foreman_opentofu 0.0.1 → 0.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c1a821d0e6f43b76c17c48f1a84cb7bc753f9bbebd6c31c532fea9fcf6cf843b
-  data.tar.gz: 515d5f582f9911cbdaf339b9854baf644437171695f4a7062ac44eb2eb203105
+  metadata.gz: ccfa3742aa9fe09edc20f685bf1a65f0f32aa34603572812fd250f64f84c7f60
+  data.tar.gz: 632627c1dbecb3da3282fa29085647263f588eb99753db33d2f2ada53b57680c
 SHA512:
-  metadata.gz: 3d0b019416cc34fd4f9c17ca83c08ef7f5861ea88d9d50905508a878be1e05ad2c7a998dacd8a58209eb494845923843015820c1acb20227e6f59b40b15d92c6
-  data.tar.gz: 6286eb806d3b5afca40e28e6d064512b5477b698eb531ab1b4063d18d66ae4b5644536372511c40d7cccac8e0d26ff534625c3dd242c6d19534a949796ed50c6
+  metadata.gz: 1858acdfd4b8e7e32dd3c91765ca1e5e6921da70b8754842e1fa8284bb9b1ceb23b5abb7b22320218d6326167f821d032071915458155545e19ace88dfadd996
+  data.tar.gz: a9f29bd6e263acb43c2a692ed848a71b99c61dce3fb3b64a9ebd7597bceae0280f8b93879b2e5b89a6a8a2244f9cfd5644fdfdc20444353fc962211def091591

data/README.md

@@ -34,6 +34,158 @@ Provisioning workflow:
 
 Provider-specific details (for example Nutanix, Hetzner) are handled entirely through openTOFU scripts.
 
