Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support OpenTofu (epic) #3741

Open
1 task
nitrocode opened this issue Sep 5, 2023 · 24 comments · Fixed by #4499
Open
1 task

Support OpenTofu (epic) #3741

nitrocode opened this issue Sep 5, 2023 · 24 comments · Fixed by #4499
Assignees
Labels
docs Documentation feature New functionality/enhancement

Comments

@nitrocode
Copy link
Member

nitrocode commented Sep 5, 2023

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Describe the user story

Please support usage of opentofu

https://github.com/opentffoundation/opentf

Describe the solution you'd like

See above

Describe the drawbacks of your solution

N/A

Describe alternatives you've considered

N/A

@nitrocode nitrocode added feature New functionality/enhancement docs Documentation labels Sep 5, 2023
@raynigon
Copy link

raynigon commented Oct 9, 2023

This Ticket should be renamed to Support OpenTofu terraform fork, to make it easier to find.

@jamengual jamengual changed the title Support OpenTF terraform fork Support OpenTofu terraform fork Oct 10, 2023
@chenrui333 chenrui333 changed the title Support OpenTofu terraform fork Support OpenTofu Nov 22, 2023
@chenrui333
Copy link
Member

Should be just Support OpenTofu (I think almost everyone knows OpenTofu at this point)

@sirvantedbrl
Copy link

@nitrocode @chenrui333 @raynigon I would like to work on this issue, could you assign me?

@chenrui333
Copy link
Member

@sirvantedbrl feel free to kick off a PR and we can start from there. Thanks!

@sirvantedbrl
Copy link

@chenrui333 İ'm starting to work on sending a PR, thank you.

@GenPage
Copy link
Member

GenPage commented Dec 11, 2023

The idea is that we will still support both Terraform and OpenTofu. There may be some hard-code references to Terraform. We want to abstract that so that we don't have to do this again for even another tool. Atlantis long-term should be vendor-agnostic.

@chenrui333
Copy link
Member

opentofu just GA today, https://github.com/opentofu/opentofu/releases/tag/v1.6.0

@nitrocode
Copy link
Member Author

A workaround for users that want to go down the opentofu path before support is official could do the following.

  1. Set --tf-download=false to avoid downloading terraform versions
  2. Use a custom container to download a opentofu release as /usr/bin/opentofu_<version>
  3. Use a custom workflow to override the init, plan, and apply steps to use the opentofu cli instead of the terraform cli

@jmateusppay
Copy link

jmateusppay commented Mar 11, 2024

Worked for me

Installation with helm:

values.yaml

initConfig:
  enabled: true
  image: alpine:latest
  imagePullPolicy: IfNotPresent
  # sharedDir is set as env var INIT_SHARED_DIR
  sharedDir: /plugins
  workDir: /tmp
  sizeLimit: 250Mi
  # example of how the script can be configured to install tools/providers required by the atlantis pod
  script: |
    #!/bin/sh
    set -eoux pipefail

    # terragrunt
    TG_VERSION="0.55.10"
    TG_SHA256_SUM="1ad609399352348a41bb5ea96fdff5c7a18ac223742f60603a557a54fc8c6cff"
    TG_FILE="${INIT_SHARED_DIR}/terragrunt"
    wget https://github.com/gruntwork-io/terragrunt/releases/download/v${TG_VERSION}/terragrunt_linux_amd64 -O "${TG_FILE}"
    echo "${TG_SHA256_SUM} ${TG_FILE}" | sha256sum -c
    chmod 755 "${TG_FILE}"
    terragrunt -v

    # OpenTofu
    TF_VERSION="1.6.2"
    TF_FILE="${INIT_SHARED_DIR}/tofu"
    wget https://github.com/opentofu/opentofu/releases/download/v${TF_VERSION}/tofu_${TF_VERSION}_linux_amd64.zip
    unzip tofu_${TF_VERSION}_linux_amd64.zip
    mv tofu ${INIT_SHARED_DIR}
    chmod 755 "${TF_FILE}"
    tofu -v
environment: 
  ATLANTIS_TF_DOWNLOAD: false
  TERRAGRUNT_TFPATH: /plugins/tofu
repoConfig: |
  ---
  repos:
  - id: /.*/
    apply_requirements: [approved, mergeable]
    allow_custom_workflows: true
    allowed_overrides: [workflow, apply_requirements, delete_source_branch_on_merge]

