Pin Alpine image digest and add SHA256 verification for TF provider download

Co-authored-by: Isaac

Author: shreyas-goenka

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.22 as builder
+FROM alpine:3.22@sha256:55ae5d250caebc548793f321534bc6a8ef1d116f334f18f4ada1b2daad3251b2 as builder
 
 RUN ["apk", "add", "jq"]
 RUN ["apk", "add", "bash"]
@@ -13,7 +13,7 @@ ARG ARCH
 RUN /build/docker/setup.sh
 
 # Start from a fresh base image, to remove any build artifacts and scripts.
-FROM alpine:3.22
+FROM alpine:3.22@sha256:55ae5d250caebc548793f321534bc6a8ef1d116f334f18f4ada1b2daad3251b2
 
 ENV DATABRICKS_TF_EXEC_PATH "/app/bin/terraform"
 ENV DATABRICKS_TF_CLI_CONFIG_FILE "/app/config/config.tfrc"

bundle/deploy/terraform/pkg.go

@@ -77,11 +77,12 @@ type Checksum struct {
 }
 
 type TerraformMetadata struct {
-	Version         string   `json:"version"`
-	Checksum        Checksum `json:"checksum"`
-	ProviderHost    string   `json:"providerHost"`
-	ProviderSource  string   `json:"providerSource"`
-	ProviderVersion string   `json:"providerVersion"`
+	Version          string   `json:"version"`
+	Checksum         Checksum `json:"checksum"`
+	ProviderHost     string   `json:"providerHost"`
+	ProviderSource   string   `json:"providerSource"`
+	ProviderVersion  string   `json:"providerVersion"`
+	ProviderChecksum Checksum `json:"providerChecksum"`
 }
 
 func NewTerraformMetadata(ctx context.Context) (*TerraformMetadata, error) {
@@ -98,6 +99,10 @@ func NewTerraformMetadata(ctx context.Context) (*TerraformMetadata, error) {
 		ProviderHost:    schema.ProviderHost,
 		ProviderSource:  schema.ProviderSource,
 		ProviderVersion: schema.ProviderVersion,
+		ProviderChecksum: Checksum{
+			LinuxAmd64: schema.ProviderChecksumLinuxAmd64,
+			LinuxArm64: schema.ProviderChecksumLinuxArm64,
+		},
 	}, nil
 }
 

bundle/deploy/terraform/pkg_test.go

@@ -54,6 +54,17 @@ func TestTerraformArchiveChecksums(t *testing.T) {
 	downloadAndChecksum(t, armUrl, tv.ChecksumLinuxArm64)
 }
 
+func TestTerraformProviderArchiveChecksums(t *testing.T) {
+	metadata, err := NewTerraformMetadata(t.Context())
+	require.NoError(t, err)
+
+	amdUrl := fmt.Sprintf("https://github.com/databricks/terraform-provider-databricks/releases/download/v%s/terraform-provider-databricks_%s_linux_amd64.zip", metadata.ProviderVersion, metadata.ProviderVersion)
+	armUrl := fmt.Sprintf("https://github.com/databricks/terraform-provider-databricks/releases/download/v%s/terraform-provider-databricks_%s_linux_arm64.zip", metadata.ProviderVersion, metadata.ProviderVersion)
+
+	downloadAndChecksum(t, amdUrl, metadata.ProviderChecksum.LinuxAmd64)
+	downloadAndChecksum(t, armUrl, metadata.ProviderChecksum.LinuxArm64)
+}
+
 func TestGetTerraformVersionDefault(t *testing.T) {
 	// Verify that the default version is used
 	tv, isDefault, err := GetTerraformVersion(t.Context())

bundle/internal/tf/codegen/generator/generator.go

@@ -35,8 +35,10 @@ func (c *collection) Generate(path string) error {
 }
 
 type root struct {
-	OutputFile      string
-	ProviderVersion string
+	OutputFile                 string
+	ProviderVersion            string
+	ProviderChecksumLinuxAmd64 string
+	ProviderChecksumLinuxArm64 string
 }
 