+### Create new ProviderType
+
+This Plugin empowers you to add support of a new backend VM- or Cloud-Platform yourself.
+Follow these simple steps to do so:
+
+#### Find OpenTofu Provider
+
+Visit the OpenTofu Registry to find a suitable [provider supported by OpenTofu](https://search.opentofu.org/providers).
+The Registry supplies the necessary Data Sources to read information from the Backend as well as Resources to create/update/destroy resources on the Backend.
+
+#### Create Template
+
+You may use the UI-Editor in Hosts -> Templates -> Provisioning Templates to create a new Template.
+Either clone a pre-installed template or create one from scratch.
+In the latter case be sure to select the correct Template Type: OpenTofu Script template.
+
+#### Create Parameter Config
+
+To define which Virtual Machine parameters can be set for a new Host a new config file under `/config` must be added.
+Feel free to use either YAML or JSON (be sure to end the filename with `.json` or `.yaml`).
+The config file defines an array of dicts, where each dict represents a configuration-parameter.
+
+A config-parameter has the following values:
+
+* `name`: the OpenTofu Provider Resource Arguments as stated on the OpenTofu Registry
+* `label`: the label shown in the Foreman UI
+* `type`: data-type of the value, supported values:
+  * `string`
+  * `number`
+  * `bool`
+  * `select`: requires setting `options`
+* `help`: Tooltip describing what that value does and what values are allowed
+* `mandatory`: `true`/`false` defines if omitting the value triggers an error
+* `options`: array of strings representing the possible values
+* `group`: define where the value should be configured
+   * `vm`: ones per Host in the 'Virtual Machine' tab,
+   * `disk`: for each defined disk/volume in the 'Virtual Machine' tab
+   * `nic`: for each defined network-interface on the 'Interfaces' tab
+
+A short config file might look like this:
+
+```json
+[
+  { "name": "memory_size_mib", "type": "number", "group": "vm", "mandatory": false,
+    "label": "Memory (MB)" },
+  { "name": "boot_type", "type": "select", "group": "vm", "mandatory": false,
+    "label": "Firmware", "options": [ "UEFI", "LEGACY", "SECURE_BOOT" ] },
+  { "name": "disk_size_mib", "type": "number", "group": "disk", "mandatory": true,
+    "label": "Size (MB)" },
+  { "name": "model", "type": "select", "group": "nic", "mandatory": true,
+    "options": [ "VIRTIO", "E1000" ] }
+]
+```
+
+The name of the file must be the same as the provider-type name we set in the next step (e.g. `/config/nutanix.json`).
+
+##### Dynamic Config Parameter
+
+Sometimes it is necessary to provide a list of possible values that are defined by the backend-service.
+Curating the 'options'-Array is tedious at best or not possible if multiple instances of the backend service are in use.
+This can be addressed by specifiying an OpenTofu-Provider's [DataSource](https://opentofu.org/docs/language/data-sources/) in the following way:
+
+```json
+{
+  "name": "volume_group", "type": "select", "group": "disk", "mandatory": true, "label": "Volume Group",
+  "options": {
+    "data_source": {
+      "name": "nutanix_volume_groups_v2",
+      "arguments": {
+        "filter": "name eq 'volume_group_test'",
+        "limit": 20
+      },
+      "entity": {
+        "id": "metadata.uuid"
+      }
+    },
+    "output_path_postfix": "volume_groups"
+  }
+}
+
+```
+The GUI requires a list of objects that at least contain a name and an id for each select-option.
+The `entity` section can be used to define a specific value from an object within the list that the DataSource returns.
+If the object already has `name` and `id` entries, these will automatically used.
+In the above example `name` exists in the object and can be used.
+For the `id` however, a different value must be selected from the object.
+
+This requests the data via OpenTofu in the following construct:
+
+```hcl
+data "nutanix_volume_groups_v2" "all" {
+  filter = "name eq 'volume_group_test'"
+  limit = 20
+}
+output "resources" {
+  value = [ for e in data.nutanix_volume_groups_v2.all.volume_groups: {
+    id = e.metadata.uuid
+    name = e.name
+  } ]
+}
+```
+
+##### Special Parameter
+
+Some config parameter names have special meanings.
+For instance, Image-based Deployment requires binding images available on the backend-service with Operating Systems configured in Foreman.
+To enable Foreman OpenTofu to display the available images, a `select`-parameter with the name `available_images` must be specified.
+It is recommended to tie this to a data-source available in the OpenTofu provider.
+
+```json
+{
+  "name": "available_images", "type": "select",
+  "options": {
+    "data_source": {
+      "name": "hcloud_images",
+      "arguments": { "with_architecture": ["x86"] }
+    },
+    "output_path_postfix": "images"
+  }
+}
+```
+
+
+#### Create Provider Type
+
+To let the Foreman OpenTofu Plugin know about your new Provider Type, one additional file has to be created in `/lib/foreman_opentofu/provider_types/`.
+
+A very simple ProviderType file to add a new Provider named `nutanix` has to be located in `lib/foreman_opentofu/provider_types/nutanix.rb` and might look like this:
+
+```ruby
+ForemanOpentofu::ProviderTypeManager.register('nutanix') do
+end
+```
+
+Additional informations about the ProviderType can be set within the `register`-block:
+
+##### `default_attributes`
+
+Define values that should be set as default for attributes.
+The values do not have to be defined in the config-file.
+If attributes are also defined in the config-file and therefore set during Host creation, the default\_attribute values will be overwritten.
+
+```ruby
+ForemanOpentofu::ProviderTypeManager.register('nutanix') do
+  @default_attributes = {
+    'enable_cpu_passthrough' => true,
+    'num_threads_per_core' => 2,
+  }
+end
+```
+
+
 ## Development
 
