Merge pull request #5679 from 1000hz/add-file-handling

workers_script: support `content_file` and `content_sha256` attribute pair as alternative to `content`

Author: vaishakdinesh

docs/resources/workers_script.md

@@ -28,10 +28,10 @@ resource "cloudflare_workers_script" "example_workers_script" {
     name = "MY_ENV_VAR"
     type = "plain_text"
   }]
-  body_part = "worker.js"
   compatibility_date = "2021-01-01"
   compatibility_flags = ["nodejs_compat"]
-  content = file("worker.js")
+  content_file = "worker.js"
+  content_sha256 = filesha256("worker.js")
   keep_assets = false
   keep_bindings = ["string"]
   logpush = false

examples/resources/cloudflare_workers_script/resource.tf

@@ -14,10 +14,10 @@ resource "cloudflare_workers_script" "example_workers_script" {
     name = "MY_ENV_VAR"
     type = "plain_text"
   }]
-  body_part = "worker.js"
   compatibility_date = "2021-01-01"
   compatibility_flags = ["nodejs_compat"]
-  content = file("worker.js")
+  content_file = "worker.js"
+  content_sha256 = filesha256("worker.js")
   keep_assets = false
   keep_bindings = ["string"]
   logpush = false

internal/services/workers_script/custom.go

@@ -1,11 +1,18 @@
 package workers_script
 
 import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
 	"fmt"
 	"io"
 	"mime/multipart"
 	"net/textproto"
+	"os"
+	"path/filepath"
 	"strings"
+
+	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
 )
 
 func writeFileBytes(partName string, filename string, contentType string, content io.Reader, writer *multipart.Writer) error {
@@ -35,3 +42,134 @@ var quoteEscaper = strings.NewReplacer("\\", "\\\\", `"`, "\\\"")
 func escapeQuotes(s string) string {
 	return quoteEscaper.Replace(s)
 }
+
+func readFile(path string) (string, error) {
+	if strings.HasPrefix(path, "~/") {
+		dirname, err := os.UserHomeDir()
+		if err != nil {
+			return "", fmt.Errorf("could not expand home directory in path %s: %w", path, err)
+		}
+		path = filepath.Join(dirname, path[2:])
+	}
+
+	content, err := os.ReadFile(path)
+	if err != nil {
+		return "", fmt.Errorf("could not read file %s: %w", path, err)
+	}
+
+	return string(content), nil
+}
+
+func calculateFileHash(filePath string) (string, error) {
+	file, err := os.Open(filePath)
+	if err != nil {
+		return "", fmt.Errorf("failed to open file: %w", err)
+	}
+	defer file.Close()
+
+	hasher := sha256.New()
+	if _, err := io.Copy(hasher, file); err != nil {
+		return "", fmt.Errorf("failed to read file: %w", err)
+	}
+
+	return hex.EncodeToString(hasher.Sum(nil)), nil
+}
+
+func calculateStringHash(content string) (string, error) {
+	hash := sha256.Sum256([]byte(content))
+	return hex.EncodeToString(hash[:]), nil
+}
+
+var _ validator.String = &contentSHA256Validator{}
+
+type contentSHA256Validator struct {
+	ContentPath     string
+	ContentFilePath string
+}
+
+func (v contentSHA256Validator) Description(_ context.Context) string {
+	return fmt.Sprintf("Validates that the provided value matches the SHA-256 hash of content in either `content` or `content_file`.")
+}
+
+func (v contentSHA256Validator) MarkdownDescription(ctx context.Context) string {
+	return v.Description(ctx)
+}
+
+func (v contentSHA256Validator) ValidateString(ctx context.Context, req validator.StringRequest, resp *validator.StringResponse) {
+	if req.ConfigValue.IsNull() || req.ConfigValue.IsUnknown() {
+		return
+	}
+
+	providedHash := req.ConfigValue.ValueString()
+
+	var config WorkersScriptModel
+
+	resp.Diagnostics.Append(req.Config.Get(ctx, &config)...)
+
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	var hasContent, hasContentFile bool
+
+	if !config.Content.IsNull() {
+		hasContent = true
+	}
+
+	if !config.ContentFile.IsNull() {
+		hasContentFile = true
+	}
+
+	if !hasContent && !hasContentFile {
+		resp.Diagnostics.AddError("Missing required attributes", "One of `content` or `content_file` is required")
+		return
+	}
+
+	var actualHash string
+	var err error
+
+	if hasContent {
+		actualHash, err = calculateStringHash(config.Content.ValueString())
+		if err != nil {
+			resp.Diagnostics.AddAttributeError(
+				req.Path,
+				"Hash Calculation Error",
+				fmt.Sprintf("Failed to calculate SHA-256 hash of content: %s", err.Error()),
+			)
+			return
+		}
+	} else if hasContentFile {
+		actualHash, err = calculateFileHash(config.ContentFile.ValueString())
+		if err != nil {
+			resp.Diagnostics.AddAttributeError(
+				req.Path,
+				"Hash Calculation Error",
+				fmt.Sprintf("Failed to calculate SHA-256 hash of file '%s': %s", config.ContentFile.ValueString(), err.Error()),
+			)
+			return
+		}
+	}
+
+	if providedHash != actualHash {
+		var source string
+		if hasContent {
+			source = "content"
+		} else if hasContentFile {
+			source = fmt.Sprintf("content_file (%s)", config.ContentFile.ValueString())
+		}
+
+		resp.Diagnostics.AddAttributeError(
+			req.Path,
+			"SHA-256 Hash Mismatch",
+			fmt.Sprintf("The provided SHA-256 hash '%s' does not match the actual hash '%s' of %s",
+				providedHash, actualHash, source),
+		)
+	}
+}
+
+func ValidateContentSHA256() validator.String {
+	return contentSHA256Validator{
+		ContentPath:     "content",
+		ContentFilePath: "content_file",
+	}
+}

