Add support for early evalution in OpenTofu

dflook · dflook · commit 390bc71bc7de · 2025-03-29T12:15:49.000Z
Pass variables to the init and workspace select commands
diff --git a/.github/workflows/test-early-eval.yaml b/.github/workflows/test-early-eval.yaml
@@ -0,0 +1,28 @@
+name: Test OpenTofu early eval
+
+on:
+  - pull_request
+
+permissions:
+  contents: read
+
+jobs:
+  plan:
+    runs-on: ubuntu-24.04
+    name: Plan with early eval
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: terraform plan
+        uses: ./tofu-plan
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        with:
+          path: tests/workflows/test-plan/early-eval/tofu
+          add_github_comment: false
+          variables: |
+            passphrase = "tofuqwertyuiopasdfgh"
diff --git a/image/actions.sh b/image/actions.sh
@@ -218,6 +218,14 @@ function set-init-args() {
         done
     fi
 
+    if [[ -v OPENTOFU && $TERRAFORM_VER_MINOR -ge 8 ]]; then
+        debug_log "Preparing variables for early evaluation"
+        set-variable-args
+        INIT_ARGS="$INIT_ARGS $VARIABLE_ARGS"
+    else
+        VARIABLE_ARGS=""
+    fi
+
     export INIT_ARGS
 }
 
@@ -302,9 +310,12 @@ function init-backend-default-workspace() {
 function select-workspace() {
     local WORKSPACE_EXIT
 
-    debug_log "$TOOL_COMMAND_NAME" workspace select "$INPUT_WORKSPACE"
+    # shellcheck disable=SC2086
+    debug_log "$TOOL_COMMAND_NAME" workspace select $VARIABLE_ARGS "$INPUT_WORKSPACE"
+
     set +e
-    (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace select "$INPUT_WORKSPACE") >"$STEP_TMP_DIR/workspace_select" 2>&1
+    # shellcheck disable=SC2086
+    (cd "$INPUT_PATH" && "$TOOL_COMMAND_NAME" workspace select $VARIABLE_ARGS "$INPUT_WORKSPACE") >"$STEP_TMP_DIR/workspace_select" 2>&1
     WORKSPACE_EXIT=$?
     set -e
 
diff --git a/image/entrypoints/test.sh b/image/entrypoints/test.sh
@@ -34,7 +34,8 @@ function set-test-args() {
 
 function test() {
 
-    debug_log $TOOL_COMMAND_NAME test -no-color "$TEST_ARGS" "$VARIABLE_ARGS"
+    # shellcheck disable=SC2086
+    debug_log $TOOL_COMMAND_NAME test -no-color $TEST_ARGS $VARIABLE_ARGS
 
     set +e
     # shellcheck disable=SC2086
diff --git a/tests/workflows/test-plan/early-eval/tofu/main.tf b/tests/workflows/test-plan/early-eval/tofu/main.tf
@@ -0,0 +1,48 @@
+terraform {
+  backend "s3" {
+    bucket = var.state_bucket
+    key    = "test-plan-early-eval"
+    region = "eu-west-2"
+  }
+}
+
+provider "aws" {
+  region = "eu-west-2"
+}
+
+variable "state_bucket" {
+  type = string
+}
+
+variable "acm_certificate_version" {
+  type = string
+  default = "4.3.0"
+}
+
+variable "passphrase" {
+  type = string
+  sensitive = true
+}
+
+module "s3-bucket" {
+  source  = "terraform-aws-modules/s3-bucket/aws"
+  version = var.acm_certificate_version
+}
+
+terraform {
+  encryption {
+    key_provider "pbkdf2" "my_passphrase" {
+      passphrase = var.passphrase
+    }
+
+    method "aes_gcm" "my_method" {
+      keys = key_provider.pbkdf2.my_passphrase
+    }
+
+    state {
+      method = method.aes_gcm.my_method
+    }
+  }
+
+  required_version = "1.8.8"
+}
diff --git a/tests/workflows/test-plan/early-eval/tofu/terraform.tfvars b/tests/workflows/test-plan/early-eval/tofu/terraform.tfvars
@@ -0,0 +1 @@
+state_bucket = "terraform-github-actions"

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+state_bucket = "terraform-github-actions"`