 ### Dev prerequisites

data/app/assets/javascripts/foreman_opentofu/locale/en/foreman_opentofu.js

@@ -0,0 +1,58 @@
+ locales['foreman_opentofu'] = locales['foreman_opentofu'] || {}; locales['foreman_opentofu']['en'] = {
+  "domain": "foreman_opentofu",
+  "locale_data": {
+    "foreman_opentofu": {
+      "": {
+        "Project-Id-Version": "foreman_opentofu 1.0.0",
+        "Report-Msgid-Bugs-To": "",
+        "PO-Revision-Date": "2026-02-16 18:46+0000",
+        "Last-Translator": "FULL NAME <EMAIL@ADDRESS>",
+        "Language-Team": "LANGUAGE <LL@li.org>",
+        "Language": "",
+        "MIME-Version": "1.0",
+        "Content-Type": "text/plain; charset=UTF-8",
+        "Content-Transfer-Encoding": "8bit",
+        "Plural-Forms": "nplurals=INTEGER; plural=EXPRESSION;",
+        "lang": "en",
+        "domain": "foreman_opentofu",
+        "plural_forms": "nplurals=INTEGER; plural=EXPRESSION;"
+      },
+      "127.0.0.1": [
+        ""
+      ],
+      "Common fields": [
+        ""
+      ],
+      "OpenTofu Provider": [
+        ""
+      ],
+      "OpenTofu Script template": [
+        ""
+      ],
+      "OpenTofu Template": [
+        ""
+      ],
+      "Storage": [
+        ""
+      ],
+      "TODO: Description of ForemanPluginTemplate.": [
+        ""
+      ],
+      "URL": [
+        ""
+      ],
+      "Unable to find template specified by %s setting": [
+        ""
+      ],
+      "Unable to render provisioning template": [
+        ""
+      ],
+      "VM Config": [
+        ""
+      ],
+      "e.g. admin": [
+        ""
+      ]
+    }
+  }
+};

data/app/controllers/api/v2/tf_states_controller.rb

@@ -3,14 +3,25 @@ module Api
     class TfStatesController < ::Api::V2::BaseController
       include ::Api::Version2
 
+      # TODO: verify this
+      # We don't require any of these methods for provisioning
+      # skip_before_action :require_login, :check_user_enabled, :session_expiry, :update_activity_time, :set_taxonomy, :authorize, unless: -> { preview? }
+      skip_before_action :set_taxonomy
+
+      # Allow HTTP POST methods without CSRF
+      skip_before_action :verify_authenticity_token
+
+      # overwrite authorize with the local token-based authorization
+      before_action :authorize, except: [:destroy]
+
       resource_description do
         api_version 'v2'
         api_base_url '/foreman_opentofu/api'
       end
 
-      skip_before_action :verify_authenticity_token
       def show
         state = ForemanOpentofu::TfState.find_by(name: params[:name])
+
         if state
           render plain: state.state, content_type: 'application/json'
         else
@@ -19,8 +30,6 @@ module Api
       end
 
       def create
-        state = ForemanOpentofu::TfState.find_or_create_by(name: params[:name])
-
         raw_state = request.body.read
         if raw_state.blank?
           render plain: 'Missing state body', status: :unprocessable_entity
@@ -29,6 +38,7 @@ module Api
         begin
           JSON.parse(raw_state)
 
+          state = ForemanOpentofu::TfState.find_or_initialize_by(name: params[:name])
           state.state = raw_state
           state.save!
           render plain: '', status: :ok
@@ -39,14 +49,42 @@ module Api
       end
 
       def destroy
-        state = ForemanOpentofu::TfState.find_by(name: params[:name])
-        state&.destroy
+        # TODO: at the moment we want to get 200 OK, if the TfState does not exist.
+        #       normally, this would fail with 401, because of no valid token.
+        #       Needs re-evaluation, if this is a security risk.
+        state = ForemanOpentofu::TfState.where(name: params[:name])
+        if state.any?
+          authorize
+          state.first.destroy
+        end
+
         render plain: '', status: :ok
       end
 
       def resource_class
         @resource_class ||= ForemanOpentofu::TfState
       end
+
+      private
+
+      def authorize
+        authenticate_or_request_with_http_token do |token, _options|
+          token = ForemanOpentofu::Token.find_by(name: params[:name], token: token)
+          unless token
+            Rails.logger.warn('TfState-Auth-Token not found')
+            render_error('unauthorized', status: :unauthorized)
+            return false
+          end
+
+          if token.expired?
+            Rails.logger.warn 'TfState token expired, if this keeps happening increase the validity of the token'
+            render_error('unauthorized', status: :unauthorized)
+            return false
+          end
+
+          return true
+        end
+      end
     end
   end
 end

data/app/controllers/concerns/foreman_opentofu/controller/parameters/compute_resource.rb

