oci_tags resource (#75)

imjasonh · web-flow · commit dba8f3c657af · 2023-09-22T16:58:00.000-04:00
This adds a new `oci_tags` resource that's designed to be used to apply
multiple tags to multiple digests.

We do this today with `oci_tag` and a huge mess of `for_each`es, which
result in a huge explosion of resources, which at scale can cause TF to
get very slow since it marshals and unmarshals TF state each time a
resource is applied, and it serializes those state writes to be sure it
wrote them completely before proceeding.

With this resource, we can apply multiple tags in one resource, which
can massively reduce the number of resources in play at a time.

---------

Signed-off-by: Jason Hall &lt;jason@chainguard.dev&gt;
diff --git a/docs/resources/tags.md b/docs/resources/tags.md
@@ -0,0 +1,25 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "oci_tags Resource - terraform-provider-oci"
+subcategory: ""
+description: |-
+  Tag many digests with many tags.
+---
+
+# oci_tags (Resource)
+
+Tag many digests with many tags.
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `repo` (String) Repository for the tags.
+- `tags` (Map of String) Map of tag -> digest to apply.
+
+### Read-Only
+
+- `id` (String) The resulting fully-qualified image ref by digest (e.g. {repo}:tag@sha256:deadbeef).
diff --git a/internal/provider/provider.go b/internal/provider/provider.go
@@ -97,6 +97,7 @@ func (p *OCIProvider) Resources(ctx context.Context) []func() resource.Resource
 	return []func() resource.Resource{
 		NewAppendResource,
 		NewTagResource,
+		NewTagsResource,
 	}
 }
 
