Migrate to OpenTofu and GHA

.github/workflows/deploy.yml

@@ -0,0 +1,60 @@
+name: Deploy to Production
+
+on:
+  push:
+    branches:
+      - master
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  id-token: write # required for AWS OIDC
+
+jobs:
+  apply:
+    environment: Production
+    timeout-minutes: 60
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Git Repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup OpenTofu
+        uses: opentofu/setup-opentofu@v1
+        with:
+          tofu_version: 1.8.6
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-east-1
+          role-to-assume: ${{ secrets.BACKEND_ROLE }}
+
+      - name: OpenTofu init
+        run: |
+          tofu init \
+              -backend-config="bucket=${{ secrets.BACKEND_BUCKET }}" \
+              -backend-config="dynamodb_table=${{ secrets.BACKEND_DDB_TABLE }}"
+
+      - name: OpenTofu validate
+        run: tofu validate
+
+      - name: OpenTofu plan
+        env:
+          OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }}
+          OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }}
+          # Legacy, pending new provider version
+          TF_VAR_application_credential_id: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }}
+          TF_VAR_application_credential_secret: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }}
+        run: tofu plan -out tfplan
+
+      - name: OpenTofu apply
+        env:
+          OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }}
+          OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }}
+          # Legacy, pending new provider version
+          TF_VAR_application_credential_id: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }}
+          TF_VAR_application_credential_secret: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }}
+        run: tofu apply tfplan

.github/workflows/pr.yml

@@ -0,0 +1,76 @@
+name: Run plan for PR
+
+on:
+  pull_request:
+    branches:
+      - master
+
+permissions:
+  contents: read
+  id-token: write # required for AWS OIDC
+  pull-requests: write # required for writing the PR comment
+
+jobs:
+  plan:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - name: Checkout Git Repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup OpenTofu
+        uses: opentofu/setup-opentofu@v1
+        with:
+          tofu_version: 1.8.6
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-east-1
+          role-to-assume: ${{ secrets.BACKEND_ROLE }}
+
+      - name: OpenTofu init
+        run: |
+          tofu init \
+              -backend-config="bucket=${{ secrets.BACKEND_BUCKET }}" \
+              -backend-config="dynamodb_table=${{ secrets.BACKEND_DDB_TABLE }}"
+
+      - name: OpenTofu validate
+        run: tofu validate
+
+      - name: OpenTofu plan
+        env:
+          OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }}
+          OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }}
+          # Legacy, pending new provider version
+          TF_VAR_application_credential_id: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }}
+          TF_VAR_application_credential_secret: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }}
+        run: tofu plan -out tfplan
+
+      - name: Get plan output for PR comment
+        id: plan
+        run: tofu show -no-color tfplan
+
+      - name: Update Pull Request
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const output = `<details><summary>Show OpenTofu Plan</summary>
+
+            \`\`\`\n
+            ${{ steps.plan.outputs.stdout }}
+            \`\`\`
+
+            </details>
+
+            *Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
+
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            })

app.tf

@@ -4,8 +4,7 @@ locals {
 }
 
 module "bluegreen" {
-  source  = "app.terraform.io/enwikipedia-acc/bluegreen/openstack"
-  version = "0.2.0"
+  source  = "github.com/enwikipedia-acc/terraform-openstack-bluegreen?ref=0.2.0"
 
   blue_dns_name       = "${local.blue_resource_prefix}.${data.openstack_dns_zone_v2.rootzone.name}"
   green_dns_name      = "${local.green_resource_prefix}.${data.openstack_dns_zone_v2.rootzone.name}"
@@ -15,7 +14,7 @@ module "bluegreen" {
 
 module "application-blue" {
   source = "github.com/enwikipedia-acc/terraform-openstack-waca-application"
-  # version = "0.0.0"
+
   count = module.bluegreen.blue_count
 
   dns_name        = module.bluegreen.blue_dns_name
@@ -34,7 +33,7 @@ module "application-blue" {
 
 module "application-green" {
   source = "github.com/enwikipedia-acc/terraform-openstack-waca-application"
-  # version = "0.0.0"
+
   count = module.bluegreen.green_count
 
   dns_name        = module.bluegreen.green_dns_name

main.tf

@@ -11,15 +11,12 @@ terraform {
     }
   }
 
-  cloud {
-    organization = "enwikipedia-acc"
-
-    workspaces {
-      name = "application"
-    }
+  backend "s3" {
+    key    = "workload/application.tfstate"
+    region = "us-east-1"
   }
 
-  required_version = "~> 1.5.0"
+  required_version = "~> 1.8.0"
 }
 
 provider "openstack" {