From 9b3aed6ba279c0486bb9fe010d19ad41f19bf6ed Mon Sep 17 00:00:00 2001 From: Shreyas Goenka Date: Thu, 26 Mar 2026 15:14:37 +0100 Subject: [PATCH 1/6] Pin Alpine image digest and add SHA256 verification for TF provider download Co-authored-by: Isaac --- Dockerfile | 4 ++-- bundle/deploy/terraform/pkg.go | 15 ++++++++++----- bundle/deploy/terraform/pkg_test.go | 11 +++++++++++ bundle/internal/tf/codegen/generator/generator.go | 12 ++++++++---- bundle/internal/tf/codegen/schema/version.go | 9 +++++++++ bundle/internal/tf/codegen/templates/root.go.tmpl | 2 ++ bundle/internal/tf/schema/root.go | 2 ++ docker/setup.sh | 8 ++++++++ 8 files changed, 52 insertions(+), 11 deletions(-) diff --git a/Dockerfile b/Dockerfile index f48b90b437..0945680299 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.22 as builder +FROM alpine:3.22@sha256:55ae5d250caebc548793f321534bc6a8ef1d116f334f18f4ada1b2daad3251b2 as builder RUN ["apk", "add", "jq"] RUN ["apk", "add", "bash"] @@ -13,7 +13,7 @@ ARG ARCH RUN /build/docker/setup.sh # Start from a fresh base image, to remove any build artifacts and scripts. -FROM alpine:3.22 +FROM alpine:3.22@sha256:55ae5d250caebc548793f321534bc6a8ef1d116f334f18f4ada1b2daad3251b2 ENV DATABRICKS_TF_EXEC_PATH "/app/bin/terraform" ENV DATABRICKS_TF_CLI_CONFIG_FILE "/app/config/config.tfrc" diff --git a/bundle/deploy/terraform/pkg.go b/bundle/deploy/terraform/pkg.go index 6c8b108337..83ea796024 100644 --- a/bundle/deploy/terraform/pkg.go +++ b/bundle/deploy/terraform/pkg.go @@ -77,11 +77,12 @@ type Checksum struct { } type TerraformMetadata struct { - Version string `json:"version"` - Checksum Checksum `json:"checksum"` - ProviderHost string `json:"providerHost"` - ProviderSource string `json:"providerSource"` - ProviderVersion string `json:"providerVersion"` + Version string `json:"version"` + Checksum Checksum `json:"checksum"` + ProviderHost string `json:"providerHost"` + ProviderSource string `json:"providerSource"` + ProviderVersion string `json:"providerVersion"` + ProviderChecksum Checksum `json:"providerChecksum"` } func NewTerraformMetadata(ctx context.Context) (*TerraformMetadata, error) { @@ -98,6 +99,10 @@ func NewTerraformMetadata(ctx context.Context) (*TerraformMetadata, error) { ProviderHost: schema.ProviderHost, ProviderSource: schema.ProviderSource, ProviderVersion: schema.ProviderVersion, + ProviderChecksum: Checksum{ + LinuxAmd64: schema.ProviderChecksumLinuxAmd64, + LinuxArm64: schema.ProviderChecksumLinuxArm64, + }, }, nil } diff --git a/bundle/deploy/terraform/pkg_test.go b/bundle/deploy/terraform/pkg_test.go index 2b19e99234..f427112271 100644 --- a/bundle/deploy/terraform/pkg_test.go +++ b/bundle/deploy/terraform/pkg_test.go @@ -54,6 +54,17 @@ func TestTerraformArchiveChecksums(t *testing.T) { downloadAndChecksum(t, armUrl, tv.ChecksumLinuxArm64) } +func TestTerraformProviderArchiveChecksums(t *testing.T) { + metadata, err := NewTerraformMetadata(t.Context()) + require.NoError(t, err) + + amdUrl := fmt.Sprintf("https://github.com/databricks/terraform-provider-databricks/releases/download/v%s/terraform-provider-databricks_%s_linux_amd64.zip", metadata.ProviderVersion, metadata.ProviderVersion) + armUrl := fmt.Sprintf("https://github.com/databricks/terraform-provider-databricks/releases/download/v%s/terraform-provider-databricks_%s_linux_arm64.zip", metadata.ProviderVersion, metadata.ProviderVersion) + + downloadAndChecksum(t, amdUrl, metadata.ProviderChecksum.LinuxAmd64) + downloadAndChecksum(t, armUrl, metadata.ProviderChecksum.LinuxArm64) +} + func TestGetTerraformVersionDefault(t *testing.T) { // Verify that the default version is used tv, isDefault, err := GetTerraformVersion(t.Context()) diff --git a/bundle/internal/tf/codegen/generator/generator.go b/bundle/internal/tf/codegen/generator/generator.go index e135d13f9e..f96a9e4bc3 100644 --- a/bundle/internal/tf/codegen/generator/generator.go +++ b/bundle/internal/tf/codegen/generator/generator.go @@ -35,8 +35,10 @@ func (c *collection) Generate(path string) error { } type root struct { - OutputFile string - ProviderVersion string + OutputFile string + ProviderVersion string + ProviderChecksumLinuxAmd64 string + ProviderChecksumLinuxArm64 string } func (r *root) Generate(path string) error { @@ -147,8 +149,10 @@ func Run(ctx context.Context, schema *tfjson.ProviderSchema, path string) error // Generate root.go { r := &root{ - OutputFile: "root.go", - ProviderVersion: schemapkg.ProviderVersion, + OutputFile: "root.go", + ProviderVersion: schemapkg.ProviderVersion, + ProviderChecksumLinuxAmd64: schemapkg.ProviderChecksumLinuxAmd64, + ProviderChecksumLinuxArm64: schemapkg.ProviderChecksumLinuxArm64, } err := r.Generate(path) if err != nil { diff --git a/bundle/internal/tf/codegen/schema/version.go b/bundle/internal/tf/codegen/schema/version.go index 5c02827381..8ca5a2a6c8 100644 --- a/bundle/internal/tf/codegen/schema/version.go +++ b/bundle/internal/tf/codegen/schema/version.go @@ -1,3 +1,12 @@ package schema const ProviderVersion = "1.111.0" + +// Checksums for the Databricks Terraform provider archive. These are not used +// inside the CLI. They are co-located here to be output in the +// "databricks bundle debug terraform" output. Downstream applications like the +// CLI docker image use these checksums to verify the integrity of the downloaded +// provider archive. Please update these when the provider version is bumped. +// The checksums are obtained from https://github.com/databricks/terraform-provider-databricks/releases. +const ProviderChecksumLinuxAmd64 = "c1b46bbaf5c4a0b253309dad072e05025e24731536719d4408bacd48dc0ccfd9" +const ProviderChecksumLinuxArm64 = "ce379c424009b01ec4762dee4d0db27cfc554d921b55a0af8e4203b3652259e9" diff --git a/bundle/internal/tf/codegen/templates/root.go.tmpl b/bundle/internal/tf/codegen/templates/root.go.tmpl index b5c53c1615..fc356042cd 100644 --- a/bundle/internal/tf/codegen/templates/root.go.tmpl +++ b/bundle/internal/tf/codegen/templates/root.go.tmpl @@ -22,6 +22,8 @@ type Root struct { const ProviderHost = "registry.terraform.io" const ProviderSource = "databricks/databricks" const ProviderVersion = "{{ .ProviderVersion }}" +const ProviderChecksumLinuxAmd64 = "{{ .ProviderChecksumLinuxAmd64 }}" +const ProviderChecksumLinuxArm64 = "{{ .ProviderChecksumLinuxArm64 }}" func NewRoot() *Root { return &Root{ diff --git a/bundle/internal/tf/schema/root.go b/bundle/internal/tf/schema/root.go index ed77d10967..4c19c2c4a4 100644 --- a/bundle/internal/tf/schema/root.go +++ b/bundle/internal/tf/schema/root.go @@ -22,6 +22,8 @@ type Root struct { const ProviderHost = "registry.terraform.io" const ProviderSource = "databricks/databricks" const ProviderVersion = "1.111.0" +const