diff --git a/internal/provider/tag_resource_test.go b/internal/provider/tag_resource_test.go
@@ -40,7 +40,7 @@ func TestAccTagResource(t *testing.T) {
 	if err := remote.Write(ref2, img2); err != nil {
 		t.Fatalf("failed to write image: %v", err)
 	}
-	d2, err := img1.Digest()
+	d2, err := img2.Digest()
 	if err != nil {
 		t.Fatalf("failed to get digest: %v", err)
 	}
diff --git a/internal/provider/tags_resource.go b/internal/provider/tags_resource.go
@@ -0,0 +1,204 @@
+package provider
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/json"
+	"fmt"
+
+	"github.com/chainguard-dev/terraform-provider-oci/pkg/validators"
+	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+	"github.com/hashicorp/terraform-plugin-framework/path"
+	"github.com/hashicorp/terraform-plugin-framework/resource"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/mapplanmodifier"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
+	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+	"github.com/hashicorp/terraform-plugin-framework/types/basetypes"
+)
+
+var _ resource.Resource = &TagsResource{}
+var _ resource.ResourceWithImportState = &TagsResource{}
+
+func NewTagsResource() resource.Resource {
+	return &TagsResource{}
+}
+
+// TagsResource defines the resource implementation.
+type TagsResource struct {
+	popts ProviderOpts
+}
+
+// TagsResourceModel describes the resource data model.
+type TagsResourceModel struct {
+	Id types.String `tfsdk:"id"`
+
+	Repo string            `tfsdk:"repo"`
+	Tags map[string]string `tfsdk:"tags"` // tag -> digest
+}
+
+func (r *TagsResource) Metadata(ctx context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
+	resp.TypeName = req.ProviderTypeName + "_tags"
+}
+
+func (r *TagsResource) Schema(ctx context.Context, req resource.SchemaRequest, resp *resource.SchemaResponse) {
+	resp.Schema = schema.Schema{
+		MarkdownDescription: "Tag many digests with many tags.",
+		Attributes: map[string]schema.Attribute{
+			"repo": schema.StringAttribute{
+				MarkdownDescription: "Repository for the tags.",
+				Required:            true,
+				Validators:          []validator.String{validators.RepoValidator{}},
+				PlanModifiers:       []planmodifier.String{stringplanmodifier.RequiresReplace()},
+			},
+			"tags": schema.MapAttribute{
+				MarkdownDescription: "Map of tag -> digest to apply.",
+				Required:            true,
+				ElementType:         basetypes.StringType{},
+				// TODO: validator -- check that digests and tags are well formed.
+				PlanModifiers: []planmodifier.Map{mapplanmodifier.RequiresReplace()},
+			},
+
+			// TODO: any outputs?
+
+			"id": schema.StringAttribute{
+				Computed:            true,
+				MarkdownDescription: "The resulting fully-qualified image ref by digest (e.g. {repo}:tag@sha256:deadbeef).",
+				PlanModifiers:       []planmodifier.String{stringplanmodifier.UseStateForUnknown()},
+			},
+		},
+	}
+}
+
+func (r *TagsResource) Configure(ctx context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) {
+	// Prevent panic if the provider has not been configured.
+	if req.ProviderData == nil {
+		return
+	}
+
+	popts, ok := req.ProviderData.(*ProviderOpts)
+	if !ok || popts == nil {
+		resp.Diagnostics.AddError("Client Error", "invalid provider data")
+		return
+	}
+	r.popts = *popts
+}
+
+func (r *TagsResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
+	var data *TagsResourceModel
+	resp.Diagnostics.Append(req.Plan.Get(ctx, &data)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	digest, err := r.doTags(ctx, data)
+	if err != nil {
+		resp.Diagnostics.AddError("Tag Error", fmt.Sprintf("Error tagging image: %s", err.Error()))
+		return
+	}
+
+	data.Id = types.StringValue(digest)
+
+	// Save data into Terraform state
+	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
+}
+
+func (r *TagsResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
+	var data *TagsResourceModel
+	resp.Diagnostics.Append(req.State.Get(ctx, &data)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	// Don't actually tag, but check whether the digests are already tagged with all requested tags, so we get a useful diff.
+	// If the digests are already tagged with all requested tags, we'll set the ID to the correct output value.
+	// Otherwise, we'll set them to empty strings so that the create will run when applied.
+	// TODO: Can we get a better diff about what new updates will be applied?
+	if id, err := r.checkTags(ctx, data); err != nil {
+		data.Id = types.StringValue("")
+	} else {
+		data.Id = types.StringValue(id)
+	}
+
+	// Save updated data into Terraform state
+	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
+}
+
+func (r *TagsResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
+	var data *TagsResourceModel
+	resp.Diagnostics.Append(req.Plan.Get(ctx, &data)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	id, err := r.doTags(ctx, data)
+	if err != nil {
+		resp.Diagnostics.AddError("Tag Error", fmt.Sprintf("Error tagging images: %s", err.Error()))
+		return
+	}
+
+	data.Id = types.StringValue(id)
+
+	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
+}
+
+func (r *TagsResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
+	resp.Diagnostics.Append(req.State.Get(ctx, &TagsResourceModel{})...)
+}
+
+func (r *TagsResource) ImportState(ctx context.Context, req resource.ImportStateRequest, resp *resource.ImportStateResponse) {
+	resource.ImportStatePassthroughID(ctx, path.Root("id"), req, resp)
+}
+
+func (r *TagsResource) checkTags(ctx context.Context, data *TagsResourceModel) (string, error) {
+	repo, err := name.NewRepository(data.Repo)
+	if err != nil {
+		return "", fmt.Errorf("error parsing repo ref: %w", err)
+	}
