refactor: switch to opentofu

ci/image/gcp/Dockerfile

@@ -18,11 +18,12 @@ RUN wget https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/${YQ_BI
   && echo $YQ_SHASUM /usr/bin/yq | sha256sum --check \
   && chmod +x /usr/bin/yq
 
-ENV TERRAFORM_VERSION=1.4.5
-RUN wget https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip \
-    && unzip terraform_${TERRAFORM_VERSION}_linux_amd64.zip \
-    && mv terraform /usr/local/bin/ \
-    && rm terraform_${TERRAFORM_VERSION}_linux_amd64.zip
+ENV OPENTOFU_VERSION=1.8.2
+RUN curl --proto '=https' --tlsv1.2 -fsSL https://get.opentofu.org/install-opentofu.sh -o install-opentofu.sh \
+  && chmod +x install-opentofu.sh \
+  && ./install-opentofu.sh --install-method standalone --opentofu-version $OPENTOFU_VERSION \
+  && rm -f install-opentofu.sh
+
 
 ARG KUBECTL_VERSION=v1.24.12
 ARG KUBECTL_SHASUM=25875551d4242339bcc8cef0c18f0a0f631ea621f6fab1190a5aaab466634e7c

ci/tasks/check-and-upgrade-k8s.sh

@@ -5,8 +5,8 @@ set -eu
 source pipeline-tasks/ci/tasks/helpers.sh
 pushd pipeline-tasks/ci/k8s-upgrade
 
-terraform init && terraform apply -auto-approve
-LATEST_VERSION="$(terraform output -json | jq -r .latest_version.value)"
+tofu init && tofu apply -auto-approve
+LATEST_VERSION="$(tofu output -json | jq -r .latest_version.value)"
 
 if [[ $LATEST_VERSION == "" ]]; then
   echo "Failed to get latest version"

ci/tasks/gcp/postgresql.sh

@@ -18,8 +18,8 @@ write_users
 bin/prep-inception.sh
 cleanup_inception_key
 
-bastion_name="$(cd inception && terraform output bastion_name | jq -r)"
-bastion_zone="$(cd inception && terraform output bastion_zone | jq -r)"
+bastion_name="$(cd inception && tofu output bastion_name | jq -r)"
+bastion_zone="$(cd inception && tofu output bastion_zone | jq -r)"
 export BASTION_USER="sa_$(cat ${CI_ROOT}/gcloud-creds.json  | jq -r '.client_id')"
 export ADDITIONAL_SSH_OPTS="-o StrictHostKeyChecking=no -i ${CI_ROOT}/login.ssh"
 

ci/tasks/gcp/smoketest.sh

@@ -20,8 +20,8 @@ cleanup_inception_key
 
 bin/prep-platform.sh
 
-bastion_name="$(cd inception && terraform output bastion_name | jq -r)"
-bastion_zone="$(cd inception && terraform output bastion_zone | jq -r)"
+bastion_name="$(cd inception && tofu output bastion_name | jq -r)"
+bastion_zone="$(cd inception && tofu output bastion_zone | jq -r)"
 export BASTION_USER="sa_$(cat ${CI_ROOT}/gcloud-creds.json  | jq -r '.client_id')"
 export ADDITIONAL_SSH_OPTS="-o StrictHostKeyChecking=no -i ${CI_ROOT}/login.ssh"
 

ci/tasks/gcp/teardown-postgresql.sh

@@ -16,8 +16,8 @@ write_users
 
 bin/prep-inception.sh
 
-bastion_name="$(cd inception && terraform output bastion_name | jq -r)"
-bastion_zone="$(cd inception && terraform output bastion_zone | jq -r)"
+bastion_name="$(cd inception && tofu output bastion_name | jq -r)"
+bastion_zone="$(cd inception && tofu output bastion_zone | jq -r)"
 export BASTION_USER="sa_$(cat ${CI_ROOT}/gcloud-creds.json  | jq -r '.client_id')"
 export ADDITIONAL_SSH_OPTS="-o StrictHostKeyChecking=no -i ${CI_ROOT}/login.ssh"
 