@@ -1,22 +1,3 @@
-# frozen_string_literal: true
-
-# Copyright 2018 Tristan Robert
-
-# This file is part of ForemanFogProxmox.
-
-# ForemanFogProxmox is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-
-# ForemanFogProxmox is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-
-# You should have received a copy of the GNU General Public License
-# along with ForemanFogProxmox. If not, see <http://www.gnu.org/licenses/>.
-
 module ForemanOpentofu
   module Controller
     module Parameters
@@ -28,6 +9,7 @@ module ForemanOpentofu
             super.tap do |filter|
               filter.permit :endpoint,
                 :opentofu_provider,
+                :opentofu_template_id,
                 :username
             end
           end

data/app/lib/foreman_opentofu/concerns/base_template_scope_extensions.rb

@@ -3,19 +3,65 @@ module ForemanOpentofu
     module BaseTemplateScopeExtensions
       extend ActiveSupport::Concern
       extend ApipieDSL::Module
+      include ForemanOpentofu::HclFormat
+      include ForemanOpentofu::NicHelpers
 
       apipie :class, 'Base macros related to Opentofu templates' do
-        name 'Base Content'
-        sections only: %w[all provisioning]
+        name 'OpenTofu helpers'
+        sections only: %w[opentofu_script]
+      end
+
+      apipie :method, 'Returns `terraform`-block including necessary backend definition, if applicable' do
+        required :data, Hash, desc: 'Define the provider-type to pull in, e.g. `{ \'nutanix\' => { \'source\' => \'nutanix/nutanix\', \'version\' => \'2.4.0\' }`'
+        returns String, desc: '`terraform {}`-block based on the data-input, if applicable with TfState-Backend definition.'
+      end
+      # e.g. terraform_block({ 'nutanix' => { 'source' => 'nutanix/nutanix', 'version' => '2.4.0' })
+      def terraform_block(data)
+        block = block_to_hcl(['terraform'])
+        block << '{'
+        block << block_to_hcl(['required_providers'], data, depth: 1)
+        block << backend_block
+        block << "\n}"
+      end
+
+      apipie :method, 'Add "resource" data_source block' do
+        returns String, desc: ''
+      end
+      def resource_block(resource)
+        block = ''
+        path = ['data', resource[:name], 'all']
+
+        # data "<%= @resource[:name] %>" "all" {
+        # <% @resource.dig(:options, 'data_source', 'arguments')&.each do |key, value| %>
+        #   <%= key %> = <%= value.inspect %>
+        # <% end %>
+        # }
+        block << block_to_hcl(path, resource.dig(:options, 'data_source', 'arguments') || {})
+
+        # output "resources" {
+        #   value = [ for e in data.<%= @resource[:name] %>.all.<%= @resource.dig(:options, 'output_path_postfix') %>: {
+        #     id = e.<%= @resource.dig(:options, 'entity', 'id') || 'id' %>
+        #     name = e.<%= @resource.dig(:options, 'entity', 'name') || 'name' %>
+        #     # obj = e
+        #     } ]
+        # }
+        block << block_to_hcl(%w[output resources])
+        block << '{' << "\n"
+        block << "  value = [ for e in data.#{resource[:name]}.all.#{resource.dig(:options, 'output_path_postfix')}: {\n"
+        block << "    id = e.#{resource.dig(:options, 'entity', 'id') || 'id'}\n"
+        block << "    name = e.#{resource.dig(:options, 'entity', 'name') || 'name'}\n"
+        # block << 'obj = e'
+        block << '  } ]' << "\n"
+        block << '}' << "\n"
       end
 
       apipie :method, 'Returns all VM parameters' do
         required :skip_list, Array, desc: 'List of parameters to skip'
         returns String, desc: '"key = value" lines'
       end
-
       def vm_attributes(skip_list = [])
         available_attributes = @compute_resource.available_attributes
+        data = {}
         res = ''
         @cr_attrs.each do |key, value|
           next if skip_list.include? key
@@ -28,60 +74,22 @@ module ForemanOpentofu
           next if conf['group'] != 'vm'
           next if value.blank? && !conf['mandatory']
 
