Added - Support for OCI Container Registry (OCIR): Tagging

Author: Steven Cheong

examples/artifacts/ContainerImageSignature/container_image_signature.tf

@@ -16,29 +16,53 @@ provider "oci" {
   region           = var.region
 }
 
-variable "container_image_signature_compartment_id_in_subtree" {}
+variable "container_image_signature_compartment_id_in_subtree" {
+  default = false
+}
+
+variable "container_image_signature_defined_tags_value" {
+  default = "value"
+}
+
+variable "container_image_signature_freeform_tags" {
+  default = { "Department" = "Finance" }
+}
 
 // specify the container image to upload to
-variable "container_image_id" {}
+variable "container_image_id" {
+  default = "container_image_id"
+}
 
-// specify the management endpoint for the key
-variable "crypto_endpoint" {}
+// specify the crypto endpoint for the key
+variable "crypto_endpoint" {
+  default = "https://xxxxx-crypto.kms.us-phoenix-1.oraclecloud.com"
+}
 
 // specify the kms key to sign the message
-variable "kms_rsa_key_id" {}
+variable "kms_rsa_key_id" {
+  default = "kms_rsa_key_id"
+}
 
 // specify the kms key version to sign the message
-variable "kms_rsa_key_version_id" {}
+variable "kms_rsa_key_version_id" {
+  default = "kms_rsa_key_version_id"
+}
 
 // the algorithm to sign with the key
-variable "kms_signing_algorithm" {}
+variable "kms_signing_algorithm" {
+  default = "SHA_224_RSA_PKCS_PSS"
+}
 
 // user inputted description to include in the signature
-variable "description" {}
+variable "description" {
+  default = "test"
+}
 
 // user defined a json string to include in the signature (eg. use escape character for the key/value string)
 // ex. "{\\\"buildNumber\\\":\\\"123\\\"}"
-variable "metadata" {}
+variable "metadata" {
+  default = ""
+}
 
 data "oci_artifacts_container_image" "test_container_image" {
   image_id = var.container_image_id
@@ -80,6 +104,10 @@ resource "oci_artifacts_container_image_signature" "test_container_image_signatu
   message = base64encode(local.message)
   signature = oci_kms_sign.test_sign.signature
   signing_algorithm = var.kms_signing_algorithm
+
+  #Optional
+  defined_tags  = { "example-tag-namespace-all.example-tag" = var.container_image_signature_defined_tags_value }
+  freeform_tags = var.container_image_signature_freeform_tags
 }
 
 data "oci_artifacts_container_image_signatures" "test_container_image_signatures" {

examples/artifacts/ContainerRepository/container_repository.tf

@@ -12,6 +12,14 @@ variable "container_repository_compartment_id_in_subtree" {
   default = false
 }
 
+variable "container_repository_defined_tags_value" {
+  default = "value"
+}
+
+variable "container_repository_freeform_tags" {
+  default = { "Department" = "Finance" }
+}
+
 variable "container_repository_is_immutable" {
   default = false
 }
@@ -45,7 +53,7 @@ provider "oci" {
 // repository displayName needs to be unique within a tenant, so generate random string here to avoid collision
 resource "random_string" "container_repository_display_name" {
   length  = 5
-  number  = false
+  numeric  = false
   special = false
   upper = false
 }
@@ -56,8 +64,10 @@ resource "oci_artifacts_container_repository" "test_container_repository" {
   display_name   = random_string.container_repository_display_name.result
 
   #Optional
-  is_immutable = var.container_repository_is_immutable
-  is_public    = var.container_repository_is_public
+  defined_tags  = { "example-tag-namespace-all.example-tag" = var.container_repository_defined_tags_value }
+  freeform_tags = var.container_repository_freeform_tags
+  is_immutable  = var.container_repository_is_immutable
+  is_public     = var.container_repository_is_public
   readme {
     #Required
     content = var.container_repository_readme_content

internal/integrationtest/artifacts_container_image_signature_test.go

@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"strconv"
 	"testing"
+	"time"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
@@ -24,6 +25,10 @@ import (
 )
 