atlantis.yaml

version: 3
automerge: true
parallel_plan: true
parallel_apply: false
projects:
- name: terragrunt
  dir: .
  workspace: terragrunt
  delete_source_branch_on_merge: true
  autoplan:
    enabled: false
  apply_requirements: [mergeable, approved]
  workflow: terragrunt
workflows:
  terragrunt:
    plan:
      steps:
      - env:
          name: TF_IN_AUTOMATION
          value: 'true'
      - run: find . -name '.terragrunt-cache' | xargs rm -rf
      - run: terragrunt init -reconfigure
      - run:
          command: terragrunt plan -input=false -out=$PLANFILE
          output: strip_refreshing
    apply:  
      steps:      
        - run: terragrunt apply $PLANFILE

I hope it helps :)

@nitrocode
Copy link
Member Author

nitrocode commented Mar 11, 2024

Nice work! I think the above is worth documenting on the site. The one suggestion I have would be to keep the version as a suffix in the binary name for consistency with how we currently use terraform.

We'd also need to document without using a wrapper like terragrunt/atmos/terramate/etc

Reading the description of this issue over and it's more targeting the auto download of opentofu than the usage of opentofu. Maybe we can document the above and re-title this issue as "Support autodownload of opentofu"?

Your solution of installing opentofu manually and disabling auto download should work as expected.

I also saw that the new aws 5.40 aws providers, which contain custom functions, are backwards compatible (but without custom function support) with older versions of terraform and current versions of opentofu. One less worry with switching from tf to opentofu.

@nitrocode
Copy link
Member Author

nitrocode commented Mar 11, 2024

Perhaps since so many people have upvoted this issue, we should move the contents and title of this issue into its own issue for autodownloading opentofu

Then this this issue can be (informally) an epic for full opentofu support so it can be broken up into smaller issues/subtasks

@nitrocode nitrocode changed the title Support OpenTofu Support OpenTofu (epic) Mar 12, 2024
@kvendingoldo
Copy link

Hi! I think that in scope of it you can start to use tenv: tool for managing Terraform, Terragrunt and OpenTofu by a single binary file.

You're also welcome to open any issues or contribute to tenv.

@jmateusppay
Copy link

This is my doc to deployment Atlantis with OpenTofu.

https://medium.com/@contato.matthewd/deployment-atlantis-with-opentofu-85ca0fbe45e5

@ItsMeBrianD
Copy link

Trying to get this figured out; I'm running Atlantis in Nomad, and I can't get OpenTofu to be the tool being used.

I have tried to install it as an artifact, but am met with "cannot parse terraform version" when running this way.

I found #4341 which has me very confused - is the binary just floating in the image without any first party way to invoke it?

All of this to say, I am not a DevOps or Terraform expert, so if there is something that I am missing, or can do to get this working in the mean time, please let me know.

@jmateusppay
Copy link

@ItsMeBrianD As the Atlantis still not have default support for opentofu, on this post, i make the deployment the atlantis use OpenTofu binary. How are your the deployment openTofu, now?

@ItsMeBrianD
Copy link

I'm currently using a nomad job, I have tried with the noted Environment variables that you had listed in step 6 of your blog post, but it didn't make a difference. I also have not done any specific configuration in my repository, is the yaml that you've specified using terragrunt required? If so, is terragrunt also required or can I update it to refer to opentofu directly?

