terraform-provider: add image datasource (#2642)

* terraform-provider: init Signed-off-by: Moritz Sanft <[email protected]> * terraform-provider: add basic docgen Signed-off-by: Moritz Sanft <[email protected]> * terraform-provider: fix build steps Signed-off-by: Moritz Sanft <[email protected]> * terraform-provider: extend build process and docgen Signed-off-by: Moritz Sanft <[email protected]> * dev-docs: document provider usage Signed-off-by: Moritz Sanft <[email protected]> * bazel: upload aspect lib mirror Signed-off-by: Moritz Sanft <[email protected]> * terraform-provider: don't try to create lockfiles Signed-off-by: Moritz Sanft <[email protected]> * bazel: fix shellcheck issues * bazel: separate paths to check * terraform-provider: clean up old files * terraform-provider: update provider resource * terraform-provider: add image data source * dev-docs: remove unnecessary init * bazel: adhere to Terraform naming expectations * terraform-provider: fix expected data type * terraform-provider: generate docs * terraform-provider: improve errors * terraform-provider: add acceptance tests for data source * terraform-provider: fix dependencies * bazel: quote var reference * terraform-provider: make region optional * terraform-provider: bind imagefetcher to data source * bazel: tidy * terraform-provider: remove unused parameter * terraform-provider: remove unused parameter * terraform-provider: extend acceptance tests * terraform-provider: allow tests to be ran without Bazel * dev-docs: document testing * terraform-provider: set binary path accordingly * dev-docs: document docgen process for the provider * bazel: run acceptance test in writable environment * bazel: try to write to `$TMPDIR` * terraform-provider: style nits * terraform-provider: leave TODO * bazel: tidy * terraform-provider: regenerate docs * terraform-provider: fix comment --------- Signed-off-by: Moritz Sanft <[email protected]>
edgelesssys · Nov 27, 2023 · 34bf3ad · 34bf3ad
1 parent 42f0aa8
commit 34bf3ad
Show file tree

Hide file tree

Showing 26 changed files with 1,411 additions and 313 deletions.
diff --git a/bazel/ci/BUILD.bazel b/bazel/ci/BUILD.bazel
@@ -193,6 +193,7 @@ alias(
         "@io_bazel_rules_go//go/platform:linux_amd64": "@com_github_hashicorp_terraform_linux_amd64//:terraform",
         "@io_bazel_rules_go//go/platform:linux_arm64": "@com_github_hashicorp_terraform_linux_arm64//:terraform",
     }),
+    visibility = ["//visibility:public"],
 )
 
 sh_template(

diff --git a/bazel/ci/terraform.sh.in b/bazel/ci/terraform.sh.in
@@ -84,6 +84,26 @@ check() {
     done
   done
 
+  echo "The following Terraform modules are excluded and won't be locked:"
+  for exclude in "${excludeLockDirs[@]}"; do
+    for i in "${!terraformLockModules[@]}"; do
+      if [[ ${terraformLockModules[i]} == "${BUILD_WORKSPACE_DIRECTORY}/${exclude}"* ]]; then
+        echo "  ${terraformLockModules[i]}"
+        unset 'terraformLockModules[i]'
+      fi
+    done
+  done
+
+  echo "The following Terraform modules are excluded and won't be checked:"
+  for exclude in "${excludeCheckDirs[@]}"; do
+    for i in "${!terraformCheckModules[@]}"; do
+      if [[ ${terraformCheckModules[i]} == "${BUILD_WORKSPACE_DIRECTORY}/${exclude}"* ]]; then
+        echo "  ${terraformCheckModules[i]}"
+        unset 'terraformCheckModules[i]'
+      fi
+    done
+  done
+
   case ${mode} in
   "check")
     echo "Checking validity and format of the following Terraform modules:"

diff --git a/bazel/ci/terraform_docgen.sh.in b/bazel/ci/terraform_docgen.sh.in
@@ -27,6 +27,11 @@ PATH="$(dirname "${terraform}"):$PATH"
 export PATH
 echo Using terraform at "$(command -v terraform)"
 
