feat(file): add support to set the file mode (#1478)

* feat(file): Add support to set the file mode GH-733 [1] implemented basic support for hook scripts, but the authors "did not manage to find time to work on" [2] also including support to set the file mode. This small but important feature makes the use of the `proxmox_virtual_environment_container.hook_script_file_id` [3] and `virtual_environment_vm.hook_script_file_id` [34] attributes basically useless when not combined with the manual step of making the uploaded file executable (manually running `chmod +x /path/to/script` or using other methods, based on the storage backend). Using the `hook_script_file_id` on its own also causes all planned and applies changes in the same execution to not be saved in the state because the Proxmox VE API responses with a HTTP `500` because the uploaded and assigned file is not executable. This pull request implements the missing feature to set the file mode by adding a new `file_mode` attribute of type `string` where an octal-formatted value can be passed, e.g. `0700` or only `600`. Note that the support for the octal prefixes `0o` and `0x` are not supported to reduced the complexity, even though Go of course support it, including the used `os.FileMode` type [5]. Changing the file mode also causes the file to be replaced, which is true for almost any attribute in the `proxmox_virtual_environment_file` resource, to ensure that the file mode can also be changed after the initial creation. [1]: https://github.com/bpg/terraform-provider-proxmox/pull/733 [2]: https://github.com/bpg/terraform-provider-proxmox/pull/733#issuecomment-2096716738 [3]: https://registry.terraform.io/providers/bpg/proxmox/latest/docs/resources/virtual_environment_container#hook_script_file_id [4]: https://registry.terraform.io/providers/bpg/proxmox/latest/docs/resources/virtual_environment_vm#hook_script_file_id [5]: https://pkg.go.dev/os#FileMode Related to GH-570 Related to GH-733 Signed-off-by: Sven Greb <development@svengreb.de> --------- Signed-off-by: Sven Greb <development@svengreb.de>
2025-07-02 03:22:59 +00:00 · 2024-08-14 03:28:48 +02:00 · 2024-08-14 03:28:48 +02:00 · cc9d0e7131
commit cc9d0e7131
parent 8f82d1a384
9 changed files with 164 additions and 2 deletions
--- a/docs/resources/virtual_environment_container.md
+++ b/docs/resources/virtual_environment_container.md
@ -233,7 +233,7 @@ output "ubuntu_container_public_key" {
    - `keyctl` - (Optional) Whether the container supports `keyctl()` system
      call (defaults to `false`)
    - `mount` - (Optional) List of allowed mount types (`cifs` or `nfs`)
- `hook_script_file_id` - (Optional) The identifier for a file containing a hook script (needs to be executable).
+- `hook_script_file_id` - (Optional) The identifier for a file containing a hook script (needs to be executable, e.g. by using the `proxmox_virtual_environment_file.file_mode` attribute).
 ## Attribute Reference
--- a/docs/resources/virtual_environment_file.md
+++ b/docs/resources/virtual_environment_file.md
@ -80,6 +80,27 @@ resource "proxmox_virtual_environment_file" "cloud_config" {
 }
 ```
 The `file_mode` attribute can be used to make a script file executable, e.g. when referencing the file in the `hook_script_file_id` attribute of [a container](https://registry.terraform.io/providers/bpg/proxmox/latest/docs/resources/virtual_environment_container#hook_script_file_id) or [a VM](https://registry.terraform.io/providers/bpg/proxmox/latest/docs/resources/virtual_environment_vm#hook_script_file_id) resource which is a requirement enforced by the Proxmox VE API.
 ```hcl
 resource "proxmox_virtual_environment_file" "hook_script" {
  content_type = "snippets"
  datastore_id = "local"
  node_name    = "pve"
  # Hook scripts must be executable, otherwise the Proxmox VE API will reject the configuration for the VM/CT.
  file_mode    = "0700"
  source_raw {
    data      = <<-EOF
      #!/usr/bin/env bash
      echo "Running hook script"
      EOF
    file_name = "prepare-hook.sh"
  }
 }
 ```
 ### Container Template (`vztmpl`)
 -> Consider using `proxmox_virtual_environment_download_file` resource instead. Using this resource for container images is less efficient (requires to transfer uploaded image to node) though still supported.
@ -105,6 +126,7 @@ resource "proxmox_virtual_environment_file" "ubuntu_container_template" {
    - `snippets` (allowed extensions: any)
    - `vztmpl` (allowed extensions: `.tar.gz`, `.tar.xz`, `tar.zst`)
 - `datastore_id` - (Required) The datastore id.
