Update environment variables for OpenTofu state management and enhance documentation on encryption requirements (#190)

brettcurtis · web-flow · commit e3c59e43f245 · 2025-08-31T08:27:03.000-04:00
diff --git a/.github/workflows/plan-and-apply.yml b/.github/workflows/plan-and-apply.yml
@@ -51,8 +51,8 @@ permissions:
 env:
   # Early variable evaluation required for backend and provider configuration
 
-  TF_VAR_kms_encryption_key: ${{ inputs.opentofu_kms_encryption_key }}
   TF_VAR_state_bucket: ${{ inputs.opentofu_state_bucket }}
+  TF_VAR_state_kms_encryption_key: ${{ inputs.opentofu_kms_encryption_key }}
   TF_VAR_state_prefix: ${{ github.event.repository.name }}
 
   # If you use private modules you'll need this env variable to use
diff --git a/README.md b/README.md
@@ -20,6 +20,7 @@ Rather than copying and pasting from one workflow to another, you can make workf
 - [Dependencies cache](https://docs.github.com/en/actions/advanced-guides/caching-dependencies-to-speed-up-workflows)
 - [Job summaries](https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#adding-a-job-summary)
 - [OpenID connect in Google Cloud Platform](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform)
+- [OpenTofu state and plan encryption](https://opentofu.org/docs/language/state/encryption)
 
 ### Workflows
 
@@ -36,3 +37,25 @@ You can check the [.github/workflows](.github/workflows/) directory for example
 - [module-test.yml](.github/workflows/module-test.yml)
 
 These set up the system for the testing process by providing all the necessary initial code, thus creating good examples to base your configuration on.
+
+Since we use early variable evaluation for backend and provider configuration, consumers must ensure that the following variables are set in each respective `variables.tofu` file:
+
+```hcl
+# These three state_* variables are required for early variable evaluation for backend and provider configuration.
+# They are defined in the GitHub Actions called workflows and should NOT be set in the OpenTofu configuration.
+
+variable "state_bucket" {
+  description = "The name of the GCS bucket to store state files"
+  type        = string
+}
+
+variable "state_kms_encryption_key" {
+  description = "The KMS encryption key for state and plan files"
+  type        = string
+}
+
+variable "state_prefix" {
+  description = "The prefix for state files in the GCS bucket"
+  type        = string
+}
+```