ci/tasks/gcp/teardown.sh

@@ -17,8 +17,8 @@ write_users
 bin/prep-inception.sh
 bin/prep-platform.sh
 
-bastion_name="$(cd inception && terraform output bastion_name | jq -r)"
-bastion_zone="$(cd inception && terraform output bastion_zone | jq -r)"
+bastion_name="$(cd inception && tofu output bastion_name | jq -r)"
+bastion_zone="$(cd inception && tofu output bastion_zone | jq -r)"
 export BASTION_USER="sa_$(cat ${CI_ROOT}/gcloud-creds.json  | jq -r '.client_id')"
 export ADDITIONAL_SSH_OPTS="-o StrictHostKeyChecking=no -i ${CI_ROOT}/login.ssh"
 

ci/tasks/helpers.sh

@@ -44,7 +44,7 @@ terraform {
 }
 EOF
 
-  terraform init
+  tofu init
   popd
 }
 
@@ -56,7 +56,7 @@ function write_users() {
 
 function cleanup_inception_key() {
   pushd bootstrap
-  inception_email=$(terraform output inception_sa | jq -r)
+  inception_email=$(tofu output inception_sa | jq -r)
   popd
   key_id="$(cat ./inception-sa-creds.json | jq -r '.private_key_id')"
   gcloud iam service-accounts keys delete "${key_id}" --iam-account="${inception_email}" --quiet

