terraform-provider: init provider scaffolding

WORKSPACE.bazel

@@ -83,6 +83,11 @@ nixpkgs_package(
     repository = "@nixpkgs",
 )
 
+nixpkgs_package(
+    name = "terraform-plugin-docs",
+    repository = "@nixpkgs",
+)
+
 nixpkgs_package(
     name = "systemd",
     repository = "@nixpkgs",
@@ -216,6 +221,19 @@ load("@rules_pkg//:deps.bzl", "rules_pkg_dependencies")
 
 rules_pkg_dependencies()
 
+# Aspect Bazel Lib
+load("//bazel/toolchains:aspect_bazel_lib.bzl", "aspect_bazel_lib")
+
+aspect_bazel_lib()
+
+load("@aspect_bazel_lib//lib:repositories.bzl", "aspect_bazel_lib_dependencies", "aspect_bazel_lib_register_toolchains", "register_coreutils_toolchains", "register_yq_toolchains")
+
+aspect_bazel_lib_dependencies()
+
+aspect_bazel_lib_register_toolchains()
+
+register_coreutils_toolchains()
+
 # OCI rules
 load("//bazel/toolchains:oci_deps.bzl", "oci_deps")
 
@@ -232,7 +250,6 @@ oci_register_toolchains(
     crane_version = LATEST_CRANE_VERSION,
 )
 
-load("@aspect_bazel_lib//lib:repositories.bzl", "register_yq_toolchains")
 load("//bazel/toolchains:container_images.bzl", "containter_image_deps")
 
 containter_image_deps()

bazel/ci/BUILD.bazel

@@ -439,6 +439,20 @@ sh_template(
     template = "cli_docgen.sh.in",
 )
 
+sh_template(
+    name = "terraform_docgen",
+    data = [
+        ":com_github_hashicorp_terraform",
+        "//terraform-provider-constellation:tf_provider",
+        "@terraform-plugin-docs//:bin/tfplugindocs",
+    ],
+    substitutions = {
+        "@@TERRAFORM@@": "$(rootpath :com_github_hashicorp_terraform)",
+        "@@TFPLUGINDOCS@@": "$(rootpath @terraform-plugin-docs//:bin/tfplugindocs)",
+    },
+    template = "terraform_docgen.sh.in",
+)
+
 alias(
     name = "com_github_katexochen_ghh",
     actual = select({
@@ -537,6 +551,7 @@ multirun(
         ":go_generate",
         ":proto_generate",
         ":cli_docgen",
+        ":terraform_docgen",
     ],
     jobs = 0,  # execute concurrently
     visibility = ["//visibility:public"],

bazel/ci/terraform.sh.in

@@ -24,62 +24,96 @@ readarray -t <<< "$(
     sort -ud
 )"
 terraformPaths=("${MAPFILE[@]}")
-terraformModules=()
+terraformFormatModules=()
+terraformLockModules=()
+terraformCheckModules=()
 pathPrefix="${terraformPaths[0]}"
 for ((i = 1; i < ${#terraformPaths[@]}; i++)); do
   path="${terraformPaths[i]}"
   if [[ ${path} == "${pathPrefix}"* ]]; then
     continue
   fi
-  terraformModules+=("${pathPrefix}")
+  terraformFormatModules+=("${pathPrefix}")
+  terraformLockModules+=("${pathPrefix}")
+  terraformCheckModules+=("${pathPrefix}")
   pathPrefix="${path}"
 done
 
 excludeDirs=(
   "build"
 )
 