ProviderChecksumLinuxAmd64 = "c1b46bbaf5c4a0b253309dad072e05025e24731536719d4408bacd48dc0ccfd9" +const ProviderChecksumLinuxArm64 = "ce379c424009b01ec4762dee4d0db27cfc554d921b55a0af8e4203b3652259e9" func NewRoot() *Root { return &Root{ diff --git a/docker/setup.sh b/docker/setup.sh index 0dc06ce1e2..d6e6e3b4ad 100755 --- a/docker/setup.sh +++ b/docker/setup.sh @@ -30,3 +30,11 @@ mv zip/terraform/terraform /app/bin/terraform TF_PROVIDER_NAME=terraform-provider-databricks_${DATABRICKS_TF_PROVIDER_VERSION}_linux_${ARCH}.zip mkdir -p /app/providers/registry.terraform.io/databricks/databricks wget https://github.com/databricks/terraform-provider-databricks/releases/download/v${DATABRICKS_TF_PROVIDER_VERSION}/${TF_PROVIDER_NAME} -O /app/providers/registry.terraform.io/databricks/databricks/${TF_PROVIDER_NAME} + +# Verify the provider checksum. +EXPECTED_PROVIDER_CHECKSUM="$(/app/databricks bundle debug terraform --output json | jq -r .terraform.providerChecksum.linux_$ARCH)" +COMPUTED_PROVIDER_CHECKSUM=$(sha256sum /app/providers/registry.terraform.io/databricks/databricks/${TF_PROVIDER_NAME} | awk '{ print $1 }') +if [ "$COMPUTED_PROVIDER_CHECKSUM" != "$EXPECTED_PROVIDER_CHECKSUM" ]; then + echo "Checksum mismatch for Terraform provider. Version: $DATABRICKS_TF_PROVIDER_VERSION, Arch: $ARCH, Expected checksum: $EXPECTED_PROVIDER_CHECKSUM, Computed checksum: $COMPUTED_PROVIDER_CHECKSUM." + exit 1 +fi From fc48e0d7e836132e861e4860a3092c330c2c340f Mon Sep 17 00:00:00 2001 From: Shreyas Goenka Date: Thu, 26 Mar 2026 15:29:08 +0100 Subject: [PATCH 2/6] Auto-fetch provider checksums during codegen instead of hardcoding MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The codegen tool (`go run .`) now automatically downloads the SHA256SUMS file from the GitHub release and embeds the checksums into the generated root.go. When bumping the provider version, developers only need to update version.go — checksums are resolved automatically. Co-authored-by: Isaac --- bundle/internal/tf/codegen/README.md | 1 + .../tf/codegen/generator/generator.go | 6 +- bundle/internal/tf/codegen/main.go | 12 +++- bundle/internal/tf/codegen/schema/checksum.go | 67 +++++++++++++++++++ bundle/internal/tf/codegen/schema/version.go | 9 --- 5 files changed, 81 insertions(+), 14 deletions(-) create mode 100644 bundle/internal/tf/codegen/schema/checksum.go diff --git a/bundle/internal/tf/codegen/README.md b/bundle/internal/tf/codegen/README.md index b1f8a33a8b..f309785a21 100644 --- a/bundle/internal/tf/codegen/README.md +++ b/bundle/internal/tf/codegen/README.md @@ -7,6 +7,7 @@ The entry point for this tool is `.`. It uses `./tmp` a temporary data directory and `../schema` as output directory. It automatically installs the Terraform binary as well as the Databricks Terraform provider. +It also fetches SHA256 checksums for the provider archive from GitHub releases. Run with: diff --git a/bundle/internal/tf/codegen/generator/generator.go b/bundle/internal/tf/codegen/generator/generator.go index f96a9e4bc3..47af677c00 100644 --- a/bundle/internal/tf/codegen/generator/generator.go +++ b/bundle/internal/tf/codegen/generator/generator.go @@ -53,7 +53,7 @@ func (r *root) Generate(path string) error { return tmpl.Execute(f, r) } -func Run(ctx context.Context, schema *tfjson.ProviderSchema, path string) error { +func Run(ctx