Metric changes

.github/workflows/security.yml

@@ -0,0 +1,50 @@
+name: Wasp (Semgrep) - SAST Check
+
+on:
+  pull_request_target:
+    branches:
+        - main
+
+  schedule:
+    - cron: '0 */24 * * *' 
+  workflow_dispatch: 
+
+jobs:
+  wasp-scan:
+    name: Wasp scan
+    runs-on:
+      group: security-lrg
+    steps:
+      - name: Setting permission
+        run: sudo chown runner:runner -R .*
+
+      - name: Repository checkout
+        uses: actions/checkout@v4
+
+      - name: Running Wasp scan
+        uses: freshactions/wasp@latest
+        env:
+          WASP_LOG_LEVEL: DEBUG
+          WASP_SAVE_JSON: true
+          WASP_SAVE_HTML: true
+          WASP_SAVE_CSV: true
+          WASP_FRESHRELEASE_PR_PROJECT_KEY: ${{ vars.SECURITY_APPSEC_FRESHRELEASE_PROJECT_KEY }}
+          WASP_DRY_RUN: ${{ vars.SECURITY_APPSEC_WASP_DRY_RUN }}
+
+          WASP_FRESHRELEASE_URL: ${{ vars.SECURITY_APPSEC_FRESHRELEASE_URL }}
+          WASP_FRESHRELEASE_PR_ISSUE_TYPE: ${{ vars.SECURITY_APPSEC_FRESHRELEASE_PR_ISSUE_TYPE }}          
+
+          WASP_TOKEN: ${{ secrets.SECURITY_APPSEC_WASP_TOKEN }}
+          WASP_FRESHRELEASE_TOKEN: ${{ secrets.SECURITY_APPSEC_FRESHRELEASE_TOKEN }}
+          WASP_SLACK_TOKEN: ${{ secrets.SECURITY_APPSEC_SLACK_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.SECURITY_APPSEC_GH_TOKEN }}
+
+      - uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: Wasp scan report archive
+          retention-days: ${{ vars.SECURITY_APPSEC_WASP_RESULT_RETENTION_DAYS }}
+          path: |
+            wasp-report.csv
+            wasp-report.json
+            wasp-report.html

Makefile

@@ -33,7 +33,7 @@ CROSSPLANE_VERSION = 1.16.0
 -include build/makelib/k8s_tools.mk
 
 # Setup Images
-REGISTRY_ORGS ?= xpkg.upbound.io/upbound
+REGISTRY_ORGS ?= 696234406407.dkr.ecr.us-east-1.amazonaws.com
 IMAGES = provider-terraform
 -include build/makelib/imagelight.mk
 
@@ -59,10 +59,10 @@ submodules:
 # ====================================================================================
 # Setup XPKG
 
-XPKG_REG_ORGS ?= xpkg.upbound.io/upbound
+XPKG_REG_ORGS ?= 696234406407.dkr.ecr.us-east-1.amazonaws.com/upbound
 # NOTE(hasheddan): skip promoting on xpkg.upbound.io as channel tags are
 # inferred.
-XPKG_REG_ORGS_NO_PROMOTE ?= xpkg.upbound.io/upbound
+XPKG_REG_ORGS_NO_PROMOTE ?= 696234406407.dkr.ecr.us-east-1.amazonaws.com/upbound
 XPKGS = provider-terraform
 -include build/makelib/xpkg.mk
 

apis/v1beta1/workspace_types.go

@@ -123,6 +123,12 @@ type WorkspaceParameters struct {
 	// +optional
 	Entrypoint string `json:"entrypoint"`
 
+	// Include the output of terraform plan in the status.
+	// The plan will be gzipped and base64 encoded.
+	// +kubebuilder:default=false
+	// +optional
+	IncludePlan *bool `json:"includePlan"`
+
 	// Environment variables.
 	// +optional
 	Env []EnvVar `json:"env,omitempty"`
@@ -159,8 +165,11 @@ type WorkspaceParameters struct {
 
 // WorkspaceObservation are the observable fields of a Workspace.
 type WorkspaceObservation struct {
-	Checksum string                       `json:"checksum,omitempty"`
-	Outputs  map[string]extensionsV1.JSON `json:"outputs,omitempty"`
+	// +optional
+	PlanStamp *string                      `json:"planStamp,omitempty"`
+	Plan      *string                      `json:"tfPlan,omitempty"`
+	Checksum  string                       `json:"checksum,omitempty"`
+	Outputs   map[string]extensionsV1.JSON `json:"outputs,omitempty"`
 }
 
