implement first pass at cached image data source (#3)

implements envbuilder_cached_image data source
2025-11-05 19:58:58 +00:00 · 2024-08-01 21:26:44 +01:00 · 2024-08-01 21:26:44 +01:00 · c9e7cb8178
commit c9e7cb8178
parent 1a49822fc9
10 changed files with 1698 additions and 147 deletions
--- a/internal/provider/cached_image_data_source.go
+++ b/internal/provider/cached_image_data_source.go
@ -7,6 +7,15 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+	"os"
+	"path/filepath"
+
+	kconfig "github.com/GoogleContainerTools/kaniko/pkg/config"
+	"github.com/coder/envbuilder"
+	"github.com/coder/envbuilder/constants"
+	eblog "github.com/coder/envbuilder/log"
+	eboptions "github.com/coder/envbuilder/options"
+	"github.com/go-git/go-billy/v5/osfs"

 	"github.com/hashicorp/terraform-plugin-framework/datasource"
 	"github.com/hashicorp/terraform-plugin-framework/datasource/schema"
@ -28,17 +37,36 @@ type CachedImageDataSource struct {

 // CachedImageDataSourceModel describes the data source data model.
 type CachedImageDataSourceModel struct {
+	// Required "inputs".
 	BuilderImage types.String `tfsdk:"builder_image"`
 	CacheRepo    types.String `tfsdk:"cache_repo"`
-	CacheTTLDays types.Number `tfsdk:"cache_ttl_days"`
-	Env          types.List   `tfsdk:"env"`
-	Exists       types.Bool   `tfsdk:"exists"`
-	ExtraEnv     types.Map    `tfsdk:"extra_env"`
-	GitPassword  types.String `tfsdk:"git_password"`
 	GitURL       types.String `tfsdk:"git_url"`
-	GitUsername  types.String `tfsdk:"git_username"`
-	ID           types.String `tfsdk:"id"`
-	Image        types.String `tfsdk:"image"`
+	// Optional "inputs".
+	BaseImageCacheDir    types.String `tfsdk:"base_image_cache_dir"`
+	BuildContextPath     types.String `tfsdk:"build_context_path"`
+	CacheTTLDays         types.Int64  `tfsdk:"cache_ttl_days"`
+	DevcontainerDir      types.String `tfsdk:"devcontainer_dir"`
+	DevcontainerJSONPath types.String `tfsdk:"devcontainer_json_path"`
+	DockerfilePath       types.String `tfsdk:"dockerfile_path"`
+	DockerConfigBase64   types.String `tfsdk:"docker_config_base64"`
+	ExitOnBuildFailure   types.Bool   `tfsdk:"exit_on_build_failure"`
+	ExtraEnv             types.Map    `tfsdk:"extra_env"`
+	FallbackImage        types.String `tfsdk:"fallback_image"`
+	GitCloneDepth        types.Int64  `tfsdk:"git_clone_depth"`
+	GitCloneSingleBranch types.Bool   `tfsdk:"git_clone_single_branch"`
+	GitHTTPProxyURL      types.String `tfsdk:"git_http_proxy_url"`
+	GitPassword          types.String `tfsdk:"git_password"`
+	GitSSHPrivateKeyPath types.String `tfsdk:"git_ssh_private_key_path"`
+	GitUsername          types.String `tfsdk:"git_username"`
+	IgnorePaths          types.List   `tfsdk:"ignore_paths"`
+	Insecure             types.Bool   `tfsdk:"insecure"`
+	SSLCertBase64        types.String `tfsdk:"ssl_cert_base64"`
+	Verbose              types.Bool   `tfsdk:"verbose"`
+	// Computed "outputs".
+	Env    types.List   `tfsdk:"env"`
+	Exists types.Bool   `tfsdk:"exists"`
+	ID     types.String `tfsdk:"id"`
+	Image  types.String `tfsdk:"image"`
 }

 func (d *CachedImageDataSource) Metadata(ctx context.Context, req datasource.MetadataRequest, resp *datasource.MetadataResponse) {
@ -48,56 +76,127 @@ func (d *CachedImageDataSource) Metadata(ctx context.Context, req datasource.Met
 func (d *CachedImageDataSource) Schema(ctx context.Context, req datasource.SchemaRequest, resp *datasource.SchemaResponse) {
 	resp.Schema = schema.Schema{
 		// This description is used by the documentation generator and the language server.