-          res << "#{key} = #{format_value(value, conf['type'])}\n"
-        end
-        res << nic_attributes(available_attributes)
-      end
-
-      def nic_attributes(available_attributes)
-        interfaces = @cr_attrs['interfaces'] || @cr_attrs['interfaces_attributes']
-        return '' if interfaces.blank?
-
-        interfaces = normalize_interfaces(interfaces)
-        nic_defs = available_attributes.values.select do |attrs|
-          attrs['group'] == 'nic'
-        end
-        res = ''
-        interfaces.each do |iface|
-          next if iface['subnet_uuid'].blank?
-
-          res << build_attribute_block('nic_list', iface, nic_defs)
+          data[key] = format_value(value, conf['type'])
         end
-        res
+        res << to_hcl(data, snippet: true)
       end
 
-      def normalize_interfaces(interfaces)
-        if interfaces.is_a?(Hash)
-          if interfaces.keys.all? { |k| k.to_s =~ /^\d+$/ }
-            interfaces.values
-          else
-            [interfaces]
-          end
+      def backend_block
+        if @token
+          data = {
+            address: "#{Setting[:foreman_url]}/api/v2/tf_states/#{@host_name}",
+            headers: {
+              'Authorization' => "Token #{@token}",
+            },
+          }
+          block_to_hcl(%w[backend http], data, depth: 1)
         else
-          Array(interfaces)
-        end
-      end
-
-      def build_attribute_block(block_name, attrs, nic_defs)
-        res = "#{block_name} {\n"
-        attrs.each do |k, v|
-          next if v.blank?
-          conf = nic_defs.find { |a| (a['name'] || a[:name]) == k }
-          next unless conf
-          res << "  #{k} = #{format_value(v, conf['type'])}\n" if conf
-        end
-        res << "}\n"
-        res
-      end
-
-      private
-
-      def format_value(val, type)
-        case type
-        when 'string', 'select' then "\"#{val}\""
-        when 'bool' then Foreman::Cast.to_bool(val)
-        when 'number' then val.to_i
-        else val
+          ''
         end
       end
     end

data/app/lib/foreman_opentofu/hcl_format.rb

@@ -0,0 +1,95 @@
+module ForemanOpentofu
+  module HclFormat
+    def default_opts(opts = {})
+      {
+        indent: 2,
+        depth: 0,
+        snippet: false,
+      }.merge opts
+    end
+
+    # possible `opts`:
+    #   `indent` : number of whitespace to indent; default 2
+    #   `depth`  : start value of depth (for indentation); default: 0
+    #   `snippet`: if `true` and var is a `Hash` string will not be framed with `{}`
+    def to_hcl(var, opts = {})
+      opts = default_opts.merge(opts)
+
+      case var
+      when Hash then hash_to_hcl(var, opts)
+      when Array then array_to_hcl(var, opts)
+      when String then var.inspect
+      else var.to_s
+      end
+    end
+
+    def prefix_hcl(opts)
+      "\n#{' ' * opts[:indent] * opts[:depth]}"
+    end
+
+    # output a hcl-block:
+    # hello "how" "are" "you" { ... }
+    # the above would be created by: block_to_hcl(['hello,'how', 'are', 'you'], { .. })
+    def block_to_hcl(names, content = nil, opts = {})
+      opts = default_opts(opts)
+
+      hcl = prefix_hcl(opts)
+      hcl << names[0]
+      hcl << ' '
+      # sub-block-names are quoted
+      hcl << names[1..].map(&:to_s).map(&:inspect).join(' ')
+      hcl << ' ' if hcl[-1] != ' '
+      hcl << to_hcl(content, opts)
+    end
+
+    def hash_to_hcl(hsh, opts)
+      opts = default_opts(opts)
+      hcl = ''
+      new_opts = opts.merge(snippet: false)
+
+      unless opts[:snippet]
+        hcl << '{'
+        new_opts[:depth] = opts[:depth] + 1
+      end
+
+      close_block_on_newline = false
+
+      hsh.each do |key, value|
+        hcl << prefix_hcl(new_opts)
+        hcl << "#{key} = #{to_hcl(value, new_opts)}"
+        close_block_on_newline = true
+      end
+      hcl << prefix_hcl(opts) if close_block_on_newline
+      hcl << '}' unless opts[:snippet]
+      hcl
+    end
+
+    def array_to_hcl(hsh, opts)
+      opts = default_opts(opts)
+      hcl = '['
+      new_opts = opts.merge(
+        depth: opts[:depth] + 1
+      )
+      close_block_on_newline = false
+
+      hsh.each do |value|
+        hcl << prefix_hcl(new_opts)
+        hcl << to_hcl(value, new_opts)
+        hcl << ','
+        close_block_on_newline = true
+      end
+      hcl.chomp!(',')
+      hcl << prefix_hcl(opts) if close_block_on_newline
+      hcl << ']'
+    end
+
+    def format_value(val, type)
+      case type
+      when 'string', 'select' then val
+      when 'bool' then Foreman::Cast.to_bool(val)
+      when 'number' then val.to_i
+      else val
+      end
+    end
+  end
+end

