Fix make setup to work with open tofu

Makefile

@@ -7,7 +7,7 @@ ENVIRONMENT := production
 REGION := sfo3
 ROOT_DIR := $(shell pwd)
 # TODO: automatically determine
-TERRAFORM := $(ROOT_DIR)/out/terraform.linux-x86_64
+TERRAFORM := $(ROOT_DIR)/out/tofu.linux-x86_64
 SOPS := $(ROOT_DIR)/out/sops.linux-x86_64
 KEYS := \
 	6B61ECD76088748C70590D55E90A401336C8AAA9 \
@@ -15,13 +15,13 @@ KEYS := \
 	3D7C8D39E8C4DF771583D3F0A8A091FD346001CA \
 	F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D
 
+EXTRA_ARGS :=
+
 .DEFAULT_GOAL :=
 .PHONY: default
 default: \
 	toolchain \
 	tools \
-	$(patsubst %,$(KEY_DIR)/%.asc,$(KEYS)) \
-	$(CACHE_DIR)/website/.well-known/openpgpkey \
 	apply
 
 .PHONY:
@@ -76,6 +76,13 @@ infra/backend/.terraform: \
 	$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
 		env -C infra/backend $(TERRAFORM) init -upgrade \
 		'
+	$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
+		env -C infra/backend $(TERRAFORM) refresh \
+		-var environment=$(ENVIRONMENT) \
+		-var namespace=$(ENVIRONMENT) \
+		-var region=$(REGION) \
+		-state $(ENVIRONMENT).tfstate \
+		'
 
 infra/main/.terraform: | \
 	$(TERRAFORM) \
@@ -85,6 +92,13 @@ infra/main/.terraform: | \
 		env -C infra/main $(TERRAFORM) init -upgrade \
 		-backend-config="../../config/$(ENVIRONMENT).tfbackend" \
 		'
+	$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
+		env -C infra/main $(TERRAFORM) refresh \
+		-var environment=$(ENVIRONMENT) \
+		-var namespace=$(ENVIRONMENT) \
+		-var region=$(REGION) \
+		-state $(ENVIRONMENT).tfstate \
+		'
 
 infra/backend/$(ENVIRONMENT).tfstate: \
 	$(TERRAFORM) \
@@ -96,7 +110,7 @@ infra/backend/$(ENVIRONMENT).tfstate: \
 		-var environment=$(ENVIRONMENT) \
 		-var namespace=$(ENVIRONMENT) \
 		-var region=$(REGION) \
-		-state ../../$@ \
+		-state $@ \
 		'
 
 config/$(ENVIRONMENT).tfbackend: | \
@@ -107,9 +121,17 @@ config/$(ENVIRONMENT).tfbackend: | \
 	$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
 		env -C infra/backend \
 		$(TERRAFORM) \
-		output -state ../../$< \
+		output -state $(ENVIRONMENT).tfstate \
 		> $@ \
 		'
+	$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
+		env -C infra/backend \
+		$(TERRAFORM) refresh \
+		-var environment=$(ENVIRONMENT) \
+		-var namespace=$(ENVIRONMENT) \
+		-var region=$(REGION) \
+		-state $(ENVIRONMENT).tfstate \
+		'
 
 .PHONY:
 apply: \
@@ -126,7 +148,7 @@ apply: \
 		-var environment=$(ENVIRONMENT) \
 		-var namespace=$(ENVIRONMENT) \
 		-var region=$(REGION) \
-		'
+		$(EXTRA_ARGS) '
 	$(call maybe_encrypt_secret,infra/main/talos/talosconfig,secrets/$(ENVIRONMENT).talosconfig)
 	$(call maybe_encrypt_secret,infra/main/talos/kubeconfig,secrets/$(ENVIRONMENT).kubeconfig)
 	$(call maybe_encrypt_secret,infra/main/talos/controlplane.yaml,secrets/$(ENVIRONMENT).controlplane.yaml)

config/make.env

@@ -22,7 +22,7 @@ SOPS_REF=b6d3c9700d88e0c9348f3ec7cd2f10ce4a4b3ee1
 BUSYBOX_URL=https://busybox.net/downloads/busybox-1.36.1.tar.bz2
 BUSYBOX_HASH=b8cc24c9574d809e7279c3be349795c5d5ceb6fdf19ca709f80cde50e47de314
 TOFU_REPO=https://github.com/opentofu/opentofu
-TOFU_REF=f9d8b3ca2c0926f66757241baf81af523be73726
+TOFU_REF=5d05dba18b6e276a6262a4722fe90c13350c5428
 KSOPS_REPO=https://github.com/viaduct-ai/kustomize-sops
 KSOPS_REF=ac33c40e1b78d9847a8d0f58473e99419be5b170
 KUSTOMIZE_REPO=https://github.com/kubernetes-sigs/kustomize

infra/main/provider.tf

@@ -8,6 +8,7 @@ terraform {
   backend "s3" {
     skip_requesting_account_id  = true
     skip_credentials_validation = true
+    skip_region_validation      = true
     skip_get_ec2_platforms      = true
     skip_metadata_api_check     = true
   }

src/toolchain

@@ -1 +1 @@
-Subproject commit 23fc267a9dfdda30ba4287f8234879961722bafb
+Subproject commit a2315fdbc8cd0e4a654d1aa4623a53d5292b3574