 var (
+	// We need a few resources such as KMS vault and container image pre-created
+	// Therefore, before running the signature tests below, please first set the following env var:
+	// TF_VAR_container_image_ocid, TF_VAR_kms_vault_ocid, TF_VAR_management_endpoint, and TF_VAR_container_image_signing_signature
+
 	message             = utils.GetEnvSettingWithBlankDefault("container_image_signing_signature")
 	signingAlgorithm    = "SHA_224_RSA_PKCS_PSS"
 	signingAlgorithmStr = fmt.Sprintf("variable \"signingAlgorithm\" { default = \"%s\" }\n", signingAlgorithm)
@@ -55,12 +60,19 @@ var (
 		"message":            acctest.Representation{RepType: acctest.Required, Create: message},
 		"signature":          acctest.Representation{RepType: acctest.Required, Create: `${oci_kms_sign.test_container_image_signature_kms_sign.signature}`},
 		"signing_algorithm":  acctest.Representation{RepType: acctest.Required, Create: signingAlgorithm},
+		"defined_tags":       acctest.Representation{RepType: acctest.Optional, Create: `${map("${oci_identity_tag_namespace.tag-namespace1.name}.${oci_identity_tag.tag1.name}", "value")}`, Update: `${map("${oci_identity_tag_namespace.tag-namespace1.name}.${oci_identity_tag.tag1.name}", "updatedValue")}`},
+		"freeform_tags":      acctest.Representation{RepType: acctest.Optional, Create: map[string]string{"Department": "Finance"}, Update: map[string]string{"Department": "Accounting"}},
 	}
 
 	ArtifactsArtifactscontainerContainerImageSignatureSingularDataSourceRepresentation = map[string]interface{}{
 		"image_signature_id": acctest.Representation{RepType: acctest.Required, Create: `${oci_artifacts_container_image_signature.test_container_image_signature.id}`},
 	}
 
+	ArtifactsArtifactscontainerContainerImageSignatureResourceDependencies = descriptionStr + metadataStr + signingAlgorithmStr +
+		DefinedTagsDependencies +
+		ArtifactsArtifactscontainerImageResourceConfig +
+		ArtifactsArtifactscontainerContainerImageSignatureKmsSignResourceDependencies
+
 	ArtifactsArtifactscontainerContainerImageSignatureDataSourceRepresentation = map[string]interface{}{
 		"compartment_id":            acctest.Representation{RepType: acctest.Required, Create: `${data.oci_artifacts_container_image.test_container_image.compartment_id}`},
 		"compartment_id_in_subtree": acctest.Representation{RepType: acctest.Optional, Create: `false`},
@@ -88,18 +100,18 @@ func TestArtifactsContainerImageSignatureResource_basic(t *testing.T) {
 
 	config := acctest.ProviderTestConfig()
 
+	compartmentId := utils.GetEnvSettingWithBlankDefault("compartment_ocid")
+
 	resourceName := "oci_artifacts_container_image_signature.test_container_image_signature"
 	datasourceName := "data.oci_artifacts_container_image_signatures.test_container_image_signatures"
 	singularDatasourceName := "data.oci_artifacts_container_image_signature.test_container_image_signature"
 
-	var resId string
+	var resId, resId2 string
 
 	acctest.ResourceTest(t, testAccCheckArtifactsContainerImageSignatureDestroy, []resource.TestStep{
 		// verify Create
 		{
-			Config: config + descriptionStr + metadataStr + signingAlgorithmStr +
-				ArtifactsArtifactscontainerImageResourceConfig +
-				ArtifactsArtifactscontainerContainerImageSignatureKmsSignResourceDependencies +
+			Config: config + ArtifactsArtifactscontainerContainerImageSignatureResourceDependencies +
 				acctest.GenerateResourceFromRepresentationMap("oci_artifacts_container_image_signature", "test_container_image_signature", acctest.Required, acctest.Create, ArtifactsArtifactscontainerContainerImageSignatureRepresentation),
 			Check: acctest.ComposeAggregateTestCheckFuncWrapper(
 				resource.TestCheckResourceAttr(resourceName, "compartment_id", compartmentId),
@@ -113,6 +125,37 @@ func TestArtifactsContainerImageSignatureResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttrSet(resourceName, "time_created"),
 				resource.TestCheckResourceAttr(resourceName, "signing_algorithm", signingAlgorithm),
 
