addressing.mdx). +:::note +Use of variables in [backend configuration](../../../language/settings/backends/configuration.mdx#variables-and-locals) +or [encryption block](../../../language/state/encryption.mdx#configuration) +requires [assigning values to root module variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) +when running `tofu state list`. +::: + The command-line flags are all optional. The following flags are available: * `-state=path` - Path to the state file. Defaults to "terraform.tfstate". Ignored when [remote state](../../../language/state/remote.mdx) is used. + * `-id=id` - ID of resources to show. Ignored when unset. +* `-var 'NAME=VALUE'` - Sets a value for a single + [input variable](../../../language/values/variables.mdx) declared in the + root module of the configuration. Use this option multiple times to set + more than one variable. Refer to + [Input Variables on the Command Line](../plan.mdx#input-variables-on-the-command-line) for more information. + +* `-var-file=FILENAME` - Sets values for potentially many + [input variables](../../../language/values/variables.mdx) declared in the + root module of the configuration, using definitions from a + ["tfvars" file](../../../language/values/variables.mdx#variable-definitions-tfvars-files). + Use this option multiple times to include values from more than one file. + +There are several other ways to set values for input variables in the root +module, aside from the `-var` and `-var-file` options. Refer to +[Assigning Values to Root Module Variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) for more information. + ## Example: All Resources This example will list all resources, including modules: diff --git a/website/docs/cli/commands/state/mv.mdx b/website/docs/cli/commands/state/mv.mdx index aa230a7a730..b328030d7aa 100644 --- a/website/docs/cli/commands/state/mv.mdx +++ b/website/docs/cli/commands/state/mv.mdx @@ -53,6 +53,14 @@ a plan that will destroy the old object and create a new object at the new address. ::: +:::note +Use of variables in [module sources](../../../language/modules/sources.mdx#support-for-variable-and-local-evaluation), +[backend configuration](../../../language/settings/backends/configuration.mdx#variables-and-locals), +or [encryption block](../../../language/state/encryption.mdx#configuration) +requires [assigning values to root module variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) +when running `tofu state mv`. +::: + This command also accepts the following options: - `-dry-run` - Report all of the resource instances that match the given @@ -67,6 +75,22 @@ This command also accepts the following options: returning an error. The duration syntax is a number followed by a time unit letter, such as "3s" for three seconds. +* `-var 'NAME=VALUE'` - Sets a value for a single + [input variable](../../../language/values/variables.mdx) declared in the + root module of the configuration. Use this option multiple times to set + more than one variable. Refer to + [Input Variables on the Command Line](../plan.mdx#input-variables-on-the-command-line) for more information. + +* `-var-file=FILENAME` - Sets values for potentially many + [input variables](../../../language/values/variables.mdx) declared in the + root module of the configuration, using definitions from a + ["tfvars" file](../../../language/values/variables.mdx#variable-definitions-tfvars-files). + Use this option multiple times to include values from more than one file. + +There are several other ways to set values for input variables in the root +module, aside from the `-var` and `-var-file` options. Refer to +[Assigning Values to Root Module Variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) for more information. + For configurations using the [`cloud` backend](../../../cli/cloud/index.mdx) or the [`remote` backend](../../../language/settings/backends/remote.mdx) only, `tofu state mv` also accepts the option diff --git a/website/docs/cli/commands/state/pull.mdx b/website/docs/cli/commands/state/pull.mdx index d991d39cc68..ead0e4b9a3b 100644 --- a/website/docs/cli/commands/state/pull.mdx +++ b/website/docs/cli/commands/state/pull.mdx @@ -29,3 +29,29 @@ version before output. :::note OpenTofu state files must be in UTF-8 format without a byte order mark (BOM). For PowerShell on Windows, use `Set-Content` to automatically encode files in UTF-8 format. For example, run `tofu state pull | sc terraform.tfstate`. ::: + +:::note +Use of variables in [module sources](../../../language/modules/sources.mdx#support-for-variable-and-local-evaluation), +[backend configuration](../../../language/settings/backends/configuration.mdx#variables-and-locals), +or [encryption block](../../../language/state/encryption.mdx#configuration) +requires [assigning values to root module variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) +when running `tofu state pull`. +::: + +The command support the following command-line arguments: + +* `-var 'NAME=VALUE'` - Sets a value for a single + [input variable](../../../language/values/variables.mdx) declared in the + root module of the configuration. Use this option multiple times to set + more than one variable. Refer to + [Input Variables on the Command Line](../plan.mdx#input-variables-on-the-command-line) for more information. + +* `-var-file=FILENAME` - Sets values for potentially many + [input variables](../../../language/values/variables.mdx) declared in the + root module of the configuration, using definitions from a + ["tfvars" file](../../../language/values/variables.mdx#variable-definitions-tfvars-files). + Use this option multiple times to include values from more than one file. + +There are several other ways to set values for input variables in the root +module, aside from the `-var` and `-var-file` options. Refer to +[Assigning Values to Root Module Variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) for more information. diff --git a/website/docs/cli/commands/state/push.mdx b/website/docs/cli/commands/state/push.mdx index 29401fa3bf8..bd23f7c1b84 100644 --- a/website/docs/cli/commands/state/push.mdx +++ b/website/docs/cli/commands/state/push.mdx @@ -44,10 +44,15 @@ Both of these safety checks can be disabled with the `-force` flag. pushing state, the destination state will be overwritten. For configurations using the [`cloud` backend](../../../cli/cloud/index.mdx) or the [`remote` backend](../../../language/settings/backends/remote.mdx) -only, `tofu state push` -also accepts the option +only, `tofu state push` also accepts the option [`-ignore-remote-version`](/docs/cli/cloud/command-line-arguments#ignore-remote-version). -[`-ignore-remote-version`](/docs/cli/cloud/command-line-arguments#ignore-remote-version). +:::note +Use of variables in [module sources](../../../language/modules/sources.mdx#support-for-variable-and-local-evaluation), +[backend configuration](../../../language/settings/backends/configuration.mdx#variables-and-locals), +or [encryption block](../../../language/state/encryption.mdx#configuration) +requires [assigning values to root module variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) +when running `tofu state push`. +::: This command also accepts the following options for tofu state push: @@ -60,5 +65,20 @@ This command also accepts the following options for tofu state push: returning an error. The duration syntax is a number followed by a time unit letter, such as "3s" for three seconds. -[`-ignore-remote-version`](../../../cli/cloud/command-line-arguments.mdx#ignore-remote-version). +- [`ignore-remote-version`](../../../cli/cloud/command-line-arguments.mdx#ignore-remote-version). + +- `-var 'NAME=VALUE'` - Sets a value for a single + [input variable](../../../language/values/variables.mdx) declared in the + root module of the configuration. Use this option multiple times to set + more than one variable. Refer to + [Input Variables on the Command Line](../plan.mdx#input-variables-on-the-command-line) for more information. + +- `-var-file=FILENAME` - Sets values for potentially many + [input variables](../../../language/values/variables.mdx) declared in the + root module of the configuration, using definitions from a + ["tfvars" file](../../../language/values/variables.mdx#variable-definitions-tfvars-files). + Use this option multiple times to include values from more than one file. +There are several other ways to set values for input variables in the root +module, aside from the `-var` and `-var-file` options. Refer to +[Assigning Values to Root Module Variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) for more information. diff --git a/website/docs/cli/commands/state/replace-provider.mdx b/website/docs/cli/commands/state/replace-provider.mdx index a1ca2bafcf8..0d0bba9e701 100644 --- a/website/docs/cli/commands/state/replace-provider.mdx +++ b/website/docs/cli/commands/state/replace-provider.mdx @@ -21,6 +21,14 @@ This command will output a backup copy of the state prior to saving any changes. The backup cannot be disabled. Due to the destructive nature of this command, backups are required. +:::note +Use of variables in [module sources](../../../language/modules/sources.mdx#support-for-variable-and-local-evaluation), +[backend configuration](../../../language/settings/backends/configuration.mdx#variables-and-locals), +or [encryption block](../../../language/state/encryption.mdx#configuration) +requires [assigning values to root module variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) +when running `tofu state replace-providers`. +::: + This command also accepts the following options: - `-auto-approve` - Skip interactive approval. @@ -31,6 +39,22 @@ This command also accepts the following options: - `-lock-timeout=0s` - Duration to retry a state lock. +- `-var 'NAME=VALUE'` - Sets a value for a single + [input variable](../../../language/values/variables.mdx) declared in the + root module of the configuration. Use this option multiple times to set + more than one variable. Refer to + [Input Variables on the Command Line](../plan.mdx#input-variables-on-the-command-line) for more information. + +- `-var-file=FILENAME` - Sets values for potentially many + [input variables](../../../language/values/variables.mdx) declared in the + root module of the configuration, using definitions from a + ["tfvars" file](../../../language/values/variables.mdx#variable-definitions-tfvars-files). + Use this option multiple times to include values from more than one file. + +There are several other ways to set values for input variables in the root +module, aside from the `-var` and `-var-file` options. Refer to +[Assigning Values to Root Module Variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) for more information. + For configurations using the [`cloud` backend](../../../cli/cloud/index.mdx) or the [`remote` backend](../../../language/settings/backends/remote.mdx) only, `tofu state replace-provider` also accepts the option diff --git a/website/docs/cli/commands/state/rm.mdx b/website/docs/cli/commands/state/rm.mdx index 4ac0a9f51cb..f7b9e9ae49f 100644 --- a/website/docs/cli/commands/state/rm.mdx +++ b/website/docs/cli/commands/state/rm.mdx @@ -34,6 +34,14 @@ instances. Depending on the constraints imposed by the remote system, creating those objects might fail if their names or other identifiers conflict with the old objects