 func (r *root) Generate(path string) error {
@@ -147,8 +149,10 @@ func Run(ctx context.Context, schema *tfjson.ProviderSchema, path string) error
 	// Generate root.go
 	{
 		r := &root{
-			OutputFile:      "root.go",
-			ProviderVersion: schemapkg.ProviderVersion,
+			OutputFile:                 "root.go",
+			ProviderVersion:            schemapkg.ProviderVersion,
+			ProviderChecksumLinuxAmd64: schemapkg.ProviderChecksumLinuxAmd64,
+			ProviderChecksumLinuxArm64: schemapkg.ProviderChecksumLinuxArm64,
 		}
 		err := r.Generate(path)
 		if err != nil {

bundle/internal/tf/codegen/schema/version.go

@@ -1,3 +1,12 @@
 package schema
 
 const ProviderVersion = "1.111.0"
+
+// Checksums for the Databricks Terraform provider archive. These are not used
+// inside the CLI. They are co-located here to be output in the
+// "databricks bundle debug terraform" output. Downstream applications like the
+// CLI docker image use these checksums to verify the integrity of the downloaded
+// provider archive. Please update these when the provider version is bumped.
+// The checksums are obtained from https://github.com/databricks/terraform-provider-databricks/releases.
+const ProviderChecksumLinuxAmd64 = "c1b46bbaf5c4a0b253309dad072e05025e24731536719d4408bacd48dc0ccfd9"
+const ProviderChecksumLinuxArm64 = "ce379c424009b01ec4762dee4d0db27cfc554d921b55a0af8e4203b3652259e9"

bundle/internal/tf/codegen/templates/root.go.tmpl

@@ -22,6 +22,8 @@ type Root struct {
 const ProviderHost = "registry.terraform.io"
 const ProviderSource = "databricks/databricks"
 const ProviderVersion = "{{ .ProviderVersion }}"
+const ProviderChecksumLinuxAmd64 = "{{ .ProviderChecksumLinuxAmd64 }}"
+const ProviderChecksumLinuxArm64 = "{{ .ProviderChecksumLinuxArm64 }}"
 
 func NewRoot() *Root {
 	return &Root{

bundle/internal/tf/schema/root.go

@@ -30,3 +30,11 @@ mv zip/terraform/terraform /app/bin/terraform
 TF_PROVIDER_NAME=terraform-provider-databricks_${DATABRICKS_TF_PROVIDER_VERSION}_linux_${ARCH}.zip
 mkdir -p /app/providers/registry.terraform.io/databricks/databricks
 wget https://github.com/databricks/terraform-provider-databricks/releases/download/v${DATABRICKS_TF_PROVIDER_VERSION}/${TF_PROVIDER_NAME} -O /app/providers/registry.terraform.io/databricks/databricks/${TF_PROVIDER_NAME}
+
+# Verify the provider checksum.
+EXPECTED_PROVIDER_CHECKSUM="$(/app/databricks bundle debug terraform --output json | jq -r .terraform.providerChecksum.linux_$ARCH)"
+COMPUTED_PROVIDER_CHECKSUM=$(sha256sum /app/providers/registry.terraform.io/databricks/databricks/${TF_PROVIDER_NAME} | awk '{ print $1 }')
+if [ "$COMPUTED_PROVIDER_CHECKSUM" != "$EXPECTED_PROVIDER_CHECKSUM" ]; then
+    echo "Checksum mismatch for Terraform provider. Version: $DATABRICKS_TF_PROVIDER_VERSION, Arch: $ARCH, Expected checksum: $EXPECTED_PROVIDER_CHECKSUM, Computed checksum: $COMPUTED_PROVIDER_CHECKSUM."
+    exit 1
+fi