+				func(s *terraform.State) (err error) {
+					resId, err = acctest.FromInstanceState(s, resourceName, "id")
+					return err
+				},
+			),
+		},
+
+		// delete before next Create
+		{
+			Config: config + ArtifactsArtifactscontainerImageResourceConfig,
+		},
+		// verify Create with optionals
+		{
+			Config: config + ArtifactsArtifactscontainerContainerImageSignatureResourceDependencies +
+				acctest.GenerateResourceFromRepresentationMap("oci_artifacts_container_image_signature", "test_container_image_signature", acctest.Optional, acctest.Create, ArtifactsArtifactscontainerContainerImageSignatureRepresentation),
+			Check: acctest.ComposeAggregateTestCheckFuncWrapper(
+				resource.TestCheckResourceAttr(resourceName, "compartment_id", compartmentId),
+				resource.TestCheckResourceAttrSet(resourceName, "created_by"),
+				resource.TestCheckResourceAttrSet(resourceName, "display_name"),
+				resource.TestCheckResourceAttr(resourceName, "freeform_tags.%", "1"),
+				resource.TestCheckResourceAttr(resourceName, "defined_tags.%", "1"),
+				resource.TestCheckResourceAttrSet(resourceName, "id"),
+				resource.TestCheckResourceAttrSet(resourceName, "image_id"),
+				resource.TestCheckResourceAttrSet(resourceName, "kms_key_id"),
+				resource.TestCheckResourceAttrSet(resourceName, "kms_key_version_id"),
+				resource.TestCheckResourceAttr(resourceName, "message", message),
+				resource.TestCheckResourceAttrPair(resourceName, "signature", "oci_kms_sign.test_container_image_signature_kms_sign", "signature"),
+				resource.TestCheckResourceAttr(resourceName, "signing_algorithm", signingAlgorithm),
+				resource.TestCheckResourceAttrSet(resourceName, "state"),
+				resource.TestCheckResourceAttrSet(resourceName, "time_created"),
+
 				func(s *terraform.State) (err error) {
 					resId, err = acctest.FromInstanceState(s, resourceName, "id")
 					if isEnableExportCompartment, _ := strconv.ParseBool(utils.GetEnvSettingWithDefault("enable_export_compartment", "true")); isEnableExportCompartment {
@@ -125,11 +168,38 @@ func TestArtifactsContainerImageSignatureResource_basic(t *testing.T) {
 			),
 		},
 
+		// verify updates to updatable parameters
+		{
+			Config: config + ArtifactsArtifactscontainerContainerImageSignatureResourceDependencies +
+				acctest.GenerateResourceFromRepresentationMap("oci_artifacts_container_image_signature", "test_container_image_signature", acctest.Optional, acctest.Update, ArtifactsArtifactscontainerContainerImageSignatureRepresentation),
+			Check: acctest.ComposeAggregateTestCheckFuncWrapper(
+				resource.TestCheckResourceAttr(resourceName, "compartment_id", compartmentId),
+				resource.TestCheckResourceAttrSet(resourceName, "created_by"),
+				resource.TestCheckResourceAttrSet(resourceName, "display_name"),
+				resource.TestCheckResourceAttr(resourceName, "freeform_tags.%", "1"),
+				resource.TestCheckResourceAttr(resourceName, "defined_tags.%", "1"),
+				resource.TestCheckResourceAttrSet(resourceName, "id"),
+				resource.TestCheckResourceAttrSet(resourceName, "image_id"),
+				resource.TestCheckResourceAttrSet(resourceName, "kms_key_id"),
+				resource.TestCheckResourceAttrSet(resourceName, "kms_key_version_id"),
+				resource.TestCheckResourceAttr(resourceName, "message", message),
+				resource.TestCheckResourceAttrPair(resourceName, "signature", "oci_kms_sign.test_container_image_signature_kms_sign", "signature"),
+				resource.TestCheckResourceAttr(resourceName, "signing_algorithm", signingAlgorithm),
+				resource.TestCheckResourceAttrSet(resourceName, "state"),
+				resource.TestCheckResourceAttrSet(resourceName, "time_created"),
+
+				func(s *terraform.State) (err error) {
+					resId2, err = acctest.FromInstanceState(s, resourceName, "id")
+					if resId != resId2 {
+						return fmt.Errorf("Resource recreated when it was supposed to be updated.")
+					}
+					return err
+				},
+			),
+		},
 		// verify datasource
 		{
-			Config: config + descriptionStr + metadataStr + signingAlgorithmStr +
-				ArtifactsArtifactscontainerImageResourceConfig +
-				ArtifactsArtifactscontainerContainerImageSignatureKmsSignResourceDependencies +
+			Config: config + ArtifactsArtifactscontainerContainerImageSignatureResourceDependencies +
 				acctest.GenerateResourceFromRepresentationMap("oci_artifacts_container_image_signature", "test_container_image_signature", acctest.Optional, acctest.Update, ArtifactsArtifactscontainerContainerImageSignatureRepresentation) +
 				acctest.GenerateDataSourceFromRepresentationMap("oci_artifacts_container_image_signatures", "test_container_image_signatures", acctest.Optional, acctest.Update, ArtifactsArtifactscontainerContainerImageSignatureDataSourceRepresentation),
 			Check: acctest.ComposeAggregateTestCheckFuncWrapper(
@@ -146,25 +216,28 @@ func TestArtifactsContainerImageSignatureResource_basic(t *testing.T) {
 