still present. +:::note +Use of variables in [module sources](../../../language/modules/sources.mdx#support-for-variable-and-local-evaluation), +[backend configuration](../../../language/settings/backends/configuration.mdx#variables-and-locals), +or [encryption block](../../../language/state/encryption.mdx#configuration) +requires [assigning values to root module variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) +when running `tofu state rm`. +::: + This command also accepts the following options: - `-dry-run` - Report all of the resource instances that match the given @@ -48,6 +56,22 @@ This command also accepts the following options: returning an error. The duration syntax is a number followed by a time unit letter, such as "3s" for three seconds. +- `-var 'NAME=VALUE'` - Sets a value for a single + [input variable](../../../language/values/variables.mdx) declared in the + root module of the configuration. Use this option multiple times to set + more than one variable. Refer to + [Input Variables on the Command Line](../plan.mdx#input-variables-on-the-command-line) for more information. + +- `-var-file=FILENAME` - Sets values for potentially many + [input variables](../../../language/values/variables.mdx) declared in the + root module of the configuration, using definitions from a + ["tfvars" file](../../../language/values/variables.mdx#variable-definitions-tfvars-files). + Use this option multiple times to include values from more than one file. + +There are several other ways to set values for input variables in the root +module, aside from the `-var` and `-var-file` options. Refer to +[Assigning Values to Root Module Variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) for more information. + For configurations using the [`cloud` backend](../../../cli/cloud/index.mdx) or the [`remote` backend](../../../language/settings/backends/remote.mdx) only, `tofu state rm` also accepts the option diff --git a/website/docs/cli/commands/state/show.mdx b/website/docs/cli/commands/state/show.mdx index 87923dcd26f..4bfe93e05f5 100644 --- a/website/docs/cli/commands/state/show.mdx +++ b/website/docs/cli/commands/state/show.mdx @@ -21,11 +21,35 @@ This command requires an address that points to a single resource in the state. Addresses are in [resource addressing format](../../../cli/state/resource-addressing.mdx). +:::note +Use of variables in [module sources](../../../language/modules/sources.mdx#support-for-variable-and-local-evaluation), +[backend configuration](../../../language/settings/backends/configuration.mdx#variables-and-locals), +or [encryption block](../../../language/state/encryption.mdx#configuration) +requires [assigning values to root module variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) +when running `tofu show`. +::: + The command-line flags are all optional. The following flags are available: * `-state=path` - Path to the state file. Defaults to "terraform.tfstate". Ignored when [remote state](../../../language/state/remote.mdx) is used. +* `-var 'NAME=VALUE'` - Sets a value for a single + [input variable](../../../language/values/variables.mdx) declared in the + root module of the configuration. Use this option multiple times to set + more than one variable. Refer to + [Input Variables on the Command Line](../plan.mdx#input-variables-on-the-command-line) for more information. + +* `-var-file=FILENAME` - Sets values for potentially many + [input variables](../../../language/values/variables.mdx) declared in the + root module of the configuration, using definitions from a + ["tfvars" file](../../../language/values/variables.mdx#variable-definitions-tfvars-files). + Use this option multiple times to include values from more than one file. + +There are several other ways to set values for input variables in the root +module, aside from the `-var` and `-var-file` options. Refer to +[Assigning Values to Root Module Variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) for more information. + The output of `tofu state show` is intended for human consumption, not programmatic consumption. To extract state data for use in other software, use [`tofu show -json`](../../../cli/commands/show.mdx#json-output) and decode the result diff --git a/website/docs/cli/commands/taint.mdx b/website/docs/cli/commands/taint.mdx index 1c1e05ffb08..16a7db275d2 100644 --- a/website/docs/cli/commands/taint.mdx +++ b/website/docs/cli/commands/taint.mdx @@ -41,6 +41,14 @@ as shown in the output from other commands, such as: - `aws_instance.baz[\"key\"]` (quotes in resource addresses must be escaped on the command line, so that they will not be interpreted by your shell) - `module.foo.module.bar.aws_instance.qux` +:::note +Use of variables in [module sources](../../language/modules/sources.mdx#support-for-variable-and-local-evaluation), +[backend configuration](../../language/settings/backends/configuration.mdx#variables-and-locals), +or [encryption block](../../language/state/encryption.mdx#configuration) +requires [assigning values to root module variables](../../language/values/variables.mdx#assigning-values-to-root-module-variables) +when running `tofu taint`. +::: + This command accepts the following options: - `-allow-missing` - If specified, the command will succeed (exit code 0) @@ -56,6 +64,22 @@ This command accepts the following options: returning an error. The duration syntax is a number followed by a time unit letter, such as "3s" for three seconds. +- `-var 'NAME=VALUE'` - Sets a value for a single + [input variable](../../language/values/variables.mdx) declared in the + root module of the configuration. Use this option multiple times to set + more than one variable. Refer to + [Input Variables on the Command Line](plan.mdx#input-variables-on-the-command-line) for more information. + +- `-var-file=FILENAME` - Sets values for potentially many + [input variables](../../language/values/variables.mdx) declared in the + root module of the configuration, using definitions from a + ["tfvars" file](../../language/values/variables.mdx#variable-definitions-tfvars-files). + Use this option multiple times to include values from more than one file. + +There are several other ways to set values for input variables in the root +module, aside from the `-var` and `-var-file` options. Refer to +[Assigning Values to Root Module Variables](../../language/values/variables.mdx#assigning-values-to-root-module-variables) for more information. + For configurations using the [`cloud` backend](../../cli/cloud/index.mdx) or the [`remote` backend](../../language/settings/backends/remote.mdx) only, `tofu taint` also accepts the option [`-ignore-remote-version`](../../cli/cloud/command-line-arguments.mdx#ignore-remote-version). diff --git a/website/docs/cli/commands/test/index.mdx b/website/docs/cli/commands/test/index.mdx index 0c5f4330226..c94921899a7 100644 --- a/website/docs/cli/commands/test/index.mdx +++ b/website/docs/cli/commands/test/index.mdx @@ -98,6 +98,14 @@ only load `main.tofutest.json` and ignore `main.tftest.json`. * `-no-color` Disable colorized output in the command output. * `-verbose` Print the plan or state for each test run block as it executes. +:::note +Use of variables in [module sources](../../../language/modules/sources.mdx#support-for-variable-and-local-evaluation), +[backend configuration](../../../language/settings/backends/configuration.mdx#variables-and-locals), +or [encryption block](../../../language/state/encryption.mdx#configuration) +requires [assigning values to root module variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) +when running `tofu test`. +::: + ## Directory structure The `tofu test` command supports two directory layouts, flat or nested: diff --git a/website/docs/cli/commands/untaint.mdx b/website/docs/cli/commands/untaint.mdx index f7aabe62384..8d67f31dd28 100644 --- a/website/docs/cli/commands/untaint.mdx +++ b/website/docs/cli/commands/untaint.mdx @@ -40,6 +40,14 @@ Usage: `tofu untaint [options] address` The `address` argument is a [resource address](../../cli/state/resource-addressing.mdx) identifying a particular resource instance which is currently tainted. +:::note +Use of variables in [module sources](../../language/modules/sources.mdx#support-for-variable-and-local-evaluation), +[backend configuration](../../language/settings/backends/configuration.mdx#variables-and-locals), +or [encryption block](../../language/state/encryption.mdx#configuration) +requires [assigning values to root module variables](../../language/values/variables.mdx#assigning-values-to-root-module-variables) +when running `tofu untaint`. +::: + This command also accepts the following options: - `-allow-missing` - If specified, the command will succeed (exit code 0) @@ -60,6 +68,22 @@ This command also accepts the following options: if you are running OpenTofu in a context where its output will be rendered by a system that cannot interpret terminal formatting. +- `-var 'NAME=VALUE'` - Sets a value for a single + [input variable](../../language/values/variables.mdx) declared in the + root module of the configuration. Use this option multiple times to set + more than one variable. Refer to + [Input Variables on the Command Line](plan.mdx#input-variables-on-the-command-line) for more information. + +- `-var-file=FILENAME` - Sets values for potentially many + [input variables](../../language/values/variables.mdx) declared in the + root module of the configuration, using definitions from a + ["tfvars" file](../../language/values/variables.mdx#variable-definitions-tfvars-files). + Use this option multiple times to include values from more than one file. + +There are several other ways to set values for input variables in the root +module, aside from the `-var` and `-var-file` options. Refer to +[Assigning Values to Root Module Variables](../../language/values/variables.mdx#assigning-values-to-root-module-variables) for more information. + For configurations using the [`cloud` backend](../../cli/cloud/index.mdx) or the [`remote` backend](../../language/settings/backends/remote.mdx) only, `tofu untaint` also accepts the option diff --git a/website/docs/cli/commands/validate.mdx b/website/docs/cli/commands/validate.mdx index 3591294ee46..f70d6658cd1 100644 --- a/website/docs/cli/commands/validate.mdx +++ b/website/docs/cli/commands/validate.mdx @@ -10,10 +10,16 @@ The `tofu validate` command validates the configuration files in a directory, referring only to the configuration and not accessing any remote services such as remote state, provider APIs, etc. +:::note +Use of [variables in module sources](../../language/modules/sources.mdx#support-for-variable-and-local-evaluation) +requires [assigning values to root module variables](../../language/values/variables.mdx#assigning-values-to-root-module-variables) +when running `tofu validate`. +::: + Validate runs checks that verify whether a configuration is syntactically -valid and internally consistent, regardless of any provided variables or -existing state. It is thus primarily useful for general verification of -reusable modules, including correctness of attribute names and value types. +valid and internally consistent, regardless of existing state. It is thus +primarily useful for general verification of reusable modules, including +correctness of attribute names and value types. It is safe to run this command