 - `file_mode` - The file mode in octal format, e.g. `0700` or `600`. Note that the prefixes `0o` and `0x` is not supported! Setting this attribute is also only allowed for `root@pam` authenticated user.
 - `node_name` - (Required) The node name.
 - `overwrite` - (Optional) Whether to overwrite an existing file (defaults to
    `true`).
--- a/docs/resources/virtual_environment_vm.md
+++ b/docs/resources/virtual_environment_vm.md
@ -545,7 +545,7 @@ output "ubuntu_vm_public_key" {
        - `vmware` - VMware Compatible.
    - `clipboard` - (Optional) Enable VNC clipboard by setting to `vnc`. See the [Proxmox documentation](https://pve.proxmox.com/pve-docs/pve-admin-guide.html#qm_virtual_machines_settings) section 10.2.8 for more information.
 - `vm_id` - (Optional) The VM identifier.
- `hook_script_file_id` - (Optional) The identifier for a file containing a hook script (needs to be executable).
+- `hook_script_file_id` - (Optional) The identifier for a file containing a hook script (needs to be executable, e.g. by using the `proxmox_virtual_environment_file.file_mode` attribute). 
 ## Attribute Reference
--- a/proxmox/api/client_types.go
+++ b/proxmox/api/client_types.go
@ -29,4 +29,9 @@ type FileUploadRequest struct {
 	ContentType string
 	FileName    string
 	File        *os.File
 	// Will be handled as unsigned 32-bit integer since the underlying type of os.FileMode is the same, but must be parsed
 	// as string due to the conversion of the octal format.
 	// References:
 	//   1. https://en.wikipedia.org/wiki/Chmod#Special_modes
 	Mode string
 }
--- a/proxmox/ssh/client.go
+++ b/proxmox/ssh/client.go
@ -16,6 +16,7 @@ import (
 	"path"
 	"path/filepath"
 	"runtime"
 	"strconv"
 	"strings"
 	"github.com/hashicorp/terraform-plugin-log/tflog"
@ -332,6 +333,17 @@ func (c *client) NodeStreamUpload(
 		return err
 	}
 	if d.Mode != "" {
 		parsedFileMode, parseErr := strconv.ParseUint(d.Mode, 8, 12)
 		if parseErr != nil {
 			return fmt.Errorf("failed to parse file mode %q: %w", d.Mode, err)
 		}
 		if err = c.changeModeUploadedFile(ctx, sshClient, remoteFilePath, os.FileMode(uint32(parsedFileMode))); err != nil {
 			return err
 		}
 	}
 	tflog.Debug(ctx, "uploaded file to datastore", map[string]interface{}{
 		"remote_file_path": remoteFilePath,
 	})
@ -410,6 +422,49 @@ func (c *client) checkUploadedFile(
 	return nil
 }
 func (c *client) changeModeUploadedFile(
 	ctx context.Context,
 	sshClient *ssh.Client,
 	remoteFilePath string,
 	fileMode os.FileMode,
 ) error {
 	sftpClient, err := sftp.NewClient(sshClient)
 	if err != nil {
 		return fmt.Errorf("failed to create SFTP client: %w", err)
 	}
 	defer func(sftpClient *sftp.Client) {
 		e := sftpClient.Close()
 		if e != nil {
 			tflog.Warn(ctx, "failed to close SFTP client", map[string]interface{}{
 				"error": e,
 			})
 		}
 	}(sftpClient)
 	remoteFile, err := sftpClient.Open(remoteFilePath)
 	if err != nil {
 		return fmt.Errorf("failed to open remote file %s: %w", remoteFilePath, err)
 	}
 	remoteStat, err := remoteFile.Stat()
 	if err != nil {
 		return fmt.Errorf("failed to read remote file %s: %w", remoteFilePath, err)
 	}
 	if err = sftpClient.Chmod(remoteFilePath, fileMode); err != nil {
 		return fmt.Errorf("failed to change file mode of remote file from %#o (%s) to %#o (%s): %w",
 			remoteStat.Mode().Perm(), remoteStat.Mode(), fileMode.Perm(), fileMode, err)
 	}
 	tflog.Debug(ctx, "changed mode of uploaded file", map[string]interface{}{
 		"before": fmt.Sprintf("%#o (%s)", remoteStat.Mode().Perm(), remoteStat.Mode()),
 		"after":  fmt.Sprintf("%#o (%s)", fileMode.Perm(), fileMode),
 	})
 	return nil
 }
 // openNodeShell establishes a new SSH connection to a node.