context.Context, schema *tfjson.ProviderSchema, checksums *schemapkg.ProviderChecksums, path string) error { // Generate types for resources var resources []*namedBlock for _, k := range sortKeys(schema.ResourceSchemas) { @@ -151,8 +151,8 @@ func Run(ctx context.Context, schema *tfjson.ProviderSchema, path string) error r := &root{ OutputFile: "root.go", ProviderVersion: schemapkg.ProviderVersion, - ProviderChecksumLinuxAmd64: schemapkg.ProviderChecksumLinuxAmd64, - ProviderChecksumLinuxArm64: schemapkg.ProviderChecksumLinuxArm64, + ProviderChecksumLinuxAmd64: checksums.LinuxAmd64, + ProviderChecksumLinuxArm64: checksums.LinuxArm64, } err := r.Generate(path) if err != nil { diff --git a/bundle/internal/tf/codegen/main.go b/bundle/internal/tf/codegen/main.go index e4982c2bc8..bc7ce6663a 100644 --- a/bundle/internal/tf/codegen/main.go +++ b/bundle/internal/tf/codegen/main.go @@ -11,12 +11,20 @@ import ( func main() { ctx := context.Background() - schema, err := schema.Load(ctx) + s, err := schema.Load(ctx) if err != nil { log.Fatal(err) } - err = generator.Run(ctx, schema, "../schema") + log.Printf("fetching provider checksums for v%s", schema.ProviderVersion) + checksums, err := schema.FetchProviderChecksums(schema.ProviderVersion) + if err != nil { + log.Fatal(err) + } + log.Printf(" linux_amd64: %s", checksums.LinuxAmd64) + log.Printf(" linux_arm64: %s", checksums.LinuxArm64) + + err = generator.Run(ctx, s, checksums, "../schema") if err != nil { log.Fatal(err) } diff --git a/bundle/internal/tf/codegen/schema/checksum.go b/bundle/internal/tf/codegen/schema/checksum.go new file mode 100644 index 0000000000..ef266740df --- /dev/null +++ b/bundle/internal/tf/codegen/schema/checksum.go @@ -0,0 +1,67 @@ +package schema + +import ( + "bufio" + "fmt" + "net/http" + "strings" +) + +// ProviderChecksums holds the SHA256 checksums for the Databricks Terraform +// provider archive for supported Linux architectures. +type ProviderChecksums struct { + LinuxAmd64 string + LinuxArm64 string +} + +// FetchProviderChecksums downloads the SHA256SUMS file from the GitHub release +// for the given provider version and extracts checksums for the linux_amd64 and +// linux_arm64 archives. +// https://github.com/databricks/terraform-provider-databricks/releases +func FetchProviderChecksums(version string) (*ProviderChecksums, error) { + url := fmt.Sprintf( + "https://github.com/databricks/terraform-provider-databricks/releases/download/v%s/terraform-provider-databricks_%s_SHA256SUMS", + version, version, + ) + + resp, err := http.Get(url) + if err != nil { + return nil, fmt.Errorf("downloading SHA256SUMS for provider v%s: %w", version, err) + } + defer resp.Body.Close() + + if resp.StatusCode != http.StatusOK { + return nil, fmt.Errorf("downloading SHA256SUMS for provider v%s: HTTP %s", version, resp.Status) + } + + checksums := &ProviderChecksums{} + amd64Suffix := fmt.Sprintf("terraform-provider-databricks_%s_linux_amd64.zip", version) + arm64Suffix := fmt.Sprintf("terraform-provider-databricks_%s_linux_arm64.zip", version) + + scanner := bufio.NewScanner(resp.Body) + for scanner.Scan() { + line := scanner.Text() + parts := strings.Fields(line) + if len(parts) != 2 { + continue + } + switch parts[1] { + case amd64Suffix: + checksums.LinuxAmd64 = parts[0] + case arm64Suffix: + checksums.LinuxArm64 = parts[0] + } + } + if