-		MarkdownDescription: "The cached image data source can be used to retrieve a cached image produced by envbuilder.",
+		MarkdownDescription: "The cached image data source can be used to retrieve a cached image produced by envbuilder. Reading from this data source will clone the specified Git repository, read a Devcontainer specification or Dockerfile, and check for its presence in the provided cache repo.",

 		Attributes: map[string]schema.Attribute{
+			// Required "inputs".
 			"builder_image": schema.StringAttribute{
-				MarkdownDescription: "The builder image URL to use if the cache does not exist.",
+				MarkdownDescription: "The envbuilder image to use if the cached version is not found.",
+				Required:            true,
+			},
+			"cache_repo": schema.StringAttribute{
+				MarkdownDescription: "(Envbuilder option) The name of the container registry to fetch the cache image from.",
 				Required:            true,
 			},
 			"git_url": schema.StringAttribute{
-				MarkdownDescription: "The URL of a Git repository containing a Devcontainer or Docker image to clone.",
+				MarkdownDescription: "(Envbuilder option) The URL of a Git repository containing a Devcontainer or Docker image to clone.",
 				Required:            true,
 			},
-			"git_username": schema.StringAttribute{
-				MarkdownDescription: "The username to use for Git authentication. This is optional.",
+			// Optional "inputs".
+			"base_image_cache_dir": schema.StringAttribute{
+				MarkdownDescription: "(Envbuilder option) The path to a directory where the base image can be found. This should be a read-only directory solely mounted for the purpose of caching the base image.",
 				Optional:            true,
 			},
-			"git_password": schema.StringAttribute{
-				MarkdownDescription: "The password to use for Git authentication. This is optional.",
-				Sensitive:           true,
+			"build_context_path": schema.StringAttribute{
+				MarkdownDescription: "(Envbuilder option) Can be specified when a DockerfilePath is specified outside the base WorkspaceFolder. This path MUST be relative to the WorkspaceFolder path into which the repo is cloned.",
 				Optional:            true,
 			},
-			"cache_repo": schema.StringAttribute{
-				MarkdownDescription: "The name of the container registry to fetch the cache image from.",
-				Required:            true,
+			"cache_ttl_days": schema.Int64Attribute{
+				MarkdownDescription: "(Envbuilder option) The number of days to use cached layers before expiring them. Defaults to 7 days.",
+				Optional:            true,
 			},
-			"cache_ttl_days": schema.NumberAttribute{
-				MarkdownDescription: "The number of days to use cached layers before expiring them. Defaults to 7 days.",
+			"devcontainer_dir": schema.StringAttribute{
+				MarkdownDescription: "(Envbuilder option) The path to the folder containing the devcontainer.json file that will be used to build the workspace and can either be an absolute path or a path relative to the workspace folder. If not provided, defaults to `.devcontainer`.",
+				Optional:            true,
+			},
+			"devcontainer_json_path": schema.StringAttribute{
+				MarkdownDescription: "(Envbuilder option) The path to a devcontainer.json file that is either an absolute path or a path relative to DevcontainerDir. This can be used in cases where one wants to substitute an edited devcontainer.json file for the one that exists in the repo.",
+				Optional:            true,
+			},
+			"dockerfile_path": schema.StringAttribute{
+				MarkdownDescription: "(Envbuilder option) The relative path to the Dockerfile that will be used to build the workspace. This is an alternative to using a devcontainer that some might find simpler.",
+				Optional:            true,
+			},
+			"docker_config_base64": schema.StringAttribute{
+				MarkdownDescription: "(Envbuilder option) The base64 encoded Docker config file that will be used to pull images from private container registries.",
+				Optional:            true,
+			},
+			"exit_on_build_failure": schema.BoolAttribute{
+				MarkdownDescription: "(Envbuilder option) Terminates upon a build failure. This is handy when preferring the FALLBACK_IMAGE in cases where no devcontainer.json or image is provided. However, it ensures that the container stops if the build process encounters an error.",
 				Optional:            true,
 			},
 			// TODO(mafredri): Map vs List? Support both?
