Skip to main content

OpenTofu

This guide covers how to use OpenTofu in pipelines.

caution

OpenTofu's state locking features can help ensure multiple pipeline executions can't write to the state at once.

Alternatively, you can set GITNESS_CI_PARALLEL_WORKERS to 1, so your Harness Open Source instance will only execute one pipeline at a time.

Plan and apply example

This pipeline supports a common workflow where Push and Pull Request triggers have been enabled.

The init step always runs.

The plan step always runs.

The apply step uses conditions to ensure it only runs on manual or push events for the main branch.

kind: pipeline
spec:
  stages:
    - type: ci
      spec:
        envs:
          TF_CLI_ARGS: -no-color
        steps:
          - name: init
            type: run
            spec:
              container: ghcr.io/opentofu/opentofu:1.6
              script: |
                tofu init
          - name: plan
            type: run
            spec:
              container: ghcr.io/opentofu/opentofu:1.6
              script: |
                tofu plan
          - name: apply
            type: run
            spec:
              container: ghcr.io/opentofu/opentofu:1.6
              script: |
                tofu apply -auto-approve
            when: 
              build.source == "main"
              and
              build.event matches "manual|push"

Note that TF_CLI_ARGS is set as stage environment variable.

Authentication

The plan and apply steps will likely need to authenticate with providers and the backend defined in your configuration.

Add any sensitive values as secrets and reference them in required steps.

For example, these steps set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY step environment variables, which are required by the AWS provider and the s3 backend.

          - name: plan
            type: run
            spec:
              container: ghcr.io/opentofu/opentofu:1.6
              envs:
                AWS_ACCESS_KEY_ID: ${{ secrets.get("AWS_ACCESS_KEY_ID") }}
                AWS_SECRET_ACCESS_KEY: ${{ secrets.get("AWS_SECRET_ACCESS_KEY") }}
              script: |
                tofu plan
          - name: apply
            type: run
            spec:
              container: ghcr.io/opentofu/opentofu:1.6
              envs:
                AWS_ACCESS_KEY_ID: ${{ secrets.get("AWS_ACCESS_KEY_ID") }}
                AWS_SECRET_ACCESS_KEY: ${{ secrets.get("AWS_SECRET_ACCESS_KEY") }}
              script: |
                tofu apply -auto-approve

Check formatting

Optionally add an initial step to run fmt.

If your configuration does not follow OpenTofu's style conventions, the step will fail.

          - name: fmt
            type: run
            spec:
              container: ghcr.io/opentofu/opentofu:1.6
              script: |
                tofu fmt -check -diff