Support OpenTofu (epic) #3741
Comments
|
This Ticket should be renamed to |
jamengual
changed the title
|
Should be just |
|
@nitrocode @chenrui333 @raynigon I would like to work on this issue, could you assign me? |
|
@sirvantedbrl feel free to kick off a PR and we can start from there. Thanks! |
|
@chenrui333 İ'm starting to work on sending a PR, thank you. |
|
The idea is that we will still support both Terraform and OpenTofu. There may be some hard-code references to Terraform. We want to abstract that so that we don't have to do this again for even another tool. Atlantis long-term should be vendor-agnostic. |
|
opentofu just GA today, https://github.com/opentofu/opentofu/releases/tag/v1.6.0 |
|
A workaround for users that want to go down the opentofu path before support is official could do the following.
|
|
Worked for me Installation with helm:
initConfig:
enabled: true
image: alpine:latest
imagePullPolicy: IfNotPresent
# sharedDir is set as env var INIT_SHARED_DIR
sharedDir: /plugins
workDir: /tmp
sizeLimit: 250Mi
# example of how the script can be configured to install tools/providers required by the atlantis pod
script: |
#!/bin/sh
set -eoux pipefail
# terragrunt
TG_VERSION="0.55.10"
TG_SHA256_SUM="1ad609399352348a41bb5ea96fdff5c7a18ac223742f60603a557a54fc8c6cff"
TG_FILE="${INIT_SHARED_DIR}/terragrunt"
wget https://github.com/gruntwork-io/terragrunt/releases/download/v${TG_VERSION}/terragrunt_linux_amd64 -O "${TG_FILE}"
echo "${TG_SHA256_SUM} ${TG_FILE}" | sha256sum -c
chmod 755 "${TG_FILE}"
terragrunt -v
# OpenTofu
TF_VERSION="1.6.2"
TF_FILE="${INIT_SHARED_DIR}/tofu"
wget https://github.com/opentofu/opentofu/releases/download/v${TF_VERSION}/tofu_${TF_VERSION}_linux_amd64.zip
unzip tofu_${TF_VERSION}_linux_amd64.zip
mv tofu ${INIT_SHARED_DIR}
chmod 755 "${TF_FILE}"
tofu -venvironment:
ATLANTIS_TF_DOWNLOAD: false
TERRAGRUNT_TFPATH: /plugins/tofurepoConfig: |
---
repos:
- id: /.*/
apply_requirements: [approved, mergeable]
allow_custom_workflows: true
allowed_overrides: [workflow, apply_requirements, delete_source_branch_on_merge]
version: 3
automerge: true
parallel_plan: true
parallel_apply: false
projects:
- name: terragrunt
dir: .
workspace: terragrunt
delete_source_branch_on_merge: true
autoplan:
enabled: false
apply_requirements: [mergeable, approved]
workflow: terragrunt
workflows:
terragrunt:
plan:
steps:
- env:
name: TF_IN_AUTOMATION
value: 'true'
- run: find . -name '.terragrunt-cache' | xargs rm -rf
- run: terragrunt init -reconfigure
- run:
command: terragrunt plan -input=false -out=$PLANFILE
output: strip_refreshing
apply:
steps:
- run: terragrunt apply $PLANFILEI hope it helps :) |
|
Nice work! I think the above is worth documenting on the site. The one suggestion I have would be to keep the version as a suffix in the binary name for consistency with how we currently use terraform. We'd also need to document without using a wrapper like terragrunt/atmos/terramate/etc Reading the description of this issue over and it's more targeting the auto download of opentofu than the usage of opentofu. Maybe we can document the above and re-title this issue as "Support autodownload of opentofu"? Your solution of installing opentofu manually and disabling auto download should work as expected. I also saw that the new aws 5.40 aws providers, which contain custom functions, are backwards compatible (but without custom function support) with older versions of terraform and current versions of opentofu. One less worry with switching from tf to opentofu. |
|
Perhaps since so many people have upvoted this issue, we should move the contents and title of this issue into its own issue for autodownloading opentofu Then this this issue can be (informally) an epic for full opentofu support so it can be broken up into smaller issues/subtasks |
|
This is my doc to deployment Atlantis with OpenTofu. https://medium.com/@contato.matthewd/deployment-atlantis-with-opentofu-85ca0fbe45e5 |
|
Trying to get this figured out; I'm running Atlantis in Nomad, and I can't get OpenTofu to be the tool being used. I have tried to install it as an artifact, but am met with "cannot parse terraform version" when running this way. I found #4341 which has me very confused - is the binary just floating in the image without any first party way to invoke it? All of this to say, I am not a DevOps or Terraform expert, so if there is something that I am missing, or can do to get this working in the mean time, please let me know. |
|
@ItsMeBrianD As the Atlantis still not have default support for opentofu, on this post, i make the deployment the atlantis use OpenTofu binary. How are your the deployment openTofu, now? |
|
I'm currently using a nomad job, I have tried with the noted Environment variables that you had listed in step 6 of your blog post, but it didn't make a difference. I also have not done any specific configuration in my repository, is the yaml that you've specified using terragrunt required? If so, is terragrunt also required or can I update it to refer to opentofu directly? This is a somewhat reduced version of the job file job "atlantis" {