 				resource.TestCheckResourceAttr(datasourceName, "container_image_signature_collection.#", "1"),
 				resource.TestCheckResourceAttr(datasourceName, "container_image_signature_collection.0.items.#", "1"),
+				resource.TestCheckResourceAttr(datasourceName, "container_image_signature_collection.0.items.0.defined_tags.%", "1"),
+				resource.TestCheckResourceAttr(datasourceName, "container_image_signature_collection.0.items.0.freeform_tags.%", "1"),
 			),
 		},
 
 		// verify singular datasource
 		{
-			Config: config + descriptionStr + metadataStr + signingAlgorithmStr +
-				ArtifactsArtifactscontainerImageResourceConfig +
-				ArtifactsArtifactscontainerContainerImageSignatureKmsSignResourceDependencies +
+			Config: config + ArtifactsArtifactscontainerContainerImageSignatureResourceDependencies +
 				acctest.GenerateResourceFromRepresentationMap("oci_artifacts_container_image_signature", "test_container_image_signature", acctest.Optional, acctest.Update, ArtifactsArtifactscontainerContainerImageSignatureRepresentation) +
 				acctest.GenerateDataSourceFromRepresentationMap("oci_artifacts_container_image_signature", "test_container_image_signature", acctest.Required, acctest.Create, ArtifactsArtifactscontainerContainerImageSignatureSingularDataSourceRepresentation),
 			Check: acctest.ComposeAggregateTestCheckFuncWrapper(
 				resource.TestCheckResourceAttrSet(singularDatasourceName, "image_signature_id"),
 				resource.TestCheckResourceAttr(singularDatasourceName, "compartment_id", compartmentId),
 				resource.TestCheckResourceAttrSet(singularDatasourceName, "created_by"),
 				resource.TestCheckResourceAttrSet(singularDatasourceName, "display_name"),
+				resource.TestCheckResourceAttr(singularDatasourceName, "freeform_tags.%", "1"),
+				resource.TestCheckResourceAttr(singularDatasourceName, "defined_tags.%", "1"),
 				resource.TestCheckResourceAttrSet(singularDatasourceName, "id"),
 				//resource.TestCheckResourceAttr(singularDatasourceName, "message", encodedMessage),
 				resource.TestCheckResourceAttrSet(singularDatasourceName, "signature"),
 				resource.TestCheckResourceAttr(singularDatasourceName, "signing_algorithm", signingAlgorithm),
+				resource.TestCheckResourceAttrSet(singularDatasourceName, "state"),
 				resource.TestCheckResourceAttrSet(singularDatasourceName, "time_created"),
 			),
 		},
@@ -193,10 +266,18 @@ func testAccCheckArtifactsContainerImageSignatureDestroy(s *terraform.State) err
 
 			request.RequestMetadata.RetryPolicy = tfresource.GetRetryPolicy(true, "artifacts")
 