+excludeLockDirs=(
+  "build"
+  "terraform-provider-constellation"
+)
+
+excludeCheckDirs=(
+  "build"
+  "terraform-provider-constellation"
+)
+
 check() {
-  echo "The following Terraform modules are excluded and won't be tidied:"
+  echo "The following Terraform modules are excluded and won't be formatted:"
   for exclude in "${excludeDirs[@]}"; do
-    for i in "${!terraformModules[@]}"; do
-      if [[ ${terraformModules[i]} == "${BUILD_WORKSPACE_DIRECTORY}/${exclude}"* ]]; then
-        echo "  ${terraformModules[i]}"
-        unset 'terraformModules[i]'
+    for i in "${!terraformFormatModules[@]}"; do
+      if [[ ${terraformFormatModules[i]} == "${BUILD_WORKSPACE_DIRECTORY}/${exclude}"* ]]; then
+        echo "  ${terraformFormatModules[i]}"
+        unset 'terraformFormatModules[i]'
+      fi
+    done
+  done
+
+  echo "The following Terraform modules are excluded and their lockfiles won't be updated:"
+  for exclude in "${excludeLockDirs[@]}"; do
+    for i in "${!terraformLockModules[@]}"; do
+      if [[ ${terraformLockModules[i]} == "${BUILD_WORKSPACE_DIRECTORY}/${exclude}"* ]]; then
+        echo "  ${terraformLockModules[i]}"
+        unset 'terraformLockModules[i]'
+      fi
+    done
+  done
+
+  echo "The following Terraform modules are excluded and won't be checked:"
+  for exclude in "${excludeCheckDirs[@]}"; do
+    for i in "${!terraformCheckModules[@]}"; do
+      if [[ ${terraformCheckModules[i]} == "${BUILD_WORKSPACE_DIRECTORY}/${exclude}"* ]]; then
+        echo "  ${terraformCheckModules[i]}"
+        unset 'terraformCheckModules[i]'
       fi
     done
   done
 
   case ${mode} in
   "check")
     echo "Checking validity and format of the following Terraform modules:"
-    for script in "${terraformModules[@]}"; do
+    for script in "${terraformCheckModules[@]}"; do
       echo "  ${script}"
     done
     echo "This may take a minute..."
-    for module in "${terraformModules[@]}"; do
+    for module in "${terraformCheckModules[@]}"; do
       ${terraform} -chdir="${module}" init > /dev/null
-      ${terraform} -chdir="${module}" fmt -check -recursive > /dev/null
+      ${terraform} -chdir="${module}" fmt -recursive > /dev/null
       ${terraform} -chdir="${module}" validate > /dev/null
       rm -rf "${module}/.terraform"
     done
     ;;
 
   "format")
     echo "Formatting the following Terraform modules:"
-    for module in "${terraformModules[@]}"; do
+    for module in "${terraformFormatModules[@]}"; do
       echo "  ${module}"
       ${terraform} -chdir="${module}" fmt -recursive > /dev/null
     done
     ;;
 
   "generate")
-    echo "Formatting and generating lock files for the following Terraform modules:"
-    for script in "${terraformModules[@]}"; do
+    echo "Generating lock files for the following Terraform modules:"
+    for script in "${terraformLockModules[@]}"; do
       echo "  ${script}"
     done
     echo "This may take 5-10 min..."
-    for module in "${terraformModules[@]}"; do
+    for module in "${terraformLockModules[@]}"; do
       ${terraform} -chdir="${module}" init > /dev/null
       ${terraform} -chdir="${module}" providers lock -platform=linux_arm64 > /dev/null
       ${terraform} -chdir="${module}" providers lock -platform=linux_amd64 > /dev/null

bazel/ci/terraform_docgen.sh.in

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+###### script header ######
+
+lib=$(realpath @@BASE_LIB@@) || exit 1
+stat "${lib}" >> /dev/null || exit 1
+
+# shellcheck source=../sh/lib.bash
+if ! source "${lib}"; then
+  echo "Error: could not find import"
+  exit 1
+fi
+
+terraform=$(realpath @@TERRAFORM@@)
+stat "${terraform}" >> /dev/null
+tfplugindocs=$(realpath @@TFPLUGINDOCS@@)
+stat "${tfplugindocs}" >> /dev/null
+
+cd "${BUILD_WORKSPACE_DIRECTORY}"
+
+###### script body ######
+
+TERRAFORM_PROVIDER_DIR="terraform-provider-constellation"
+
+# Use hermetic Terraform binary.
+PATH="$(dirname "${terraform}"):$PATH"
+export PATH
+echo Using terraform at "$(command -v terraform)"
+
+# TODO(msanft): Pin TF version or use built provider to generate schema and feed in here.
+${tfplugindocs} generate \
+  --provider-dir ${TERRAFORM_PROVIDER_DIR} \
+  --provider-name constellation \
+  --rendered-provider-name Constellation