 // A WorkspaceSpec defines the desired state of a Workspace.
@@ -181,6 +190,7 @@ type WorkspaceStatus struct {
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status"
 // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status"
+// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status"
 // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
 // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,terraform}
 type Workspace struct {

cluster/images/provider-terraform/Dockerfile

@@ -5,7 +5,7 @@ ARG TARGETARCH
 
 ENV TERRAFORM_VERSION=1.5.5
 ENV TF_IN_AUTOMATION=1
-ENV TF_PLUGIN_CACHE_DIR=/tf/plugin-cache
+ENV TF_DIR=/tf/
 
 ADD "bin/${TARGETOS}_${TARGETARCH}/provider" /usr/local/bin/crossplane-terraform-provider
 ADD .gitconfig .gitconfig
@@ -17,7 +17,7 @@ RUN curl -s -L https://github.com/upbound/terraform/releases/download/v${TERRAFO
   && unzip -d /usr/local/bin terraform.zip \
   && rm terraform.zip \
   && chmod +x /usr/local/bin/terraform \
-  && mkdir -p ${TF_PLUGIN_CACHE_DIR} \
+  && mkdir -p ${TF_DIR} \
   && chown -R 2000 /tf
 # As of Crossplane v1.3.0 provider controllers run as UID 2000.
 # https://github.com/crossplane/crossplane/blob/v1.3.0/internal/controller/pkg/revision/deployment.go#L32

examples/workspace-inline.yaml

@@ -13,6 +13,7 @@ spec:
     # For simple cases you can use an inline source to specify the content of
     # main.tf as opaque, inline HCL.
     source: Inline
+    showPlan: true
     module: |
       // Outputs are written to the connection secret.
       output "url" {
@@ -29,7 +30,7 @@ spec:
         name = "crossplane-example-${terraform.workspace}-${random_id.example.hex}"
         location      = "US"
         force_destroy = true
-      
+
         public_access_prevention = "enforced"
       }
   writeConnectionSecretToRef:

go.mod

@@ -17,6 +17,7 @@ require (
 	k8s.io/apiextensions-apiserver v0.29.4
 	k8s.io/apimachinery v0.29.4
 	k8s.io/client-go v0.29.4
+	k8s.io/utils v0.0.0-20230726121419-3b25d923346b
 	sigs.k8s.io/controller-runtime v0.17.3
 	sigs.k8s.io/controller-tools v0.14.0
 )
@@ -109,7 +110,6 @@ require (
 	k8s.io/component-base v0.29.4 // indirect
 	k8s.io/klog/v2 v2.110.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
-	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect

internal/controller/workspace/workspace.go

@@ -32,6 +32,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	extensionsV1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -106,7 +107,7 @@ type tfclient interface {
 	Workspace(ctx context.Context, name string) error
 	Outputs(ctx context.Context) ([]terraform.Output, error)
 	Resources(ctx context.Context) ([]string, error)
-	Diff(ctx context.Context, o ...terraform.Option) (bool, error)
+	Diff(ctx context.Context, o ...terraform.Option) (bool, string, error)
 	Apply(ctx context.Context, o ...terraform.Option) error
 	Destroy(ctx context.Context, o ...terraform.Option) error
 	DeleteCurrentWorkspace(ctx context.Context) error
@@ -357,32 +358,34 @@ type external struct {
 	logger logging.Logger
 }
 
-func (c *external) checkDiff(ctx context.Context, cr *v1beta1.Workspace) (bool, error) {
+func (c *external) checkDiff(ctx context.Context, cr *v1beta1.Workspace) (bool, string, error) {
 	o, err := c.options(ctx, cr.Spec.ForProvider)
 	if err != nil {
-		return false, errors.Wrap(err, errOptions)
+		return false, "", errors.Wrap(err, errOptions)
 	}
 
 	o = append(o, terraform.WithArgs(cr.Spec.ForProvider.PlanArgs))
-	differs, err := c.tf.Diff(ctx, o...)
+	differs, planOutput, err := c.tf.Diff(ctx, o...)
+
 	if err != nil {
 		if !meta.WasDeleted(cr) {
-			return false, errors.Wrap(err, errDiff)
+			return false, planOutput, errors.Wrap(err, errDiff)
 		}
 		// terraform plan can fail on deleted resources, so let the reconciliation loop
 		// call Delete() if there are still resources in the tfstate file
 		differs = false
 	}
-	return differs, nil
+	return differs, planOutput, nil
 }
 
+//nolint:gocyclo
 func (c *external) Observe(ctx context.Context, mg resource.Managed) (managed.ExternalObservation, error) {
 	cr, ok := mg.(*v1beta1.Workspace)
 	if !ok {
 		return managed.ExternalObservation{}, errors.New(errNotWorkspace)
 	}
 
-	differs, err := c.checkDiff(ctx, cr)
+	differs, planOutput, err := c.checkDiff(ctx, cr)
 	if err != nil {
 		return managed.ExternalObservation{}, err
 	}
@@ -409,6 +412,12 @@ func (c *external) Observe(ctx context.Context, mg resource.Managed) (managed.Ex
 	}
 	cr.Status.AtProvider.Checksum = checksum
 
+	if ptr.Deref[bool](cr.Spec.ForProvider.IncludePlan, false) {
+		cr.Status.AtProvider.Plan = &planOutput
+		planStamp := time.Now().UTC().Format("2006-01-02 15:04:05")
+		cr.Status.AtProvider.PlanStamp = &planStamp
+	}
+
 	if !differs {
 		// TODO(negz): Allow Workspaces to optionally derive their readiness from an
 		// output - similar to the logic XRs use to derive readiness from a field of