chore: mark sensitive, add tests, add diag check

internal/provider/cached_image_resource.go

@@ -190,6 +190,7 @@ func (r *CachedImageResource) Schema(ctx context.Context, req resource.SchemaReq
 			"git_ssh_private_key_base64": schema.StringAttribute{
 				MarkdownDescription: "(Envbuilder option) Base64 encoded SSH private key to be used for Git authentication.",
 				Optional:            true,
+				Sensitive:           true,
 			},
 			"git_username": schema.StringAttribute{
 				MarkdownDescription: "(Envbuilder option) The username to use for Git authentication. This is optional.",

internal/provider/helpers.go

@@ -156,6 +156,11 @@ func optionsFromDataModel(data CachedImageResourceModel) (eboptions.Options, dia
 	}
 	diags = append(diags, overrideOptionsFromExtraEnv(&opts, extraEnv, providerOpts)...)
 
+	if opts.GitSSHPrivateKeyPath != "" && opts.GitSSHPrivateKeyBase64 != "" {
+		diags.AddError("Cannot set more than one git ssh private key options",
+			"Both ENVBUILDER_GIT_SSH_PRIVATE_KEY_PATH and ENVBUILDER_GIT_SSH_PRIVATE_KEY_BASE64 have been set.")
+	}
+
 	return opts, diags
 }
 

internal/provider/provider_internal_test.go

@@ -211,6 +211,59 @@ func Test_optionsFromDataModel(t *testing.T) {
 			},
 			expectNumErrorDiags: 2,
 		},
+		{
+			name: "errors when git ssh private key path and base64 are set",
+			data: CachedImageResourceModel{
+				BuilderImage:           basetypes.NewStringValue("envbuilder:latest"),
+				CacheRepo:              basetypes.NewStringValue("localhost:5000/cache"),
+				GitURL:                 basetypes.NewStringValue("git@git.local/devcontainer.git"),
+				GitSSHPrivateKeyPath:   basetypes.NewStringValue("/tmp/id_rsa"),
+				GitSSHPrivateKeyBase64: basetypes.NewStringValue("cHJpdmF0ZUtleQo="),
+			},
+			expectOpts: eboptions.Options{
+				CacheRepo:              "localhost:5000/cache",
+				GitURL:                 "git@git.local/devcontainer.git",
+				RemoteRepoBuildMode:    true,
+				GitSSHPrivateKeyPath:   "/tmp/id_rsa",
+				GitSSHPrivateKeyBase64: "cHJpdmF0ZUtleQo=",
+			},
+			expectNumErrorDiags: 1,
+		},
+		{
+			name: "extra_env override errors when git ssh private key path and base64 are set",
+			data: CachedImageResourceModel{
+				BuilderImage:           basetypes.NewStringValue("envbuilder:latest"),
+				CacheRepo:              basetypes.NewStringValue("localhost:5000/cache"),
+				GitURL:                 basetypes.NewStringValue("git@git.local/devcontainer.git"),
+				GitSSHPrivateKeyBase64: basetypes.NewStringValue("cHJpdmF0ZUtleQo="),
+				ExtraEnv: extraEnvMap(t,
+					"ENVBUILDER_GIT_SSH_PRIVATE_KEY_PATH", "/tmp/id_rsa",
+				),
+			},
+			expectOpts: eboptions.Options{
+				CacheRepo:              "localhost:5000/cache",
+				GitURL:                 "git@git.local/devcontainer.git",
+				RemoteRepoBuildMode:    true,
+				GitSSHPrivateKeyPath:   "/tmp/id_rsa",
+				GitSSHPrivateKeyBase64: "cHJpdmF0ZUtleQo=",
+			},
+			expectNumErrorDiags: 1,
+		},
+		{
+			name: "required only with base64 ssh key",
+			data: CachedImageResourceModel{
+				BuilderImage:           basetypes.NewStringValue("envbuilder:latest"),
+				CacheRepo:              basetypes.NewStringValue("localhost:5000/cache"),
+				GitURL:                 basetypes.NewStringValue("git@git.local/devcontainer.git"),
+				GitSSHPrivateKeyBase64: basetypes.NewStringValue("cHJpdmF0ZUtleQo="),
+			},
+			expectOpts: eboptions.Options{
+				CacheRepo:              "localhost:5000/cache",
+				GitURL:                 "git@git.local/devcontainer.git",
+				RemoteRepoBuildMode:    true,
+				GitSSHPrivateKeyBase64: "cHJpdmF0ZUtleQo=",
+			},
+		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()