examples/gcp/README.md

@@ -40,7 +40,7 @@ EOF
 $ make bootstrap
 ```
 
-Executing `make bootstrap` will execute `terraform apply` in the `bootstrap` folder and also import the relevant resources into the `inception` phase - which will subsequently own the lifecycle of those resources.
+Executing `make bootstrap` will execute `tofu apply` in the `bootstrap` folder and also import the relevant resources into the `inception` phase - which will subsequently own the lifecycle of those resources.
 
 ## Inception phase
 

examples/gcp/bin/prep-inception.sh

@@ -4,11 +4,11 @@ set -eu
 
 pushd bootstrap
 
-terraform output > ../inception/terraform.tfvars
+tofu output > ../inception/terraform.tfvars
 
-inception_email=$(terraform output inception_sa | jq -r)
-tf_state_bucket_name=$(terraform output tf_state_bucket_name | jq -r)
-name_prefix=$(terraform output name_prefix | jq -r)
+inception_email=$(tofu output inception_sa | jq -r)
+tf_state_bucket_name=$(tofu output tf_state_bucket_name | jq -r)
+name_prefix=$(tofu output name_prefix | jq -r)
 
 popd
 
@@ -33,8 +33,8 @@ sleep 5
 
 terraform init
 
-terraform state show module.inception.google_project_iam_custom_role.inception_destroy || \
-  terraform apply \
+tofu state show module.inception.google_project_iam_custom_role.inception_destroy || \
+  tofu apply \
     -target module.inception.google_project_iam_custom_role.inception_make \
     -target module.inception.google_project_iam_custom_role.inception_destroy \
     -target module.inception.google_project_iam_member.inception_make \

examples/gcp/bin/prep-platform.sh

@@ -7,15 +7,15 @@ REPO_ROOT_DIR="${REPO_ROOT##*/}"
 
 pushd bootstrap
 
-tf_state_bucket_name=$(terraform output tf_state_bucket_name | jq -r)
-name_prefix=$(terraform output name_prefix | jq -r)
-gcp_project=$(terraform output gcp_project | jq -r)
+tf_state_bucket_name=$(tofu output tf_state_bucket_name | jq -r)
+name_prefix=$(tofu output name_prefix | jq -r)
+gcp_project=$(tofu output gcp_project | jq -r)
 
 popd
 
 pushd inception
 
-cluster_sa=$(terraform output cluster_sa | jq -r)
+cluster_sa=$(tofu output cluster_sa | jq -r)
 
 popd
 
@@ -37,5 +37,5 @@ node_service_account = "${cluster_sa}"
 destroyable_cluster = true
 EOF
 
-terraform init
+tofu init
 popd

examples/gcp/bin/prep-postgresql.sh

@@ -7,16 +7,16 @@ REPO_ROOT_DIR="${REPO_ROOT##*/}"
 
 pushd bootstrap
 
-tf_state_bucket_name=$(terraform output tf_state_bucket_name | jq -r)
-name_prefix=$(terraform output name_prefix | jq -r)
-gcp_project=$(terraform output gcp_project | jq -r)
+tf_state_bucket_name=$(tofu output tf_state_bucket_name | jq -r)
+name_prefix=$(tofu output name_prefix | jq -r)
+gcp_project=$(tofu output gcp_project | jq -r)
 
 popd
 
 pushd inception
 
-bastion_name="$(terraform output bastion_name | jq -r)"
-bastion_zone="$(terraform output bastion_zone | jq -r)"
+bastion_name="$(tofu output bastion_name | jq -r)"
+bastion_zone="$(tofu output bastion_zone | jq -r)"
 
 popd
 

examples/gcp/bin/prep-smoketest.sh

@@ -7,23 +7,23 @@ REPO_ROOT_DIR="${REPO_ROOT##*/}"
 
 pushd bootstrap
 
-tf_state_bucket_name=$(terraform output tf_state_bucket_name | jq -r)
-name_prefix=$(terraform output name_prefix | jq -r)
+tf_state_bucket_name=$(tofu output tf_state_bucket_name | jq -r)
+name_prefix=$(tofu output name_prefix | jq -r)
 
 popd
 
 pushd inception
 
-cluster_sa=$(terraform output cluster_sa | jq -r)
-bastion_name="$(terraform output bastion_name | jq -r)"
-bastion_zone="$(terraform output bastion_zone | jq -r)"
+cluster_sa=$(tofu output cluster_sa | jq -r)
+bastion_name="$(tofu output bastion_name | jq -r)"
+bastion_zone="$(tofu output bastion_zone | jq -r)"
 
 popd
 
 pushd platform
 
-cluster_endpoint=$(terraform output cluster_endpoint | jq -r)
-cluster_ca_cert="$(terraform output -json cluster_ca_cert | jq -r)"
+cluster_endpoint=$(tofu output cluster_endpoint | jq -r)
+cluster_ca_cert="$(tofu output -json cluster_ca_cert | jq -r)"
 
 popd
 

modules/inception/gcp/bastion-startup.tmpl

@@ -10,7 +10,12 @@ curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key --keyring /
 
 # Keep make and terraform the first items installed as they are needed
 # for testflight to complete
-apt-get update && apt-get install -y terraform make jq tree wget redis postgresql vault
+apt-get update && apt-get install -y make jq tree wget redis postgresql vault unzip gnupg
+
+curl --proto '=https' --tlsv1.2 -fsSL https://get.opentofu.org/install-opentofu.sh -o install-opentofu.sh \
+  && chmod +x install-opentofu.sh \
+  && ./install-opentofu.sh --install-method standalone --opentofu-version ${opentofu_version} \
+  && rm -f install-opentofu.sh
 
 cat <<EOF > /etc/profile.d/aliases.sh
 alias tf="terraform"

modules/inception/gcp/bastion.tf

@@ -1,13 +1,14 @@
 locals {
-  tag             = "${local.name_prefix}-bastion"
-  bria_version    = "0.1.106"
-  bitcoin_version = "25.2"
-  cepler_version  = "0.7.15"
-  lnd_version     = "0.18.0-beta"
-  kubectl_version = "1.30.4"
-  k9s_version     = "0.32.5"
-  bos_version     = "18.2.0"
-  kratos_version  = "0.11.1"
+  tag              = "${local.name_prefix}-bastion"
+  bria_version     = "0.1.106"
+  bitcoin_version  = "25.2"
+  cepler_version   = "0.7.15"
+  lnd_version      = "0.18.0-beta"
+  kubectl_version  = "1.30.4"
+  k9s_version      = "0.32.5"
+  bos_version      = "18.2.0"
+  kratos_version   = "0.11.1"
+  opentofu_version = "1.8.2"
 }
 data "google_compute_image" "bastion" {
   family      = local.bastion_image_family
@@ -56,6 +57,7 @@ resource "google_compute_instance" "bastion" {
     lnd_version : local.lnd_version
     bos_version : local.bos_version
     kratos_version : local.kratos_version
+    opentofu_version : local.opentofu_version
   })
 
   depends_on = [