 			"extra_env": schema.MapAttribute{
-				MarkdownDescription: "Extra environment variables to set for the container. This may include evbuilder options.",
+				MarkdownDescription: "Extra environment variables to set for the container. This may include envbuilder options.",
 				ElementType:         types.StringType,
 				Optional:            true,
 			},
-			"id": schema.StringAttribute{
-				MarkdownDescription: "Cached image identifier",
+			"fallback_image": schema.StringAttribute{
+				MarkdownDescription: "(Envbuilder option) Specifies an alternative image to use when neither an image is declared in the devcontainer.json file nor a Dockerfile is present. If there's a build failure (from a faulty Dockerfile) or a misconfiguration, this image will be the substitute. Set ExitOnBuildFailure to true to halt the container if the build faces an issue.",
+				Optional:            true,
+			},
+			"git_clone_depth": schema.Int64Attribute{
+				MarkdownDescription: "(Envbuilder option) The depth to use when cloning the Git repository.",
+				Optional:            true,
+			},
+			"git_clone_single_branch": schema.BoolAttribute{
+				MarkdownDescription: "(Envbuilder option) Clone only a single branch of the Git repository.",
+				Optional:            true,
+			},
+			"git_http_proxy_url": schema.StringAttribute{
+				MarkdownDescription: "(Envbuilder option) The URL for the HTTP proxy. This is optional.",
+				Optional:            true,
+			},
+			"git_password": schema.StringAttribute{
+				MarkdownDescription: "(Envbuilder option) The password to use for Git authentication. This is optional.",
+				Sensitive:           true,
+				Optional:            true,
+			},
+			"git_ssh_private_key_path": schema.StringAttribute{
+				MarkdownDescription: "(Envbuilder option) Path to an SSH private key to be used for Git authentication.",
+				Optional:            true,
+			},
+			"git_username": schema.StringAttribute{
+				MarkdownDescription: "(Envbuilder option) The username to use for Git authentication. This is optional.",
+				Optional:            true,
+			},
+
+			"ignore_paths": schema.ListAttribute{
+				MarkdownDescription: "(Envbuilder option) The comma separated list of paths to ignore when building the workspace.",
+				ElementType:         types.StringType,
+				Optional:            true,
+			},
+
+			"insecure": schema.BoolAttribute{
+				MarkdownDescription: "(Envbuilder option) Bypass TLS verification when cloning and pulling from container registries.",
+				Optional:            true,
+			},
+			"ssl_cert_base64": schema.StringAttribute{
+				MarkdownDescription: "(Envbuilder option) The content of an SSL cert file. This is useful for self-signed certificates.",
+				Optional:            true,
+			},
+			"verbose": schema.BoolAttribute{
+				MarkdownDescription: "(Envbuilder option) Enable verbose output.",
+				Optional:            true,
+			},
+
+			// Computed "outputs".
+			// TODO(mafredri): Map vs List? Support both?
+			"env": schema.ListAttribute{
+				MarkdownDescription: "Computed envbuilder configuration to be set for the container.",
+				ElementType:         types.StringType,
 				Computed:            true,
 			},
 			"exists": schema.BoolAttribute{
 				MarkdownDescription: "Whether the cached image was exists or not for the given config.",
 				Computed:            true,
 			},
-			"image": schema.StringAttribute{
-				MarkdownDescription: "Outputs the cached image URL if it exists, otherwise the builder image URL is output instead.",
+			"id": schema.StringAttribute{
+				MarkdownDescription: "Cached image identifier. This will generally be the image's SHA256 digest.",
 				Computed:            true,
 			},
-			// TODO(mafredri): Map vs List? Support both?
-			"env": schema.ListAttribute{
-				MarkdownDescription: "Computed envbuilder configuration to be set for the container.",
-				ElementType:         types.StringType,
+			"image": schema.StringAttribute{
+				MarkdownDescription: "Outputs the cached image repo@digest if it exists, and builder image otherwise.",
 				Computed:            true,
 			},
 		},
@ -142,10 +241,96 @@ func (d *CachedImageDataSource) Read(ctx context.Context, req datasource.ReadReq
 	//     return
 	// }

-	// TODO(mafredri): Implement the actual data source read logic.