This is a somewhat reduced version of the job file

job "atlantis" {
  group "atlantis" {
    network {
      port "ui" { to = 4141 }
    }
    task "atlantis" {
      driver = "docker"
      config {
        image = "ghcr.io/runatlantis/atlantis"
        entrypoint = ["atlantis"]
        args = [
          "server",
          "--atlantis-url=$${URL}",
          "--gh-user=$${USER}",
          "--gh-token=$${TOKEN}",
          "--gh-webhook-secret=$${SECRET}",
          "--repo-allowlist=$${REPO_ALLOWLIST}",
          "--tf-download=false"
        ]
        ports = ["ui"]
        volumes = [
          "local/tofu/tofu:/usr/bin/tf"
        ]
      }

      artifact {
        source = "https://github.com/opentofu/opentofu/releases/download/v1.8.1/tofu_1.8.1_linux_amd64.tar.gz"
        destination = "local/tofu"
      }

      template {
        destination = "secrets/.env"
        env = true
        data = <<EOF
{{ with secret "${secret-path}" }}
TOKEN="{{ .Data.data.gh_token }}"
USER="{{ .Data.data.gh_user }}"
SECRET="{{ .Data.data.hook_secret }}"
{{ end }}

URL="https://atlantis.${base-domain}"
REPO_ALLOWLIST="${repo}"

{{- range service "consul"}}
CONSUL_HTTP_ADDR="http://{{.Address}}:8500"
{{- end }}
        EOF
      }
    }
  }
}

@luismiguelsaez-steercrm

Worked for me

Installation with helm:

values.yaml

initConfig:
  enabled: true
  image: alpine:latest
  imagePullPolicy: IfNotPresent
  # sharedDir is set as env var INIT_SHARED_DIR
  sharedDir: /plugins
  workDir: /tmp
  sizeLimit: 250Mi
  # example of how the script can be configured to install tools/providers required by the atlantis pod
  script: |
    #!/bin/sh
    set -eoux pipefail

    # terragrunt
    TG_VERSION="0.55.10"
    TG_SHA256_SUM="1ad609399352348a41bb5ea96fdff5c7a18ac223742f60603a557a54fc8c6cff"
    TG_FILE="${INIT_SHARED_DIR}/terragrunt"
    wget https://github.com/gruntwork-io/terragrunt/releases/download/v${TG_VERSION}/terragrunt_linux_amd64 -O "${TG_FILE}"
    echo "${TG_SHA256_SUM} ${TG_FILE}" | sha256sum -c
    chmod 755 "${TG_FILE}"
    terragrunt -v

    # OpenTofu
    TF_VERSION="1.6.2"
    TF_FILE="${INIT_SHARED_DIR}/tofu"
    wget https://github.com/opentofu/opentofu/releases/download/v${TF_VERSION}/tofu_${TF_VERSION}_linux_amd64.zip
    unzip tofu_${TF_VERSION}_linux_amd64.zip
    mv tofu ${INIT_SHARED_DIR}
    chmod 755 "${TF_FILE}"
    tofu -v
environment: 
  ATLANTIS_TF_DOWNLOAD: false
  TERRAGRUNT_TFPATH: /plugins/tofu
repoConfig: |
  ---
  repos:
  - id: /.*/
    apply_requirements: [approved, mergeable]
    allow_custom_workflows: true
    allowed_overrides: [workflow, apply_requirements, delete_source_branch_on_merge]

atlantis.yaml

version: 3
automerge: true
parallel_plan: true
parallel_apply: false
projects:
- name: terragrunt
  dir: .
  workspace: terragrunt
  delete_source_branch_on_merge: true
  autoplan:
    enabled: false
  apply_requirements: [mergeable, approved]
  workflow: terragrunt
workflows:
  terragrunt:
    plan:
      steps:
      - env:
          name: TF_IN_AUTOMATION
          value: 'true'
      - run: find . -name '.terragrunt-cache' | xargs rm -rf
      - run: terragrunt init -reconfigure
      - run:
          command: terragrunt plan -input=false -out=$PLANFILE
          output: strip_refreshing
    apply:  
      steps:      
        - run: terragrunt apply $PLANFILE

I hope it helps :)

Why is this an example on how to use OpenTF with Atlantis? Maybe I am missing something, but that is using terragrunt, which is compatible with OpenTF itself and doesn't make Atlantis compatible with it in any way.

The issue that people is experiencing is while replacing terraform with tofu in the workflows, where it doesn't work during the apply commands.

Please, could you clarify?

@jmateusppay
Copy link

atlantis.yaml

Yes, you can adapter for your scenario, instead of doing a terragrunt init you can replace with opentofu init in the workflow.

the opentofu binary are available in container through the suggested installation configuration.

