Use OpenTofu to have single .tfvars files for each environment, rather than nested modules

.github/dependabot.yml

@@ -27,29 +27,13 @@ updates:
     target-branch: dev
 
   - package-ecosystem: terraform
-    directory: '/terraform-iac/dev/app'
+    directories:
+      - '/terraform/app'
+      - '/terraform/setup'
     schedule:
       interval: daily
     target-branch: dev
 
-  - package-ecosystem: terraform
-    directory: '/terraform-iac/dev/setup'
-    schedule:
-      interval: daily
-    target-branch: dev
-
-#  - package-ecosystem: terraform
-#    directory: '/terraform-iac/modules/app'
-#    schedule:
-#      interval: daily
-#    target-branch: dev
-#
-#  - package-ecosystem: terraform
-#    directory: '/terraform-iac/modules/setup'
-#    schedule:
-#      interval: daily
-#    target-branch: dev
-
 # For each of these, requesting reviews from your team makes Dependabot PRs easier to find (https://github.com/pulls/review-requested)
 #   reviewers:
 #     - byu-oit/your-github-team

.github/workflows/ci-iac.yml

@@ -5,11 +5,11 @@ on:
     branches: [dev, stg, prd]
     types: [opened, reopened, synchronize, edited]
     paths:
-      - 'terraform-iac/**'
+      - 'terraform/**'
       - '.github/workflows/ci-iac.yml'
 
 env:
-  tf_version: "1.7.0" # must match value in terraform-iac/*/app/main.tf
+  tf_version: "1.8.0-alpha1" # must match value in terraform/app/main.tf
 
 jobs:
   env:
@@ -24,7 +24,6 @@ jobs:
             "env":[
               {
                 "environment_name":"dev",
-                "tf_working_dir":"./terraform-iac/dev/app",
                 "aws_account":"977306314792",
                 "aws_gha_role":"hw-fargate-api-dev-gha"
               }
@@ -39,7 +38,6 @@ jobs:
             "env":[
               {
                 "environment_name":"stg",
-                "tf_working_dir":"./terraform-iac/stg/app",
                 "aws_account":"977306314792",
                 "aws_gha_role":"hw-fargate-api-stg-gha"
               }
@@ -54,13 +52,11 @@ jobs:
             "env":[
               {
                 "environment_name":"prd",
-                "tf_working_dir":"./terraform-iac/prd/app",
                 "aws_account":"539738229445",
                 "aws_gha_role":"hw-fargate-api-prd-gha"
               },
               {
                 "environment_name":"cpy",
-                "tf_working_dir":"./terraform-iac/cpy/app",
                 "aws_account":"539738229445",
                 "aws_gha_role":"hw-fargate-api-cpy-gha"
               }
@@ -79,13 +75,13 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Terraform Setup
-        uses: hashicorp/setup-terraform@v3
+        uses: opentofu/setup-opentofu@v1
         with:
-          terraform_version: ${{ env.tf_version }}
+          tofu_version: ${{ env.tf_version }}
 
       - name: Terraform Format
-        working-directory: terraform-iac
-        run: terraform fmt -check -recursive
+        working-directory: terraform
+        run: tofu fmt -check -recursive
 
   plan:
     name: Terraform Plan / ${{ matrix.env.environment_name }}
@@ -111,31 +107,31 @@ jobs:
           aws-region: us-west-2
 
       - name: Terraform Setup
-        uses: hashicorp/setup-terraform@v3
+        uses: opentofu/setup-opentofu@v1
         with:
-          terraform_version: ${{ env.tf_version }}
+          tofu_version: ${{ env.tf_version }}
 
       - name: Terraform Init
-        working-directory: ${{ matrix.env.tf_working_dir }}
-        run: terraform init
+        working-directory: terraform/app
+        run: tofu init -var-file=${{ matrix.env.environment_name }}.tfvars
 
       - name: Terraform Plan
-        working-directory: ${{ matrix.env.tf_working_dir }}
-        run: terraform plan -var 'image_tag=ci_test' -input=false -out plan -lock=false
+        working-directory: terraform/app
+        run: tofu plan -var-file=${{ matrix.env.environment_name }}.tfvars -var 'image_tag=ci_test' -input=false -out plan -lock=false
 