bazel/devbuild/BUILD.bazel

@@ -9,6 +9,8 @@ sh_template(
         "//bootstrapper/cmd/bootstrapper:bootstrapper_linux_amd64",
         "//cli:cli_edition_host",
         "//debugd/cmd/cdbg:cdbg_host",
+        "//terraform-provider-constellation:terraform_rc",
+        "//terraform-provider-constellation:tf_provider",
         "//upgrade-agent/cmd:upgrade_agent_linux_amd64",
         "@yq_toolchains//:resolved_toolchain",
     ],
@@ -18,6 +20,8 @@ sh_template(
         "@@CLI@@": "$(rootpath //cli:cli_edition_host)",
         "@@CONTAINER_SUMS@@": "$(rootpath //bazel/release:container_sums)",
         "@@EDITION@@": "$(rootpath :devbuild_cli_edition)",
+        "@@TERRAFORM_PROVIDER@@": "$(rootpath //terraform-provider-constellation:tf_provider)",
+        "@@TERRAFORM_RC@@": "$(rootpath //terraform-provider-constellation:terraform_rc)",
         "@@UPGRADE_AGENT@@": "$(rootpath //upgrade-agent/cmd:upgrade_agent_linux_amd64)",
         "@@YQ@@": "$(rootpath @yq_toolchains//:resolved_toolchain)",
     },

bazel/devbuild/prepare_developer_workspace.sh.in

@@ -27,6 +27,10 @@ stat "${cdbg}" >> /dev/null
 container_sums=$(realpath @@CONTAINER_SUMS@@)
 stat "${container_sums}" >> /dev/null
 edition=$(cat @@EDITION@@)
+terraform_provider=$(realpath @@TERRAFORM_PROVIDER@@)
+stat "${terraform_provider}" >> /dev/null
+terraform_rc=$(realpath @@TERRAFORM_RC@@)
+stat "${terraform_rc}" >> /dev/null
 
 cd "${BUILD_WORKING_DIRECTORY}"
 
@@ -62,6 +66,12 @@ ln -sf "$(replace_prefix "${host_cache}" "${builder_cache}" "${cdbg}")" "${workd
 ln -sf "$(replace_prefix "${host_cache}" "${builder_cache}" "${container_sums}")" "${workdir}/container_sums.sha256"
 ln -sf "$(replace_prefix "${host_cache}" "${builder_cache}" "${cli}")" "${workdir}/constellation"
 
+TF_PROVIDER_DIR="${workdir}/terraform"
+mkdir -p "${TF_PROVIDER_DIR}"
+ln -sf "$(replace_prefix "${host_cache}" "${builder_cache}" "${terraform_provider}")" "${TF_PROVIDER_DIR}/terraform-provider-constellation"
+cp "$(replace_prefix "${host_cache}" "${builder_cache}" "${terraform_rc}")" "${TF_PROVIDER_DIR}/config.tfrc"
+sed -i "s|@@TERRAFORM_PROVIDER_PATH@@|${terraform_provider}|g" "${TF_PROVIDER_DIR}/config.tfrc"
+
 build_version=$("${cli}" version | grep ^Version: | awk '{print $2}')
 if [[ ! -f "${workdir}/constellation-conf.yaml" ]]; then
   echo "constellation-conf.yaml not present in workspace"

bazel/settings/BUILD.bazel

@@ -80,6 +80,6 @@ config_setting(
 stamp_tags(
     # generates a container image version tag based on the version stamp
     name = "tag",
-    repotags = [""""v"+($stamp.STABLE_STAMP_VERSION // "0.0.0")"""],
+    repotags = [""""v"+($stamp[0].STABLE_STAMP_VERSION // "0.0.0")"""],
     visibility = ["//visibility:public"],
 )

bazel/toolchains/aspect_bazel_lib.bzl

@@ -0,0 +1,15 @@
+"""aspect bazel library"""
+
+load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
+
+def aspect_bazel_lib():
+    http_archive(
+        name = "aspect_bazel_lib",
+        sha256 = "4b32cf6feab38b887941db022020eea5a49b848e11e3d6d4d18433594951717a",
+        strip_prefix = "bazel-lib-2.0.1",
+        urls = [
+            "https://cdn.confidential.cloud/constellation/cas/sha256/4b32cf6feab38b887941db022020eea5a49b848e11e3d6d4d18433594951717a",
+            "https://github.com/aspect-build/bazel-lib/releases/download/v2.0.1/bazel-lib-v2.0.1.tar.gz",
+        ],
+        type = "tar.gz",
+    )