automatically, for example as a post-save check in a text editor or as a test step for a re-usable module in a CI @@ -41,6 +47,23 @@ This command accepts the following options: * `-no-color` - If specified, output won't contain any color. +* `-var 'NAME=VALUE'` - Sets a value for a single + [input variable](../../language/values/variables.mdx) declared in the + root module of the configuration. Use this option multiple times to set + more than one variable. Refer to + [Input Variables on the Command Line](plan.mdx#input-variables-on-the-command-line) for more information. + +* `-var-file=FILENAME` - Sets values for potentially many + [input variables](../../language/values/variables.mdx) declared in the + root module of the configuration, using definitions from a + ["tfvars" file](../../language/values/variables.mdx#variable-definitions-tfvars-files). + Use this option multiple times to include values from more than one file. + +There are several other ways to set values for input variables in the root +module, aside from the `-var` and `-var-file` options. Refer to +[Assigning Values to Root Module Variables](../../language/values/variables.mdx#assigning-values-to-root-module-variables) for more information. + + ## JSON Output Format When you use the `-json` option, OpenTofu will produce validation results diff --git a/website/docs/cli/commands/workspace/delete.mdx b/website/docs/cli/commands/workspace/delete.mdx index 55b84308dc4..948562cf655 100644 --- a/website/docs/cli/commands/workspace/delete.mdx +++ b/website/docs/cli/commands/workspace/delete.mdx @@ -26,14 +26,40 @@ OpenTofu to stop managing resources, so they can be managed some other way. Most of the time, however, this is not intended and so OpenTofu protects you from getting into this situation. +:::note +Use of variables in [module sources](../../../language/modules/sources.mdx#support-for-variable-and-local-evaluation), +[backend configuration](../../../language/settings/backends/configuration.mdx#variables-and-locals), +or [encryption block](../../../language/state/encryption.mdx#configuration) +requires [assigning values to root module variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) +when running `tofu workspace delete`. +::: + The command-line flags are all optional. The only supported flags are: * `-force` - Delete the workspace even if it is tracking resources. After deletion, OpenTofu can no longer track or manage the workspace's infrastructure. Defaults to false. + * `-lock=false` - Don't hold a state lock during the operation. This is dangerous if others might concurrently run commands against the same workspace. + * `-lock-timeout=DURATION` - Duration to retry a state lock. Default 0s. +* `-var 'NAME=VALUE'` - Sets a value for a single + [input variable](../../../language/values/variables.mdx) declared in the + root module of the configuration. Use this option multiple times to set + more than one variable. Refer to + [Input Variables on the Command Line](../plan.mdx#input-variables-on-the-command-line) for more information. + +* `-var-file=FILENAME` - Sets values for potentially many + [input variables](../../../language/values/variables.mdx) declared in the + root module of the configuration, using definitions from a + ["tfvars" file](../../../language/values/variables.mdx#variable-definitions-tfvars-files). + Use this option multiple times to include values from more than one file. + +There are several other ways to set values for input variables in the root +module, aside from the `-var` and `-var-file` options. Refer to +[Assigning Values to Root Module Variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) for more information. + ## Example ``` diff --git a/website/docs/cli/commands/workspace/list.mdx b/website/docs/cli/commands/workspace/list.mdx index 362899a6d70..78898f94881 100644 --- a/website/docs/cli/commands/workspace/list.mdx +++ b/website/docs/cli/commands/workspace/list.mdx @@ -13,6 +13,32 @@ Usage: `tofu workspace list [DIR]` The command will list all existing workspaces. The current workspace is indicated using an asterisk (`*`) marker. +:::note +Use of variables in [module sources](../../../language/modules/sources.mdx#support-for-variable-and-local-evaluation), +[backend configuration](../../../language/settings/backends/configuration.mdx#variables-and-locals), +or [encryption block](../../../language/state/encryption.mdx#configuration) +requires [assigning values to root module variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) +when running `tofu workspace list`. +::: + +This command also accepts the following options: + +- `-var 'NAME=VALUE'` - Sets a value for a single + [input variable](../../../language/values/variables.mdx) declared in the + root module of the configuration. Use this option multiple times to set + more than one variable. Refer to + [Input Variables on the Command Line](../plan.mdx#input-variables-on-the-command-line) for more information. + +- `-var-file=FILENAME` - Sets values for potentially many + [input variables](../../../language/values/variables.mdx) declared in the + root module of the configuration, using definitions from a + ["tfvars" file](../../../language/values/variables.mdx#variable-definitions-tfvars-files). + Use this option multiple times to include values from more than one file. + +There are several other ways to set values for input variables in the root +module, aside from the `-var` and `-var-file` options. Refer to +[Assigning Values to Root Module Variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) for more information. + ## Example ``` diff --git a/website/docs/cli/commands/workspace/new.mdx b/website/docs/cli/commands/workspace/new.mdx index acd00544058..aec2477b22b 100644 --- a/website/docs/cli/commands/workspace/new.mdx +++ b/website/docs/cli/commands/workspace/new.mdx @@ -16,14 +16,40 @@ this name must not already exist. If the `-state` flag is given, the state specified by the given path will be copied to initialize the state for this new workspace. +:::note +Use of variables in [module sources](../../../language/modules/sources.mdx#support-for-variable-and-local-evaluation), +[backend configuration](../../../language/settings/backends/configuration.mdx#variables-and-locals), +or [encryption block](../../../language/state/encryption.mdx#configuration) +requires [assigning values to root module variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) +when running `tofu workspace new`. +::: + The command-line flags are all optional. The supported flags are: * `-lock=false` - Don't hold a state lock during the operation. This is dangerous if others might concurrently run commands against the same workspace. + * `-lock-timeout=DURATION` - Duration to retry a state lock. Default 0s. + * `-state=path` - Path to an existing state file to initialize the state of this environment. +* `-var 'NAME=VALUE'` - Sets a value for a single + [input variable](../../../language/values/variables.mdx) declared in the + root module of the configuration. Use this option multiple times to set + more than one variable. Refer to + [Input Variables on the Command Line](../plan.mdx#input-variables-on-the-command-line) for more information. + +* `-var-file=FILENAME` - Sets values for potentially many + [input variables](../../../language/values/variables.mdx) declared in the + root module of the configuration, using definitions from a + ["tfvars" file](../../../language/values/variables.mdx#variable-definitions-tfvars-files). + Use this option multiple times to include values from more than one file. + +There are several other ways to set values for input variables in the root +module, aside from the `-var` and `-var-file` options. Refer to +[Assigning Values to Root Module Variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) for more information. + ## Example: Create ``` diff --git a/website/docs/cli/commands/workspace/select.mdx b/website/docs/cli/commands/workspace/select.mdx index feeabe0a1e2..e9fe7fefec3 100644 --- a/website/docs/cli/commands/workspace/select.mdx +++ b/website/docs/cli/commands/workspace/select.mdx @@ -14,10 +14,34 @@ Usage: `tofu workspace select NAME [DIR]` This command will select another workspace. The named workspace must already exist. +:::note +Use of variables in [module sources](../../../language/modules/sources.mdx#support-for-variable-and-local-evaluation), +[backend configuration](../../../language/settings/backends/configuration.mdx#variables-and-locals), +or [encryption block](../../../language/state/encryption.mdx#configuration) +requires [assigning values to root module variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) +when running `tofu workspace select`. +::: + The supported flags are: * `-or-create` - If the workspace that is being selected does not exist, create it. Default is `false`. +* `-var 'NAME=VALUE'` - Sets a value for a single + [input variable](../../../language/values/variables.mdx) declared in the + root module of the configuration. Use this option multiple times to set + more than one variable. Refer to + [Input Variables on the Command Line](../plan.mdx#input-variables-on-the-command-line) for more information. + +* `-var-file=FILENAME` - Sets values for potentially many + [input variables](../../../language/values/variables.mdx) declared in the + root module of the configuration, using definitions from a + ["tfvars" file](../../../language/values/variables.mdx#variable-definitions-tfvars-files). + Use this option multiple times to include values from more than one file. + +There are several other ways to set values for input variables in the root +module, aside from the `-var` and `-var-file` options. Refer to +[Assigning Values to Root Module Variables](../../../language/values/variables.mdx#assigning-values-to-root-module-variables) for more information. + ## Example ``` diff --git a/website/docs/language/modules/sources.mdx b/website/docs/language/modules/sources.mdx index 44d72f31cad..e107eb122c0 100644 --- a/website/docs/language/modules/sources.mdx +++ b/website/docs/language/modules/sources.mdx @@ -464,7 +464,7 @@ the module from the subdirectory. As a result, it is safe for a module in a sub-directory of a package to use [a local path](#local-paths) to another module as long as it is in the _same_ package. -## Support for Variable and Local Interpolation +## Support for Variable and Local Evaluation As projects grow in complexity and requirements, it is prudent to consider using locals and variables in the module source and version fields. @@ -486,5 +486,5 @@ module "compute" { It is quite easy to then update the version for a patch release, or to switch to a fork of the repository. :::note -The source and version fields may not contain any references to data in the state or provider defined functions. All value must be able to be resolved during `tofu init` before the state is available. +The source and version fields may not contain any references to data in the state or provider defined functions. All values must be able to be resolved during `tofu init` before the state is available. ::: diff --git a/website/docs/language/settings/backends/configuration.mdx b/website/docs/language/settings/backends/configuration.mdx index 6373ad9516e..a2ff2e05b39 100644 --- a/website/docs/language/settings/backends/configuration.mdx +++ b/website/docs/language/settings/backends/configuration.mdx @@ -174,6 +174,26 @@ or `CONSUL_HTTP_AUTH` environment variables. See the documentation of your chosen backend to learn how to provide credentials to it outside of its main configuration. +## Variables and Locals + +You may use variables and locals in backend configurations (with restrictions). Backend configuration may not contain any references to data in the state or provider defined functions. All values must be able to be resolved during `tofu init` before the state is available. + +:::danger Warning +We recommend against using variables to specify secrets or other sensitive data in your backend configuration. This can leak sensitive credentials if improperly configured. +::: + +```hcl +locals { + region = "us-east-1" +} + +terraform { + backend "s3" { + region = local.region + } +} +``` + ## Changing Configuration You can change your backend configuration at any time. You can change diff --git a/website/docs/language/settings/tf-cloud.mdx b/website/docs/language/settings/tf-cloud.mdx index 8e1ebaf987f..e3d58756a56 100644 --- a/website/docs/language/settings/tf-cloud.mdx +++ b/website/docs/language/settings/tf-cloud.mdx @@ -15,9 +15,13 @@ To configure the cloud CLI integration, add a nested `cloud` block within the `t Refer to [Using the Cloud Backend](../../cli/cloud/index.mdx) in the OpenTofu CLI documentation for full configuration details, migration instructions, and command line arguments. ```hcl +locals { + org = "example_corp" +} + terraform { cloud { - organization = "example_corp" + organization = local.org hostname = "app.example.io" workspaces { @@ -26,3 +30,7 @@ terraform { } } ``` + +:::note +Cloud fields may not contain any references to data in the state or provider defined functions. All values must be able to be resolved during `tofu init` before the state is available. +::: diff --git a/website/docs/language/state/encryption.mdx b/website/docs/language/state/encryption.mdx index 4fa9bab75af..aef5a06d4db 100644 --- a/website/docs/language/state/encryption.mdx +++ b/website/docs/language/state/encryption.mdx @@ -112,6 +112,10 @@ When you first configure encryption on an existing project, your state and plan {FallbackFromUnencrypted} +:::note +Variables and locals can be used in configuration, but may not contain any references to data in the state or provider defined functions. All values must be able to be resolved during `tofu init` before the state is available. +::: + ## Rolling back encryption Similar to the initial setup above, migrating to unencrypted state and plan files is also possible by using the `unencrypted` method as follows: From ec67c3fad649a4ac8cb758e1f1e9e8b243aec101 Mon Sep 17 00:00:00 2001 From: Christian Mesh Date: Tue, 23 Jul 2024 09:36:42 -0400 Subject: [PATCH 05/19] Bump to 1.8.0-rc1 (#1848) Signed-off-by: Christian Mesh --- version/VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version/VERSION b/version/VERSION index 495ea0f0c97..5a77cc62872 100644 --- a/version/VERSION +++ b/version/VERSION @@ -1 +1 @@ -1.8.0-beta2 +1.8.0-rc1 From 9260e00bc2e72b3d97f087378e642d300e20abe3 Mon Sep 17 00:00:00 2001 From: Christian Mesh Date: Mon, 29 Jul 2024 07:45:14 -0400 Subject: [PATCH 06/19] Bump to v1.8.0 for release (#1866) Signed-off-by: Christian Mesh --- CHANGELOG.md | 2 +- version/VERSION | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bd3c7d939db..7cfede9aaab 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,4 @@ -## 1.8.0 (Unreleased) +## 1.8.0 UPGRADE NOTES: * BREAKING CHANGE - `use_legacy_workflow` field has been removing from the S3 backend configuration. ([#1730](https://github.com/opentofu/opentofu/pull/1730)) diff --git a/version/VERSION b/version/VERSION index 5a77cc62872..27f9cd322bb 100644 --- a/version/VERSION +++ b/version/VERSION @@ -1 +1 @@ -1.8.0-rc1 +1.8.0 From b1834a291027c5d4f14ca6e6acd4152bb42b6c65 Mon Sep 17 00:00:00 2001 From: Janos <86970079+janosdebugs@users.noreply.github.com> Date: Mon, 29 Jul 2024 13:47:40 +0200 Subject: [PATCH 07/19] Added what's new docs for 1.8 (#1865) Signed-off-by: Janos <86970079+janosdebugs@users.noreply.github.com> --- website/docs/intro/whats-new.mdx | 288 +++++++++++++++++-------------- 1 file changed, 162 insertions(+), 126 deletions(-) diff --git a/website/docs/intro/whats-new.mdx b/website/docs/intro/whats-new.mdx index c2578f1c5af..ef5175366d0 100644 --- a/website/docs/intro/whats-new.mdx +++ b/website/docs/intro/whats-new.mdx @@ -1,209 +1,245 @@ --- sidebar_position: 2 -sidebar_label: What's new in version 1.7? +sidebar_label: What's new in version 1.8? description: |- - Learn all about the new features in OpenTofu 1.7. + Learn all about the new features in OpenTofu 1.8. --- -# What's new in OpenTofu 1.7? +# What's new in OpenTofu 1.8? -This page will run you through the most important changes in OpenTofu 1.7: +This page will run you through the most important changes in OpenTofu 1.8: -- [State encryption](#state-encryption) -- [Provider-defined functions](#provider-defined-functions) -- [Removed block](#removed-block) -- [Loopable import blocks](#loopable-import-blocks) -- [Built-in function changes](#built-in-function-changes) -- [CLI changes](#cli-changes) -- [Testing feature changes](#testing-feature-changes) +- [Early variable/locals evaluation](#early-variablelocals-evaluation) +- [Provider mocking in `tofu test`](#provider-mocking-in-tofu-test) +- [Resource overrides in `tofu test`](#resource-overrides-in-tofu-test) +- [Override files for OpenTofu: keeping compatibility](#override-files-for-opentofu-keeping-compatibility) +- [Deprecation: `use_legacy_workflow` has been removed from the S3 backend](#deprecation-use_legacy_workflow-has-been-removed-from-the-s3-backend) +- [Smaller improvements](#smaller-improvements) +- [Bugfixes](#bugfixes) -## State encryption +## Early variable/locals evaluation -State encryption is one of the flagship features of this release. We have prepared a [full documentation](../language/state/encryption.mdx) for this feature. +This feature lets you use variables and locals for **backends**, **module sources** and **encryption configuration** as long as they are not dependent on resources, data sources or module outputs. This works even if a local is referencing a variable, for example. This is only the first in a series of improvements that will make the .tf code more flexible with more improvements coming in future releases. -Before you test this feature, please **make a backup** of your state file. You can then add the following block to enable state encryption: +The `tofu init` command will now consume your `.tfvars` file and let you specify variables using the `-var` and `-var-file` options. Please note that this alpha release will *not* prompt you for missing variables, which is a feature we will add later. Note, that `tofu init` will fail if it is missing variables needed for static evaluation. + +For example, if you wanted to use the same configuration for your S3 backend and your AWS provider, you can now do this: ```hcl +variable "aws_region" { + default = "us-east-1" +} + terraform { - encryption { - key_provider "pbkdf2" "my_passphrase" { - ## Enter a passphrase here: - passphrase = "" - } + backend "s3" { + region = var.aws_region + } +} - method "aes_gcm" "my_method" { - keys = key_provider.pbkdf2.my_passphrase - } +provider "aws" { + region = var.aws_region +} +``` - ## Remove this after the migration: - method "unencrypted" "migration" { - } +You can also use this to manage module versions with both registry references and git URLs. - state { - method = method.aes_gcm.my_method +```hcl +locals { + aws_module_version = "5.6.1" +} - ## Remove the fallback block after migration: - fallback{ - method = method.unencrypted.migration - } - ## Enable this after migration: - #enforced = true - } - } +module "webserver" { + source = "terraform-aws-modules/ec2-instance/aws" + version = local.aws_module_version + + // Other ec2_instance options +} + +module "db" { + source = "https://github.com/terraform-aws-modules/terraform-aws-ec2-instance?ref=v${local.aws_module_version}" + + // Other ec2_instance options } ``` -You can migrate back using the following syntax: +Finally, here's how you can set up encryption with a passphrase using a variable: ```hcl +variable "passphrase" { + type = string +} + terraform { encryption { key_provider "pbkdf2" "my_passphrase" { - ## Enter a passphrase here: - passphrase = "" + passphrase = var.passphrase } method "aes_gcm" "my_method" { keys = key_provider.pbkdf2.my_passphrase } - method "unencrypted" "migration" { - } - state { - method = method.unencrypted.migration - enforced = false - fallback{ - method = method.aes_gcm.my_method - } + method = method.aes_gcm.my_method } } } ``` -If you have access to an AWS, GCP account, or an OpenBao/MPL-licensed HashiCorp Vault installation, you can also [test these key providers](../language/state/encryption.mdx#key-providers). - -## Provider-defined functions - -The new Terraform Plugin SDK added support for [provider-defined functions](../language/functions/index.mdx#provider-defined-functions) that you can use directly in OpenTofu. This is a significant improvement over using data sources as provider-defined functions don't increase the size of your state file and require less code to write. +## Provider mocking in `tofu test` -If you want to test provider-defined functions, you can use the [corefunc](https://library.tf/providers/northwood-labs/corefunc/latest) provider by [Ryan Parman](https://github.com/skyzyx): +Building on the existing ability to override specific data sources, resources, and module calls, `tofu test` now supports mocking entire provider definitions. This new feature allows you to automatically generate mock values for resources and data sources on a per-provider basis. As an example, consider the following code that spins up an m6i.2xlarge instance on AWS: ```hcl -terraform { - required_providers { - corefunc = { - source = "northwood-labs/corefunc" - version = "1.4.0" - } - } +provider "aws" { + region = "us-east-1" } -provider "corefunc" { +data "aws_ami" "ubuntu" { + most_recent = true + filter { + name = "name" + values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-24.04-amd64-server-*"] + } + owners = ["099720109477"] } -output "test" { - value = provider::corefunc::str_snake("Hello world!") - # Prints: hello_world +resource "aws_instance" "web" { + ami = data.aws_ami.ubuntu.id + instance_type = "m6i.2xlarge" } ``` -What's more, we added an OpenTofu-only feature to let providers dynamically define custom functions based on your configuration. This enhancement allows you to fully integrate other programming languages as [shown in our live stream](https://www.youtube.com/watch?v=6OXBv0MYalY). You can try out this functionality with our experimental [Lua](https://github.com/opentofu/terraform-provider-lua) and [Go](https://github.com/opentofu/terraform-provider-go) providers. - -## Removed block - -The removed block lets you remove a resource from the state file but keep it on the infrastructure. We have prepared a [full documentation](../language/resources/syntax.mdx#removing-resources) for this feature. You can test it by creating a resource first: - +Instead of querying the AMI ID and spinning up the instance, we can write test code as follows: ```hcl -resource "local_file" "test" { - content = "Hello world!" - filename = "test.txt" +// This block will prevent OpenTofu from configuring aws provider. +// All provider's resources and data sources will be mocked. +mock_provider "aws" { + mock_data "aws_ami" { + defaults = { + id = "ami-12345" + } + } } -``` -After applying, you can replace the resource with a removed block: - -```hcl -removed { - from = local_file.test +run "test" { + assert { + condition = aws_instance.web.ami == "ami-12345" + error_message = "Incorrect AMI ID passed to aws_instance.web: ${aws_instance.web.ami}" + } } ``` -After the next apply, you will see that the `local_file.test` resource no longer exists in your state file, but the `test.txt` file should still exist on your disk. You can now remove the removed block safely. - -## Loopable import blocks +While this will not fully test the entire provisioning, it will highlight errors that may be caused by incorrectly connecting resources together without the need for an actual AWS account. -We made several improvements to the declarative import blocks, most prominently you can now use the `for_each` instruction on the block. We have prepared a [full documentation](../language/import/index.mdx#importing-multiple-resources) for this feature. +## Resource overrides in `tofu test` -In previous OpenTofu versions, you could already use the `import` block to declaratively import resources, for example: +You can now override resources, data sources and entire modules from your tests, allowing you to create similar behavior to mocks in traditional software testing. As an example, consider the following code that spins up an `m6i.2xlarge` instance on AWS: ```hcl -resource "random_id" "test_id" { - byte_length = 8 +provider "aws" { + region = "us-east-1" } -import { - to = random_id.test_id - id = "Y2FpOGV1Mkk" +data "aws_ami" "ubuntu" { + most_recent = true + filter { + name = "name" + values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-24.04-amd64-server-*"] + } + owners = ["099720109477"] } -output "id" { - value = random_id.test_id.b64_url +resource "aws_instance" "web" { + ami = data.aws_ami.ubuntu.id + instance_type = "m6i.2xlarge" } ``` -In this new version you can now also declaratively import resources in a loop: +Instead of querying the AMI ID and spinning up the instance, we can write test code as follows: ```hcl -variable "server_ids" { - type = list(string) +provider "aws" { + access_key = "foo" + secret_key = "bar" + + skip_credentials_validation = true + skip_region_validation = true + skip_metadata_api_check = true + skip_requesting_account_id = true } -resource "random_id" "test_id" { - byte_length = 8 - count = 2 +# This block disables refreshing the aws_ami.ubuntu data source +# and lets you manually specify the values: +override_data { + target = data.aws_ami.ubuntu + values = { + id = "ami-12345" + } } -import { - to = random_id.test_id[tonumber(each.key)] - id = each.value - for_each = { - for idx, item in var.server_ids: idx => item +run "test" { + # This block disables provisioning the aws_instance.web resource: + override_resource { + target = aws_instance.web + values = { + # You can add values here. + } } -} -output "id" { - value = random_id.test_id.*.b64_url + assert { + condition = aws_instance.web.ami == "ami-12345" + error_message = "Incorrect AMI ID passed to aws_instance.web: ${aws_instance.web.ami}" + } } ``` -The example above will let you specify some random IDs from a variable, and let others be automatically generated. +While this will not fully test the entire provisioning, it will highlight errors that may be caused by incorrectly connecting resources together without the need for an actual AWS account. Similarly, you can use `override_module` to override an entire module. + +## Override files for OpenTofu: keeping compatibility + +Since we are now adding features to OpenTofu that are not present in Terraform, we want to give module authors the ability to write code for both OpenTofu and Terraform without needing to maintain two copies of their modules. You can now create files named `.tofu` that are exclusive to OpenTofu. If you create a file named `foo.tofu`, OpenTofu will ignore the similarly-named `foo.tf` file. You can use this functionality to put your Terraform-specific code in the `.tf` file and then override it for OpenTofu in the `.tofu` file. + +The following replacement files are available: + +- `foo.tf` → `foo.tofu` +- `foo.tf.json` → `foo.tofu.json` +- `foo.tftest.hcl` → `foo.tofutest.hcl` +- `foo.tftest.json` → `foo.tofutest.json` +- `foo_override.tf` → `foo_override.tofu` +- `foo_override.tf.json` → `foo_override.tofu.json` -## Built-in function changes +You can still use the `.tf` extension for all your code, this functionality is intended for module authors who want to provide compatible code for both OpenTofu and Terraform while using new OpenTofu features. -This release also contains several new functions and changes to existing functions: +## Bugfixes, improvements, deprecations -- New function: [templatestring](../language/functions/templatestring.mdx) -- New function: [base64gunzip](../language/functions/base64gunzip.mdx) -- New function: [cidrcontains](../language/functions/cidrcontains.mdx) -- New function: [urldecode](../language/functions/urldecode.mdx) -- New function: [issensitive](../language/functions/issensitive.mdx) -- [nonsensitive](../language/functions/nonsensitive.mdx) no longer returns an error when the applied values are not sensitive. -- [templatefile](../language/functions/templatefile.mdx) now supports recursion up to a depth of 1024. +### Deprecation: `use_legacy_workflow` has been removed from the S3 backend -## CLI changes +The `use_legacy_workflow` option has now been removed from the S3 backend configuration. -There are also several changes to the CLI: +### Smaller improvements -- `tofu init` now supports the `-json` flag for JSON output. -- `tofu plan` now has a `-concise` flag to shorten the plan output. -- `tofu console` now works on Solaris and AIX. -- The CLI now supports the XDG directory specification. -- Aliases for: - - `state list` → `state ls` - - `state mv` → `state move` - - `state rm` → `state remove` +- The machine-readable UI documentation now contains the `tofu test -json` types. +- `tofu plan` now generates `jsonencode()` when using `generate-config-out`. +- The state persistence interval is now configurable with the `TF_STATE_PERSIST_INTERVAL` environment variable. +- Improved performance when writing state files and reducing state file size using compact JSON encoding. +- You can now reference variables inside the `variables` block of a test file. +- Provider functions are now included in the `tofu providers schema` command. -## Testing feature changes +### Bugfixes -- Tofu now reads the `.tfvars` file from the tests folder. +* Fixed validation for `enforced` flag in encryption configuration. ([#1711](https://github.com/opentofu/opentofu/pull/1711)) +* Fixed crash in gcs backend when using certain commands. ([#1618](https://github.com/opentofu/opentofu/pull/1618)) +* Fixed inmem backend crash due to missing struct field. ([#1619](https://github.com/opentofu/opentofu/pull/1619)) +* Added a check in the `tofu test` to validate that the names of test run blocks do not contain spaces. ([#1489](https://github.com/opentofu/opentofu/pull/1489)) +* `tofu test` now supports accessing module outputs when the module has no resources. ([#1409](https://github.com/opentofu/opentofu/pull/1409)) +* Fixed support for provider functions in tests ([#1603](https://github.com/opentofu/opentofu/pull/1603)) +* Only hide sensitive attributes in plan detail when plan on a set of resources ([#1313](https://github.com/opentofu/opentofu/pull/1313)) +* Added a better error message on `for_each` block with sensitive value of unsuitable type. ([#1485](https://github.com/opentofu/opentofu/pull/1485)) +* Fix race condition on locking in gcs backend ([#1342](https://github.com/opentofu/opentofu/pull/1342)) +* Fix bug where provider functions were unusable in variables and outputs ([#1689](https://github.com/opentofu/opentofu/pull/1689)) +* Fix bug where lower-case `http_proxy`/`https_proxy` env variables were no longer supported in the S3 backend ([#1594](https://github.com/opentofu/opentofu/issues/1594)) +* Fixed issue with migration between versions can cause an update in-place for resources when no changes are needed. ([#1640](https://github.com/opentofu/opentofu/pull/1640)) +* Add source context for the 'insufficient feature blocks' error ([#1777](https://github.com/opentofu/opentofu/pull/1777)) +* Remove encryption diags from autocomplete ([#1793](https://github.com/opentofu/opentofu/pull/1793)) +* Ensure that using a sensitive path for templatefile that it doesn't panic([#1801](https://github.com/opentofu/opentofu/issues/1801)) \ No newline at end of file From ebdcae790efd7498a265e71be429f91988c140c2 Mon Sep 17 00:00:00 2001 From: Christian Mesh Date: Mon, 29 Jul 2024 08:21:05 -0400 Subject: [PATCH 08/19] Run releases on larger workers. (#1587) (#1867) Signed-off-by: Jakub Martin Signed-off-by: Christian Mesh Co-authored-by: Kuba Martin --- .github/workflows/release.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6144dda2e5f..e12422f7acd 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -18,7 +18,8 @@ on: jobs: release: name: Release - runs-on: ubuntu-latest + runs-on: + group: larger-runners environment: gpg permissions: contents: write From d9e162c75a51bbe827c95caf971885b6c95c9f49 Mon Sep 17 00:00:00 2001 From: Christian Mesh Date: Mon, 29 Jul 2024 08:40:25 -0400 Subject: [PATCH 09/19] Switch to alternate runner group (#1868) Signed-off-by: Christian Mesh --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e12422f7acd..e01838f4af5 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -19,7 +19,7 @@ jobs: release: name: Release runs-on: - group: larger-runners + group: fix-the-build-group environment: gpg permissions: contents: write From 81b6b6773e8fab518331bcb6c91d26d2f5e492d6 Mon Sep 17 00:00:00 2001 From: Christian Mesh Date: Mon, 29 Jul 2024 11:35:08 -0400 Subject: [PATCH 10/19] Fix 1.8 release workers (#1870) Signed-off-by: Christian Mesh Signed-off-by: Jakub Martin Co-authored-by: Jakub Martin --- .github/workflows/release.