+
+	for tag, digest := range data.Tags {
+		t := repo.Tag(tag)
+		desc, err := remote.Head(t, r.popts.withContext(ctx)...)
+		if err != nil {
+			return "", fmt.Errorf("error getting tag %q: %w", t, err)
+		}
+		if desc.Digest.String() != digest {
+			return "", fmt.Errorf("tag %q does not point to digest %q (got %q)", tag, digest, desc.Digest.String())
+		}
+	}
+	// ID is the SHA256 of the JSONified map.
+	b, err := json.Marshal(data.Tags)
+	if err != nil {
+		return "", fmt.Errorf("error marshaling tags: %w", err)
+	}
+	return fmt.Sprintf("%x", sha256.Sum256(b)), nil
+}
+
+func (r *TagsResource) doTags(ctx context.Context, data *TagsResourceModel) (string, error) {
+	repo, err := name.NewRepository(data.Repo)
+	if err != nil {
+		return "", fmt.Errorf("error parsing repo ref: %w", err)
+	}
+
+	for tag, digest := range data.Tags {
+		t := repo.Tag(tag)
+		d := repo.Digest(digest)
+		desc, err := remote.Get(d, r.popts.withContext(ctx)...)
+		if err != nil {
+			return "", fmt.Errorf("error getting digest %q: %w", digest, err)
+		}
+		if err := remote.Tag(t, desc, r.popts.withContext(ctx)...); err != nil {
+			return "", fmt.Errorf("error tagging %q with %q: %w", digest, tag, err)
+		}
+	}
+
+	// ID is the SHA256 of the JSONified map.
+	b, err := json.Marshal(data.Tags)
+	if err != nil {
+		return "", fmt.Errorf("error marshaling tags: %w", err)
+	}
+	return fmt.Sprintf("%x", sha256.Sum256(b)), nil
+}
diff --git a/internal/provider/tags_resource_test.go b/internal/provider/tags_resource_test.go
@@ -0,0 +1,123 @@
+package provider
+
+import (
+	"encoding/json"
+	"fmt"
+	"testing"
+
+	ocitesting "github.com/chainguard-dev/terraform-provider-oci/testing"
+	"github.com/google/go-containerregistry/pkg/name"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/random"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+)
+
+func TestAccTagsResource(t *testing.T) {
+	repo, cleanup := ocitesting.SetupRepository(t, "repo")
+	defer cleanup()
+
+	// Push an image to the local registry.
+	ref1 := repo.Tag("1")
+	img1, err := random.Image(1024, 1)
+	if err != nil {
+		t.Fatalf("failed to create image: %v", err)
+	}
+	if err := remote.Write(ref1, img1); err != nil {
+		t.Fatalf("failed to write image: %v", err)
+	}
+	d1, err := img1.Digest()
+	if err != nil {
+		t.Fatalf("failed to get digest: %v", err)
+	}
+	dig1 := ref1.Context().Digest(d1.String())
+	t.Logf("Using ref1: %s -> %s", ref1, dig1)
+
+	// Push another image to the local registry.
+	ref2 := repo.Tag("2")
+	img2, err := random.Image(1024, 1)
+	if err != nil {
+		t.Fatalf("failed to create image: %v", err)
+	}
+	if err := remote.Write(ref2, img2); err != nil {
+		t.Fatalf("failed to write image: %v", err)
+	}
+	d2, err := img2.Digest()
+	if err != nil {
+		t.Fatalf("failed to get digest: %v", err)
+	}
+	dig2 := ref2.Context().Digest(d2.String())
+	t.Logf("Using ref2: %s -> %s", ref2, dig2)
+
+	// Tag the digests with some tags.
+	marshal := func(a any) string {
+		b, err := json.MarshalIndent(a, "", "  ")
+		if err != nil {
+			t.Fatalf("failed to marshal: %v", err)
+		}
+		return string(b)
+	}
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { testAccPreCheck(t) },
+		ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
+		Steps: []resource.TestStep{{
+			Config: fmt.Sprintf(`resource "oci_tags" "test" {
+				repo = %q
+				tags = %s
+			}`, repo, marshal(map[string]v1.Hash{
+				"foo":   d1,
+				"bar":   d1,
+				"baz":   d1,
+				"hello": d2,
+				"world": d2,
+			})),
+		}},
+	})
+
+	// Check those tags were applied, and the original tags didn't change.
+	checkTags := func(want map[string][]string) {
+		for dig, tags := range want {
+			d, err := name.NewDigest(dig)
+			if err != nil {
+				t.Fatalf("error parsing digest ref: %v", err)
+			}
+			for _, tag := range tags {
+				got, err := remote.Head(repo.Tag(tag))
+				if err != nil {
+					t.Errorf("failed to get image with tag %q: %v", tag, err)
+				}
+				if got.Digest.String() != d.DigestStr() {
+					t.Errorf("image with tag %q has wrong digest: got %s, want %s", tag, got.Digest, d.DigestStr())
+				}
+			}
+		}
+	}
+	checkTags(map[string][]string{
+		dig1.String(): {"1", "foo", "bar", "baz"},
+		dig2.String(): {"2", "hello", "world"},
+	})
+
+	// Update some tags.
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { testAccPreCheck(t) },
+		ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
+		Steps: []resource.TestStep{{
+			Config: fmt.Sprintf(`resource "oci_tags" "test" {
+				repo = %q
+				tags = %s
+			}`, repo, marshal(map[string]v1.Hash{
+				// "foo" isn't specified, but this doesn't untag it.
+				"bar":     d1,
+				"baz":     d1,
+				"hello":   d1, // "hello" moved from 2 to 1.
+				"world":   d2,
+				"goodbye": d1, // new tag on 1.
+				"kevin":   d2, // new tag on 2.
+			})),
+		}},
+	})
+	checkTags(map[string][]string{
+		dig1.String(): {"1", "foo", "bar", "baz", "hello", "goodbye"},
+		dig2.String(): {"2", "world", "kevin"},
+	})
+}

Original file line number	Diff line number	Diff line change
`@@ -97,6 +97,7 @@ func (p *OCIProvider) Resources(ctx context.Context) []func() resource.Resource`
`97`	`97`	`return []func() resource.Resource{`
`98`	`98`	`NewAppendResource,`
`99`	`99`	`NewTagResource,`
	`100`	`+ NewTagsResource,`
`100`	`101`	`}`
`101`	`102`	`}`
`102`	`103`
Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ func TestAccTagResource(t *testing.T) {`
`40`	`40`	`if err := remote.Write(ref2, img2); err != nil {`
`41`	`41`	`t.Fatalf("failed to write image: %v", err)`
`42`	`42`	`}`
`43`		`- d2, err := img1.Digest()`
	`43`	`+ d2, err := img2.Digest()`
`44`	`44`	`if err != nil {`
`45`	`45`	`t.Fatalf("failed to get digest: %v", err)`
`46`	`46`	`}`