Upgrading from previous releases
From 0.x or 1.x to 2.0
The upgrade only affects terraform usage.
In the older version there were two extensions: terraform and terraformSourceSets.
These have now been consolidated into one, just called terraform.
The source sets are available as terraform.sourceSets.
If you previously had
terraform {
    executable version : '1.10.3'
}
terraformSourceSets {
    main {
        variables {
            var 'myVar', '123'
        }
    }
}
change it to look like the following:
terraform {
    toolchains {
        standard { // (1)
            executableByVersion('1.10.3')
        }
    }
    sourceSets { // (2)
        main {
            variables {
                var 'myVar', '123'
            }
        }
    }
}
(1) Name of the default toolchain. If you did not supply a version before and just relied on the default terraform version, you do not even have to add the toolchains block.
(2) Simply move your terraformSourceSets block inside the terraform block and rename it to sourceSets.
Remote state variable
If you injected remote state before using
terraformSourceSets {
    main {
        remote {
            remoteStateVar = true
        }
    }
}
change it to
terraform {
    sourceSets {
        main {
            variables {
                remoteStateMap {
                    injectVar = true
                }
            }
        }
    }
}
AWS secrets
It is possible to pass AWS authentication with or without assumed roles. For Terraform & OpenTofu the latter approach is not recommended; it is better to configure providers or terraform_remote_state data sources to assume roles. However, if you did the latter before, it can still be done.
Without assumed roles
If you used the org.ysb33r.terraform.aws plugin, remove it completely.
Replace the aws extension
terraformSourceSets {
    main {
        aws {
        }
    }
}
with secrets.
import org.ysb33r.gradle.iac.base.secrets.AwsSecrets

terraform {
    secrets {
        awsAcct1(AwsSecrets) { // (1)
            useAccessKeyId('1234567890')
            useSecretAccessKey('abcdefghijklmn')
        }
    }
    sourceSets {
        main {
            fromSecretsProvider(opentofu.secrets.awsAcct1) // (2)
        }
    }
    backends { // (3)
        s3(S3Backend) {
            fromSecretsProvider(opentofu.secrets.awsAcct1) // (4)
        }
    }
}
(1) You can also set a profile to use instead of supplying credentials. Credentials can be read from providers.
(2) Place the correct environment variables at the time the tool executes.
(3) If you are using the S3 backend for remote state, you can pass the same credentials to the backend.
See AWS Secrets for more details.
With assumed roles
If you used the org.ysb33r.terraform.aws plugin, replace it with org.ysb33r.iac.aws.assumerole.
You’ll probably have something like the following for an assumed-role setup.
terraformSourceSets {
    main {
        aws {
            useAwsCredentialsFromEnvironmentForAssumeRole {
                roleArn = 'arn:.......'
                region = 'us-east-1'
                sessionName = 'my-session-name'
                durationSeconds = 240
            }
        }
    }
}
You can replace it with
import org.ysb33r.gradle.iac.aws.secrets.AwsAssumeRoleSecrets

terraform {
    secrets {
        awsAcct1(AwsAssumeRoleSecrets) {
            useAccessKeyId('1234567890') // (1)
            useSecretAccessKey('abcdefghijklmn')
            useRoleArn('arn:.......')
            useRegion('us-east-1')
            durationSeconds = 240
        }
    }
    sourceSets {
        main {
            fromSecretsProvider(opentofu.secrets.awsAcct1) // (2)
        }
    }
    backends { // (3)
        s3(S3Backend) {
            fromSecretsProvider(opentofu.secrets.awsAcct1) // (4)
        }
    }
}
(1) Credentials can be read from providers.
(2) Place the correct environment variables at the time the tool executes.
(3) If you are using the S3 backend for remote state, you can pass the same credentials to the backend.
Non-source set variables
If you had any of these
terraform {
    variables {
        var 'foo', 'bar' // (1)
    }
}
tfPlan {
    terraform {
        variables {
            var 'foo', 'bar' // (2)
            global.ignore = true // (3)
            sourceSet.ignore = true // (4)
        }
    }
}
(1) A legacy global terraform variable.
(2) A legacy way to have a task-specific terraform variable.
(3) The legacy way to ignore any global terraform variables.
(4) The legacy way to ignore any source set-specific terraform variables.
If you want to use a set of variables that apply to all of your sets, you can change your code to
terraform {
    sourceSets.all {
        variables {
            var 'foo', 'bar'
        }
    }
}
Task-specific variables are no longer supported. They were always an edge case, rarely used, and do not really make sense within a source set, as all the tasks associated with a specific source set should have exactly the same set of variables.
These are no longer supported.
By default, there are no global variables.
If you need global variables, then you can explicitly use the .all method.
You cannot ignore source set variables within a task or a group of tasks.
The Terraform Cloud plugin
The org.ysb33r.terraform.remotestate.terraformcloud plugin has been dropped.
If you need to configure the legacy Terraform Cloud backend, see Legacy Terraform Cloud Backend.
The Gitlab Plugin
The org.ysb33r.terraform.gitlab plugin has been dropped.
If you used that to manage Gitlab tokens, please see Gitlab Secrets, which provides a better way of managing secrets.
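A small checker for the legacy constructs from this guide that can be spotted one line at a time, added here as an example and not part of the plugin or its documentation. The rule table uses only names that appear on this page; the literal-credential rule, the function name `scan` and the sample build script are constructed for illustration.

```python
import re

# Legacy 0.x/1.x constructs named in the upgrade guide -> what 2.0 expects instead.
LEGACY_RULES = [
    (r"\bterraformSourceSets\b", "move block into terraform { sourceSets { } }"),
    (r"\bexecutable\s+version\s*:", "use toolchains { standard { executableByVersion() } }"),
    (r"\bremoteStateVar\b", "use variables { remoteStateMap { injectVar = true } }"),
    (r"\buseAwsCredentialsFromEnvironmentForAssumeRole\b",
     "declare an AwsAssumeRoleSecrets entry under secrets { }"),
    (r"\b(?:global|sourceSet)\.ignore\b", "unsupported; share variables via sourceSets.all"),
    (r"org\.ysb33r\.terraform\.aws\b", "remove, or use org.ysb33r.iac.aws.assumerole"),
    (r"org\.ysb33r\.terraform\.remotestate\.terraformcloud\b", "plugin dropped"),
    (r"org\.ysb33r\.terraform\.gitlab\b", "plugin dropped"),
]
# Added hygiene check: a quoted literal handed straight to a credential setter.
LITERAL_SECRET = re.compile(r"\buse(?:AccessKeyId|SecretAccessKey)\(\s*['\"]")


def scan(text):
    """Return (line_number, kind, advice) for each finding in a build script."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split("//", 1)[0]  # crude: drop trailing // comments
        for pattern, advice in LEGACY_RULES:
            if re.search(pattern, code):
                findings.append((lineno, "legacy", advice))
        if LITERAL_SECRET.search(code):
            findings.append((lineno, "literal-credential", "read it from a provider"))
    return findings


# Constructed sample build.gradle fragment (not from a real project).
SAMPLE = """\
plugins { id 'org.ysb33r.terraform.aws' version 'X.Y.Z' }
terraform { executable version : '1.10.3' }
terraformSourceSets {
    main { remote { remoteStateVar = true } }
}
terraform {
    secrets {
        awsAcct1(AwsSecrets) { useAccessKeyId('1234567890') }
    }
    sourceSets { main { } }  // already 2.0 style
}
"""

if __name__ == "__main__":
    for lineno, kind, advice in scan(SAMPLE):
        print(f"line {lineno}: [{kind}] {advice}")
```

Constructs that need block structure to recognise, such as a variables block directly under terraform or inside a task, are outside what this line-based scan detects.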