initial terraform support

[henrjk]

Fixes #1

Please read docs/deploy.adoc.

This is an experimental version meant to get started and enable concrete feedback on some of the choices made, such as:

• Use terraform despite license. OpenTofu could be better, but might be a separate task.
• Minimal setup with a fixed version of terraform. Perhaps one should support tfenv.
• No support for testing. This is expected to be better done in a separate task.
• Utilize TF_PLUGIN_CACHE_DIR in .ods/cache/deps/terraform to support caching of provider versions.
• Derive environment variables from kubernetes secret `terraform-var-{{target-environment}}. Currently it appears that tekton has no mechanism to allow for injecting arbitrary env variables unless I overlooked something. One can opt out in case this is not needed.
• The kubernetes backend requires permissions to list secrets. I am not sure why this is needed. In the e2e tests an admin role is used but inpractice one should instead have a secret reader role perhaps associated with ods-pipeline.
• Support for an umbrella repo is modeled after ods-pipeline-helm. However for each sub repo a separate terraform init/plan/apply happens, so it would not be fused together. At the moment there is no test coverage for that.

In addition future work which would likely make sense is:

• Support S3 backends in addition to kubernetes backend.

[michaelsauter]

Should we remove this part?

Were you able to use those Terraform flags on the CLI and it just doesn't work from Go? Or did those flags also fail to work on the CLI?

[henrjk]

Yes you are right. Initially I thought this would work, but it did not and I found an issue that said this. So I believe it is not actually supported. But I have not cross checked to see whether I could do this directly from the cli. I will check into this.

[henrjk]

Here is what I see on the command line:

$KUBE_NAMESPACE=test-terraform TF_PLUGIN_CACHE=/tmp/foo TF_VAR_hello=foo terraform init -input=false -backend-config="type=kubernetes" -backend-config="secret_suffix=dev" -no-color

Initializing the backend...

Initializing provider plugins...
- Reusing previous version of hashicorp/tfcoremock from the dependency lock file
- Using previously-installed hashicorp/tfcoremock v0.2.0


Warning: Missing backend configuration

-backend-config was used without a "backend" block in the
configuration.

If you intended to override the default local backend configuration,
no action is required, but you may add an explicit backend block to
your
configuration to clear this warning:

terraform {
  backend "local" {}
}

However, if you intended to override a defined backend, please verify
that
the backend configuration is present and valid.


Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

I will for now remove using the -backend-config related approach and instead stick with the template approach.