This topic demonstrates the basic procedures for creating and executing an OpenTofu plan service in Itential Automation Gateway (IAG).
Prerequisites
Before you begin, ensure you have:
- A Git repository containing the OpenTofu plan
- Familiarity with the iagctl create repository command
Create an OpenTofu service
Use the iagctl create service opentofu-plan command to create an OpenTofu plan service.
For more information on create commands, see iagctl create.
The following example creates an OpenTofu plan service in IAG called simple-tofu that uses a previously configured repository called gateway-resources. Specify the source repository in your create command using the --repository flag.
iagctl create service opentofu-plan simple-tofu --repository gateway-resources --working-dir opentofuplans
The gateway-resources directory has the following structure:
├── README.md
├── ansibleplaybooks
├── pythonscripts
├── opentofuplans
│ └── main.tf
Notice that the OpenTofu plan exists in a directory called opentofuplans, which is specified in the create command using the --working-dir flag.
Verify the OpenTofu plan service
You can view details about the OpenTofu plan service you created by running the describe command. For more information, see iagctl describe.
iagctl describe service simple-tofu
Output:
Name: simple-tofu
Repo Name: gateway-resources
Working Dir: opentofuplans
Vars:
Var Files:
Decorator:
Description:
Tags:
Execute an OpenTofu plan
You can execute an OpenTofu plan service in IAG using the run command to execute either apply or destroy.
Apply command
When you execute the apply command, IAG runs tofu init and tofu apply against the plan along with any additional configuration flags that you set as a part of the service.
In the gateway-resources directory example, the main.tf file defines a simple plan that creates a file on your machine.
variable "content" {
  type = string
}

variable "location" {
  type = string
}

resource "local_file" "foo" {
  content         = var.content
  filename        = var.location
  file_permission = "0644"
}
The plan requires two variables: content and location. You can supply these values using the --set flag.
You can restrict the inputs that a Python script accepts using decorators. For more information, see Using decorators.
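Input checks can also live in the plan itself. The following is an added example, not part of the Itential documentation or the gateway-resources repository: the same main.tf with OpenTofu validation blocks, so that values supplied through --set are checked before anything is written. The /tmp prefix and the 4096-character limit are assumptions chosen for illustration.

```hcl
# Added example: main.tf with input validation. The allowed directory (/tmp)
# and the size limit are illustrative assumptions, not values from the page.

variable "content" {
  type = string

  validation {
    # Bound the size of what a caller can write through --set content=...
    condition     = length(var.content) <= 4096
    error_message = "The content value must be 4096 characters or fewer."
  }
}

variable "location" {
  type = string

  validation {
    # Accept only a single file name directly under /tmp. The pattern allows
    # no path separators after the prefix, so subdirectories and ../
    # traversal are rejected, as are names that start with a dot.
    condition     = can(regex("^/tmp/[A-Za-z0-9][A-Za-z0-9._-]*$", var.location))
    error_message = "The location value must be a plain file name directly under /tmp."
  }
}

resource "local_file" "foo" {
  content         = var.content
  filename        = var.location
  file_permission = "0644"
}
```

With these blocks in place, a --set location value outside /tmp fails validation and local_file.foo is never created.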
You can also specify where to save the initial state file using the --state-out flag.
You can verify that a file has been created at the location specified using the location variable.
iagctl run service opentofu-plan apply simple-tofu --set content=hello --set location=/tmp/iagctlTest.txt --state-out @tofu.tfstate
Output:
Start Time: 2024-01-01T12:00:00Z
End Time: 2024-01-01T12:00:01Z
Elapsed Time: 1.372672s
Return Code: 0
Stdout:
Initializing the backend...
Initializing provider plugins...
- Finding latest version of hashicorp/local...
- Installing hashicorp/local v2.5.1...
- Installed hashicorp/local v2.5.1 (signed, key ID 0C0AF313E5FD9F80)
Providers are signed by their developers.
If you'd like to know more about provider signing, you can read about it here:
https://opentofu.org/docs/cli/plugins/signing/
OpenTofu has made some changes to the provider dependency selections recorded
in the .terraform.lock.hcl file. Review those changes and commit them to your
version control system if they represent changes you intended to make.
OpenTofu has been successfully initialized!
You may now begin working with OpenTofu. Try running "tofu plan" to see
any changes that are required for your infrastructure. All OpenTofu commands
should now work.
If you ever set or change modules or backend configuration for OpenTofu,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
OpenTofu used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+ create
OpenTofu will perform the following actions:
# local_file.foo will be created
+ resource "local_file" "foo" {
+ content = "hello"
+ content_base64sha256 = (known after apply)
+ content_base64sha512 = (known after apply)
+ content_md5 = (known after apply)
+ content_sha1 = (known after apply)
+ content_sha256 = (known after apply)
+ content_sha512 = (known after apply)
+ directory_permission = "0777"
+ file_permission = "0644"
+ filename = "/tmp/iagctlTest.txt"
+ id = (known after apply)
}
Plan: 1 to add, 0 to change, 0 to destroy.
local_file.foo: Creating...
local_file.foo: Creation complete after 0s [id=c3499c2729730a7f807efb8676a92dcb6f8a3f8f]
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
Stderr:
State File: {"check_results":null,"lineage":"f48d5e76-b162-ccd2-6670-e1cbc62cfaa6","outputs":{},"resources":[{"instances":[{"attributes":{"content":"example","content_base64":null,"content_base64sha256":"UNhY4JhezH9gQYqvDMWrWH9CwlcKiECVqejMrND2VFw=","content_base64sha512":"O7Eu2jwpjbXeJVl/VNkk8uF+eKJq2JU+2CGO5oLwu76QIeLzAJ0VLJEb8fJexoOpAnFBZnZ6+9jlvQ+wEk7Lig==","content_md5":"1a79a4d60de6718e8e5b326e338ae533","content_sha1":"c3499c2729730a7f807efb8676a92dcb6f8a3f8f","content_sha256":"50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c","content_sha512":"3bb12eda3c298db5de25597f54d924f2e17e78a26ad8953ed8218ee682f0bbbe9021e2f3009d152c911bf1f25ec683a902714166767afbd8e5bd0fb0124ecb8a","directory_permission":"0777","file_permission":"0644","filename":"/tmp/gatewayTest.txt","id":"c3499c2729730a7f807efb8676a92dcb6f8a3f8f","sensitive_content":null,"source":null},"schema_version":0,"sensitive_attributes":[]}],"mode":"managed","name":"foo","provider":"provider[\"registry.opentofu.org/hashicorp/local\"]","type":"local_file"}],"serial":1,"terraform_version":"1.6.2","version":4}
Destroy command
When you execute the run opentofu-plan destroy command, IAG runs tofu init and tofu destroy against the plan along with any additional configuration flags that you set as a part of the service.
To delete the file that was created in the previous apply command, use the following syntax:
iagctl run service opentofu-plan destroy simple-tofu --set content=hello --set location=/tmp/iagctlTest.txt --state @tofu.tfstate
The --state flag passes in a state file that IAG reads from and writes to when executing the plan.
You can also use the following syntax to pass in the state file:
iagctl run service opentofu-plan destroy simple-tofu --set content=hello --set location=/tmp/toreroTest.txt --state '{"check_results":null,"lineage":"f48d5e76-b162-ccd2-6670-e1cbc62cfaa6","outputs":{},"resources":[{"instances":[{"attributes":{"content":"example","content_base64":null,"content_base64sha256":"UNhY4JhezH9gQYqvDMWrWH9CwlcKiECVqejMrND2VFw=","content_base64sha512":"O7Eu2jwpjbXeJVl/VNkk8uF+eKJq2JU+2CGO5oLwu76QIeLzAJ0VLJEb8fJexoOpAnFBZnZ6+9jlvQ+wEk7Lig==","content_md5":"1a79a4d60de6718e8e5b326e338ae533","content_sha1":"c3499c2729730a7f807efb8676a92dcb6f8a3f8f","content_sha256":"50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c","content_sha512":"3bb12eda3c298db5de25597f54d924f2e17e78a26ad8953ed8218ee682f0bbbe9021e2f3009d152c911bf1f25ec683a902714166767afbd8e5bd0fb0124ecb8a","directory_permission":"0777","file_permission":"0644","filename":"/tmp/gatewayTest.txt","id":"c3499c2729730a7f807efb8676a92dcb6f8a3f8f","sensitive_content":null,"source":null},"schema_version":0,"sensitive_attributes":[]}],"mode":"managed","name":"foo","provider":"provider[\"registry.opentofu.org/hashicorp/local\"]","type":"local_file"}],"serial":1,"terraform_version":"1.6.2","version":4}'
Learn more
For more information on the following related operations, see the Command Reference.
- iagctl create service opentofu-plan
- iagctl run service opentofu-plan
- iagctl get services
- iagctl describe service
- iagctl delete service