data/app/lib/foreman_opentofu/nic_helpers.rb

@@ -0,0 +1,47 @@
+module ForemanOpentofu
+  module NicHelpers
+    include ForemanOpentofu::HclFormat
+
+    def nic_attributes(block_name = nil)
+      nic_defs = @compute_resource.available_attributes('nic')
+      interfaces = normalize_interfaces(@cr_attrs['interfaces'] || @cr_attrs['interfaces_attributes'])
+      res = ''
+      interfaces.each do |iface|
+        missing_attrs = nic_defs.select { |name, cfg| cfg[:mandatory] && iface[name].blank? }
+        # TODO: log the fact that we skip this due to missing mandatory attributes
+        next unless missing_attrs.empty?
+
+        res << if block_given?
+                 yield(iface, nic_defs)
+               else
+                 block_to_hcl([block_name], sanitize_attributes(iface, nic_defs), depth: 1)
+               end
+      end
+      res
+    end
+
+    def normalize_interfaces(interfaces)
+      if interfaces.is_a?(Hash)
+        if interfaces.keys.all? { |k| k.to_s =~ /^\d+$/ }
+          interfaces.values
+        else
+          [interfaces]
+        end
+      else
+        Array(interfaces)
+      end
+    end
+
+    def sanitize_attributes(attrs, defs)
+      data = {}
+      attrs.each do |k, v|
+        next if v.blank?
+
+        next unless defs[k]
+
+        data[k] = format_value(v, defs.dig(k, :type))
+      end
+      data
+    end
+  end
+end

data/app/models/concerns/orchestration/tofu/compute.rb

@@ -3,13 +3,9 @@ module Orchestration
     module Compute
       extend ActiveSupport::Concern
 
-      def computeValue(_foreman_attr, fog_attr)
-        value = ''
-        value += vm.send(fog_attr).to_s
-        value
-      end
-
       def match_macs_to_nics(fog_attr)
+        return super unless compute_resource.is_a?(ForemanOpentofu::Tofu)
+
         interfaces.select(&:physical?).each do |nic|
           mac = vm.send(fog_attr)
           logger.debug "Orchestration::Compute: nic #{nic.inspect} assigned to #{vm.inspect}"
@@ -19,6 +15,29 @@ module Orchestration
         end
         true
       end
+
+      def setUserData
+        return super unless compute_resource.is_a?(ForemanOpentofu::Tofu)
+
+        logger.info "Rendering UserData template for #{name}"
+        template = provisioning_template(kind: 'cloud-init')
+        template ||= provisioning_template(kind: 'user_data')
+        # For some reason this renders as 'built' in spoof view but 'provision' when
+        # actually used. For now, use foreman_url('built') in the template
+        if template.nil?
+          # rubocop:disable Layout/LineLength
+          failure(format(_("Image \"%{image}\" needs user data, but \"%{os}\" is not associated to any provisioning template of the kind user_data. Please associate it with a suitable template or uncheck 'User data' from the image definition."),
+            image: image.name,
+            os: operatingsystem))
+          # rubocop:enable Layout/LineLength
+          return false
+        end
+
+        compute_attributes['user_data'] = render_template(template: template)
+
+        return false if errors.any?
+        true
+      end
     end
   end
 end