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e01838f4af5..58e6ece3546 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -18,8 +18,7 @@ on: jobs: release: name: Release - runs-on: - group: fix-the-build-group + runs-on: larger-runners environment: gpg permissions: contents: write From 8609dbe71bd05632fb7e3e17df27cb42d004f63d Mon Sep 17 00:00:00 2001 From: Andrew Hayes Date: Fri, 2 Aug 2024 14:50:46 +0100 Subject: [PATCH 11/19] 1666/tacos website docs backport to 1.8 (#1883) Signed-off-by: Andrew Hayes --- website/docs/cli/auth/index.mdx | 10 +++++----- website/docs/cli/index.mdx | 2 +- website/docs/intro/core-workflow.mdx | 2 +- website/docs/intro/tacos.mdx | 17 +++++++++++++++++ website/docs/language/checks/index.mdx | 2 +- website/docs/language/files/index.mdx | 2 +- website/docs/language/index.mdx | 2 +- website/docs/language/modules/index.mdx | 2 +- website/docs/language/modules/sources.mdx | 4 ++-- website/docs/language/modules/syntax.mdx | 2 +- website/docs/language/providers/index.mdx | 4 ++-- .../docs/language/providers/requirements.mdx | 2 +- .../settings/backends/configuration.mdx | 4 ++-- .../docs/language/settings/backends/remote.mdx | 14 +++++++------- website/docs/language/state/index.mdx | 2 +- website/docs/language/state/remote.mdx | 6 +++--- 16 files changed, 47 insertions(+), 30 deletions(-) create mode 100644 website/docs/intro/tacos.mdx diff --git a/website/docs/cli/auth/index.mdx b/website/docs/cli/auth/index.mdx index 61925ba92a0..2f493926600 100644 --- a/website/docs/cli/auth/index.mdx +++ b/website/docs/cli/auth/index.mdx @@ -6,18 +6,18 @@ description: >- # CLI Authentication -TACOS (TF Automation and Collaboration Software) are platforms that perform as part of their +[TACOS](../../intro/tacos.mdx) (TF Automation and Collaboration Software) are platforms that perform as part of their offering OpenTofu runs to provision infrastructure, offering a collaboration-focused environment that makes it easier for teams to use OpenTofu together. -OpenTofu CLI integrates with TACOS in several ways — it can be a -front-end for CLI-driven runs, and can also use some TACOS as a state backend, a private module +OpenTofu CLI integrates with [TACOS](../../intro/tacos.mdx) in several ways — it can be a +front-end for CLI-driven runs, and can also use some [TACOS](../../intro/tacos.mdx) as a state backend, a private module registry, or a private provider registry. All of these integrations require you to authenticate OpenTofu CLI -with your TACOS account. +with your [TACOS](../../intro/tacos.mdx) account. The best way to handle CLI authentication is with the `login` and `logout` commands, which help automate the process of getting an API token for your -TACOS user account. +[TACOS](../../intro/tacos.mdx) user account. For details, see: diff --git a/website/docs/cli/index.mdx b/website/docs/cli/index.mdx index 474ed90348d..a1ec4924207 100644 --- a/website/docs/cli/index.mdx +++ b/website/docs/cli/index.mdx @@ -11,7 +11,7 @@ description: >- This is the documentation for OpenTofu CLI. It is relevant to anyone working with OpenTofu's CLI-based workflows; this includes people who use OpenTofu CLI by itself, as well as those who use OpenTofu CLI in conjunction with -TACOS (TF Automation and Collaboration Software). +[TACOS](../intro/tacos.mdx) (TF Automation and Collaboration Software). Notably, this documentation does not cover the syntax and usage of the OpenTofu language. For that, see the diff --git a/website/docs/intro/core-workflow.mdx b/website/docs/intro/core-workflow.mdx index 341cb881f17..e6919831ce3 100644 --- a/website/docs/intro/core-workflow.mdx +++ b/website/docs/intro/core-workflow.mdx @@ -217,5 +217,5 @@ There are many different ways to use OpenTofu: as an individual user, a single team, or an entire organization at scale. Choosing the best approach for the density of collaboration needed will provide the most return on your investment in the core OpenTofu workflow. For organizations using OpenTofu at scale, -TACOS (TF Automation and Collaboration Software) introduces new layers that build on this core workflow to +[TACOS](../intro/tacos.mdx) (TF Automation and Collaboration Software) introduces new layers that build on this core workflow to solve problems unique to teams and organizations. diff --git a/website/docs/intro/tacos.mdx b/website/docs/intro/tacos.mdx new file mode 100644 index 00000000000..20b90ed4e6d --- /dev/null +++ b/website/docs/intro/tacos.mdx @@ -0,0 +1,17 @@ +--- +sidebar_position: 7 +sidebar_label: What are TACOS? +description: |- + Learn all about TACOS. +--- + +# What are TACOS? + +TF Automation and Collaboration Software (TACOS) are platforms which allow teams to manage and orchestrate OpenTofu execution. They offer a wide variety of services to provide a streamlined and collaborative experience. + +# What are some examples? + +There are a variety of platforms which offer OpenTofu support, both Open Source and Commercial. Many of these organizations support OpenTofu directly and can be found on our [supporters](../../../supporters) page. + + + diff --git a/website/docs/language/checks/index.mdx b/website/docs/language/checks/index.mdx index 6a534b34cc7..348a350521d 100644 --- a/website/docs/language/checks/index.mdx +++ b/website/docs/language/checks/index.mdx @@ -68,7 +68,7 @@ Check blocks do not currently support [meta-arguments](../../language/resources/ ## Continuous validation in TACOS (TF Automation and Collaboration Software) -TACOS (TF Automation and Collaboration Software) can automatically validate whether checks in a workspace’s configuration continue to pass after OpenTofu provisions new infrastructure. +[TACOS](../../intro/tacos.mdx) (TF Automation and Collaboration Software) can automatically validate whether checks in a workspace’s configuration continue to pass after OpenTofu provisions new infrastructure. ## Choosing Checks or other Custom Conditions diff --git a/website/docs/language/files/index.mdx b/website/docs/language/files/index.mdx index 40ceb834ebe..ee838edb000 100644 --- a/website/docs/language/files/index.mdx +++ b/website/docs/language/files/index.mdx @@ -64,7 +64,7 @@ called by those modules, etc.). - In OpenTofu CLI, the root module is the working directory where OpenTofu is invoked. (You can use command line options to specify a root module outside the working directory, but in practice this is rare.) -- In TACOS (TF Automation and Collaboration Software), the root module for a workspace +- In [TACOS](../../intro/tacos.mdx) (TF Automation and Collaboration Software), the root module for a workspace defaults to the top level of the configuration directory (supplied via version control repository or direct upload), but the workspace settings can specify a subdirectory to use instead. diff --git a/website/docs/language/index.mdx b/website/docs/language/index.mdx index e110e44d70b..cd896fa6834 100644 --- a/website/docs/language/index.mdx +++ b/website/docs/language/index.mdx @@ -8,7 +8,7 @@ description: >- # OpenTofu Language Documentation This is the documentation for OpenTofu's configuration language. It is relevant -to users of [OpenTofu CLI](../cli/index.mdx), and TACOS (TF Automation and Collaboration Software). +to users of [OpenTofu CLI](../cli/index.mdx), and [TACOS](../intro/tacos.mdx) (TF Automation and Collaboration Software). OpenTofu's language is its primary user interface. Configuration files you write in OpenTofu language tell OpenTofu what plugins to install, what infrastructure to create, and what data to fetch. OpenTofu language also lets you define dependencies diff --git a/website/docs/language/modules/index.mdx b/website/docs/language/modules/index.mdx index 7241635a9d4..117b8e4f568 100644 --- a/website/docs/language/modules/index.mdx +++ b/website/docs/language/modules/index.mdx @@ -41,7 +41,7 @@ download them automatically if you specify the appropriate source and version in a module call block. Also, members of your organization might produce modules specifically crafted -for your own infrastructure needs. TACOS (TF Automation and Collaboration Software) include a private +for your own infrastructure needs. [TACOS](../../intro/tacos.mdx) (TF Automation and Collaboration Software) include a private module registry for sharing modules internally within your organization. ## Using Modules diff --git a/website/docs/language/modules/sources.mdx b/website/docs/language/modules/sources.mdx index e107eb122c0..07415470226 100644 --- a/website/docs/language/modules/sources.mdx +++ b/website/docs/language/modules/sources.mdx @@ -95,7 +95,7 @@ community. You can also use a [private registry](../../internals/module-registry-protocol.mdx), either -via TACOS (TF Automation and Collaboration Software), or by running a custom +via [TACOS](../../intro/tacos.mdx) (TF Automation and Collaboration Software), or by running a custom service that implements [the module registry protocol](../../internals/module-registry-protocol.mdx). @@ -135,7 +135,7 @@ You can learn more about the registry at the To access modules from a private registry, you may need to configure an access token [in the CLI config](../../cli/config/config-file.mdx#credentials). Use the same hostname as used in the module source string. For a private registry -within TACOS (TF Automation and Collaboration Software), use the same authentication token as you would +within [TACOS](../../intro/tacos.mdx) (TF Automation and Collaboration Software), use the same authentication token as you would use with the API or command-line clients. ## GitHub diff --git a/website/docs/language/modules/syntax.mdx b/website/docs/language/modules/syntax.mdx index 2145641558a..b7e5c42a375 100644 --- a/website/docs/language/modules/syntax.mdx +++ b/website/docs/language/modules/syntax.mdx @@ -98,7 +98,7 @@ version that meets the constraint. Version constraints are supported only for modules installed from a module registry, such as the [Public OpenTofu Registry](https://registry.opentofu.org/) -or any TACOS (TF Automation and Collaboration Software) private modules registry. +or any [TACOS](../../intro/tacos.mdx) (TF Automation and Collaboration Software) private modules registry. Other module sources can provide their own versioning mechanisms within the source string itself, or might not support versions at all. In particular, modules sourced from local file paths do not support `version`; since diff --git a/website/docs/language/providers/index.mdx b/website/docs/language/providers/index.mdx index 1c18b212e8f..3be98d8b8bf 100644 --- a/website/docs/language/providers/index.mdx +++ b/website/docs/language/providers/index.mdx @@ -63,7 +63,7 @@ about it in your configuration. See the following pages for details: ## Provider Installation -- TACOS (TF Automation and Collaboration Software) install providers as part of every run. +- [TACOS](../../intro/tacos.mdx) (TF Automation and Collaboration Software) install providers as part of every run. - OpenTofu CLI finds and installs providers when [initializing a working directory](../../cli/init/index.mdx). It can @@ -79,7 +79,7 @@ To ensure OpenTofu always installs the same provider versions for a given configuration, you can use OpenTofu CLI to create a [dependency lock file](../../language/files/dependency-lock.mdx) and commit it to version control along with your configuration. If a lock file -is present, OpenTofu CLI, and TACOS (TF Automation and Collaboration Software) will all obey it when +is present, OpenTofu CLI, and [TACOS](../../intro/tacos.mdx) (TF Automation and Collaboration Software) will all obey it when installing providers. ## How to Find Providers diff --git a/website/docs/language/providers/requirements.mdx b/website/docs/language/providers/requirements.mdx index f1584cc0424..d421bc64582 100644 --- a/website/docs/language/providers/requirements.mdx +++ b/website/docs/language/providers/requirements.mdx @@ -203,7 +203,7 @@ To ensure OpenTofu always installs the same provider versions for a given configuration, you can use OpenTofu CLI to create a [dependency lock file](../../language/files/dependency-lock.mdx) and commit it to version control along with your configuration. If a lock file -is present, OpenTofu CLI, and TACOS (TF Automation and Collaboration Software) will all obey it when +is present, OpenTofu CLI, and [TACOS](../../intro/tacos.mdx) (TF Automation and Collaboration Software) will all obey it when installing providers. ### Best Practices for Provider Versions