OpenTofu

• Awesome OpenTofu list

Usage

tofu apply -auto-approve

Debug:

OS_DEBUG=1 TF_LOG=DEBUG  apply

updating provider versions

find . -name versions.tf -exec sed -i 's/1.22.3/1.22.7/' {} \;

Import

• Docs: Import

Import a resource when a provider upgrade would force a resource recreation:

tf state show module.ricote.libvirt_pool.default  # note the `id`
tf state rm module.ricote.libvirt_pool.default
tofu import module.ricote.libvirt_pool.default 09f0dc94-5984-4330-b1fe-f150050643d1

Add provider versions to each submodule

git grep -l gitlabhq/gitlab | xargs -n 1 sed -i '/"gitlabhq\/gitlab"/a \      version = "16.3.0"'

Initialize all

find . -type d -name .terraform -exec tofu -chdir={}/.. init -upgrade \

or

for i in infrastructure infrastructure/* global environments/*/* kubernetes kubernetes/* ;\
  do echo $i; tofu init -upgrade $i; done

Remove all .terraform dirs

find . -type f -name .terraform.lock.hcl -exec rm {} \; && find . -type d -name .terraform -exec rm -rf {} \;

Tofu state

tf state list
tf state show 'google_compute_instance.legacy_vm["ofts105-3"]'

Style

• Style
• Syntax
• Style best practices
• jonbrouse/terraform-style-guide

Linting

• pre-commit-opentofu
• terraform validate isn't able to catch invalid resources like aws instance type, but tflint is i.e.

tflint

• Github
• User guide
• Opentofu discussions: Tools, dependencies, and other things: tflint
• WIP: tofulint fork
  • Not usable atm

Debug mode:

TFLINT_LOG=debug tflint

Issues:

• .tofu files are not parsed
• No OpenTofu support planned
• When used in pre-commit, there's no indication about the file location Output directory tflint is executed from
• Tflint searched for config files in the current directory, then for a global one (~/.tflint.hcl), but not in the root of the git repo i.e. When there is no global config file, the default config is used for tflint when executed in a subdir i.e., or even when used as tflint --recursive --module.

Vim integration

• vim-terraform plugin
• Official hashicorp/terraform-ls
  • OpenTofu support
    • What is the future plans for an OpenTofu Language Server ?
    • Support OpenTofu in the VS Code Language Server
    • OpenTofu fork
• terraform-lsp

Additional tools

• awesome-opentofu: Tools
• Opentofu discussions: Tools, dependencies, and other things
• terragrunt
• tfsec brew install tfsec
• tfupdate:

  Update version constraints in your Terraform configurations

Terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.

• GitHub
• Docs
  • Config options
• Megalinter integration

Usage:

terrascan scan -i terraform .

Issues:

• Missing support for Terraform import blocks

checkov

• GitHub
• Docs
  • Configuration using a config file
  • Suppressing/skipping checks
• Megalinter checkov integration

Install:

pipx install checkov

Scan directory:

checkov --directory .

terraform-docs

• GitHub
• .tofu files are beeing ignored
  • Adding first-class support for .tofu files
• Opentofu discussions: Tools, dependencies, and other things: terraform-docs
• OpenTofu support
• pre-commit hook

Usage:

terraform-docs markdown table .

Gitblab CI & terraform

• terraform.gitlab-ci.yml)