-			_, err := client.GetContainerImageSignature(context.Background(), request)
+			response, err := client.GetContainerImageSignature(context.Background(), request)
 
 			if err == nil {
-				return fmt.Errorf("resource still exists")
+				deletedLifecycleStates := map[string]bool{
+					string(oci_artifacts.ContainerImageSignatureLifecycleStateDeleted): true,
+				}
+				if _, ok := deletedLifecycleStates[string(response.LifecycleState)]; !ok {
+					//resource lifecycle state is not in expected deleted lifecycle states.
+					return fmt.Errorf("resource lifecycle state: %s is not in expected deleted lifecycle states", response.LifecycleState)
+				}
+				//resource lifecycle state is in expected deleted lifecycle states. continue with next one.
+				continue
 			}
 
 			//Verify that exception is for '404 not found'.
@@ -241,6 +322,8 @@ func sweepArtifactsContainerImageSignatureResource(compartment string) error {
 				fmt.Printf("Error deleting ContainerImageSignature %s %s, It is possible that the resource is already deleted. Please verify manually \n", containerImageSignatureId, error)
 				continue
 			}
+			acctest.WaitTillCondition(acctest.TestAccProvider, &containerImageSignatureId, ArtifactsContainerImageSignatureSweepWaitCondition, time.Duration(3*time.Minute),
+				ArtifactsContainerImageSignatureSweepResponseFetchOperation, "artifacts", true)
 		}
 	}
 	return nil
@@ -269,3 +352,19 @@ func getContainerImageSignatureIds(compartment string) ([]string, error) {
 	}
 	return resourceIds, nil
 }
+
+func ArtifactsContainerImageSignatureSweepWaitCondition(response common.OCIOperationResponse) bool {
+	// Only stop if the resource is available beyond 3 mins. As there could be an issue for the sweeper to delete the resource and manual intervention required.
+	if containerImageSignatureResponse, ok := response.Response.(oci_artifacts.GetContainerImageSignatureResponse); ok {
+		return containerImageSignatureResponse.LifecycleState != oci_artifacts.ContainerImageSignatureLifecycleStateDeleted
+	}
+	return false
+}
+
+func ArtifactsContainerImageSignatureSweepResponseFetchOperation(client *tf_client.OracleClients, resourceId *string, retryPolicy *common.RetryPolicy) error {
+	_, err := client.ArtifactsClient().GetContainerImageSignature(context.Background(), oci_artifacts.GetContainerImageSignatureRequest{RequestMetadata: common.RequestMetadata{
+		RetryPolicy: retryPolicy,
+	},
+	})
+	return err
+}

internal/integrationtest/artifacts_container_image_test.go

@@ -29,7 +29,7 @@ var (
 	// Therefore, we need to set the env var of the pre-canned container image for testing, i.e. TF_VAR_container_image_ocid
 
 	imageId       = utils.GetEnvSettingWithBlankDefault("container_image_ocid")
-	compartmentId = utils.GetEnvSettingWithBlankDefault("tenancy_ocid")
+	compartmentId = utils.GetEnvSettingWithBlankDefault("compartment_ocid")
 
 	ArtifactsArtifactscontainerImageSingularDataSourceRepresentation = map[string]interface{}{
 		"image_id": acctest.Representation{RepType: acctest.Required, Create: imageId},
@@ -72,8 +72,9 @@ func TestArtifactsContainerImageResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttr(datasourceName, "state", "AVAILABLE"),
 
 				resource.TestCheckResourceAttr(datasourceName, "container_image_collection.#", "1"),
-
 				resource.TestCheckResourceAttr(datasourceName, "container_image_collection.0.items.#", "1"),
+				resource.TestCheckResourceAttr(datasourceName, "container_image_collection.0.items.0.defined_tags.%", "2"),
+				resource.TestCheckResourceAttr(datasourceName, "container_image_collection.0.items.0.freeform_tags.%", "3"),
 				resource.TestCheckResourceAttr(datasourceName, "container_image_collection.0.remaining_items_count", "0"),
 			),
 		},
@@ -98,6 +99,8 @@ func TestArtifactsContainerImageResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttrSet(singularDatasourceName, "time_created"),
 				resource.TestCheckResourceAttrSet(singularDatasourceName, "version"),
 				resource.TestCheckResourceAttrSet(singularDatasourceName, "versions.#"),
+				resource.TestCheckResourceAttr(singularDatasourceName, "freeform_tags.%", "3"),
+				resource.TestCheckResourceAttr(singularDatasourceName, "defined_tags.%", "2"),
 			),
 		},
 	})