err := scanner.Err(); err != nil { + return nil, fmt.Errorf("reading SHA256SUMS for provider v%s: %w", version, err) + } + + if checksums.LinuxAmd64 == "" { + return nil, fmt.Errorf("checksum not found for %s in SHA256SUMS", amd64Suffix) + } + if checksums.LinuxArm64 == "" { + return nil, fmt.Errorf("checksum not found for %s in SHA256SUMS", arm64Suffix) + } + + return checksums, nil +} diff --git a/bundle/internal/tf/codegen/schema/version.go b/bundle/internal/tf/codegen/schema/version.go index 8ca5a2a6c8..5c02827381 100644 --- a/bundle/internal/tf/codegen/schema/version.go +++ b/bundle/internal/tf/codegen/schema/version.go @@ -1,12 +1,3 @@ package schema const ProviderVersion = "1.111.0" - -// Checksums for the Databricks Terraform provider archive. These are not used -// inside the CLI. They are co-located here to be output in the -// "databricks bundle debug terraform" output. Downstream applications like the -// CLI docker image use these checksums to verify the integrity of the downloaded -// provider archive. Please update these when the provider version is bumped. -// The checksums are obtained from https://github.com/databricks/terraform-provider-databricks/releases. -const ProviderChecksumLinuxAmd64 = "c1b46bbaf5c4a0b253309dad072e05025e24731536719d4408bacd48dc0ccfd9" -const ProviderChecksumLinuxArm64 = "ce379c424009b01ec4762dee4d0db27cfc554d921b55a0af8e4203b3652259e9" From cbbc9a39928868708d44191d810ca4be8e89e8f8 Mon Sep 17 00:00:00 2001 From: Shreyas Goenka Date: Thu, 26 Mar 2026 15:52:38 +0100 Subject: [PATCH 3/6] Skip checksum download tests in short mode These tests download large archives from the internet. Gate them behind `testing.Short()` so they're skipped during normal CI (`make test`) and only run in nightly/long test sessions. Co-authored-by: Isaac --- bundle/deploy/terraform/pkg_test.go | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/bundle/deploy/terraform/pkg_test.go b/bundle/deploy/terraform/pkg_test.go index f427112271..79f332151f 100644 --- a/bundle/deploy/terraform/pkg_test.go +++ b/bundle/deploy/terraform/pkg_test.go @@ -44,6 +44,10 @@ func downloadAndChecksum(t *testing.T, url, expectedChecksum string) { } func TestTerraformArchiveChecksums(t *testing.T) { + if testing.Short() { + t.Skip("skipping slow test in short mode") + } + tv, isDefault, err := GetTerraformVersion(t.Context()) require.NoError(t, err) assert.True(t, isDefault) @@ -55,6 +59,10 @@ func TestTerraformArchiveChecksums(t *testing.T) { } func TestTerraformProviderArchiveChecksums(t *testing.T) { + if testing.Short() { + t.Skip("skipping slow test in short mode") + } + metadata, err := NewTerraformMetadata(t.Context()) require.NoError(t, err) From cf176528f26a59a66b0804ba22d07e44681275fe Mon Sep 17 00:00:00 2001 From: Shreyas Goenka Date: Thu, 26 Mar 2026 15:55:27 +0100 Subject: [PATCH 4/6] Move provider checksum verification from unit test to codegen sanity check Instead of a separate test that downloads large archives on every test run, verify the checksum inline during codegen: FetchProviderChecksums now downloads the linux_amd64 zip and verifies it matches the parsed SHA256SUMS entry. This runs once during `go run .