+# Use hermetic Terraform binary.
+PATH="$(dirname "${terraform}"):$PATH"
+export PATH
+echo Using terraform at "$(command -v terraform)"
+
 # TODO(msanft): Pin TF version or use built provider to generate schema and feed in here.
 ${tfplugindocs} generate \
   --provider-dir ${TERRAFORM_PROVIDER_DIR} \

diff --git a/bazel/devbuild/prepare_developer_workspace.sh.in b/bazel/devbuild/prepare_developer_workspace.sh.in
@@ -70,7 +70,7 @@ TF_PROVIDER_DIR="${workdir}/terraform"
 mkdir -p "${TF_PROVIDER_DIR}"
 ln -sf "$(replace_prefix "${host_cache}" "${builder_cache}" "${terraform_provider}")" "${TF_PROVIDER_DIR}/terraform-provider-constellation"
 cp "$(replace_prefix "${host_cache}" "${builder_cache}" "${terraform_rc}")" "${TF_PROVIDER_DIR}/config.tfrc"
-sed -i "s|@@TERRAFORM_PROVIDER_PATH@@|${terraform_provider}|g" "${TF_PROVIDER_DIR}/config.tfrc"
+sed -i "s|@@TERRAFORM_PROVIDER_PATH@@|$(dirname "${terraform_provider}")|g" "${TF_PROVIDER_DIR}/config.tfrc"
 
 build_version=$("${cli}" version | grep ^Version: | awk '{print $2}')
 if [[ ! -f "${workdir}/constellation-conf.yaml" ]]; then

diff --git a/bazel/toolchains/go_module_deps.bzl b/bazel/toolchains/go_module_deps.bzl
@@ -215,14 +215,6 @@ def go_dependencies():
         sum = "h1:ZSTrOEhiM5J5RFxEaFvMZVEAM1KvT1YzbEOwB2EAGjA=",
         version = "v0.0.0-20180507223929-23540a00eaa3",
     )
-    go_repository(
-        name = "com_github_apparentlymart_go_textseg",
-        build_file_generation = "on",
-        build_file_proto_mode = "disable_global",
-        importpath = "github.com/apparentlymart/go-textseg",
-        sum = "h1:rRmlIsPEEhUTIKQb7T++Nz/A5Q6C9IuX2wFoYVvnCs0=",
-        version = "v1.0.0",
-    )
     go_repository(
         name = "com_github_apparentlymart_go_textseg_v12",
         build_file_generation = "on",
@@ -732,8 +724,8 @@ def go_dependencies():
         build_file_generation = "on",
         build_file_proto_mode = "disable_global",
         importpath = "github.com/bazelbuild/rules_go",
-        sum = "h1:aY2smc3JWyUKOjGYmOKVLX70fPK9ON0rtwQojuIeUHc=",
-        version = "v0.42.0",
+        sum = "h1:Q+vDhH4yzafZ0xHBT0JEVawb+1nDHUXhjvWTqSGCCyU=",
+        version = "v0.43.0",
     )
     go_repository(
         name = "com_github_beeker1121_goque",
@@ -2847,6 +2839,14 @@ def go_dependencies():
         sum = "h1:P7a7VP1GZbjc4rv921Xy5OckzhoiO3ig6SGxwelD2sI=",
         version = "v1.4.2",
     )
+    go_repository(
+        name = "com_github_hashicorp_terraform_plugin_framework_validators",
+        build_file_generation = "on",
+        build_file_proto_mode = "disable_global",
+        importpath = "github.com/hashicorp/terraform-plugin-framework-validators",
+        sum = "h1:HOjBuMbOEzl7snOdOoUfE2Jgeto6JOjLVQ39Ls2nksc=",
+        version = "v0.12.0",
+    )
     go_repository(
         name = "com_github_hashicorp_terraform_plugin_go",
         build_file_generation = "on",

diff --git a/dev-docs/workflows/terraform-provider.md b/dev-docs/workflows/terraform-provider.md
@@ -11,6 +11,14 @@ with the provider binary and some utility files in the current working directory
 bazel build //terraform-provider-constellation:tf_provider
 ```
 
+Documentation for the provider can be generated with:
+
+```bash
+bazel run //:generate
+# or
+bazel run //bazel/ci:terraform_docgen
+```
+
 ## Using the Terraform Provider
 
 The Terraform provider binary can be used with the normal Terraform CLI, by setting a [development override](https://developer.hashicorp.com/terraform/cli/config/config-file#development-overrides-for-provider-developers),
@@ -26,7 +34,16 @@ sed -i "s|@@TERRAFORM_PROVIDER_PATH@@|$(realpath bazel-bin/terraform-provider-co
 Afterwards, all Terraform commands that should use the local provider build should be prefixed with `TF_CLI_CONFIG_FILE=config.tfrc` like so:
 
