AAP-46677-updated-terraform.py

changelogs/changelog.yaml

@@ -154,8 +154,8 @@ releases:
       - inventory/terraform_provider - Remove custom `read_config_data()` method (https://github.com/ansible-collections/cloud.terraform/pull/181).
       - inventory/terraform_state - Remove custom `read_config_data()` method (https://github.com/ansible-collections/cloud.terraform/pull/181).
       - inventory/terraform_state - Support for custom Terraform providers (https://github.com/ansible-collections/cloud.terraform/pull/146).
-      release_summary: This release includes bug fixes and new feature for the ``terraform_state``
-        inventory plugin.
+      release_summary: This release includes bug fixes and new feature for the ``terraform_state`` inventory plugin and ``terraform`` module plugin.
+
     fragments:
     - 161-bump-ansible-lint-version.yml
     - 20240527-roles-add-description.yml

changelogs/fragments/20250620-modules-terraform-update-workspace-logic.yml

@@ -0,0 +1,3 @@
+---
+minor_changes:
+  - modules/terraform - Updated Workspace Logic for TFC/TFE and CLI (https://github.com/ansible-collections/cloud.terraform/pull/194)

plugins/modules/terraform.py

@@ -49,7 +49,11 @@
     version_added: 1.0.0
   workspace:
     description:
-      - The terraform workspace to work with.
+    - If specified, this workspace will be used for all operations, provided it matches the workspace defined in the Terraform Cloud configuration.
+    - If the specified workspace does not match the one in the Terraform Cloud configuration, an error will be raised.
+    - If not specified, the module will attempt to determine the workspace from the Terraform Cloud configuration.
+    - If a workspace is set in the playbook but not defined in the Terraform Cloud configuration, an error will be raised.
+    - If no workspace is specified in both the playbook and the Terraform Cloud configuration, the module will default to using the Terraform CLI mode.
     type: str
     default: default
     version_added: 1.0.0
@@ -240,6 +244,18 @@
           unit_number: 3
     force_init: true
 
+- name: Using workspace from playbook for Terraform Cloud/Enterprise
+  cloud.terraform.terraform:
+    project_path: '{{ project_dir }}'
+    state: present
+    workspace: 'my_workspace' # workspace must match and exist in Terraform cloud configuration.
+
+- name: Auto-detect workspace from Terraform cloud configuration for Terraform Cloud/Enterprise
+  cloud.terraform.terraform:
+    project_path: '{{ project_dir }}'
+    state: present
+    # workspace parameter omitted - will be auto-detected from .tf files
+
 ### Example directory structure for plugin_paths example
 # $ tree /path/to/plugins_dir_1
 # /path/to/plugins_dir_1/
@@ -288,8 +304,9 @@
 
 import dataclasses
 import os
+import re
 import tempfile
-from typing import List
+from typing import List, Optional, Tuple
 
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.six import integer_types
@@ -312,6 +329,134 @@
 )
 