-	data.ID = types.StringValue("cached-image-id")
-	data.Exists = types.BoolValue(false)
-	data.Image = data.BuilderImage
+	tmpDir, err := os.MkdirTemp(os.TempDir(), "envbuilder-provider-cached-image-data-source")
+	if err != nil {
+		resp.Diagnostics.AddError("Client Error", fmt.Sprintf("Unable to create temp directory: %s", err.Error()))
+		return
+	}
+	defer func() {
+		if err := os.RemoveAll(tmpDir); err != nil {
+			tflog.Error(ctx, "failed to clean up tmpDir", map[string]any{"tmpDir": tmpDir, "err": err.Error()})
+		}
+	}()
+	oldKanikoDir := kconfig.KanikoDir
+	tmpKanikoDir := filepath.Join(tmpDir, constants.MagicDir)
+	// Normally you would set the KANIKO_DIR environment variable, but we are importing kaniko directly.
+	kconfig.KanikoDir = tmpKanikoDir
+	tflog.Info(ctx, "set kaniko dir to "+tmpKanikoDir)
+	defer func() {
+		kconfig.KanikoDir = oldKanikoDir
+		tflog.Info(ctx, "restored kaniko dir to "+oldKanikoDir)
+	}()
+	if err := os.MkdirAll(tmpKanikoDir, 0o755); err != nil {
+		tflog.Error(ctx, "failed to create kaniko dir: "+err.Error())
+	}
+
+	// TODO: check if this is a "plan" or "apply", and only run envbuilder on "apply".
+	// This may require changing this to be a resource instead of a data source.
+	opts := eboptions.Options{
+		// These options are always required
+		CacheRepo:       data.CacheRepo.ValueString(),
+		Filesystem:      osfs.New("/"),
+		ForceSafe:       false, // This should never be set to true, as this may be running outside of a container!
+		GetCachedImage:  true,  // always!
+		Logger:          tfLogFunc(ctx),
+		Verbose:         data.Verbose.ValueBool(),
+		WorkspaceFolder: tmpDir,
+
+		// Options related to compiling the devcontainer
+		BuildContextPath:     data.BuildContextPath.ValueString(),
+		DevcontainerDir:      data.DevcontainerDir.ValueString(),
+		DevcontainerJSONPath: data.DevcontainerJSONPath.ValueString(),
+		DockerfilePath:       data.DockerfilePath.ValueString(),
+		DockerConfigBase64:   data.DockerConfigBase64.ValueString(),
+		FallbackImage:        data.FallbackImage.ValueString(),
+
+		// These options are required for cloning the Git repo
+		CacheTTLDays:         data.CacheTTLDays.ValueInt64(),
+		GitURL:               data.GitURL.ValueString(),
+		GitCloneDepth:        data.GitCloneDepth.ValueInt64(),
+		GitCloneSingleBranch: data.GitCloneSingleBranch.ValueBool(),
+		GitUsername:          data.GitUsername.ValueString(),
+		GitPassword:          data.GitPassword.ValueString(),
+		GitSSHPrivateKeyPath: data.GitSSHPrivateKeyPath.ValueString(),
+		GitHTTPProxyURL:      data.GitHTTPProxyURL.ValueString(),
+		SSLCertBase64:        data.SSLCertBase64.ValueString(),
+
+		// Other options
+		BaseImageCacheDir:  data.BaseImageCacheDir.ValueString(),
+		ExitOnBuildFailure: data.ExitOnBuildFailure.ValueBool(),   // may wish to do this instead of fallback image?
+		Insecure:           data.Insecure.ValueBool(),             // might have internal CAs?
+		IgnorePaths:        tfListToStringSlice(data.IgnorePaths), // may need to be specified?
+		// The below options are not relevant and are set to their zero value explicitly.
