feat: add build secrets option

2025-09-08 09:47:15 +00:00 · 2025-01-16 08:21:08 +00:00 · 2025-01-16 08:21:08 +00:00 · d69f78b321
commit d69f78b321
parent dabb7f31aa
3 changed files with 46 additions and 13 deletions
--- a/internal/provider/cached_image_resource.go
+++ b/internal/provider/cached_image_resource.go
@ -51,6 +51,7 @@ type CachedImageResourceModel struct {
 	// Optional "inputs".
 	BaseImageCacheDir      types.String `tfsdk:"base_image_cache_dir"`
 	BuildContextPath       types.String `tfsdk:"build_context_path"`
+	BuildSecrets           types.Map    `tfsdk:"build_secrets"`
 	CacheTTLDays           types.Int64  `tfsdk:"cache_ttl_days"`
 	DevcontainerDir        types.String `tfsdk:"devcontainer_dir"`
 	DevcontainerJSONPath   types.String `tfsdk:"devcontainer_json_path"`
--- a/internal/provider/helpers.go
+++ b/internal/provider/helpers.go
@ -47,6 +47,21 @@ func optionsFromDataModel(data CachedImageResourceModel) (eboptions.Options, dia
 		opts.BuildContextPath = data.BuildContextPath.ValueString()
 	}

+	if !data.BuildSecrets.IsNull() {
+		providerOpts["ENVBUILDER_BUILD_SECRETS"] = true
+
+		// Depending on use case, users might want to provide build secrets as a map or a list of strings.
+		// The string list option is supported by extra_env, so we support the map option here. Envbuilder
+		// expects a list of strings, so we convert the map to a list of strings here.
+		buildSecretMap := tfutil.TFMapToStringMap(data.BuildSecrets)
+		buildSecretSlice := make([]string, 0, len(buildSecretMap))
+		for k, v := range buildSecretMap {
+			buildSecretSlice = append(buildSecretSlice, fmt.Sprintf("%s=%s", k, v))
+		}
+
+		opts.BuildSecrets = buildSecretSlice
+	}
+
 	if !data.CacheTTLDays.IsNull() {
 		providerOpts["ENVBUILDER_CACHE_TTL_DAYS"] = true
 		opts.CacheTTLDays = data.CacheTTLDays.ValueInt64()
--- a/internal/provider/provider_internal_test.go
+++ b/internal/provider/provider_internal_test.go
@ -35,11 +35,15 @@ func Test_optionsFromDataModel(t *testing.T) {
 		{
 			name: "all options without extra_env",
 			data: CachedImageResourceModel{
-				BuilderImage:         basetypes.NewStringValue("envbuilder:latest"),
-				CacheRepo:            basetypes.NewStringValue("localhost:5000/cache"),
-				GitURL:               basetypes.NewStringValue("git@git.local/devcontainer.git"),
-				BaseImageCacheDir:    basetypes.NewStringValue("/tmp/cache"),
-				BuildContextPath:     basetypes.NewStringValue("."),
+				BuilderImage:      basetypes.NewStringValue("envbuilder:latest"),
+				CacheRepo:         basetypes.NewStringValue("localhost:5000/cache"),
+				GitURL:            basetypes.NewStringValue("git@git.local/devcontainer.git"),
+				BaseImageCacheDir: basetypes.NewStringValue("/tmp/cache"),
+				BuildContextPath:  basetypes.NewStringValue("."),
+				BuildSecrets: basetypes.NewMapValueMust(basetypes.StringType{}, map[string]attr.Value{
+					"FOO": basetypes.NewStringValue("bar"),
+					"BAZ": basetypes.NewStringValue("qux"),
+				}),
 				CacheTTLDays:         basetypes.NewInt64Value(7),
 				DevcontainerDir:      basetypes.NewStringValue(".devcontainer"),
 				DevcontainerJSONPath: basetypes.NewStringValue(".devcontainer/devcontainer.json"),
@ -66,6 +70,7 @@ func Test_optionsFromDataModel(t *testing.T) {
 				GitURL:               "git@git.local/devcontainer.git",
 				BaseImageCacheDir:    "/tmp/cache",
 				BuildContextPath:     ".",
+				BuildSecrets:         []string{"FOO=bar", "BAZ=qux"},
 				CacheTTLDays:         7,
 				DevcontainerDir:      ".devcontainer",
 				DevcontainerJSONPath: ".devcontainer/devcontainer.json",
@ -91,15 +96,20 @@ func Test_optionsFromDataModel(t *testing.T) {
 			name: "extra env override",
 			data: CachedImageResourceModel{
 				BuilderImage: basetypes.NewStringValue("envbuilder:latest"),
-				CacheRepo:    basetypes.NewStringValue("localhost:5000/cache"),
-				GitURL:       basetypes.NewStringValue("git@git.local/devcontainer.git"),
+				BuildSecrets: basetypes.NewMapValueMust(basetypes.StringType{}, map[string]attr.Value{
+					"FOO": basetypes.NewStringValue("bar"),
+				}),
+				CacheRepo: basetypes.NewStringValue("localhost:5000/cache"),
+				GitURL:    basetypes.NewStringValue("git@git.local/devcontainer.git"),
 				ExtraEnv: extraEnvMap(t,
 					"CODER_AGENT_TOKEN", "token",
 					"CODER_AGENT_URL", "http://coder",
 					"FOO", "bar",
+					"ENVBUILDER_BUILD_SECRETS", "FOO=bar,BAZ=qux",
 				),
 			},
 			expectOpts: eboptions.Options{
+				BuildSecrets:        []string{"FOO=bar", "BAZ=qux"},
 				CacheRepo:           "localhost:5000/cache",
 				GitURL:              "git@git.local/devcontainer.git",
 				RemoteRepoBuildMode: true,
@ -110,11 +120,14 @@ func Test_optionsFromDataModel(t *testing.T) {
 		{
 			name: "extra_env override warnings",
 			data: CachedImageResourceModel{
-				BuilderImage:         basetypes.NewStringValue("envbuilder:latest"),
-				CacheRepo:            basetypes.NewStringValue("localhost:5000/cache"),
-				GitURL:               basetypes.NewStringValue("git@git.local/devcontainer.git"),
-				BaseImageCacheDir:    basetypes.NewStringValue("/tmp/cache"),
-				BuildContextPath:     basetypes.NewStringValue("."),
+				BuilderImage:      basetypes.NewStringValue("envbuilder:latest"),
+				CacheRepo:         basetypes.NewStringValue("localhost:5000/cache"),
+				GitURL:            basetypes.NewStringValue("git@git.local/devcontainer.git"),
+				BaseImageCacheDir: basetypes.NewStringValue("/tmp/cache"),
+				BuildContextPath:  basetypes.NewStringValue("."),
+				BuildSecrets: basetypes.NewMapValueMust(basetypes.StringType{}, map[string]attr.Value{
+					"FOO": basetypes.NewStringValue("bar"),
+				}),
 				CacheTTLDays:         basetypes.NewInt64Value(7),
 				DevcontainerDir:      basetypes.NewStringValue(".devcontainer"),
 				DevcontainerJSONPath: basetypes.NewStringValue(".devcontainer/devcontainer.json"),
@ -136,6 +149,7 @@ func Test_optionsFromDataModel(t *testing.T) {
 				Verbose:              basetypes.NewBoolValue(true),
 				WorkspaceFolder:      basetypes.NewStringValue("workspace"),
 				ExtraEnv: extraEnvMap(t,
+					"ENVBUILDER_BUILD_SECRETS", "FOO=bar,BAZ=qux",
 					"ENVBUILDER_CACHE_REPO", "override",
 					"ENVBUILDER_GIT_URL", "override",
 					"ENVBUILDER_BASE_IMAGE_CACHE_DIR", "override",
@ -169,6 +183,7 @@ func Test_optionsFromDataModel(t *testing.T) {
 				// overridden
 				BaseImageCacheDir:    "override",
 				BuildContextPath:     "override",
+				BuildSecrets:         []string{"FOO=bar", "BAZ=qux"},
 				CacheTTLDays:         8,
 				DevcontainerDir:      "override",
 				DevcontainerJSONPath: "override",
@ -189,7 +204,7 @@ func Test_optionsFromDataModel(t *testing.T) {
 				Verbose:              false,
 				WorkspaceFolder:      "override",
 			},
-			expectNumWarningDiags: 23,
+			expectNumWarningDiags: 24,
 		},
 		{
 			name: "extra_env override errors",
@ -295,6 +310,7 @@ func Test_computeEnvFromOptions(t *testing.T) {
 				BaseImageCacheDir:    "string",
 				BinaryPath:           "string",
 				BuildContextPath:     "string",
+				BuildSecrets:         []string{"FOO=bar", "BAZ=qux"},
 				CacheRepo:            "string",
 				CacheTTLDays:         1,
 				CoderAgentSubsystem:  []string{"one", "two"},
@ -339,6 +355,7 @@ func Test_computeEnvFromOptions(t *testing.T) {
 				"ENVBUILDER_BASE_IMAGE_CACHE_DIR":     "string",
 				"ENVBUILDER_BINARY_PATH":              "string",
 				"ENVBUILDER_BUILD_CONTEXT_PATH":       "string",
+				"ENVBUILDER_BUILD_SECRETS":            "FOO=bar,BAZ=qux",
 				"ENVBUILDER_CACHE_REPO":               "string",
 				"ENVBUILDER_CACHE_TTL_DAYS":           "1",
 				"ENVBUILDER_DEVCONTAINER_DIR":         "string",