From 729a0dbb9d7c24c514902335e76280352622ecae Mon Sep 17 00:00:00 2001 From: Daniel Flook Date: Sat, 28 Dec 2024 18:28:55 +0000 Subject: [PATCH 1/9] Earl eval --- .github/workflows/test-early-eval.yaml | 22 ++++++++++ image/actions.sh | 13 +++++- image/entrypoints/test.sh | 5 +-- .../test-plan/early-eval/tofu/main.tf | 42 +++++++++++++++++++ .../early-eval/tofu/terraform.tfvars | 1 + 5 files changed, 78 insertions(+), 5 deletions(-) create mode 100644 .github/workflows/test-early-eval.yaml create mode 100644 tests/workflows/test-plan/early-eval/tofu/main.tf create mode 100644 tests/workflows/test-plan/early-eval/tofu/terraform.tfvars diff --git a/.github/workflows/test-early-eval.yaml b/.github/workflows/test-early-eval.yaml new file mode 100644 index 00000000..91209364 --- /dev/null +++ b/.github/workflows/test-early-eval.yaml @@ -0,0 +1,22 @@ +name: Test OpenTofu early eval + +on: + - pull_request + +permissions: + contents: read + +jobs: + plan: + runs-on: ubuntu-24.04 + name: Plan with early eval + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: terraform plan + uses: ./terraform-plan + with: + path: tests/workflows/test-plan/early-eval/tofu diff --git a/image/actions.sh b/image/actions.sh index 35624948..554e69f4 100644 --- a/image/actions.sh +++ b/image/actions.sh @@ -217,6 +217,12 @@ function set-init-args() { done fi + if [[ -v OPENTOFU && $TERRAFORM_VER_MINOR -ge 8 ]]; then + debug "Preparing variables for early evaluation" + set-variable-args + INIT_ARGS="$INIT_ARGS $VARIABLE_ARGS" + fi + export INIT_ARGS } @@ -360,6 +366,8 @@ function set-common-plan-args() { } function set-variable-args() { + VARIABLE_ARGS="" + if [[ -n "$INPUT_VAR_FILE" ]]; then for file in $(echo "$INPUT_VAR_FILE" | tr ',' '\n'); do 
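Review bot: In `image/actions.sh`, the new guard in `set-init-args` compares only `$TERRAFORM_VER_MINOR -ge 8`, so a later OpenTofu major release with a low minor number (2.0, say) would silently stop passing the var files to `init`, and a backend or encryption block that reads variables would presumably then fail. If the script also records the major version (not visible in this hunk), the condition should take it into account. `set-variable-args` has an `exit 1` path inside its var-file loop, so that failure now surfaces during init rather than plan; a comment such as `# OpenTofu >= 1.8 evaluates variables in backend/module/encryption blocks, so init needs the var files` would explain why the call is here. The body of `set-init-args` starts outside the hunk.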
@@ -368,13 +376,13 @@ function set-variable-args() { exit 1 fi - PLAN_ARGS="$PLAN_ARGS -var-file=$(relative_to "$INPUT_PATH" "$file")" + VARIABLE_ARGS="$VARIABLE_ARGS -var-file=$(relative_to "$INPUT_PATH" "$file")" done fi if [[ -n "$INPUT_VARIABLES" ]]; then echo "$INPUT_VARIABLES" >"$STEP_TMP_DIR/variables.tfvars" - PLAN_ARGS="$PLAN_ARGS -var-file=$STEP_TMP_DIR/variables.tfvars" + VARIABLE_ARGS="$VARIABLE_ARGS -var-file=$STEP_TMP_DIR/variables.tfvars" fi } @@ -388,6 +396,7 @@ function set-plan-args() { fi set-variable-args + PLAN_ARGS="$PLAN_ARGS $VARIABLE_ARGS" export PLAN_ARGS } diff --git a/image/entrypoints/test.sh b/image/entrypoints/test.sh index 1a58a8e3..d21cc55a 100755 --- a/image/entrypoints/test.sh +++ b/image/entrypoints/test.sh @@ -30,11 +30,11 @@ function set-test-args() { function test() { - debug_log $TOOL_COMMAND_NAME test -no-color $TEST_ARGS '$PLAN_ARGS' # don't expand PLAN_ARGS + debug_log $TOOL_COMMAND_NAME test -no-color $TEST_ARGS '$VARIABLE_ARGS' # don't expand VARIABLE_ARGS set +e # shellcheck disable=SC2086 - (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME test -no-color $TEST_ARGS $PLAN_ARGS) \ + (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME test -no-color $TEST_ARGS $VARIABLE_ARGS) \ 2>"$STEP_TMP_DIR/terraform_test.stderr" \ | tee /dev/fd/3 \ >"$STEP_TMP_DIR/terraform_test.stdout" @@ -59,7 +59,6 @@ function test() { } set-test-args -PLAN_ARGS="" set-variable-args test diff --git a/tests/workflows/test-plan/early-eval/tofu/main.tf b/tests/workflows/test-plan/early-eval/tofu/main.tf new file mode 100644 index 00000000..6d0105b4 --- /dev/null +++ b/tests/workflows/test-plan/early-eval/tofu/main.tf 
@@ -0,0 +1,42 @@ +terraform { + backend "s3" { + bucket = var.state_bucket + key = "test-plan-early-eval" + region = "eu-west-2" + } +} + +variable "state_bucket" { + type = string +} + +variable "acm_certificate_version" { + type = string + default = "4.3.0" +} + +variable "passphrase" { + type = string + sensitive = true +} + +module "s3-bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = var.acm_certificate_version +} + +terraform { + encryption { + key_provider "pbkdf2" "my_passphrase" { + passphrase = var.passphrase + } + + method "aes_gcm" "my_method" { + keys = key_provider.pbkdf2.my_passphrase + } + + state { + method = method.aes_gcm.my_method + } + } +} \ No newline at end of file diff --git a/tests/workflows/test-plan/early-eval/tofu/terraform.tfvars b/tests/workflows/test-plan/early-eval/tofu/terraform.tfvars new file mode 100644 index 00000000..7f3ce5bc --- /dev/null +++ b/tests/workflows/test-plan/early-eval/tofu/terraform.tfvars @@ -0,0 +1 @@ +state_bucket = "terraform-github-actions" \ No newline at end of file From 768d2dc6c100c3e0000bb1aa4d4383fa460e70e0 Mon Sep 17 00:00:00 2001 From: Daniel Flook Date: Sat, 28 Dec 2024 18:31:41 +0000 Subject: [PATCH 2/9] Earl eval --- .github/workflows/test-early-eval.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/test-early-eval.yaml b/.github/workflows/test-early-eval.yaml index 91209364..9668e9b5 100644 --- a/.github/workflows/test-early-eval.yaml +++ b/.github/workflows/test-early-eval.yaml @@ -20,3 +20,5 @@ jobs: uses: ./terraform-plan with: path: tests/workflows/test-plan/early-eval/tofu + variables: | + passphrase = "tofu" From 71a857a24627a50f20cb995dafe04bc56345a82b Mon Sep 17 00:00:00 2001 From: Daniel Flook Date: Sat, 28 Dec 2024 19:38:50 +0000 Subject: [PATCH 3/9] Earl eval --- .github/workflows/test-early-eval.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
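Review bot: In `tests/workflows/test-plan/early-eval/tofu/main.tf`, the variable `acm_certificate_version` supplies the `version` of the `s3-bucket` module, so its name looks copied from another fixture and misleads a reader; a name like `s3_bucket_module_version` would match its use. The file would also benefit from a short header comment saying that the backend bucket, the module version and the encryption passphrase are each set from variables on purpose, to exercise early evaluation during init. The `passphrase` variable is marked `sensitive = true`, but the test workflow supplies it as a literal, so a comment stating that it is a test-only value would keep it from being mistaken for a real secret.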
diff --git a/.github/workflows/test-early-eval.yaml b/.github/workflows/test-early-eval.yaml index 9668e9b5..25757402 100644 --- a/.github/workflows/test-early-eval.yaml +++ b/.github/workflows/test-early-eval.yaml @@ -17,7 +17,7 @@ jobs: persist-credentials: false - name: terraform plan - uses: ./terraform-plan + uses: ./tofu-plan with: path: tests/workflows/test-plan/early-eval/tofu variables: | From 94a69174af173c23c44d4834cbfa3afca55fdc09 Mon Sep 17 00:00:00 2001 From: Daniel Flook Date: Sat, 28 Dec 2024 19:50:09 +0000 Subject: [PATCH 4/9] longer passphrase --- .github/workflows/test-early-eval.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-early-eval.yaml b/.github/workflows/test-early-eval.yaml index 25757402..054c9ea4 100644 --- a/.github/workflows/test-early-eval.yaml +++ b/.github/workflows/test-early-eval.yaml @@ -21,4 +21,4 @@ jobs: with: path: tests/workflows/test-plan/early-eval/tofu variables: | - passphrase = "tofu" + passphrase = "tofuqwertyuiopasdfgh" From bc0ecb40c014988185618a33ea60291c3b8d02d4 Mon Sep 17 00:00:00 2001 From: Daniel Flook Date: Sat, 28 Dec 2024 23:41:51 +0000 Subject: [PATCH 5/9] credentials --- .github/workflows/test-early-eval.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/test-early-eval.yaml b/.github/workflows/test-early-eval.yaml index 054c9ea4..8d02a8ad 100644 --- a/.github/workflows/test-early-eval.yaml +++ b/.github/workflows/test-early-eval.yaml @@ -18,6 +18,9 @@ jobs: - name: terraform plan uses: ./tofu-plan + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} with: path: tests/workflows/test-plan/early-eval/tofu variables: | From a271ae94045f5513db497d9b09a438e2cb3596dd Mon Sep 17 00:00:00 2001 
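Review bot: The `env:` block added to the `terraform plan` step in `.github/workflows/test-early-eval.yaml` hands long-lived AWS keys to a job that is triggered by `pull_request` and runs the action from the checked-out branch (`uses: ./tofu-plan`), so the code under review executes with those credentials. Nothing visible here shows how the IAM user is scoped; it should be limited to what a plan needs on the test state bucket, and short-lived credentials obtained through GitHub OIDC role assumption would remove the stored keys altogether. Pull requests from forks do not receive repository secrets, so this job will fail for them unless it is skipped, e.g. `if: github.event.pull_request.head.repo.full_name == github.repository`. A comment such as `# test-only credentials, restricted to the state bucket` on the `env:` block would record the intent.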
From: Daniel Flook Date: Sun, 29 Dec 2024 10:59:24 +0000 Subject: [PATCH 6/9] pass variables to workspace select --- image/actions.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/image/actions.sh b/image/actions.sh index 554e69f4..c5ca421d 100644 --- a/image/actions.sh +++ b/image/actions.sh @@ -305,9 +305,9 @@ function init-backend-default-workspace() { function select-workspace() { local WORKSPACE_EXIT - debug_log $TOOL_COMMAND_NAME workspace select "$INPUT_WORKSPACE" + debug_log $TOOL_COMMAND_NAME workspace select '$VARIABLE_ARGS' "$INPUT_WORKSPACE" # don't expand VARIABLE_ARGS set +e - (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace select "$INPUT_WORKSPACE") >"$STEP_TMP_DIR/workspace_select" 2>&1 + (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace select "$VARIABLE_ARGS" "$INPUT_WORKSPACE") >"$STEP_TMP_DIR/workspace_select" 2>&1 WORKSPACE_EXIT=$? set -e From 9ab57d3e8b02350dd6fe45691d3e3d84fe2a604e Mon Sep 17 00:00:00 2001 From: Daniel Flook Date: Sun, 29 Dec 2024 17:07:25 +0000 Subject: [PATCH 7/9] pass variables to workspace select --- image/actions.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/image/actions.sh b/image/actions.sh index c5ca421d..2ba276c7 100644 --- a/image/actions.sh +++ b/image/actions.sh @@ -217,9 +217,10 @@ function set-init-args() { done fi + set-variable-args + if [[ -v OPENTOFU && $TERRAFORM_VER_MINOR -ge 8 ]]; then debug "Preparing variables for early evaluation" - set-variable-args INIT_ARGS="$INIT_ARGS $VARIABLE_ARGS" fi 
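Review bot: In `select-workspace` (`image/actions.sh`), `"$VARIABLE_ARGS"` is double-quoted on the command line, so the tool receives exactly one argument whatever the variable holds: an empty string when no variables are set, or a single word such as ` -var-file=a -var-file=b` (leading space included) when there are several. Neither is parsed as `-var-file` options, and the empty string is likely to be taken as an extra positional argument and make `workspace select` fail. The same quoting is kept in the later `select-workspace` hunks of patches 7/9 and 9/9. Because `VARIABLE_ARGS` is built as a space-joined string, it has to be expanded unquoted the way `image/entrypoints/test.sh` does: `# shellcheck disable=SC2086` followed by `(cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace select $VARIABLE_ARGS "$INPUT_WORKSPACE")`.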
@@ -305,9 +306,9 @@ function init-backend-default-workspace() { function select-workspace() { local WORKSPACE_EXIT - debug_log $TOOL_COMMAND_NAME workspace select '$VARIABLE_ARGS' "$INPUT_WORKSPACE" # don't expand VARIABLE_ARGS + debug_log $TOOL_COMMAND_NAME '$VARIABLE_ARGS' workspace select "$INPUT_WORKSPACE" # don't expand VARIABLE_ARGS set +e - (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace select "$VARIABLE_ARGS" "$INPUT_WORKSPACE") >"$STEP_TMP_DIR/workspace_select" 2>&1 + (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME "$VARIABLE_ARGS" workspace select "$INPUT_WORKSPACE") >"$STEP_TMP_DIR/workspace_select" 2>&1 WORKSPACE_EXIT=$? set -e From 8a6e1e4f063d2b11d59e51391a8ecd0222f353e2 Mon Sep 17 00:00:00 2001 From: Daniel Flook Date: Sun, 29 Dec 2024 17:36:32 +0000 Subject: [PATCH 8/9] pass variables to workspace select --- image/actions.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/image/actions.sh b/image/actions.sh index 2ba276c7..5b7b06e2 100644 --- a/image/actions.sh +++ b/image/actions.sh @@ -217,11 +217,12 @@ function set-init-args() { done fi - set-variable-args - if [[ -v OPENTOFU && $TERRAFORM_VER_MINOR -ge 8 ]]; then debug "Preparing variables for early evaluation" + set-variable-args INIT_ARGS="$INIT_ARGS $VARIABLE_ARGS" + else + VARIABLE_ARGS="" fi export INIT_ARGS From fe211edc31cf604452611d5c8099c98ac5274f7f Mon Sep 17 00:00:00 2001 From: Daniel Flook Date: Sun, 29 Dec 2024 19:06:33 +0000 Subject: [PATCH 9/9] pass variables to workspace select --- image/actions.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/image/actions.sh b/image/actions.sh index 5b7b06e2..c4e3ee10 100644 --- a/image/actions.sh +++ b/image/actions.sh 
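Review bot: With the `else VARIABLE_ARGS=""` branch added to `set-init-args` in patch 8/9, `VARIABLE_ARGS` carries two meanings: the early-evaluation arguments that `select-workspace` reads, and the plan arguments that `set-plan-args` rebuilds by calling `set-variable-args` again. Whether `select-workspace` sees an empty or a populated value therefore depends on which setter ran last, which is not visible from these hunks and is easy to break in a later change. A separate variable for the init-time copy, e.g. `EARLY_VARIABLE_ARGS="$VARIABLE_ARGS"` inside the `if` and `EARLY_VARIABLE_ARGS=""` in the `else`, would make `select-workspace` independent of call order. The body of `set-init-args` starts outside the hunk.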
@@ -307,9 +307,9 @@ function init-backend-default-workspace() { function select-workspace() { local WORKSPACE_EXIT - debug_log $TOOL_COMMAND_NAME '$VARIABLE_ARGS' workspace select "$INPUT_WORKSPACE" # don't expand VARIABLE_ARGS + debug_log $TOOL_COMMAND_NAME workspace select "$VARIABLE_ARGS" "$INPUT_WORKSPACE" # don't expand VARIABLE_ARGS set +e - (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME "$VARIABLE_ARGS" workspace select "$INPUT_WORKSPACE") >"$STEP_TMP_DIR/workspace_select" 2>&1 + (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace select "$VARIABLE_ARGS" "$INPUT_WORKSPACE") >"$STEP_TMP_DIR/workspace_select" 2>&1 WORKSPACE_EXIT=$? set -e
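Review bot: The `debug_log` line in `select-workspace` now expands `"$VARIABLE_ARGS"` while its trailing comment still says `# don't expand VARIABLE_ARGS`; the earlier revisions of this line and `image/entrypoints/test.sh` log the literal `'$VARIABLE_ARGS'` instead. Either restore the single quotes, `debug_log $TOOL_COMMAND_NAME workspace select '$VARIABLE_ARGS' "$INPUT_WORKSPACE"`, or drop the comment if logging the var-file paths is intended. The single-quoted form appears to be deliberate, keeping the temporary tfvars path out of the debug output, so the comment and the code should agree on which behaviour is wanted.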