@obscurerichard
Copy link

I'm just an interested Atlantis user, but feat: Support project-level Terraform distribution selection #5167 looks like it could be a great way of resolving at least some of the OpenTofu concerns if I'm reading it right...

@obscurerichard
Copy link

If you are running Atlantis in a container in a recent version after #4341 was released , today you can use the OpenTofu built into the container pretty easily, as long as you are OK with the one version of OpenTofu built into the container.

I tested this vs. v0.31.0 (commit: 245044c) (build date: 2024-11-22T17:58:20.688Z) and it worked beautifully.

See https://binaryronin.io/posts/atlantis-tofu/ for the post that inspired this minimal, working project configuration for a repository-level atlantis.yml file:

---
version: 3
projects:
  - name: opentofu-test
    dir: terraform
    workflow: opentofu
workflows:
  opentofu:
    plan:
      steps:
      - run: tofu --version
      - run: rm -rf .terraform
      - run: tofu init -reconfigure
      - run: tofu plan
    apply:
      steps:
      - run: tofu --version
      - run: rm -rf .terraform
      - run: tofu init -reconfigure
      - run: tofu apply -auto-approve

I haven't tested it yet but a workflow specified in the server-level configuration files should work well too. I'm going to keep experimenting.

@obscurerichard
Copy link

obscurerichard commented Jan 8, 2025

I've been using OpenTofu for a couple weeks now with Atlantis and have refined the custom workflow to the point where it works really well, either as a repository-level configuration, or a server-level configuration.

I've tested the plan and apply paths pretty thoroughly, including planning a destroy with atlantis plan -p project -- -destroy. I have not yet thoroughly tested the import or state_rm workflows but they should work with the code shown.

workflows:
  opentofu:
    plan:
      steps:
        - env: &tf_in_automation
            # Reduce Terraform suggestion output
            name: TF_IN_AUTOMATION
            value: 'true'
        - env: &escaped_args
            name: TF_CLI_ARGS_PARSED
            command: 'printf "%s" $COMMENT_ARGS | sed "s/,/ /g" | tr -d "\\"'
        - run: echo TF_CLI_ARGS_PARSED="$TF_CLI_ARGS_PARSED"
        - run: &tf_version
            command: tofu --version
        - run: &tf_rm
            command: rm -rf .terraform
            output: hide
        - run: &tf_init
            command: tofu init -reconfigure
            output: hide
        - run: tofu plan -out $PLANFILE $TF_CLI_ARGS_PARSED
    apply:
      steps:
        - env: *tf_in_automation
        - run: *tf_version
        - run: tofu apply $PLANFILE
    # Allow for imports as not supported for Terraform wrappers by default
    import:
      steps:
        - env: *tf_in_automation
        - env: *escaped_args
        - run: *tf_version
        - run: tofu import $TF_CLI_ARGS_PARSED
    # State removals are not supported for Terraform wrappers by default
    state_rm:
      steps:
        - env: *tf_in_automation
        - env: *escaped_args
        - run: *tf_version
        - run: tofu state rm $TF_CLI_ARGS_PARSED

(Note: edited per suggestion from @grimm26)

Extra thanks to @binaryronin for the blog that inspired this.

@grimm26
Copy link
Contributor

grimm26 commented Jan 8, 2025

@obscurerichard why do you wipe .terraform and then init -reconfigure on apply?

@obscurerichard
Copy link

obscurerichard commented Jan 8, 2025

Do I not need to do that? Thanks @grimm26 for the constructive feedback.

I started by following the example at https://binaryronin.io/posts/atlantis-tofu/ which worked and I just went with it from there. I didn't look too closely at that. Perhaps that part is not really necessary... good point. I'll try it without and edit the comment to reflect the more concise version.

I think this can also be skipped on the import...

Update: I removed the rm / init from both apply and import given the way the plan / apply / import cycles work for these.

@obscurerichard
Copy link

Since feat: Support project-level Terraform distribution selection #5167 has been merged I'm guessing that the next released version of Atlantis will have pretty comprehensive OpenTofu support!

This is exciting... 💪🏻 🥳 🥇

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
docs Documentation feature New functionality/enhancement
Projects
None yet
Development

Successfully merging a pull request may close this issue.