+		CoderAgentSubsystem: nil,
+		CoderAgentToken:     "",
+		CoderAgentURL:       "",
+		ExportEnvFile:       "",
+		InitArgs:            "",
+		InitCommand:         "",
+		InitScript:          "",
+		LayerCacheDir:       "",
+		PostStartScriptPath: "",
+		PushImage:           false,
+		SetupScript:         "",
+		SkipRebuild:         false,
+	}
+
+	image, err := envbuilder.RunCacheProbe(ctx, opts)
+	data.Exists = types.BoolValue(err == nil)
+	if err != nil {
+		resp.Diagnostics.AddWarning("Cached image not found", err.Error())
+		// TODO: Get the repo digest of the envbuilder image and use that as the ID
+		data.Image = data.BuilderImage
+	} else {
+		digest, err := image.Digest()
+		if err != nil {
+			resp.Diagnostics.AddError("Failed to get cached image digest", err.Error())
+			return
+		}
+		tflog.Info(ctx, fmt.Sprintf("found image: %s@%s", opts.CacheRepo, digest))
+		data.ID = types.StringValue(digest.String())
+		data.Image = types.StringValue(fmt.Sprintf("%s@%s", opts.CacheRepo, digest))
+	}

 	// Compute the env attribute from the config map.
 	// TODO(mafredri): Convert any other relevant attributes given via schema.
@ -167,6 +352,28 @@ func (d *CachedImageDataSource) Read(ctx context.Context, req datasource.ReadReq
 	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
 }

+// tfLogFunc is an adapter to envbuilder/log.Func.
+func tfLogFunc(ctx context.Context) eblog.Func {
+	return func(level eblog.Level, format string, args ...any) {
+		var logFn func(context.Context, string, ...map[string]interface{})
+		switch level {
+		case eblog.LevelTrace:
+			logFn = tflog.Trace
+		case eblog.LevelDebug:
+			logFn = tflog.Debug
+		case eblog.LevelWarn:
+			logFn = tflog.Warn
+		case eblog.LevelError:
+			logFn = tflog.Error
+		default:
+			logFn = tflog.Info
+		}
+		logFn(ctx, fmt.Sprintf(format, args...))
+	}
+}
+
+// NOTE: the String() method of Terraform values will evalue to `<null>` if unknown.
+// Check IsUnknown() first before calling String().
 type stringable interface {
 	IsUnknown() bool
 	String() string
@ -180,3 +387,17 @@ func appendKnownEnvToList(list types.List, key string, value stringable) types.L
 	list, _ = types.ListValue(types.StringType, append(list.Elements(), elem))
 	return list
 }
+
+func tfListToStringSlice(l types.List) []string {
+	var ss []string
+	for _, el := range l.Elements() {
+		if sv, ok := el.(stringable); !ok {
+			panic(fmt.Sprintf("developer error: element %+v must be stringable", el))
+		} else if sv.IsUnknown() {
+			ss = append(ss, "")
+		} else {
+			ss = append(ss, sv.String())
+		}
+	}
+	return ss
+}
--- a/internal/provider/cached_image_data_source_test.go
+++ b/internal/provider/cached_image_data_source_test.go
@ -4,45 +4,118 @@
 package provider

 import (
+	"context"
+	"fmt"
+	"strings"
 	"testing"
+	"time"

 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 )

-func TestAccExampleDataSource(t *testing.T) {
-	resource.Test(t, resource.TestCase{
-		PreCheck:                 func() { testAccPreCheck(t) },
-		ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
-		Steps: []resource.TestStep{
-			// Read testing
-			{
-				Config: testAccCachedImageDataSourceConfig,
-				Check: resource.ComposeAggregateTestCheckFunc(
-					// Input
-					resource.TestCheckResourceAttr("data.envbuilder_cached_image.test", "extra_env.ENVBUILDER_VERBOSE", "true"),
-					resource.TestCheckResourceAttr("data.envbuilder_cached_image.test", "git_url", "https://github.com/coder/envbuilder-starter-devcontainer"),
-					resource.TestCheckNoResourceAttr("data.envbuilder_cached_image.test", "git_username"),
-					resource.TestCheckNoResourceAttr("data.envbuilder_cached_image.test", "git_password"),
-					resource.TestCheckResourceAttr("data.envbuilder_cached_image.test", "cache_repo", "localhost:5000/local/test-cache"),
-					resource.TestCheckNoResourceAttr("data.envbuilder_cached_image.test", "cache_ttl_days"),
-					// Computed
-					resource.TestCheckResourceAttr("data.envbuilder_cached_image.test", "id", "cached-image-id"),
-					resource.TestCheckResourceAttr("data.envbuilder_cached_image.test", "exists", "false"),
-					resource.TestCheckResourceAttr("data.envbuilder_cached_image.test", "image", "ghcr.io/coder/envbuilder:latest"),
-					resource.TestCheckResourceAttr("data.envbuilder_cached_image.test", "env.0", "ENVBUILDER_VERBOSE=\"true\""),
-				),
+// TODO: change this to only test for a non-existent image.