       - name: Comment Terraform Plan
         uses: byu-oit/github-action-tf-plan-comment@v1
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
-          working-directory: ${{ matrix.env.tf_working_dir }}
+          working-directory: terraform/app
           terraform-plan-file: plan
 
       - name: Analyze Terraform Plan
         uses: byu-oit/github-action-tf-plan-analyzer@v2
         if: github.repository_owner == 'byu-oit'
         # If you're at BYU, but outside the byu-oit GitHub org, you may be able to obtain credentials by contacting [email protected]
         with:
-          working-directory: ${{ matrix.env.tf_working_dir }}
+          working-directory: terraform/app
           terraform-plan-file: plan
           divvycloud-username: ${{ secrets.DIVVYCLOUD_USERNAME }}
           divvycloud-password: ${{ secrets.DIVVYCLOUD_PASSWORD }}

.github/workflows/deploy.yml

@@ -10,7 +10,7 @@ on:
       - '.gitignore'
 env:
   node_version: "18.x"
-  tf_version: "1.7.0" # must match value in terraform-iac/*/app/main.tf
+  tf_version: "1.8.0-alpha1" # must match value in terraform/app/main.tf
   FORCE_COLOR: 3
 concurrency: ${{ github.ref }}
 jobs:
@@ -27,7 +27,6 @@ jobs:
               {
                 "environment_name":"dev",
                 "ecr_repo_name":"hw-fargate-api-dev",
-                "tf_working_dir":"./terraform-iac/dev/app",
                 "aws_account":"977306314792",
                 "aws_gha_role":"hw-fargate-api-dev-gha",
                 "rfc_key_name":"standard_change_sandbox_client_key",
@@ -46,7 +45,6 @@ jobs:
               {
                 "environment_name":"stg",
                 "ecr_repo_name":"hw-fargate-api-stg",
-                "tf_working_dir":"./terraform-iac/stg/app",
                 "aws_account":"977306314792",
                 "aws_gha_role":"hw-fargate-api-stg-gha",
                 "rfc_key_name":"standard_change_sandbox_client_key",
@@ -69,7 +67,6 @@ jobs:
               {
                 "environment_name":"prd",
                 "ecr_repo_name":"hw-fargate-api-prd",
-                "tf_working_dir":"./terraform-iac/prd/app",
                 "aws_account":"539738229445",
                 "aws_gha_role":"hw-fargate-api-prd-gha",
                 "rfc_key_name":"standard_change_sandbox_client_key",
@@ -79,7 +76,6 @@ jobs:
               {
                 "environment_name":"cpy",
                 "ecr_repo_name":"hw-fargate-api-cpy",
-                "tf_working_dir":"./terraform-iac/cpy/app",
                 "aws_account":"539738229445",
                 "aws_gha_role":"hw-fargate-api-cpy-gha",
                 "rfc_key_name":"standard_change_sandbox_client_key",
@@ -175,20 +171,20 @@ jobs:
           dockerfile: src/Dockerfile
 
   format:
-    name: Terraform Format
+    name: Tofu Format
     timeout-minutes: 3
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
 
-      - name: Terraform Setup
-        uses: hashicorp/setup-terraform@v3
+      - name: Tofu Setup
+        uses: opentofu/setup-opentofu@v1
         with:
-          terraform_version: ${{ env.tf_version }}
+          tofu_version: ${{ env.tf_version }}
 
-      - name: Terraform Format
-        working-directory: terraform-iac
-        run: terraform fmt -check -recursive
+      - name: Tofu Format
+        working-directory: terraform
+        run: tofu fmt -check -recursive
 
   build_and_deploy:
     name: Build and Deploy / ${{ matrix.env.environment_name }}
@@ -240,25 +236,25 @@ jobs:
           cache-to: type=gha,mode=max
 
       - name: Terraform Setup
-        uses: hashicorp/setup-terraform@v3
+        uses: opentofu/setup-opentofu@v1
         with:
-          terraform_version: ${{ env.tf_version }}
-          terraform_wrapper: false
+          tofu_version: ${{ env.tf_version }}
+          tofu_wrapper: false
 