diff --git a/website/docs/language/settings/backends/configuration.mdx b/website/docs/language/settings/backends/configuration.mdx index a2ff2e05b39..5e7ebaf7a34 100644 --- a/website/docs/language/settings/backends/configuration.mdx +++ b/website/docs/language/settings/backends/configuration.mdx @@ -8,7 +8,7 @@ description: >- A backend defines where OpenTofu stores its [state](../../../language/state/index.mdx) data files. -OpenTofu uses persisted state data to keep track of the resources it manages. Most non-trivial OpenTofu configurations either integrate with TACOS (TF Automation and Collaboration Software) or use a backend to store state remotely. This lets multiple people access the state data and work together on that collection of infrastructure resources. +OpenTofu uses persisted state data to keep track of the resources it manages. Most non-trivial OpenTofu configurations either integrate with [TACOS](../../../intro/tacos.mdx) (TF Automation and Collaboration Software) or use a backend to store state remotely. This lets multiple people access the state data and work together on that collection of infrastructure resources. This page describes how to configure a backend by adding the [`backend` block](#using-a-backend-block) to your configuration. @@ -20,7 +20,7 @@ Some of these backends act like plain remote disks for state files, while others ## Using a Backend Block -You do not need to configure a backend when using TACOS (TF Automation and Collaboration Software) because +You do not need to configure a backend when using [TACOS](../../../intro/tacos.mdx) (TF Automation and Collaboration Software) because it automatically manages state in the workspaces associated with your configuration. If your configuration includes a [`cloud` block](../../../language/settings/tf-cloud.mdx), it cannot include a `backend` block. To configure a backend, add a nested `backend` block within the top-level diff --git a/website/docs/language/settings/backends/remote.mdx b/website/docs/language/settings/backends/remote.mdx index e05e75fdabf..f80f67ca4de 100644 --- a/website/docs/language/settings/backends/remote.mdx +++ b/website/docs/language/settings/backends/remote.mdx @@ -11,16 +11,16 @@ description: >- **We recommend using the [`cloud` built-in integration](../../../cli/cloud/settings.mdx)** instead of this backend. The `cloud` option includes an improved user experience and more features. ::: -The remote backend is unique among all other OpenTofu backends because it can both store state snapshots and execute CLI-driven run workflow operations for TF Automation and Collaboration Software (TACOS) backends. It used to be called an "enhanced" backend. +The remote backend is unique among all other OpenTofu backends because it can both store state snapshots and execute CLI-driven run workflow operations for TF Automation and Collaboration Software ([TACOS](../../../intro/tacos.mdx)) backends. It used to be called an "enhanced" backend. -If your TACOS provider enables full remote operations, you can execute commands such as `tofu plan` or `tofu apply` within the TACOS runtime environment, with log output streaming directly to your local terminal. Remote plans and applies use variable values from the associated remote workspace. +If your [TACOS](../../../intro/tacos.mdx) provider enables full remote operations, you can execute commands such as `tofu plan` or `tofu apply` within the [TACOS](../../../intro/tacos.mdx) runtime environment, with log output streaming directly to your local terminal. Remote plans and applies use variable values from the associated remote workspace. -You can also use TACOS with local operations, where only state is stored in the TACOS remote backend. +You can also use [TACOS](../../../intro/tacos.mdx) with local operations, where only state is stored in the [TACOS](../../../intro/tacos.mdx) remote backend. ## Command Support :::note -Features implementation might vary between different TACOS. +Features implementation might vary between different [TACOS](../../../intro/tacos.mdx). ::: The remote backend supports the following OpenTofu commands: @@ -66,7 +66,7 @@ setting both results in a configuration error. If previous state is present when you run `tofu init` and the corresponding remote workspaces are empty or absent, OpenTofu will create workspaces and update the remote state accordingly. However, if your workspace requires variables or a specific version of OpenTofu for remote operations, we -recommend that you create your remote workspaces on TACOS before +recommend that you create your remote workspaces on [TACOS](../../../intro/tacos.mdx) before running any remote operations against them. ### Workspace Names @@ -179,7 +179,7 @@ The following configuration options are supported: only the default workspace can be used. This option conflicts with `prefix`. - `prefix` - (Optional) A prefix used in the names of one or more remote workspaces, all of which can be used with this configuration. The full - workspace names are used in TACOS, and the short names + workspace names are used in [TACOS](../../../intro/tacos.mdx), and the short names (minus the prefix) are used on the command line for OpenTofu CLI workspaces. If omitted, only the default workspace can be used. This option conflicts with `name`. @@ -212,7 +212,7 @@ the remote workspace accept the following option to modify that behavior: ## Excluding Files from Upload with .terraformignore When executing a remote `plan` or `apply` in a CLI-driven run, -an archive of your configuration directory is uploaded to TACOS. You can define +an archive of your configuration directory is uploaded to [TACOS](../../../intro/tacos.mdx). You can define paths to ignore from upload via a `.terraformignore` file at the root of your configuration directory. If this file is not present, the archive will exclude the following by default: - `.git/` directories diff --git a/website/docs/language/state/index.mdx b/website/docs/language/state/index.mdx index 962569ffcd5..80a7fa4bf57 100644 --- a/website/docs/language/state/index.mdx +++ b/website/docs/language/state/index.mdx @@ -12,7 +12,7 @@ resources to your configuration, keep track of metadata, and to improve performance for large infrastructures. This state is stored by default in a local file named "terraform.tfstate", -but we recommend storing it in TACOS (TF Automation and Collaboration Software) +but we recommend storing it in [TACOS](../../intro/tacos.mdx) (TF Automation and Collaboration Software) to version, encrypt, and securely share it with your team. OpenTofu uses state to determine which changes to make to your diff --git a/website/docs/language/state/remote.mdx b/website/docs/language/state/remote.mdx index 7a374baae10..1037fdcb353 100644 --- a/website/docs/language/state/remote.mdx +++ b/website/docs/language/state/remote.mdx @@ -14,11 +14,11 @@ OpenTofu at the same time. With _remote_ state, OpenTofu writes the state data to a remote data store, which can then be shared between all members of a team. OpenTofu supports -storing state in TACOS (TF Automation and Collaboration Software), +storing state in [TACOS](../../intro/tacos.mdx) (TF Automation and Collaboration Software), [HashiCorp Consul](https://www.consul.io/), Amazon S3, Azure Blob Storage, Google Cloud Storage, Alibaba Cloud OSS, and more. Remote state is implemented by a [backend](../../language/settings/backends/configuration.mdx) or by -TACOS (TF Automation and Collaboration Software), both of which you can configure in your configuration's root module. +[TACOS](../../intro/tacos.mdx) (TF Automation and Collaboration Software), both of which you can configure in your configuration's root module. ## Delegation and Teamwork @@ -54,7 +54,7 @@ For fully-featured remote backends, OpenTofu can also use [state locking](../../language/state/locking.mdx) to prevent concurrent runs of OpenTofu against the same state. -TACOS (TF Automation and Collaboration Software) is a commercial offering +[TACOS](../../intro/tacos.mdx) (TF Automation and Collaboration Software) is a commercial offering that supports an even stronger locking concept that can also detect attempts to create a new plan when an existing plan is already awaiting approval, by queuing OpenTofu operations in a central location. From daa85bd203579200c43fe1f79ee3e47989ab3987 Mon Sep 17 00:00:00 2001 From: Christian Mesh Date: Mon, 5 Aug 2024 07:39:15 -0400 Subject: [PATCH 12/19] Backport/v1.8/1876 (#1886) Signed-off-by: RLRabinowitz Signed-off-by: Christian Mesh Co-authored-by: RLRabinowitz Co-authored-by: Janos <86970079+janosdebugs@users.noreply.github.com> --- website/docs/intro/upgrading.mdx | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/website/docs/intro/upgrading.mdx b/website/docs/intro/upgrading.mdx index 9ea72cadf7b..2311b3539de 100644 --- a/website/docs/intro/upgrading.mdx +++ b/website/docs/intro/upgrading.mdx @@ -15,7 +15,7 @@ upgrading OpenTofu to version 1.8.0. Although OpenTofu 1.8 is mostly compatible with version 1.6 and 1.7, you should take the necessary precautions to prevent accidents. Make sure you have an up to date and *tested* disaster recovery plan. -## Step 1: Remove any use of `use_legacy_workflow` from S3 backend configurations, if any +## Step 1: If using an S3 backend - Remove any use of `use_legacy_workflow` from S3 backend configurations If you are using the S3 backend, with `use_legacy_workflow` set, you'd have to remove it. This field has been deprecated in version 1.7.0, and has been changed to default to `false`. The legacy workflow of authentication is no longer supported. Please start using the new authentication method, which is more consistent with other AWS tools @@ -69,6 +69,12 @@ If you suspect the failure may be the result of a bug in OpenTofu, Now you are ready to migrate. Run `tofu init` in the directory where your code resides. OpenTofu will download any providers and modules referenced in your configuration from the OpenTofu registry. +:::note + +If you are using the S3 backend - You will need to run `tofu init -reconfigure` to reinitialize the backend. + +::: + ## Step 6: Inspect the plan Once initialized, run `tofu plan` and ensure that there are no pending changes similar to step 1 above. If there are From 6832136f13bedaeff0770f727a84a2cdaf7d7b94 Mon Sep 17 00:00:00 2001 From: Christian Mesh Date: Mon, 5 Aug 2024 12:33:12 -0400 Subject: [PATCH 13/19] Fix missing module source panic (#1888) (#1889) Signed-off-by: Christian Mesh --- CHANGELOG.md | 5 +++++ internal/configs/config_build.go | 5 ++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7cfede9aaab..84191ea0b69 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,8 @@ +## 1.8.1 (Unreleased) + +BUG FIXES: +* Fixed crash when module source is not present ([#1888](https://github.com/opentofu/opentofu/pull/1888)) + ## 1.8.0 UPGRADE NOTES: diff --git a/internal/configs/config_build.go b/internal/configs/config_build.go index 6d0babeb28a..d95eba691d0 100644 --- a/internal/configs/config_build.go +++ b/internal/configs/config_build.go @@ -138,12 +138,15 @@ func buildChildModules(parent *Config, walker ModuleWalker) (map[string]*Config, Name: call.Name, Path: path, SourceAddr: call.SourceAddr, - SourceAddrRange: call.Source.Range(), VersionConstraint: call.Version, Parent: parent, CallRange: call.DeclRange, Call: NewStaticModuleCall(path, call.Variables, parent.Root.Module.SourceDir, call.Workspace), } + if call.Source != nil { + // Invalid modules sometimes have a nil source field which is handled through loadModule below + req.SourceAddrRange = call.Source.Range() + } child, modDiags := loadModule(parent.Root, &req, walker) diags = append(diags, modDiags...) if child == nil { From 7cdad9e993b23f6e0d3762ca1842ba62da231f16 Mon Sep 17 00:00:00 2001 From: Christian Mesh Date: Wed, 7 Aug 2024 09:16:02 -0400 Subject: [PATCH 14/19] Bump to 1.8.1 (#1893) Signed-off-by: Christian Mesh --- CHANGELOG.md | 2 +- version/VERSION | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 84191ea0b69..c3cddaa11b5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,4 @@ -## 1.8.1 (Unreleased) +## 1.8.1 BUG FIXES: * Fixed crash when module source is not present ([#1888](https://github.com/opentofu/opentofu/pull/1888)) diff --git a/version/VERSION b/version/VERSION index 27f9cd322bb..a8fdfda1c78 100644 --- a/version/VERSION +++ b/version/VERSION @@ -1 +1 @@ -1.8.0 +1.8.1 From 2b1167debd8244638ddda1c3b27ba1c2d4182897 Mon Sep 17 00:00:00 2001 From: Christian Mesh Date: Mon, 12 Aug 2024 08:23:04 -0400 Subject: [PATCH 15/19] Fix Docusaurus "broken link" warnings on 1.8 branch of docs (#1884) (#1898) Signed-off-by: Tom Spurling Signed-off-by: Christian Mesh Co-authored-by: may every hack help <137650446+mehhhhhhhhhhhhhhh@users.noreply.github.com> Co-authored-by: Tom Spurling --- website/docs/intro/tacos.mdx | 2 +- website/docs/language/expressions/references.mdx | 6 +++--- website/docs/language/providers/requirements.mdx | 6 +++--- website/docs/language/settings/backends/oss.mdx | 3 +-- website/docs/language/settings/index.mdx | 4 ++-- 5 files changed, 10 insertions(+), 11 deletions(-) diff --git a/website/docs/intro/tacos.mdx b/website/docs/intro/tacos.mdx index 20b90ed4e6d..4c65ab8ecf4 100644 --- a/website/docs/intro/tacos.mdx +++ b/website/docs/intro/tacos.mdx @@ -11,7 +11,7 @@ TF Automation and Collaboration Software (TACOS) are platforms which allow teams # What are some examples? -There are a variety of platforms which offer OpenTofu support, both Open Source and Commercial. Many of these organizations support OpenTofu directly and can be found on our [supporters](../../../supporters) page. +There are a variety of platforms which offer OpenTofu support, both Open Source and Commercial. Many of these organizations support OpenTofu directly and can be found on our [supporters](/supporters) page. diff --git a/website/docs/language/expressions/references.mdx b/website/docs/language/expressions/references.mdx index 505f8c67da7..f46e6794648 100644 --- a/website/docs/language/expressions/references.mdx +++ b/website/docs/language/expressions/references.mdx @@ -179,9 +179,9 @@ where they appear. Some of most common local names are: :::note Local names are often referred to as _variables_ or -_temporary variables_ in their documentation. These are not [input -variables](../../language/values/variables.mdx); they are just arbitrary names -that temporarily represent a value. +_temporary variables_ in their documentation. These are not +[input variables](../../language/values/variables.mdx); they are just +arbitrary names that temporarily represent a value. ::: The names in this section relate to top-level configuration blocks only. diff --git a/website/docs/language/providers/requirements.mdx b/website/docs/language/providers/requirements.mdx index d421bc64582..1d10f004870 100644 --- a/website/docs/language/providers/requirements.mdx +++ b/website/docs/language/providers/requirements.mdx @@ -12,9 +12,9 @@ OpenTofu can install and use them. This page documents how to declare providers so OpenTofu can install them. Additionally, some providers require configuration (like endpoint URLs or cloud -regions) before they can be used. The [Provider -Configuration](../../language/providers/configuration.mdx) page documents how -to configure settings for providers. +regions) before they can be used. The +[Provider Configuration](../../language/providers/configuration.mdx) page +documents how to configure settings for providers. ## Requiring Providers diff --git a/website/docs/language/settings/backends/oss.mdx b/website/docs/language/settings/backends/oss.mdx index aafcc869655..d7e8b1b3371 100644 --- a/website/docs/language/settings/backends/oss.mdx +++ b/website/docs/language/settings/backends/oss.mdx @@ -36,8 +36,7 @@ OpenTofu state will be written into the file `path/mystate/version-1.tfstate`. T ## Data Source Configuration To make use of the OSS remote state in another configuration, use the -[`terraform_remote_state` data -source](../../../language/state/remote-state-data/index.mdx). +[`terraform_remote_state` data source](../../../language/state/remote-state-data.mdx). ```hcl terraform { diff --git a/website/docs/language/settings/index.mdx b/website/docs/language/settings/index.mdx index 36ccbbb5dce..d3eb6a5e6fd 100644 --- a/website/docs/language/settings/index.mdx +++ b/website/docs/language/settings/index.mdx @@ -40,8 +40,8 @@ following sections. The nested `backend` block configures which state backend OpenTofu should use. -The syntax and behavior of the `backend` block is described in [Backend -Configuration](../../language/settings/backends/configuration.mdx). +The syntax and behavior of the `backend` block is described in +[Backend Configuration](../../language/settings/backends/configuration.mdx). ## Specifying a Required OpenTofu Version From 56335a2c5f31a46d3222a2ab0d57416f30947a94 Mon Sep 17 00:00:00 2001 From: Syasusu Date: Mon, 12 Aug 2024 22:24:15 +0800 Subject: [PATCH 16/19] fix inconsistent sidebar title of functions on v1.8 branch (#1907) Signed-off-by: Syasusu --- website/docs/language/functions/base64gunzip.mdx | 2 +- website/docs/language/functions/cidrcontains.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/website/docs/language/functions/base64gunzip.mdx b/website/docs/language/functions/base64gunzip.mdx index fb95f323c49..0e210964185 100644 --- a/website/docs/language/functions/base64gunzip.mdx +++ b/website/docs/language/functions/base64gunzip.mdx @@ -1,5 +1,5 @@ --- -page_title: base64gunzip - Functions - Configuration Language +sidebar_label: base64gunzip description: |- The base64gunzip function decodes a Base64-encoded string and uncompresses the result with gzip. --- diff --git a/website/docs/language/functions/cidrcontains.mdx b/website/docs/language/functions/cidrcontains.mdx index df1aeb7d8dd..09dd1abba59 100644 --- a/website/docs/language/functions/cidrcontains.mdx +++ b/website/docs/language/functions/cidrcontains.mdx @@ -1,5 +1,5 @@ --- -page_title: cidrcontains - Functions - Configuration Language +sidebar_label: cidrcontains description: |- The cidrcontains function determines whether a given IP address or an address prefix given in CIDR notation is within a given IP network address prefix. --- From 0abe7c59e0184b979a644f03e7c819c2b0cca8a4 Mon Sep 17 00:00:00 2001 From: Christian Mesh Date: Tue, 3 Sep 2024 12:24:58 -0400 Subject: [PATCH 17/19] Better handling of key_provider references (#1921) (#1965) Signed-off-by: Christian Mesh --- internal/encryption/keyprovider.go | 20 +++++++++++++---- internal/encryption/targets_test.go | 34 +++++++++++++++++++++++++++++ 2 files changed, 50 insertions(+), 4 deletions(-) diff --git a/internal/encryption/keyprovider.go b/internal/encryption/keyprovider.go index e60cfaf72a7..c8d453a62bd 100644 --- a/internal/encryption/keyprovider.go +++ b/internal/encryption/keyprovider.go @@ -127,15 +127,27 @@ func (e *targetBuilder) setupKeyProvider(cfg config.KeyProviderConfig, stack []c continue } - // TODO this should be more defensive + // This will always be a TraverseRoot, panic is OK if that's not the case depRoot := (dep[0].(hcl.TraverseRoot)).Name - depType := (dep[1].(hcl.TraverseAttr)).Name - depName := (dep[2].(hcl.TraverseAttr)).Name - if depRoot != "key_provider" { nonKeyProviderDeps = append(nonKeyProviderDeps, dep) continue } + depTypeAttr, typeOk := dep[1].(hcl.TraverseAttr) + depNameAttr, nameOk := dep[2].(hcl.TraverseAttr) + + if !typeOk || !nameOk { + diags = append(diags, &hcl.Diagnostic{ + Severity: hcl.DiagError, + Summary: "Invalid Key Provider expression format", + Detail: "Expected key_provider..", + Subject: dep.SourceRange().Ptr(), + }) + continue + } + + depType := depTypeAttr.Name + depName := depNameAttr.Name kpc, ok := e.cfg.GetKeyProvider(depType, depName) if !ok { diff --git a/internal/encryption/targets_test.go b/internal/encryption/targets_test.go index f48050cc16d..ec87e18f838 100644 --- a/internal/encryption/targets_test.go +++ b/internal/encryption/targets_test.go @@ -131,6 +131,22 @@ func TestBaseEncryption_buildTargetMethods(t *testing.T) { aesgcm.Is, }, }, + "key-from-complex-vars": { + rawConfig: ` + key_provider "static" "basic" { + key = var.obj[0].key + } + method "aes_gcm" "example" { + keys = key_provider.static.basic + } + state { + method = method.aes_gcm.example + } + `, + wantMethods: []func(method.Method) bool{ + aesgcm.Is, + }, + }, "undefined-key-from-vars": { rawConfig: ` key_provider "static" "basic" { @@ -145,6 +161,20 @@ func TestBaseEncryption_buildTargetMethods(t *testing.T) { `, wantErr: "Test Config Source:3,12-28: Undefined variable; Undefined variable var.undefinedkey", }, + "bad-keyprovider-format": { + rawConfig: ` + key_provider "static" "basic" { + key = key_provider.static[0] + } + method "aes_gcm" "example" { + keys = key_provider.static.basic + } + state { + method = method.aes_gcm.example + } + `, + wantErr: "Test Config Source:3,12-34: Invalid Key Provider expression format; Expected key_provider..", + }, } reg := lockingencryptionregistry.New() @@ -165,6 +195,10 @@ func TestBaseEncryption_buildTargetMethods(t *testing.T) { Default: cty.StringVal("6f6f706830656f67686f6834616872756f3751756165686565796f6f72653169"), Type: cty.String, }, + "obj": { + Name: "obj", + Default: cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"key": cty.StringVal("6f6f706830656f67686f6834616872756f3751756165686565796f6f72653169")})}), + }, }, } From 0e94739795bcf21cd4e8b583e31e92d8afd47480 Mon Sep 17 00:00:00 2001 From: Christian Mesh Date: Tue, 3 Sep 2024 12:30:47 -0400 Subject: [PATCH 18/19] Backport bump go version to v1.8 (#1966) Signed-off-by: Kazimierz Budzyk Signed-off-by: Christian Mesh Co-authored-by: kazimierzbudzyk <62395833+kazimierzbudzyk@users.noreply.github.com> --- .go-version | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.go-version b/.go-version index bae5c7f667c..88863fd8e36 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.21.3 +1.21.11 From 57868a9b76476342ae6844bf504e97baf93a7064 Mon Sep 17 00:00:00 2001 From: Christian Mesh Date: Wed, 4 Sep 2024 14:04:32 -0400 Subject: [PATCH 19/19] Update version and changelog to 1.8.2 (#1968) Signed-off-by: Christian Mesh --- CHANGELOG.md | 8 ++++++++ version/VERSION | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c3cddaa11b5..41958bb839d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,11 @@ +## 1.8.2 + +SECURITY: +* Update go version to 1.21.11 to fix CVE-2024-24790 + +BUG FIXES: +* Better handling of key_provider references ([#1965](https://github.com/opentofu/opentofu/pull/1965)) + ## 1.8.1 BUG FIXES: diff --git a/version/VERSION b/version/VERSION index a8fdfda1c78..53adb84c822 100644 --- a/version/VERSION +++ b/version/VERSION @@ -1 +1 @@ -1.8.1 +1.8.2