 
+def clean_tf_file(tf_content: str) -> str:
+    """
+    Removes all comments (inline '//' and '#', and block '/* ... */') and empty lines from Terraform file content.
+
+    Args:
+      tf_content (str): The raw content of a Terraform file.
+
+    Returns:
+      str: The cleaned Terraform file content with comments and empty lines removed.
+    """
+
+    def remove_multiline_comments(s: str) -> str:
+        """
+        Removes all multiline comments (/* ... */) from the given string.
+
+        Args:
+          s (str): The input string potentially containing multiline comments.
+
+        Returns:
+          str: The input string with all multiline comments removed.
+        """
+        pattern = re.compile(r"/\*.*?\*/", re.DOTALL)
+        return re.sub(pattern, "", s)
+
+    def remove_inline_comments(line: str) -> str:
+        """
+        Removes inline comments from a given line of text, preserving quoted strings.
+
+        This function scans the input line and removes any content following a '#' or '//' comment marker,
+        unless the marker appears within a quoted string (single or double quotes). Quoted strings are
+        preserved as-is, including any comment markers inside them.
+
+        Args:
+          line (str): The input line from which to remove inline comments.
+
+        Returns:
+          str: The line with inline comments removed, preserving quoted strings.
+        """
+        quote_open: Optional[str] = None  # None when no quote is open
+        result = ""
+        i = 0
+        length = len(line)
+        while i < length:
+            char = line[i]
+            if char in ('"', "'"):
+                if quote_open is None:
+                    quote_open = char  # opening quote
+                elif quote_open == char:
+                    quote_open = None  # closing quote
+                result += char
+            elif quote_open is None:
+                if i + 1 < length and line[i] == "/" and line[i + 1] == "/":
+                    break  # Start of '//' comment
+                elif line[i] == "#":
+                    break  # Start of '#' comment
+                else:
+                    result += char
+            else:
+                result += char
+            i += 1
+        return result.rstrip()
+
+    no_multiline = remove_multiline_comments(tf_content)
+
+    cleaned_lines = []
+    for line in no_multiline.splitlines():
+        stripped = remove_inline_comments(line)
+        if stripped.strip():
+            cleaned_lines.append(stripped)
+
+    return "\n".join(cleaned_lines)
+
+
+def extract_workspace_from_terraform_config(project_path: str) -> Tuple[Optional[str], str]:
+    """
+    Extract workspace configuration from Terraform files.
+
+    Returns:
+        Tuple of (workspace_name, terraform_offering)
+        - workspace_name: The workspace name found in cloud configuration, or None
+        - terraform_offering: "cloud" if cloud block found, "cli" otherwise
+    """
+    cloud_block_pattern = re.compile(r"cloud\s*{([^}]+)}", re.DOTALL | re.IGNORECASE)
+    workspaces_block_pattern = re.compile(r"workspaces\s*{([^}]+)}", re.DOTALL | re.IGNORECASE)
+    name_attr_pattern = re.compile(r'name\s*=\s*"([^"]+)"', re.IGNORECASE)
+
+    exclude_files = {"vars.tf", "var.tf", "provider.tf", "variables.tf", "outputs.tf"}
+
+    try:
+        if not os.path.exists(project_path):
+            return None, "cli"
+
+        for filename in os.listdir(project_path):
+            if filename.endswith(".tf") and filename not in exclude_files:
+                filepath = os.path.join(project_path, filename)
+                try:
+                    with open(filepath, "r", encoding="utf-8") as f:
+                        content = f.read()
+                    content = clean_tf_file(content)
+                    # Find the cloud {} block
+                    cloud_match = re.search(cloud_block_pattern, content)
+                    if cloud_match:
+                        cloud_content = cloud_match.group()
+
+                        # Find the workspaces {} block within the cloud block
+                        workspaces_match = re.search(workspaces_block_pattern, cloud_content)
+                        if workspaces_match:
+                            workspaces_content = workspaces_match.group()
+
+                            # Find the name attribute within the workspaces block
+                            name_match = re.search(name_attr_pattern, workspaces_content)
+                            if name_match:
+                                workspace_name = name_match.group(1)
+                                return workspace_name, "cloud"
+
+                        # If cloud block exists but no workspace name found, it's still cloud
+                        return None, "cloud"
+
+                except (IOError, UnicodeDecodeError):
+                    # Skip files that can't be read, continue with others
+                    continue
+
+    except OSError:
+        pass
+
+    return None, "cli"
+
+
 def is_attribute_sensitive_in_providers_schema(
     schemas: TerraformProviderSchemaCollection, resource: TerraformModuleResource, attribute: str
 ) -> bool:
@@ -493,6 +638,43 @@
     else:
         terraform_binary = module.get_bin_path("terraform", required=True)
 
+    cloud_workspace, terraform_offering = extract_workspace_from_terraform_config(project_path)
+
+    if terraform_offering == "cloud":
+        if cloud_workspace is None and workspace == "default":
+            module.fail_json(
+                msg=(
+                    "Terraform cloud configuration found, but no workspace defined. "
+                    "Please ensure the workspace is defined in your Terraform cloud configuration."
+                )
+            )
+        if cloud_workspace:
+            if workspace != "default" and workspace != cloud_workspace:
+                module.fail_json(
+                    msg=(
+                        f"Workspace configuration conflict: The playbook specifies workspace "
+                        f"'{workspace}', but the Terraform cloud configuration "
+                        f"specifies '{cloud_workspace}'. Please ensure they match or remove "
+                        f"the workspace parameter from the playbook to use the cloud configuration."
+                    )
+                )
+            final_workspace = cloud_workspace
+            module.log(f"Using workspace '{final_workspace}' from Terraform cloud configuration")
+        elif workspace != "default":
+            final_workspace = workspace
+            module.log(f"Using explicitly provided workspace '{final_workspace}' for Terraform cloud")
+        else:
+            final_workspace = "default"
+            module.log("Using default workspace for Terraform cloud configuration")
+    else:
+        final_workspace = workspace
+        if workspace == "default":
+            module.log("Using default workspace for Terraform CLI")
+        else:
+            module.log(f"Using explicitly provided workspace '{final_workspace}' for Terraform CLI")
+
+    workspace = final_workspace
+
     terraform = TerraformCommands(module.run_command, project_path, terraform_binary, computed_check_mode)
 