+// Move the heavy lifting to integration.
+func TestAccCachedImageDataSource(t *testing.T) {
+	t.Run("Found", func(t *testing.T) {
+		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
+		t.Cleanup(cancel)
+		files := map[string]string{
+			"devcontainer.json": `{"build": { "dockerfile": "Dockerfile" }}`,
+			"Dockerfile": `FROM localhost:5000/test-ubuntu:latest
+	RUN apt-get update && apt-get install -y cowsay`,
+		}
+		deps := setup(t, files)
+		seedCache(ctx, t, deps)
+		tfCfg := fmt.Sprintf(`data "envbuilder_cached_image" "test" {
+	builder_image = %q
+	devcontainer_dir = %q
+	git_url = %q
+	extra_env = {
+	"FOO" : "bar"
+	}
+	cache_repo = %q
+}`, deps.BuilderImage, deps.RepoDir, deps.RepoDir, deps.CacheRepo)
+		resource.Test(t, resource.TestCase{
+			PreCheck:                 func() { testAccPreCheck(t) },
+			ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
+			Steps: []resource.TestStep{
+				{
+					Config: tfCfg,
+					Check: resource.ComposeAggregateTestCheckFunc(
+						// Inputs should still be present.
+						resource.TestCheckResourceAttr("data.envbuilder_cached_image.test", "cache_repo", deps.CacheRepo),
+						resource.TestCheckResourceAttr("data.envbuilder_cached_image.test", "extra_env.FOO", "bar"),
+						resource.TestCheckResourceAttr("data.envbuilder_cached_image.test", "git_url", deps.RepoDir),
+						// Should be empty
+						resource.TestCheckNoResourceAttr("data.envbuilder_cached_image.test", "git_username"),
+						resource.TestCheckNoResourceAttr("data.envbuilder_cached_image.test", "git_password"),
+						resource.TestCheckNoResourceAttr("data.envbuilder_cached_image.test", "cache_ttl_days"),
+						// Computed
+						resource.TestCheckResourceAttrWith("data.envbuilder_cached_image.test", "id", func(value string) error {
+							// value is enclosed in quotes
+							value = strings.Trim(value, `"`)
+							if !strings.HasPrefix(value, "sha256:") {
+								return fmt.Errorf("expected image %q to have prefix %q", value, deps.CacheRepo)
+							}
+							return nil
+						}),
+						resource.TestCheckResourceAttr("data.envbuilder_cached_image.test", "exists", "true"),
+						resource.TestCheckResourceAttrSet("data.envbuilder_cached_image.test", "image"),
+						resource.TestCheckResourceAttrWith("data.envbuilder_cached_image.test", "image", func(value string) error {
+							// value is enclosed in quotes
+							value = strings.Trim(value, `"`)
+							if !strings.HasPrefix(value, deps.CacheRepo) {
+								return fmt.Errorf("expected image %q to have prefix %q", value, deps.CacheRepo)
+							}
+							return nil
+						}),
+						resource.TestCheckResourceAttr("data.envbuilder_cached_image.test", "env.0", "FOO=\"bar\""),
+					),
+				},
 			},
-		},
+		})
+	})
+
+	t.Run("NotFound", func(t *testing.T) {
+		files := map[string]string{
+			"devcontainer.json": `{"build": { "dockerfile": "Dockerfile" }}`,
+			"Dockerfile": `FROM localhost:5000/test-ubuntu:latest
+	RUN apt-get update && apt-get install -y cowsay`,
+		}
+		deps := setup(t, files)
+		// We do not seed the cache.
