From c27d516a7bc903e2113505d1dd5eb8a6d4f9f5d7 Mon Sep 17 00:00:00 2001 From: Kartik Shah Date: Thu, 19 Sep 2024 13:34:01 +0530 Subject: [PATCH 1/4] refactor: switch to opentofu --- ci/image/gcp/Dockerfile | 11 ++++++----- ci/tasks/check-and-upgrade-k8s.sh | 4 ++-- ci/tasks/gcp/postgresql.sh | 4 ++-- ci/tasks/gcp/smoketest.sh | 4 ++-- ci/tasks/gcp/teardown-postgresql.sh | 4 ++-- ci/tasks/gcp/teardown.sh | 4 ++-- ci/tasks/helpers.sh | 4 ++-- examples/gcp/README.md | 2 +- examples/gcp/bin/prep-inception.sh | 12 ++++++------ examples/gcp/bin/prep-platform.sh | 10 +++++----- examples/gcp/bin/prep-postgresql.sh | 10 +++++----- examples/gcp/bin/prep-smoketest.sh | 14 +++++++------- 12 files changed, 42 insertions(+), 41 deletions(-) diff --git a/ci/image/gcp/Dockerfile b/ci/image/gcp/Dockerfile index 5f430252..f5b48729 100644 --- a/ci/image/gcp/Dockerfile +++ b/ci/image/gcp/Dockerfile @@ -18,11 +18,12 @@ RUN wget https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/${YQ_BI && echo $YQ_SHASUM /usr/bin/yq | sha256sum --check \ && chmod +x /usr/bin/yq -ENV TERRAFORM_VERSION=1.4.5 -RUN wget https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip \ - && unzip terraform_${TERRAFORM_VERSION}_linux_amd64.zip \ - && mv terraform /usr/local/bin/ \ - && rm terraform_${TERRAFORM_VERSION}_linux_amd64.zip +ENV OPENTOFU_VERSION=v1.8.1 +RUN curl --proto '=https' --tlsv1.2 -fsSL https://get.opentofu.org/install-opentofu.sh -o install-opentofu.sh \ + && chmod +x install-opentofu.sh \ + && ./install-opentofu.sh --install-method deb \ + && rm -f install-opentofu.sh + ARG KUBECTL_VERSION=v1.24.12 ARG KUBECTL_SHASUM=25875551d4242339bcc8cef0c18f0a0f631ea621f6fab1190a5aaab466634e7c diff --git a/ci/tasks/check-and-upgrade-k8s.sh b/ci/tasks/check-and-upgrade-k8s.sh index c9716b3e..97cd947c 100755 --- a/ci/tasks/check-and-upgrade-k8s.sh +++ b/ci/tasks/check-and-upgrade-k8s.sh 
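Review bot: The `install-opentofu.sh` script is fetched from get.opentofu.org and executed during the image build with no integrity check, while yq a few lines up is verified with `sha256sum --check` against a pinned `YQ_SHASUM` and kubectl carries a `KUBECTL_SHASUM`. Pinning the release (done later in this series with `--opentofu-version`) does not cover the installer itself, so a changed or tampered script would run in every CI image build; the same unverified fetch-and-run appears in the 3/4 Dockerfile hunk and in `bastion-startup.tmpl` in 4/4. I would follow the file's existing pattern: add `ARG OPENTOFU_INSTALLER_SHASUM=<sha256 of the reviewed installer>` and insert `&& echo "$OPENTOFU_INSTALLER_SHASUM  install-opentofu.sh" | sha256sum --check \` before the `chmod`. Whether the installer verifies the downloaded release depends on cosign or gpg being present in the image, which this hunk does not show.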
@@ -5,8 +5,8 @@ set -eu source pipeline-tasks/ci/tasks/helpers.sh pushd pipeline-tasks/ci/k8s-upgrade -terraform init && terraform apply -auto-approve -LATEST_VERSION="$(terraform output -json | jq -r .latest_version.value)" +tofu init && tofu apply -auto-approve +LATEST_VERSION="$(tofu output -json | jq -r .latest_version.value)" if [[ $LATEST_VERSION == "" ]]; then echo "Failed to get latest version" diff --git a/ci/tasks/gcp/postgresql.sh b/ci/tasks/gcp/postgresql.sh index 9563d71a..546dde39 100755 --- a/ci/tasks/gcp/postgresql.sh +++ b/ci/tasks/gcp/postgresql.sh @@ -18,8 +18,8 @@ write_users bin/prep-inception.sh cleanup_inception_key -bastion_name="$(cd inception && terraform output bastion_name | jq -r)" -bastion_zone="$(cd inception && terraform output bastion_zone | jq -r)" +bastion_name="$(cd inception && tofu output bastion_name | jq -r)" +bastion_zone="$(cd inception && tofu output bastion_zone | jq -r)" export BASTION_USER="sa_$(cat ${CI_ROOT}/gcloud-creds.json | jq -r '.client_id')" export ADDITIONAL_SSH_OPTS="-o StrictHostKeyChecking=no -i ${CI_ROOT}/login.ssh" diff --git a/ci/tasks/gcp/smoketest.sh b/ci/tasks/gcp/smoketest.sh index ccedcf9c..813832e2 100755 --- a/ci/tasks/gcp/smoketest.sh +++ b/ci/tasks/gcp/smoketest.sh @@ -20,8 +20,8 @@ cleanup_inception_key bin/prep-platform.sh -bastion_name="$(cd inception && terraform output bastion_name | jq -r)" -bastion_zone="$(cd inception && terraform output bastion_zone | jq -r)" +bastion_name="$(cd inception && tofu output bastion_name | jq -r)" +bastion_zone="$(cd inception && tofu output bastion_zone | jq -r)" export BASTION_USER="sa_$(cat ${CI_ROOT}/gcloud-creds.json | jq -r '.client_id')" export ADDITIONAL_SSH_OPTS="-o StrictHostKeyChecking=no -i ${CI_ROOT}/login.ssh" diff --git a/ci/tasks/gcp/teardown-postgresql.sh b/ci/tasks/gcp/teardown-postgresql.sh index 3fa52348..6a5230e6 100755 --- a/ci/tasks/gcp/teardown-postgresql.sh +++ b/ci/tasks/gcp/teardown-postgresql.sh 
@@ -16,8 +16,8 @@ write_users bin/prep-inception.sh -bastion_name="$(cd inception && terraform output bastion_name | jq -r)" -bastion_zone="$(cd inception && terraform output bastion_zone | jq -r)" +bastion_name="$(cd inception && tofu output bastion_name | jq -r)" +bastion_zone="$(cd inception && tofu output bastion_zone | jq -r)" export BASTION_USER="sa_$(cat ${CI_ROOT}/gcloud-creds.json | jq -r '.client_id')" export ADDITIONAL_SSH_OPTS="-o StrictHostKeyChecking=no -i ${CI_ROOT}/login.ssh" diff --git a/ci/tasks/gcp/teardown.sh b/ci/tasks/gcp/teardown.sh index 3e115c05..9e87018d 100755 --- a/ci/tasks/gcp/teardown.sh +++ b/ci/tasks/gcp/teardown.sh @@ -17,8 +17,8 @@ write_users bin/prep-inception.sh bin/prep-platform.sh -bastion_name="$(cd inception && terraform output bastion_name | jq -r)" -bastion_zone="$(cd inception && terraform output bastion_zone | jq -r)" +bastion_name="$(cd inception && tofu output bastion_name | jq -r)" +bastion_zone="$(cd inception && tofu output bastion_zone | jq -r)" export BASTION_USER="sa_$(cat ${CI_ROOT}/gcloud-creds.json | jq -r '.client_id')" export ADDITIONAL_SSH_OPTS="-o StrictHostKeyChecking=no -i ${CI_ROOT}/login.ssh" diff --git a/ci/tasks/helpers.sh b/ci/tasks/helpers.sh index bcd251c0..13ce7338 100644 --- a/ci/tasks/helpers.sh +++ b/ci/tasks/helpers.sh @@ -44,7 +44,7 @@ terraform { } EOF - terraform init + tofu init popd } @@ -56,7 +56,7 @@ function write_users() { function cleanup_inception_key() { pushd bootstrap - inception_email=$(terraform output inception_sa | jq -r) + inception_email=$(tofu output inception_sa | jq -r) popd key_id="$(cat ./inception-sa-creds.json | jq -r '.private_key_id')" gcloud iam service-accounts keys delete "${key_id}" --iam-account="${inception_email}" --quiet diff --git a/examples/gcp/README.md b/examples/gcp/README.md index 347fcbe5..2b290165 100644 --- a/examples/gcp/README.md +++ b/examples/gcp/README.md 
@@ -40,7 +40,7 @@ EOF $ make bootstrap ``` -Executing `make bootstrap` will execute `terraform apply` in the `bootstrap` folder and also import the relevant resources into the `inception` phase - which will subsequently own the lifecycle of those resources. +Executing `make bootstrap` will execute `tofu apply` in the `bootstrap` folder and also import the relevant resources into the `inception` phase - which will subsequently own the lifecycle of those resources. ## Inception phase diff --git a/examples/gcp/bin/prep-inception.sh b/examples/gcp/bin/prep-inception.sh index ca822236..283ecad8 100755 --- a/examples/gcp/bin/prep-inception.sh +++ b/examples/gcp/bin/prep-inception.sh @@ -4,11 +4,11 @@ set -eu pushd bootstrap -terraform output > ../inception/terraform.tfvars +tofu output > ../inception/terraform.tfvars -inception_email=$(terraform output inception_sa | jq -r) -tf_state_bucket_name=$(terraform output tf_state_bucket_name | jq -r) -name_prefix=$(terraform output name_prefix | jq -r) +inception_email=$(tofu output inception_sa | jq -r) +tf_state_bucket_name=$(tofu output tf_state_bucket_name | jq -r) +name_prefix=$(tofu output name_prefix | jq -r) popd @@ -33,8 +33,8 @@ sleep 5 terraform init -terraform state show module.inception.google_project_iam_custom_role.inception_destroy || \ - terraform apply \ +tofu state show module.inception.google_project_iam_custom_role.inception_destroy || \ + tofu apply \ -target module.inception.google_project_iam_custom_role.inception_make \ -target module.inception.google_project_iam_custom_role.inception_destroy \ -target module.inception.google_project_iam_member.inception_make \ diff --git a/examples/gcp/bin/prep-platform.sh b/examples/gcp/bin/prep-platform.sh index 61e132f9..3694e507 100755 --- a/examples/gcp/bin/prep-platform.sh +++ b/examples/gcp/bin/prep-platform.sh 
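Review bot: The context line `terraform init` at the top of the `@@ -33,8 +33,8 @@` hunk of `examples/gcp/bin/prep-inception.sh` is left unchanged, while the `state show` and `apply` calls right below it now use `tofu`. The CI image in this same patch no longer installs terraform, `ci/tasks/gcp/postgresql.sh` calls this script, and the script runs under `set -eu`, so this step would presumably stop with a command-not-found error before the IAM bootstrap targets are applied. Change it to `tofu init`, as was done for the equivalent calls in `helpers.sh` and `prep-platform.sh`.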
@@ -7,15 +7,15 @@ REPO_ROOT_DIR="${REPO_ROOT##*/}" pushd bootstrap -tf_state_bucket_name=$(terraform output tf_state_bucket_name | jq -r) -name_prefix=$(terraform output name_prefix | jq -r) -gcp_project=$(terraform output gcp_project | jq -r) +tf_state_bucket_name=$(tofu output tf_state_bucket_name | jq -r) +name_prefix=$(tofu output name_prefix | jq -r) +gcp_project=$(tofu output gcp_project | jq -r) popd pushd inception -cluster_sa=$(terraform output cluster_sa | jq -r) +cluster_sa=$(tofu output cluster_sa | jq -r) popd @@ -37,5 +37,5 @@ node_service_account = "${cluster_sa}" destroyable_cluster = true EOF -terraform init +tofu init popd diff --git a/examples/gcp/bin/prep-postgresql.sh b/examples/gcp/bin/prep-postgresql.sh index 44ec6e5a..2a141431 100755 --- a/examples/gcp/bin/prep-postgresql.sh +++ b/examples/gcp/bin/prep-postgresql.sh @@ -7,16 +7,16 @@ REPO_ROOT_DIR="${REPO_ROOT##*/}" pushd bootstrap -tf_state_bucket_name=$(terraform output tf_state_bucket_name | jq -r) -name_prefix=$(terraform output name_prefix | jq -r) -gcp_project=$(terraform output gcp_project | jq -r) +tf_state_bucket_name=$(tofu output tf_state_bucket_name | jq -r) +name_prefix=$(tofu output name_prefix | jq -r) +gcp_project=$(tofu output gcp_project | jq -r) popd pushd inception -bastion_name="$(terraform output bastion_name | jq -r)" -bastion_zone="$(terraform output bastion_zone | jq -r)" +bastion_name="$(tofu output bastion_name | jq -r)" +bastion_zone="$(tofu output bastion_zone | jq -r)" popd diff --git a/examples/gcp/bin/prep-smoketest.sh b/examples/gcp/bin/prep-smoketest.sh index b2999d7a..9f36985b 100755 --- a/examples/gcp/bin/prep-smoketest.sh +++ b/examples/gcp/bin/prep-smoketest.sh 
@@ -7,23 +7,23 @@ REPO_ROOT_DIR="${REPO_ROOT##*/}" pushd bootstrap -tf_state_bucket_name=$(terraform output tf_state_bucket_name | jq -r) -name_prefix=$(terraform output name_prefix | jq -r) +tf_state_bucket_name=$(tofu output tf_state_bucket_name | jq -r) +name_prefix=$(tofu output name_prefix | jq -r) popd pushd inception -cluster_sa=$(terraform output cluster_sa | jq -r) -bastion_name="$(terraform output bastion_name | jq -r)" -bastion_zone="$(terraform output bastion_zone | jq -r)" +cluster_sa=$(tofu output cluster_sa | jq -r) +bastion_name="$(tofu output bastion_name | jq -r)" +bastion_zone="$(tofu output bastion_zone | jq -r)" popd pushd platform -cluster_endpoint=$(terraform output cluster_endpoint | jq -r) -cluster_ca_cert="$(terraform output -json cluster_ca_cert | jq -r)" +cluster_endpoint=$(tofu output cluster_endpoint | jq -r) +cluster_ca_cert="$(tofu output -json cluster_ca_cert | jq -r)" popd From b14ac3f9fe900a745f85c48d4c0ef4eec5d8027c Mon Sep 17 00:00:00 2001 From: Kartik Shah Date: Thu, 19 Sep 2024 13:36:14 +0530 Subject: [PATCH 2/4] chore: remove unused env var --- ci/image/gcp/Dockerfile | 1 - 1 file changed, 1 deletion(-) diff --git a/ci/image/gcp/Dockerfile b/ci/image/gcp/Dockerfile index f5b48729..50e99341 100644 --- a/ci/image/gcp/Dockerfile +++ b/ci/image/gcp/Dockerfile @@ -18,7 +18,6 @@ RUN wget https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/${YQ_BI && echo $YQ_SHASUM /usr/bin/yq | sha256sum --check \ && chmod +x /usr/bin/yq -ENV OPENTOFU_VERSION=v1.8.1 RUN curl --proto '=https' --tlsv1.2 -fsSL https://get.opentofu.org/install-opentofu.sh -o install-opentofu.sh \ && chmod +x install-opentofu.sh \ && ./install-opentofu.sh --install-method deb \ From 7b3892f85933c399444c068aadac504297c8eb94 Mon Sep 17 00:00:00 2001 From: Kartik Shah Date: Thu, 19 Sep 2024 13:58:23 +0530 Subject: [PATCH 3/4] chore: pin tofu version --- ci/image/gcp/Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/ci/image/gcp/Dockerfile b/ci/image/gcp/Dockerfile index 50e99341..02451c31 100644 --- a/ci/image/gcp/Dockerfile +++ b/ci/image/gcp/Dockerfile @@ -18,9 +18,10 @@ RUN wget https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/${YQ_BI && echo $YQ_SHASUM /usr/bin/yq | sha256sum --check \ && chmod +x /usr/bin/yq +ENV OPENTOFU_VERSION=1.8.2 RUN curl --proto '=https' --tlsv1.2 -fsSL https://get.opentofu.org/install-opentofu.sh -o install-opentofu.sh \ && chmod +x install-opentofu.sh \ - && ./install-opentofu.sh --install-method deb \ + && ./install-opentofu.sh --install-method standalone --opentofu-version $OPENTOFU_VERSION \ && rm -f install-opentofu.sh From f90c9a85f64e1e7e5d124b5768016cb40217dc81 Mon Sep 17 00:00:00 2001 From: Kartik Shah Date: Thu, 19 Sep 2024 14:03:06 +0530 Subject: [PATCH 4/4] refactor: replace tf with tofu in bastion --- modules/inception/gcp/bastion-startup.tmpl | 7 ++++++- modules/inception/gcp/bastion.tf | 20 +++++++++++--------- 2 files changed, 17 insertions(+), 10 deletions(-) diff --git a/modules/inception/gcp/bastion-startup.tmpl b/modules/inception/gcp/bastion-startup.tmpl index 7dc76b9c..48e93710 100644 --- a/modules/inception/gcp/bastion-startup.tmpl +++ b/modules/inception/gcp/bastion-startup.tmpl @@ -10,7 +10,12 @@ curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key --keyring / # Keep make and terraform the first items installed as they are needed # for testflight to complete -apt-get update && apt-get install -y terraform make jq tree wget redis postgresql vault +apt-get update && apt-get install -y make jq tree wget redis postgresql vault unzip gnupg + +curl --proto '=https' --tlsv1.2 -fsSL https://get.opentofu.org/install-opentofu.sh -o install-opentofu.sh \ + && chmod +x install-opentofu.sh \ + && ./install-opentofu.sh --install-method standalone --opentofu-version ${opentofu_version} \ + && rm -f install-opentofu.sh cat < /etc/profile.d/aliases.sh alias tf="terraform" 
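Review bot: The `alias tf="terraform"` context line at the end of the `bastion-startup.tmpl` hunk still targets terraform, which the new `apt-get install` line no longer installs, so `tf` on the bastion would resolve to a missing binary unless terraform arrives some other way; it should become `alias tf="tofu"`. The comment above the install line is also stale: it says make and terraform must be installed first, but tofu is now installed only after the whole apt batch completes, so I would reword it to something like `# make is installed first; tofu follows via the installer below (needed for testflight)`. The heredoc that writes `aliases.sh` continues past the end of the hunk, so other aliases may need the same check.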
diff --git a/modules/inception/gcp/bastion.tf b/modules/inception/gcp/bastion.tf index 4a5e8669..359457d2 100644 --- a/modules/inception/gcp/bastion.tf +++ b/modules/inception/gcp/bastion.tf @@ -1,13 +1,14 @@ locals { - tag = "${local.name_prefix}-bastion" - bria_version = "0.1.106" - bitcoin_version = "25.2" - cepler_version = "0.7.15" - lnd_version = "0.18.0-beta" - kubectl_version = "1.30.4" - k9s_version = "0.32.5" - bos_version = "18.2.0" - kratos_version = "0.11.1" + tag = "${local.name_prefix}-bastion" + bria_version = "0.1.106" + bitcoin_version = "25.2" + cepler_version = "0.7.15" + lnd_version = "0.18.0-beta" + kubectl_version = "1.30.4" + k9s_version = "0.32.5" + bos_version = "18.2.0" + kratos_version = "0.11.1" + opentofu_version = "1.8.2" } data "google_compute_image" "bastion" { family = local.bastion_image_family @@ -56,6 +57,7 @@ resource "google_compute_instance" "bastion" { lnd_version : local.lnd_version bos_version : local.bos_version kratos_version : local.kratos_version + opentofu_version : local.opentofu_version }) depends_on = [