Does tfaction support terraform required_version specific pinning?

[dllegru]

Question

Does tfaction support specific terraform version pinning?

I'm evaluating tfaction, trying to run a terraform-plan.
I've terraform providers with locking version with required_version as:

terraform {
  required_version = "1.3.7"

  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "4.51.0"
    }
  }
}

Also I'm using .terraform-version

When running the setup step at suzuki-shunsuke/tfaction/[email protected] it is failing with the following error:

Initializing the backend...
╷
│ Error: Unsupported Terraform Core version
│ 
│   on providers.tf line 6, in terraform:
│    6:   required_version = "1.3.7"
│ 
│ This configuration does not support Terraform version 1.4.6. To proceed,
│ either choose another supported Terraform version or update this version
│ constraint. Version constraints are normally set for good reason, so
│ updating the constraint may lead to other errors or unexpected behavior.

Which leads me to think that tfaction does not support the terraform version pinning in my configuration.

The question I have then is does tfaction support specific terraform version pinning, or either I'm missing some part of config for it.

Background of the question

I want tfaction to run in the specific terraform pinned version I've declared on my providers section.

Example Code

GitHub Actions

name: terraform plan test

on: [push]

env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  TFACTION_IS_APPLY: "false"
permissions:
  id-token: write
  contents: read
  pull-requests: write
jobs:
  setup:
    runs-on: ubuntu-latest
    outputs:
      terraform_targets: ${{ steps.list-targets.outputs.terraform_targets }}
    steps:
      - uses: actions/checkout@v3
      - uses: aquaproj/[email protected]
        with:
          aqua_version: v2.8.0
      - uses: suzuki-shunsuke/tfaction/[email protected]
        id: list-targets

  terraform-plan:
    name: "terraform-plan (${{matrix.target.target}})"
    runs-on: ${{matrix.target.runs_on}}
    needs: setup
    # if services is empty, the build job is skipped
    if: "join(fromJSON(needs.setup.outputs.terraform_targets), '') != ''"
    strategy:
      fail-fast: false
      matrix:
        target: ${{fromJSON(needs.setup.outputs.terraform_targets)}}
    env:
      TFACTION_TARGET: ${{matrix.target.target}}
      TFACTION_JOB_TYPE: terraform
    steps:
      - uses: actions/checkout@v3

      # We recommend using GitHub App Token instead of personal access token,
      # but in this getting started let's use personal access token.
      # - name: Generate token
      #   id: generate_token
      #   uses: tibdex/github-app-token@v1
      #   with:
      #     app_id: ${{ secrets.APP_ID }}
      #     private_key: ${{ secrets.APP_PRIVATE_KEY }}

      - uses: aquaproj/[email protected]
        with:
          aqua_version: v2.8.0

      - uses: suzuki-shunsuke/tfaction/[email protected]
        with:
          secrets: ${{ toJSON(secrets) }}

      - uses: suzuki-shunsuke/tfaction/[email protected]
        id: setup
        with:
          github_app_token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
          # ssh_key: ${{ secrets.TERRAFORM_PRIVATE_MODULE_SSH_KEY }} # This isn't needed if you don't use SSH key to checkout private Terraform Modules

      - uses: suzuki-shunsuke/tfaction/[email protected]
        with:
          github_app_token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}

      - uses: suzuki-shunsuke/tfaction/[email protected]
        with:
          github_app_token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}

  # This job is used for branch protection rule
  # Add this job to `Status checks that are required`
  status-check:
    runs-on: ubuntu-latest
    needs: [terraform-plan, setup]
    if: failure()
    steps:
      - run: exit 1

tfaction-root.yaml

---
target_groups:
  - working_directory: domains/infrastructure
    target: domains/infrastructure
    gcs_bucket_name_tfmigrate_history: "tfaction-tf-plan-files"
    gcs_bucket_name_plan_file: "tfaction-tf-plan-files"
    terraform_plan_config:
      gcp_service_account: [email protected]
      gcp_workload_identity_provider: "projects/redacted/locations/global/workloadIdentityPools/github-actions/providers/github-actions"

tfaction.yaml

{}

Reference

[suzuki-shunsuke]

You can pin Terraform version using aqua.

https://github.com/suzuki-shunsuke/tfaction-example/blob/e8688924120f65c48839850a980feb241ac80dd8/aws/terraform-ci/aqua.yaml#L6

Then you can update Terraform by Renovate.

e.g. suzuki-shunsuke/tfaction-example#1727

--

If you'd like to pin Terraform by .terraform-version, you can use tfenv.
You can install tfenv using aqua.

e.g.

- name: tfutils/[email protected]

But as I said you can install Terraform by aqua without tfenv.
So I usually don't use tfenv.

--

I think required_version isn't mandatory, but if you pin Terraform by required_version, Renovate supports updating required_version.

https://docs.renovatebot.com/modules/manager/terraform/

So you can update Terraform (.terraform-version or aqua.yaml) and required_version together at the same pull request.

[dllegru]

Thanks for your help @suzuki-shunsuke , managed to make it work flawlessly now. I really like your suite, thanks for the good work 🙏