+		tfCfg := fmt.Sprintf(`data "envbuilder_cached_image" "test" {
+	builder_image = %q
+	devcontainer_dir = %q
+	git_url = %q
+	extra_env = {
+	"FOO" : "bar"
+	}
+	cache_repo = %q
+}`, deps.BuilderImage, deps.RepoDir, deps.RepoDir, deps.CacheRepo)
+		resource.Test(t, resource.TestCase{
+			PreCheck:                 func() { testAccPreCheck(t) },
+			ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
+			Steps: []resource.TestStep{
+				{
+					Config: tfCfg,
+					Check: resource.ComposeAggregateTestCheckFunc(
+						// Inputs should still be present.
+						resource.TestCheckResourceAttr("data.envbuilder_cached_image.test", "cache_repo", deps.CacheRepo),
+						resource.TestCheckResourceAttr("data.envbuilder_cached_image.test", "extra_env.FOO", "bar"),
+						resource.TestCheckResourceAttr("data.envbuilder_cached_image.test", "git_url", deps.RepoDir),
+						resource.TestCheckResourceAttr("data.envbuilder_cached_image.test", "exists", "false"),
+						resource.TestCheckResourceAttr("data.envbuilder_cached_image.test", "image", deps.BuilderImage),
+						// Should be empty
+						resource.TestCheckNoResourceAttr("data.envbuilder_cached_image.test", "git_username"),
+						resource.TestCheckNoResourceAttr("data.envbuilder_cached_image.test", "git_password"),
+						resource.TestCheckNoResourceAttr("data.envbuilder_cached_image.test", "cache_ttl_days"),
+						// Computed values should be empty.
+						resource.TestCheckNoResourceAttr("data.envbuilder_cached_image.test", "id"),
+						resource.TestCheckResourceAttrSet("data.envbuilder_cached_image.test", "env.0"),
+					),
+				},
+			},
+		})
 	})
 }
-
-const testAccCachedImageDataSourceConfig = `
-data "envbuilder_cached_image" "test" {
-  builder_image = "ghcr.io/coder/envbuilder:latest"
-  git_url       = "https://github.com/coder/envbuilder-starter-devcontainer"
-  cache_repo    = "localhost:5000/local/test-cache"
-  extra_env = {
-    "ENVBUILDER_VERBOSE" : "true"
-  }
-}
-`
--- a/internal/provider/provider_test.go
+++ b/internal/provider/provider_test.go
@ -4,10 +4,27 @@
 package provider

 import (
+	"bufio"
+	"context"
+	"io"
+	"os"
+	"path/filepath"
+	"slices"
+	"strings"
 	"testing"

 	"github.com/hashicorp/terraform-plugin-framework/providerserver"
 	"github.com/hashicorp/terraform-plugin-go/tfprotov6"
+	"github.com/mafredri/terraform-provider-envbuilder/testutil/registrytest"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/image"
+	"github.com/docker/docker/client"
+	"github.com/stretchr/testify/require"
+)
+
+const (
+	testContainerLabel = "terraform-provider-envbuilder-test"
 )

 // testAccProtoV6ProviderFactories are used to instantiate a provider during
@ -23,3 +40,128 @@ func testAccPreCheck(t *testing.T) {
 	// about the appropriate environment variables being set are common to see in a pre-check
 	// function.
 }
+
+type testDependencies struct {
+	BuilderImage string
+	RepoDir      string
+	CacheRepo    string
+}
+
+func setup(t testing.TB, files map[string]string) testDependencies {
+	t.Helper()
+
+	envbuilderImage := getEnvOrDefault("ENVBUILDER_IMAGE", "ghcr.io/coder/envbuilder-preview")
+	envbuilderVersion := getEnvOrDefault("ENVBUILDER_VERSION", "latest")
+	envbuilderImageRef := envbuilderImage + ":" + envbuilderVersion
+
+	// TODO: envbuilder creates /.envbuilder/bin/envbuilder owned by root:root which we are unable to clean up.
+	// This causes tests to fail.