internal/services/workers_script/model.go

@@ -38,7 +38,9 @@ type WorkersScriptModel struct {
 	ID            types.String      `tfsdk:"id" json:"-,computed"`
 	ScriptName    types.String      `tfsdk:"script_name" path:"script_name,required"`
 	AccountID     types.String      `tfsdk:"account_id" path:"account_id,required"`
-	Content       types.String      `tfsdk:"content" json:"content,required"`
+	Content       types.String      `tfsdk:"content" json:"-"`
+	ContentFile   types.String      `tfsdk:"content_file" json:"-"`
+	ContentSHA256 types.String      `tfsdk:"content_sha256" json:"-"`
 	CreatedOn     timetypes.RFC3339 `tfsdk:"created_on" json:"created_on,computed" format:"date-time"`
 	Etag          types.String      `tfsdk:"etag" json:"etag,computed"`
 	HasAssets     types.Bool        `tfsdk:"has_assets" json:"has_assets,computed"`

internal/services/workers_script/resource.go

@@ -68,6 +68,17 @@ func (r *WorkersScriptResource) Create(ctx context.Context, req resource.CreateR
 		return
 	}
 
+	contentSHA256 := data.ContentSHA256
+
+	if !data.ContentFile.IsNull() {
+		content, err := readFile((data.ContentFile.ValueString()))
+		if err != nil {
+			resp.Diagnostics.AddError("failed to read file", err.Error())
+			return
+		}
+		data.Content = types.StringValue(content)
+	}
+
 	dataBytes, contentType, err := data.MarshalMultipart()
 	if err != nil {
 		resp.Diagnostics.AddError("failed to serialize multipart http request", err.Error())
@@ -97,6 +108,12 @@ func (r *WorkersScriptResource) Create(ctx context.Context, req resource.CreateR
 	}
 	data = &env.Result
 	data.ID = data.ScriptName
+	data.ContentSHA256 = contentSHA256
+
+	// avoid storing `content` in state if `content_file` is configured
+	if !data.ContentFile.IsNull() {
+		data.Content = types.StringNull()
+	}
 
 	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
 }
@@ -118,6 +135,17 @@ func (r *WorkersScriptResource) Update(ctx context.Context, req resource.UpdateR
 		return
 	}
 
+	contentSHA256 := data.ContentSHA256
+
+	if !data.ContentFile.IsNull() {
+		content, err := readFile((data.ContentFile.ValueString()))
+		if err != nil {
+			resp.Diagnostics.AddError("failed to read file", err.Error())
+			return
+		}
+		data.Content = types.StringValue(content)
+	}
+
 	dataBytes, contentType, err := data.MarshalMultipart()
 	if err != nil {
 		resp.Diagnostics.AddError("failed to serialize multipart http request", err.Error())
@@ -147,6 +175,12 @@ func (r *WorkersScriptResource) Update(ctx context.Context, req resource.UpdateR
 	}
 	data = &env.Result
 	data.ID = data.ScriptName
+	data.ContentSHA256 = contentSHA256
+
+	// avoid storing `content` in state if `content_file` is configured
+	if !data.ContentFile.IsNull() {
+		data.Content = types.StringNull()
+	}
 
 	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
 }
@@ -253,7 +287,17 @@ func (r *WorkersScriptResource) Read(ctx context.Context, req resource.ReadReque
 		content = string(bytes)
 	}
 
-	data.Content = types.StringValue(content)
+	// only update `content` if it was already present in state
+	// which might not be the case if `content_file` is used instead
+	if !data.Content.IsNull() {
+		data.Content = types.StringValue(content)
+	}
+
+	// refresh the content hash in case the remote state has drifted
+	if !data.ContentSHA256.IsNull() {
+		hash, _ := calculateStringHash(content)
+		data.ContentSHA256 = types.StringValue(hash)
+	}
 
 	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
 }