Spec: phpboyscout/cicd v0.7.2 — tofu-validate module cache

  • Repository: gitlab.com/phpboyscout/cicd
  • Released as: v0.7.2 (patch — additive cache: entry on one existing component; behaviour-preserving).
  • Driver: phpboyscout/infra's bootstrap-stack tofu-validate has been recurrently flaky because the bootstrap module's automation-iam submodule references two upstream terraform-aws-modules/iam GitHub-OIDC modules. These modules have count = 0 under ci_provider = "gitlab", so they're never applied — but tofu init still downloads every module source referenced by the config, and the homelab runner reaches registry.opentofu.org only flakily (IPv6 network unreachable / Client.Timeout). Companion to v0.6, which solved the same problem for providers.

Decisions

D1 — Cache .terraform/modules/ recursively

The tofu-validate component now declares a second cache entry beside the existing provider plugin cache:

cache:
  - key: tofu-plugin-cache
    paths: [.tofu-plugin-cache/]
  - key: tofu-module-cache
    paths: ["**/.terraform/modules/"]

**/.terraform/modules/ covers every stack the consumer validates (e.g. infra's bootstrap/ and src/). The key is static so every branch / MR / tag pipeline restores the same warm cache — modules are deterministic (sources pinned), so there's no cross-branch contamination risk. The first run after a cache eviction still downloads, but in practice the cache persists indefinitely under GitLab's default retention.

D2 — Validate only (not plan / apply)

Scoped to tofu-validate because validate is the job that exhibits the flake: it walks every consumer-declared path (including paths the CI never plans, like infra's bootstrap). tofu-plan and tofu-apply operate on a single working_directory chosen by the consumer, where the relevant modules are already resolved and locked. A module cache there is reasonable but unrelated to this driver; deferred unless we see the same flake there.

D3 — Lock-file alignment unchanged

OpenTofu's .terraform.lock.hcl records provider hashes, not module hashes. Module re-resolution is keyed off the source string in modules.json; restoring the cache and re-running init is safe even when a module version is bumped — tofu detects the source mismatch and re-downloads that module only. The cache can never make a stale module silently win.
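A check for the property D3 relies on, added here as an example (not part of phpboyscout/cicd): it reads a restored .terraform/modules/modules.json in the layout OpenTofu writes (a "Modules" list with Key/Source/Version/Dir fields), reports remote modules whose cached copy is not tied to a fixed version, and lists the keys whose pin no longer matches what the config declares, i.e. exactly the modules init will re-download. The manifest and the declared pins are constructed sample data, and module keys/versions are hypothetical.

```python
import json

# Constructed sample manifest in the shape of .terraform/modules/modules.json:
# a root entry, a local submodule, a registry module with a Version, a git
# module pinned by ?ref=, and a git module with no pin at all. Keys and
# versions are made up for the example.
SAMPLE_MANIFEST = json.dumps({"Modules": [
    {"Key": "", "Source": "", "Dir": "."},
    {"Key": "automation_iam", "Source": "./modules/automation-iam",
     "Dir": "modules/automation-iam"},
    {"Key": "automation_iam.oidc_provider", "Version": "5.30.0",
     "Source": "registry.opentofu.org/terraform-aws-modules/iam/aws//modules/iam-github-oidc-provider",
     "Dir": ".terraform/modules/automation_iam.oidc_provider/modules/iam-github-oidc-provider"},
    {"Key": "automation_iam.oidc_role",
     "Source": "git::https://github.com/terraform-aws-modules/terraform-aws-iam.git//modules/iam-github-oidc-role?ref=v5.30.0",
     "Dir": ".terraform/modules/automation_iam.oidc_role/modules/iam-github-oidc-role"},
    {"Key": "baseline", "Source": "git::https://gitlab.com/example/baseline.git",
     "Dir": ".terraform/modules/baseline"},
]})


def remote_modules(manifest_text):
    """Entries tofu init has to download: skip the root and local-path sources."""
    entries = json.loads(manifest_text)["Modules"]
    return [e for e in entries
            if e["Source"] and not e["Source"].startswith(("./", "../"))]


def pin_of(entry):
    """Version pin of a remote module: registry entries carry Version, git
    entries a ?ref= query in Source. None means the cached copy floats."""
    if entry.get("Version"):
        return entry["Version"]
    _, sep, query = entry["Source"].partition("?")
    if sep:
        for part in query.split("&"):
            key, _, value = part.partition("=")
            if key == "ref" and value:
                return value
    return None


def unpinned(manifest_text):
    """Keys of remote modules whose cached copy is not tied to a fixed version."""
    return [e["Key"] for e in remote_modules(manifest_text) if pin_of(e) is None]


def drifted(manifest_text, declared_pins):
    """Keys whose cached pin differs from the pin the config now declares
    (declared_pins: hypothetical key -> version/ref mapping parsed from the .tf files).
    These are the modules a restored cache cannot serve; init re-resolves them."""
    return [e["Key"] for e in remote_modules(manifest_text)
            if e["Key"] in declared_pins and declared_pins[e["Key"]] != pin_of(e)]
```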

Consumers

All current consumers of tofu-validate (phpboyscout/infra, phpboyscout/terraform-aws-bootstrap, phpboyscout/terraform-aws-security-baseline) get the benefit automatically once they pin to @v0.7.2.