+	repoDir := t.TempDir()
+	regDir := t.TempDir()
+	reg := registrytest.New(t, regDir)
+	writeFiles(t, files, repoDir)
+	return testDependencies{
+		BuilderImage: envbuilderImageRef,
+		CacheRepo:    reg + "/test",
+		RepoDir:      repoDir,
+	}
+}
+
+func seedCache(ctx context.Context, t testing.TB, deps testDependencies) {
+	cli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
+	require.NoError(t, err, "init docker client")
+	t.Cleanup(func() { _ = cli.Close() })
+	ensureImage(ctx, t, cli, deps.BuilderImage)
+	// Run envbuilder using this dir as a local layer cache
+	ctr, err := cli.ContainerCreate(ctx, &container.Config{
+		Image: deps.BuilderImage,
+		Env: []string{
+			"ENVBUILDER_CACHE_REPO=" + deps.CacheRepo,
+			"ENVBUILDER_DEVCONTAINER_DIR=" + deps.RepoDir,
+			"ENVBUILDER_EXIT_ON_BUILD_FAILURE=true",
+			"ENVBUILDER_INIT_SCRIPT=exit",
+			// FIXME: Enabling this options causes envbuilder to add its binary to the image under the path
+			// /.envbuilder/bin/envbuilder. This file will have ownership root:root and permissions 0o755.
+			// Because of this, t.Cleanup() will be unable to delete the temp dir, causing the test to fail.
+			// "ENVBUILDER_PUSH_IMAGE=true",
+		},
+		Labels: map[string]string{
+			testContainerLabel: "true",
+		}}, &container.HostConfig{
+		NetworkMode: container.NetworkMode("host"),
+		Binds:       []string{deps.RepoDir + ":" + deps.RepoDir},
+	}, nil, nil, "")
+	require.NoError(t, err, "failed to run envbuilder to seed cache")
+	t.Cleanup(func() {
+		_ = cli.ContainerRemove(ctx, ctr.ID, container.RemoveOptions{
+			RemoveVolumes: true,
+			Force:         true,
+		})
+	})
+	err = cli.ContainerStart(ctx, ctr.ID, container.StartOptions{})
+	require.NoError(t, err)
+
+	rawLogs, err := cli.ContainerLogs(ctx, ctr.ID, container.LogsOptions{
+		ShowStdout: true,
+		ShowStderr: true,
+		Follow:     true,
+		Timestamps: false,
+	})
+	require.NoError(t, err)
+	defer rawLogs.Close()
+	scanner := bufio.NewScanner(rawLogs)
+SCANLOGS:
+	for {
+		select {
+		case <-ctx.Done():
+			require.Fail(t, "envbuilder did not finish running in time")
+		default:
+			if !scanner.Scan() {
+				require.Fail(t, "envbuilder did not run successfully")
+			}
+			log := scanner.Text()
+			t.Logf("envbuilder: %s", log)
+			if strings.Contains(log, "=== Running the init command") {
+				break SCANLOGS
+			}
+		}
+	}
+
+}
+
+func getEnvOrDefault(env, defVal string) string {
+	if val := os.Getenv(env); val != "" {
+		return val
+	}
+	return defVal
+}
+
+func writeFiles(t testing.TB, files map[string]string, destPath string) {
+	for relPath, content := range files {
+		absPath := filepath.Join(destPath, relPath)
+		d := filepath.Dir(absPath)
+		bs := []byte(content)
+		require.NoError(t, os.MkdirAll(d, 0o755))
+		require.NoError(t, os.WriteFile(absPath, bs, 0o644))
+		t.Logf("wrote %d bytes to %s", len(bs), absPath)
+	}
+}
+
+func ensureImage(ctx context.Context, t testing.TB, cli *client.Client, ref string) {
+	t.Helper()
+
+	t.Logf("ensuring image %q", ref)
+	images, err := cli.ImageList(ctx, image.ListOptions{})
+	require.NoError(t, err, "list images")
+	for _, img := range images {
+		if slices.Contains(img.RepoTags, ref) {
+			t.Logf("image %q found locally, not pulling", ref)
+			return
+		}
+	}
+	t.Logf("image %s not found locally, attempting to pull", ref)
+	resp, err := cli.ImagePull(ctx, ref, image.PullOptions{})
+	require.NoError(t, err)
+	_, err = io.ReadAll(resp)
+	require.NoError(t, err)
+}