 ```bash
-TF_CLI_CONFIG_FILE=config.tfrc terraform init
 TF_CLI_CONFIG_FILE=config.tfrc terraform apply
 ...
 ```
+
+## Testing the Terraform Provider
+
+Terraform acceptance tests can be run hermetically through Bazel (recommended):
+
+```bash
+bazel test //terraform-provider-constellation/internal/provider:provider_acc_test
+```
+
+The tests can also be run through Go, but the `TF_ACC` environment variable needs to be set to `1`, and the host's Terraform binary is used, which may produce inaccurate test results.
diff --git a/terraform-provider-constellation/BUILD.bazel b/terraform-provider-constellation/BUILD.bazel
@@ -4,6 +4,7 @@ load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
 # keep
 go_binary(
     name = "tf_provider",
+    out = "terraform-provider-constellation",  # for complying with Terraform provider naming convention
     embed = [":terraform-provider-constellation_lib"],
     pure = "on",
     visibility = ["//visibility:public"],

diff --git a/terraform-provider-constellation/docs/data-sources/example.md b/terraform-provider-constellation/docs/data-sources/example.md
diff --git a/terraform-provider-constellation/docs/data-sources/image.md b/terraform-provider-constellation/docs/data-sources/image.md
@@ -0,0 +1,46 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "constellation_image Data Source - constellation"
+subcategory: ""
+description: |-
+  Data source to retrieve the Constellation OS image reference for a given CSP and Attestation Variant.
+---
+
+# constellation_image (Data Source)
+
+Data source to retrieve the Constellation OS image reference for a given CSP and Attestation Variant.
+
+## Example Usage
+
+```terraform
+data "constellation_image" "example" {
+  image_version       = "v2.13.0"
+  attestation_variant = "aws-sev-snp"
+  csp                 = "aws"
+  region              = "eu-west-1"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `attestation_variant` (String) Attestation variant the image should work with. Can be one of:
+  * `aws-sev-snp`
+  * `aws-nitro-tpm`
+  * `azure-sev-snp`
+  * `gcp-sev-es`
+- `csp` (String) CSP (Cloud Service Provider) to use. (e.g. `azure`)
+See the [full list of CSPs](https://docs.edgeless.systems/constellation/overview/clouds) that Constellation supports.
+- `image_version` (String) Version of the Constellation OS image to use. (e.g. `v2.13.0`)
+
+### Optional
+
+- `region` (String) Region to retrieve the image for. Only required for AWS.
+The Constellation OS image must be [replicated to the region](https://docs.edgeless.systems/constellation/workflows/config),and the region must [support AMD SEV-SNP](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snp-requirements.html), if it is used for Attestation.
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+- `reference` (String) CSP-specific reference to the image.
diff --git a/terraform-provider-constellation/docs/index.md b/terraform-provider-constellation/docs/index.md
@@ -3,12 +3,12 @@
 page_title: "constellation Provider"
 subcategory: ""
 description: |-
-  
+  The Constellation provider manages Constellation clusters.
 ---
 
 # constellation Provider
 
-
+The Constellation provider manages Constellation clusters.
 
 ## Example Usage
 
@@ -21,14 +21,8 @@ terraform {
   }
 }
 
-provider "constellation" {
-  example_value = "test"
-}
+provider "constellation" {}
 ```
 
 <!-- schema generated by tfplugindocs -->
 ## Schema
-
-### Optional
-
-- `example_value` (String) Example provider attribute
diff --git a/terraform-provider-constellation/examples/data-sources/constellation_image/data-source.tf b/terraform-provider-constellation/examples/data-sources/constellation_image/data-source.tf
@@ -0,0 +1,6 @@
+data "constellation_image" "example" {
+  image_version       = "v2.13.0"
+  attestation_variant = "aws-sev-snp"
+  csp                 = "aws"
+  region              = "eu-west-1"
+}
diff --git a/terraform-provider-constellation/examples/data-sources/scaffolding_example/data-source.tf b/terraform-provider-constellation/examples/data-sources/scaffolding_example/data-source.tf
diff --git a/terraform-provider-constellation/examples/provider/provider.tf b/terraform-provider-constellation/examples/provider/provider.tf
@@ -6,6 +6,4 @@ terraform {
   }
 }
 
-provider "constellation" {
-  example_value = "test"
-}
+provider "constellation" {}