       - name: Terraform Init
-        working-directory: ${{ matrix.env.tf_working_dir }}
-        run: terraform init
+        working-directory: terraform/app
+        run: tofu init -var-file=${{ matrix.env.environment_name }}.tfvars
 
       - name: Terraform Plan
-        working-directory: ${{ matrix.env.tf_working_dir }}
-        run: terraform plan -var 'image_tag=${{ steps.date.outputs.timestamp }}' -input=false -out=plan
+        working-directory: terraform/app
+        run: tofu plan -var-file=${{ matrix.env.environment_name }}.tfvars -var 'image_tag=${{ steps.date.outputs.timestamp }}' -input=false -out=plan
 
       - name: Analyze Terraform Plan
         uses: byu-oit/github-action-tf-plan-analyzer@v2
         if: github.repository_owner == 'byu-oit'
         # If you're at BYU, but outside the byu-oit GitHub org, you may be able to obtain credentials by contacting [email protected]
         with:
-          working-directory: ${{ matrix.env.tf_working_dir }}
+          working-directory: terraform/app
           terraform-plan-file: plan
           divvycloud-username: ${{ secrets.DIVVYCLOUD_USERNAME }}
           divvycloud-password: ${{ secrets.DIVVYCLOUD_PASSWORD }}
@@ -272,17 +268,17 @@ jobs:
           template-id: ${{ matrix.env.rfc_template_id }}
 
       - name: Terraform Apply
-        working-directory: ${{ matrix.env.tf_working_dir }}
-        run: terraform apply plan
+        working-directory: terraform/app
+        run: tofu apply plan
 
       - name: Get Terraform Outputs
         id: terraform-outputs
-        working-directory: ${{ matrix.env.tf_working_dir }}
+        working-directory: terraform/app
         run: |
-          echo "codedeploy_app_name=$(terraform output -raw codedeploy_app_name)" >> $GITHUB_OUTPUT
-          echo "codedeploy_deployment_group_name=$(terraform output -raw codedeploy_deployment_group_name)" >> $GITHUB_OUTPUT
-          echo "codedeploy_appspec_json_file=$(terraform output -raw codedeploy_appspec_json_file)" >> $GITHUB_OUTPUT
-          echo "url=$(terraform output -raw url)" >> $GITHUB_OUTPUT
+          echo "codedeploy_app_name=$(tofu output -raw codedeploy_app_name)" >> $GITHUB_OUTPUT
+          echo "codedeploy_deployment_group_name=$(tofu output -raw codedeploy_deployment_group_name)" >> $GITHUB_OUTPUT
+          echo "codedeploy_appspec_json_file=$(tofu output -raw codedeploy_appspec_json_file)" >> $GITHUB_OUTPUT
+          echo "url=$(tofu output -raw url)" >> $GITHUB_OUTPUT
 
       - name: CodeDeploy
         id: deploy

README.md

@@ -44,9 +44,9 @@ git commit -am "Update template with repo specific details"
 ### Deploy the "one time setup" resources
 
 ```sh
-cd terraform-iac/dev/setup/
-terraform init
-terraform apply
+cd terraform/setup/
+terraform init -backend-config=dev.s3.tfbackend
+terraform apply -var-file=dev.tfvars
 ```
 
 In the AWS Console, see if you can find the resources from `setup.tf` (ECR, SSM Param, IAM Role).
@@ -72,7 +72,6 @@ If you look at [`.github/workflows/deploy.yml`](.github/workflows/deploy.yml), y
 Anytime after the `Terraform Apply` step succeeds:
 ```sh
 cd ../app/
-terraform init
 terraform output
 ```
 

docker-compose.yml

@@ -7,7 +7,7 @@ services:
     volumes:
       - ~/.aws:/home/node/.aws # Use AWS credentials from host
     environment:
-      # Environment variables and secrets from primary_container_definition in terraform-iac/modules/app/main.tf
+      # Environment variables and secrets from primary_container_definition in terraform/app/main.tf
       DYNAMO_TABLE_NAME: hw-fargate-api-dev
       BUCKET_NAME: hw-fargate-api-dev
       SOME_SECRET: something