     checked_version = terraform.version()
@@ -525,11 +707,14 @@
             module.warn(e.message)
             workspace_ctx = TerraformWorkspaceContext(current="default", all=[])
 
-        if workspace_ctx.current != workspace:
-            if workspace not in workspace_ctx.all:
-                terraform.workspace(WorkspaceCommand.NEW, workspace)
-            else:
-                terraform.workspace(WorkspaceCommand.SELECT, workspace)
+        if terraform_offering == "cloud":
+            module.log("Terraform Cloud detected - workspace management handled by cloud configuration")
+        else:
+            if workspace_ctx.current != workspace:
+                if workspace not in workspace_ctx.all:
+                    terraform.workspace(WorkspaceCommand.NEW, workspace)
+                else:
+                    terraform.workspace(WorkspaceCommand.SELECT, workspace)
 
         variables_args = []
         if complex_vars:
@@ -607,7 +792,7 @@
                 needs_application=plan_file_needs_application,
             )
         except TerraformError as e:
-            if not computed_check_mode:
+            if not computed_check_mode and terraform_offering != "cloud":
                 if workspace_ctx.current != workspace:
                     terraform.workspace(WorkspaceCommand.SELECT, workspace_ctx.current)
             raise e
@@ -631,11 +816,11 @@
             workspace=workspace,
         )
 
-        # Restore the Terraform workspace found when running the module
-        if workspace_ctx.current != workspace:
-            terraform.workspace(WorkspaceCommand.SELECT, workspace_ctx.current)
-        if computed_state == "absent" and workspace != "default" and purge_workspace is True:
-            terraform.workspace(WorkspaceCommand.DELETE, workspace)
+        if terraform_offering != "cloud":
+            if workspace_ctx.current != workspace:
+                terraform.workspace(WorkspaceCommand.SELECT, workspace_ctx.current)
+            if computed_state == "absent" and workspace != "default" and purge_workspace is True:
+                terraform.workspace(WorkspaceCommand.DELETE, workspace)
 
         diff = dict(
             before=dataclasses.asdict(initial_state) if initial_state is not None else {},

tests/integration/targets/inventory_terraform_state_aws/templates/main.child.tf.j2

@@ -24,7 +24,7 @@ variable "child_group_id" {
 
 resource "aws_instance" "test_tiny" {
   ami           = var.child_ami_id
-  instance_type = "t3.micro"
+  instance_type = "t2.micro"
   subnet_id = var.child_subnet_id
   vpc_security_group_ids = [var.child_group_id]
 

tests/integration/targets/test_tfc/aliases

@@ -0,0 +1,2 @@
+disabled # Require a HCP configuration account
+cloud/aws

tests/integration/targets/test_tfc/files/main.tf.j2

@@ -0,0 +1,40 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.16"
+    }
+  }
+  required_version = ">= 1.10.0"
+  cloud {
+    organization = "{{ tfc_organization }}"
+    hostname     = "app.terraform.io"
+    token = "{{ hcp_token }}"
+    workspaces {
+      name = "{{ tfc_workspace }}"
+    }
+  }
+}
+
+provider "aws" {
+  region     = "{{ aws_region }}"
+  {% if aws_access_key and aws_secret_key %}
+  access_key = "{{ aws_access_key }}"
+  secret_key = "{{ aws_secret_key }}"
+  {% else %}
+  # Uses environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
+  {% endif %}
+}
+
+resource "aws_instance" "app_server_tf" {
+  ami           = "{{ ami_id }}"
+  instance_type = "t2.micro"
+
+  tags = {
+    Name = "Instance_Cloud_TF"
+  }
+}
+
+output "my_output" {
+  value = aws_instance.app_server_tf
+}