` (provider version bump) rather than on every `make test`. Co-authored-by: Isaac --- bundle/deploy/terraform/pkg_test.go | 14 ------ bundle/internal/tf/codegen/schema/checksum.go | 46 ++++++++++++++++++- 2 files changed, 45 insertions(+), 15 deletions(-) diff --git a/bundle/deploy/terraform/pkg_test.go b/bundle/deploy/terraform/pkg_test.go index 79f332151f..453ea15e98 100644 --- a/bundle/deploy/terraform/pkg_test.go +++ b/bundle/deploy/terraform/pkg_test.go @@ -58,20 +58,6 @@ func TestTerraformArchiveChecksums(t *testing.T) { downloadAndChecksum(t, armUrl, tv.ChecksumLinuxArm64) } -func TestTerraformProviderArchiveChecksums(t *testing.T) { - if testing.Short() { - t.Skip("skipping slow test in short mode") - } - - metadata, err := NewTerraformMetadata(t.Context()) - require.NoError(t, err) - - amdUrl := fmt.Sprintf("https://github.com/databricks/terraform-provider-databricks/releases/download/v%s/terraform-provider-databricks_%s_linux_amd64.zip", metadata.ProviderVersion, metadata.ProviderVersion) - armUrl := fmt.Sprintf("https://github.com/databricks/terraform-provider-databricks/releases/download/v%s/terraform-provider-databricks_%s_linux_arm64.zip", metadata.ProviderVersion, metadata.ProviderVersion) - - downloadAndChecksum(t, amdUrl, metadata.ProviderChecksum.LinuxAmd64) - downloadAndChecksum(t, armUrl, metadata.ProviderChecksum.LinuxArm64) -} func TestGetTerraformVersionDefault(t *testing.T) { // Verify that the default version is used diff --git a/bundle/internal/tf/codegen/schema/checksum.go b/bundle/internal/tf/codegen/schema/checksum.go index ef266740df..5927319e93 100644 --- a/bundle/internal/tf/codegen/schema/checksum.go +++ b/bundle/internal/tf/codegen/schema/checksum.go @@ -2,7 +2,11 @@ package schema import ( "bufio" + "crypto/sha256" + "encoding/hex" "fmt" + "io" + "log" "net/http" "strings" ) @@ -16,7 +20,8 @@ type ProviderChecksums struct { // FetchProviderChecksums downloads the SHA256SUMS file from the GitHub release // for the given provider version and extracts checksums for the linux_amd64 and -// linux_arm64 archives. +// linux_arm64 archives. It also downloads the linux_amd64 zip to verify that +// the parsed checksum is correct. // https://github.com/databricks/terraform-provider-databricks/releases func FetchProviderChecksums(version string) (*ProviderChecksums, error) { url := fmt.Sprintf( @@ -63,5 +68,44 @@ func FetchProviderChecksums(version string) (*ProviderChecksums, error) { return nil, fmt.Errorf("checksum not found for %s in SHA256SUMS", arm64Suffix) } + // Sanity check: download the linux_amd64 zip and verify the checksum matches. + err = verifyProviderChecksum(version, "linux_amd64", checksums.LinuxAmd64) + if err != nil { + return nil, err + } + return checksums, nil } + +// verifyProviderChecksum downloads the provider zip for the given platform and +// verifies it matches the expected SHA256 checksum. +func verifyProviderChecksum(version, platform, expectedChecksum string) error { + url := fmt.Sprintf( + "https://github.com/databricks/terraform-provider-databricks/releases/download/v%s/terraform-provider-databricks_%s_%s.zip", + version, version, platform, + ) + + log.Printf("verifying checksum for %s provider archive", platform) + resp, err := http.Get(url) + if err != nil { + return fmt.Errorf("downloading provider archive for checksum verification: %w", err) + } + defer resp.Body.Close() + + if resp.StatusCode != http.StatusOK { + return fmt.Errorf("downloading provider archive for checksum verification: HTTP %s", resp.Status) + } + + hash := sha256.New() + if _, err := io.Copy(hash, resp.Body); err != nil { + return fmt.Errorf("computing checksum for provider archive: %w", err) + } + + actualChecksum := hex.EncodeToString(hash.Sum(nil)) + if actualChecksum != expectedChecksum { + return fmt.Errorf("checksum mismatch for %s provider archive: expected %s, got %s", platform, expectedChecksum, actualChecksum) + } + + log.Printf("checksum verified for %s provider archive", platform) + return nil +} From 54b9d8a77402f076dbf0e9e208957341c9ba31da Mon Sep 17 00:00:00 2001 From: Shreyas Goenka Date: Thu, 26 Mar 2026 15:56:48 +0100 Subject: [PATCH 5/6] Revert changes to pkg_test.go Co-authored-by: Isaac --- bundle/deploy/terraform/pkg_test.go | 5 ----- 1 file changed, 5 deletions(-) diff --git a/bundle/deploy/terraform/pkg_test.go b/bundle/deploy/terraform/pkg_test.go index 453ea15e98..2b19e99234 100644 --- a/bundle/deploy/terraform/pkg_test.go +++ b/bundle/deploy/terraform/pkg_test.go @@ -44,10 +44,6 @@ func downloadAndChecksum(t *testing.T, url, expectedChecksum string) { } func TestTerraformArchiveChecksums(t *testing.T) { - if testing.Short() { - t.Skip("skipping slow test in short mode") - } - tv, isDefault, err := GetTerraformVersion(t.Context()) require.NoError(t, err) assert.True(t, isDefault) @@ -58,7 +54,6 @@ func TestTerraformArchiveChecksums(t *testing.T) { downloadAndChecksum(t, armUrl, tv.ChecksumLinuxArm64) } - func TestGetTerraformVersionDefault(t *testing.T) { // Verify that the default version is used tv, isDefault, err := GetTerraformVersion(t.Context()) From faf09498b5da61b46839afefd1397715da2dba6b Mon Sep 17 00:00:00 2001 From: Shreyas Goenka Date: Thu, 26 Mar 2026 15:57:23 +0100 Subject: [PATCH 6/6] Verify both linux_amd64 and linux_arm64 provider checksums during codegen Co-authored-by: Isaac --- bundle/internal/tf/codegen/schema/checksum.go | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/bundle/internal/tf/codegen/schema/checksum.go b/bundle/internal/tf/codegen/schema/checksum.go index 5927319e93..7cc0678eae 100644 --- a/bundle/internal/tf/codegen/schema/checksum.go +++ b/bundle/internal/tf/codegen/schema/checksum.go @@ -20,8 +20,8 @@ type ProviderChecksums struct { // FetchProviderChecksums downloads the SHA256SUMS file from the GitHub release // for the given provider version and extracts checksums for the linux_amd64 and -// linux_arm64 archives. It also downloads the linux_amd64 zip to verify that -// the parsed checksum is correct. +// linux_arm64 archives. It also downloads both zips to verify that the parsed +// checksums are correct. // https://github.com/databricks/terraform-provider-databricks/releases func FetchProviderChecksums(version string) (*ProviderChecksums, error) { url := fmt.Sprintf( @@ -68,11 +68,15 @@ func FetchProviderChecksums(version string) (*ProviderChecksums, error) { return nil, fmt.Errorf("checksum not found for %s in SHA256SUMS", arm64Suffix) } - // Sanity check: download the linux_amd64 zip and verify the checksum matches. + // Sanity check: download both zips and verify the checksums match. err = verifyProviderChecksum(version, "linux_amd64", checksums.LinuxAmd64) if err != nil { return nil, err } + err = verifyProviderChecksum(version, "linux_arm64", checksums.LinuxArm64) + if err != nil { + return nil, err + } return checksums, nil }