group "atlantis" {
network {
port "ui" { to = 4141 }
}
task "atlantis" {
driver = "docker"
config {
image = "ghcr.io/runatlantis/atlantis"
entrypoint = ["atlantis"]
args = [
"server",
"--atlantis-url=$${URL}",
"--gh-user=$${USER}",
"--gh-token=$${TOKEN}",
"--gh-webhook-secret=$${SECRET}",
"--repo-allowlist=$${REPO_ALLOWLIST}",
"--tf-download=false"
]
ports = ["ui"]
volumes = [
"local/tofu/tofu:/usr/bin/tf"
]
}
artifact {
source = "https://github.com/opentofu/opentofu/releases/download/v1.8.1/tofu_1.8.1_linux_amd64.tar.gz"
destination = "local/tofu"
}
template {
destination = "secrets/.env"
env = true
data = <<EOF
{{ with secret "${secret-path}" }}
TOKEN="{{ .Data.data.gh_token }}"
USER="{{ .Data.data.gh_user }}"
SECRET="{{ .Data.data.hook_secret }}"
{{ end }}
URL="https://atlantis.${base-domain}"
REPO_ALLOWLIST="${repo}"
{{- range service "consul"}}
CONSUL_HTTP_ADDR="http://{{.Address}}:8500"
{{- end }}
EOF
}
}
}
} |
Why is this an example on how to use OpenTF with Atlantis? Maybe I am missing something, but that is using The issue that people is experiencing is while replacing Please, could you clarify? |
Yes, you can adapter for your scenario, instead of doing a the opentofu binary are available in container through the suggested installation configuration. |
|
I'm just an interested Atlantis user, but feat: Support project-level Terraform distribution selection #5167 looks like it could be a great way of resolving at least some of the OpenTofu concerns if I'm reading it right... |
|
If you are running Atlantis in a container in a recent version after #4341 was released , today you can use the OpenTofu built into the container pretty easily, as long as you are OK with the one version of OpenTofu built into the container. I tested this vs. See https://binaryronin.io/posts/atlantis-tofu/ for the post that inspired this minimal, working project configuration for a repository-level ---
version: 3
projects:
- name: opentofu-test
dir: terraform
workflow: opentofu
workflows:
opentofu:
plan:
steps:
- run: tofu --version
- run: rm -rf .terraform
- run: tofu init -reconfigure
- run: tofu plan
apply:
steps:
- run: tofu --version
- run: rm -rf .terraform
- run: tofu init -reconfigure
- run: tofu apply -auto-approveI haven't tested it yet but a workflow specified in the server-level configuration files should work well too. I'm going to keep experimenting. |
|
I've been using OpenTofu for a couple weeks now with Atlantis and have refined the custom workflow to the point where it works really well, either as a repository-level configuration, or a server-level configuration. I've tested the workflows:
opentofu:
plan:
steps:
- env: &tf_in_automation
# Reduce Terraform suggestion output
name: TF_IN_AUTOMATION
value: 'true'
- env: &escaped_args
name: TF_CLI_ARGS_PARSED
command: 'printf "%s" $COMMENT_ARGS | sed "s/,/ /g" | tr -d "\\"'
- run: echo TF_CLI_ARGS_PARSED="$TF_CLI_ARGS_PARSED"
- run: &tf_version
command: tofu --version
- run: &tf_rm
command: rm -rf .terraform
output: hide
- run: &tf_init
command: tofu init -reconfigure
output: hide
- run: tofu plan -out $PLANFILE $TF_CLI_ARGS_PARSED
apply:
steps:
- env: *tf_in_automation
- run: *tf_version
- run: tofu apply $PLANFILE
# Allow for imports as not supported for Terraform wrappers by default
import:
steps:
- env: *tf_in_automation
- env: *escaped_args
- run: *tf_version
- run: tofu import $TF_CLI_ARGS_PARSED
# State removals are not supported for Terraform wrappers by default
state_rm:
steps:
- env: *tf_in_automation
- env: *escaped_args
- run: *tf_version
- run: tofu state rm $TF_CLI_ARGS_PARSED(Note: edited per suggestion from @grimm26) Extra thanks to @binaryronin for the blog that inspired this. |
|
@obscurerichard why do you wipe |
|
Do I not need to do that? Thanks @grimm26 for the constructive feedback. I started by following the example at https://binaryronin.io/posts/atlantis-tofu/ which worked and I just went with it from there. I didn't look too closely at that. Perhaps that part is not really necessary... good point. I'll try it without and edit the comment to reflect the more concise version. I think this can also be skipped on the Update: I removed the rm / init from both |
|
Since feat: Support project-level Terraform distribution selection #5167 has been merged I'm guessing that the next released version of Atlantis will have pretty comprehensive OpenTofu support! This is exciting... 💪🏻 🥳 🥇 |
Community Note
Describe the user story
Please support usage of opentofu
https://github.com/opentffoundation/opentf
Describe the solution you'd like
See above
Describe the drawbacks of your solution
N/A
Describe alternatives you've considered
N/A
The text was updated successfully, but these errors were encountered: