terraform-provider-envbuilder/internal/provider/helpers.go
Sas Swart 82c856094e
feat: add build secrets option ()
* feat: add build secrets option

* make gen and fix tests
2025-01-16 11:39:38 +02:00

282 lines
9 KiB
Go

package provider
import (
"fmt"
"slices"
"strings"
eboptions "github.com/coder/envbuilder/options"
"github.com/coder/serpent"
"github.com/coder/terraform-provider-envbuilder/internal/tfutil"
"github.com/hashicorp/terraform-plugin-framework/diag"
"github.com/hashicorp/terraform-plugin-framework/path"
"github.com/spf13/pflag"
)
const (
envbuilderOptionPrefix = "ENVBUILDER_"
)
// nonOverrideOptions are options that cannot be overridden by extra_env.
var nonOverrideOptions = map[string]bool{
"ENVBUILDER_CACHE_REPO": true,
"ENVBUILDER_GIT_URL": true,
}
// optionsFromDataModel converts a CachedImageResourceModel into a corresponding set of
// Envbuilder options. It returns the options and any diagnostics encountered.
func optionsFromDataModel(data CachedImageResourceModel) (eboptions.Options, diag.Diagnostics) {
var diags diag.Diagnostics
var opts eboptions.Options
// Required options. Cannot be overridden by extra_env.
opts.CacheRepo = data.CacheRepo.ValueString()
opts.GitURL = data.GitURL.ValueString()
// Other options can be overridden by extra_env, with a warning.
// Keep track of which options are set from the data model so we
// can check if they are being overridden.
providerOpts := make(map[string]bool)
if !data.BaseImageCacheDir.IsNull() {
providerOpts["ENVBUILDER_BASE_IMAGE_CACHE_DIR"] = true
opts.BaseImageCacheDir = data.BaseImageCacheDir.ValueString()
}
if !data.BuildContextPath.IsNull() {
providerOpts["ENVBUILDER_BUILD_CONTEXT_PATH"] = true
opts.BuildContextPath = data.BuildContextPath.ValueString()
}
if !data.BuildSecrets.IsNull() {
providerOpts["ENVBUILDER_BUILD_SECRETS"] = true
// Depending on use case, users might want to provide build secrets as a map or a list of strings.
// The string list option is supported by extra_env, so we support the map option here. Envbuilder
// expects a list of strings, so we convert the map to a list of strings here.
buildSecretMap := tfutil.TFMapToStringMap(data.BuildSecrets)
buildSecretSlice := make([]string, 0, len(buildSecretMap))
for k, v := range buildSecretMap {
buildSecretSlice = append(buildSecretSlice, fmt.Sprintf("%s=%s", k, v))
}
slices.Sort(buildSecretSlice)
opts.BuildSecrets = buildSecretSlice
}
if !data.CacheTTLDays.IsNull() {
providerOpts["ENVBUILDER_CACHE_TTL_DAYS"] = true
opts.CacheTTLDays = data.CacheTTLDays.ValueInt64()
}
if !data.DevcontainerDir.IsNull() {
providerOpts["ENVBUILDER_DEVCONTAINER_DIR"] = true
opts.DevcontainerDir = data.DevcontainerDir.ValueString()
}
if !data.DevcontainerJSONPath.IsNull() {
providerOpts["ENVBUILDER_DEVCONTAINER_JSON_PATH"] = true
opts.DevcontainerJSONPath = data.DevcontainerJSONPath.ValueString()
}
if !data.DockerfilePath.IsNull() {
providerOpts["ENVBUILDER_DOCKERFILE_PATH"] = true
opts.DockerfilePath = data.DockerfilePath.ValueString()
}
if !data.DockerConfigBase64.IsNull() {
providerOpts["ENVBUILDER_DOCKER_CONFIG_BASE64"] = true
opts.DockerConfigBase64 = data.DockerConfigBase64.ValueString()
}
if !data.ExitOnBuildFailure.IsNull() {
providerOpts["ENVBUILDER_EXIT_ON_BUILD_FAILURE"] = true
opts.ExitOnBuildFailure = data.ExitOnBuildFailure.ValueBool()
}
if !data.FallbackImage.IsNull() {
providerOpts["ENVBUILDER_FALLBACK_IMAGE"] = true
opts.FallbackImage = data.FallbackImage.ValueString()
}
if !data.GitCloneDepth.IsNull() {
providerOpts["ENVBUILDER_GIT_CLONE_DEPTH"] = true
opts.GitCloneDepth = data.GitCloneDepth.ValueInt64()
}
if !data.GitCloneSingleBranch.IsNull() {
providerOpts["ENVBUILDER_GIT_CLONE_SINGLE_BRANCH"] = true
opts.GitCloneSingleBranch = data.GitCloneSingleBranch.ValueBool()
}
if !data.GitHTTPProxyURL.IsNull() {
providerOpts["ENVBUILDER_GIT_HTTP_PROXY_URL"] = true
opts.GitHTTPProxyURL = data.GitHTTPProxyURL.ValueString()
}
if !data.GitSSHPrivateKeyPath.IsNull() {
providerOpts["ENVBUILDER_GIT_SSH_PRIVATE_KEY_PATH"] = true
opts.GitSSHPrivateKeyPath = data.GitSSHPrivateKeyPath.ValueString()
}
if !data.GitSSHPrivateKeyBase64.IsNull() {
providerOpts["ENVBUILDER_GIT_SSH_PRIVATE_KEY_BASE64"] = true
opts.GitSSHPrivateKeyBase64 = data.GitSSHPrivateKeyBase64.ValueString()
}
if !data.GitUsername.IsNull() {
providerOpts["ENVBUILDER_GIT_USERNAME"] = true
opts.GitUsername = data.GitUsername.ValueString()
}
if !data.GitPassword.IsNull() {
providerOpts["ENVBUILDER_GIT_PASSWORD"] = true
opts.GitPassword = data.GitPassword.ValueString()
}
if !data.IgnorePaths.IsNull() {
providerOpts["ENVBUILDER_IGNORE_PATHS"] = true
opts.IgnorePaths = tfutil.TFListToStringSlice(data.IgnorePaths)
}
if !data.Insecure.IsNull() {
providerOpts["ENVBUILDER_INSECURE"] = true
opts.Insecure = data.Insecure.ValueBool()
}
if data.RemoteRepoBuildMode.IsNull() {
opts.RemoteRepoBuildMode = true
} else {
providerOpts["ENVBUILDER_REMOTE_REPO_BUILD_MODE"] = true
opts.RemoteRepoBuildMode = data.RemoteRepoBuildMode.ValueBool()
}
if !data.SSLCertBase64.IsNull() {
providerOpts["ENVBUILDER_SSL_CERT_BASE64"] = true
opts.SSLCertBase64 = data.SSLCertBase64.ValueString()
}
if !data.Verbose.IsNull() {
providerOpts["ENVBUILDER_VERBOSE"] = true
opts.Verbose = data.Verbose.ValueBool()
}
if !data.WorkspaceFolder.IsNull() {
providerOpts["ENVBUILDER_WORKSPACE_FOLDER"] = true
opts.WorkspaceFolder = data.WorkspaceFolder.ValueString()
}
// convert extraEnv to a map for ease of use.
extraEnv := make(map[string]string)
for k, v := range data.ExtraEnv.Elements() {
extraEnv[k] = tfutil.TFValueToString(v)
}
diags = append(diags, overrideOptionsFromExtraEnv(&opts, extraEnv, providerOpts)...)
if opts.GitSSHPrivateKeyPath != "" && opts.GitSSHPrivateKeyBase64 != "" {
diags.AddError("Cannot set more than one git ssh private key option",
"Both ENVBUILDER_GIT_SSH_PRIVATE_KEY_PATH and ENVBUILDER_GIT_SSH_PRIVATE_KEY_BASE64 have been set.")
}
return opts, diags
}
// overrideOptionsFromExtraEnv overrides the options in opts with values from extraEnv.
// It returns any diagnostics encountered.
// It will not override certain options, such as ENVBUILDER_CACHE_REPO and ENVBUILDER_GIT_URL.
func overrideOptionsFromExtraEnv(opts *eboptions.Options, extraEnv map[string]string, providerOpts map[string]bool) diag.Diagnostics {
var diags diag.Diagnostics
// Make a map of the options for easy lookup.
optsMap := make(map[string]pflag.Value)
for _, opt := range opts.CLI() {
optsMap[opt.Env] = opt.Value
}
for key, val := range extraEnv {
opt, found := optsMap[key]
if !found {
// ignore unknown keys
continue
}
if nonOverrideOptions[key] {
diags.AddAttributeWarning(path.Root("extra_env"),
"Cannot override required environment variable",
fmt.Sprintf("The key %q in extra_env cannot be overridden.", key),
)
continue
}
// Check if the option was set on the provider data model and generate a warning if so.
if providerOpts[key] {
diags.AddAttributeWarning(path.Root("extra_env"),
"Overriding provider environment variable",
fmt.Sprintf("The key %q in extra_env overrides an option set on the provider.", key),
)
}
// XXX: workaround for serpent behaviour where calling Set() on a
// string slice will append instead of replace: set to empty first.
if _, ok := optsMap[key].(*serpent.StringArray); ok {
_ = optsMap[key].Set("")
}
if err := opt.Set(val); err != nil {
diags.AddAttributeError(path.Root("extra_env"),
"Invalid value for environment variable",
fmt.Sprintf("The key %q in extra_env has an invalid value: %s", key, err),
)
}
}
return diags
}
// computeEnvFromOptions computes the environment variables to set based on the
// options in opts and the extra environment variables in extraEnv.
// It returns the computed environment variables as a map.
// It will not set certain options, such as ENVBUILDER_CACHE_REPO and ENVBUILDER_GIT_URL.
// It will also not handle legacy Envbuilder options (i.e. those not prefixed with ENVBUILDER_).
func computeEnvFromOptions(opts eboptions.Options, extraEnv map[string]string) map[string]string {
for _, opt := range opts.CLI() {
if opt.Env == "" {
continue
}
}
computed := make(map[string]string)
for _, opt := range opts.CLI() {
if opt.Env == "" {
continue
}
// TODO: remove this check once support for legacy options is removed.
// Only set the environment variables from opts that are not legacy options.
// Legacy options are those that are not prefixed with ENVBUILDER_.
// While we can detect when a legacy option is set, overriding it becomes
// problematic. Erring on the side of caution, we will not override legacy options.
if !strings.HasPrefix(opt.Env, envbuilderOptionPrefix) {
continue
}
var val string
if sa, ok := opt.Value.(*serpent.StringArray); ok {
val = strings.Join(sa.GetSlice(), ",")
} else {
val = opt.Value.String()
}
switch val {
case "", "false", "0":
// Skip zero values.
continue
}
computed[opt.Env] = val
}
// Merge in extraEnv, which may override values from opts.
// Skip any keys that are envbuilder options.
for key, val := range extraEnv {
if strings.HasPrefix(key, envbuilderOptionPrefix) {
continue
}
computed[key] = val
}
return computed
}