 func (c *client) openNodeShell(ctx context.Context, node ProxmoxNode) (*ssh.Client, error) {
 	homeDir, err := os.UserHomeDir()
--- a/proxmoxtf/resource/file.go
+++ b/proxmoxtf/resource/file.go
@ -48,6 +48,7 @@ const (
 	mkResourceVirtualEnvironmentFileDatastoreID          = "datastore_id"
 	mkResourceVirtualEnvironmentFileFileModificationDate = "file_modification_date"
 	mkResourceVirtualEnvironmentFileFileName             = "file_name"
 	mkResourceVirtualEnvironmentFileFileMode             = "file_mode"
 	mkResourceVirtualEnvironmentFileFileSize             = "file_size"
 	mkResourceVirtualEnvironmentFileFileTag              = "file_tag"
 	mkResourceVirtualEnvironmentFileNodeName             = "node_name"
@ -95,6 +96,15 @@ func File() *schema.Resource {
 				Description: "The file name",
 				Computed:    true,
 			},
 			mkResourceVirtualEnvironmentFileFileMode: {
 				Type: schema.TypeString,
 				Description: `The file mode in octal format, e.g. "0700" or "600".` +
 					`Note that the prefixes "0o" and "0x" are not supported!` +
 					`Setting this attribute is also only allowed for "root@pam" authenticated user.`,
 				Optional:         true,
 				ValidateDiagFunc: validators.FileMode(),
 				ForceNew:         true,
 			},
 			mkResourceVirtualEnvironmentFileFileSize: {
 				Type:        schema.TypeInt,
 				Description: "The file size in bytes",
@ -308,6 +318,7 @@ func fileParseImportID(id string) (string, fileVolumeID, error) {
 func fileCreate(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
 	uploadTimeout := d.Get(mkResourceVirtualEnvironmentFileTimeoutUpload).(int)
 	fileMode := d.Get(mkResourceVirtualEnvironmentFileFileMode).(string)
 	ctx, cancel := context.WithTimeout(ctx, time.Duration(uploadTimeout)*time.Second)
 	defer cancel()
@ -538,6 +549,7 @@ func fileCreate(ctx context.Context, d *schema.ResourceData, m interface{}) diag
 		ContentType: *contentType,
 		FileName:    *fileName,
 		File:        file,
 		Mode:        fileMode,
 	}
 	switch *contentType {
--- a/proxmoxtf/resource/file_test.go
+++ b/proxmoxtf/resource/file_test.go
@ -39,6 +39,7 @@ func TestFileSchema(t *testing.T) {
 	test.AssertOptionalArguments(t, s, []string{
 		mkResourceVirtualEnvironmentFileContentType,
 		mkResourceVirtualEnvironmentFileSourceFile,
 		mkResourceVirtualEnvironmentFileFileMode,
 		mkResourceVirtualEnvironmentFileSourceRaw,
 		mkResourceVirtualEnvironmentFileTimeoutUpload,
 	})
@ -55,6 +56,7 @@ func TestFileSchema(t *testing.T) {
 		mkResourceVirtualEnvironmentFileDatastoreID:          schema.TypeString,
 		mkResourceVirtualEnvironmentFileFileModificationDate: schema.TypeString,
 		mkResourceVirtualEnvironmentFileFileName:             schema.TypeString,
 		mkResourceVirtualEnvironmentFileFileMode:             schema.TypeString,
 		mkResourceVirtualEnvironmentFileFileSize:             schema.TypeInt,
 		mkResourceVirtualEnvironmentFileFileTag:              schema.TypeString,
 		mkResourceVirtualEnvironmentFileNodeName:             schema.TypeString,
--- a/proxmoxtf/resource/validators/file.go
+++ b/proxmoxtf/resource/validators/file.go
@ -9,6 +9,7 @@ package validators
 import (
 	"fmt"
 	"regexp"
 	"strconv"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
@ -66,6 +67,35 @@ func FileID() schema.SchemaValidateDiagFunc {
 	})
 }
 // FileMode is a schema validation function for file mode.
 func FileMode() schema.SchemaValidateDiagFunc {
 	return validation.ToDiagFunc(
 		func(i interface{}, k string) ([]string, []error) {
 			var errs []error
 			v, ok := i.(string)
 			if !ok {
 				errs = append(errs, fmt.Errorf(
 					`expected string in octal format (e.g. "0o700" or "0700"") for %q, but got %v of type %T`, k, v, i))
 				return nil, errs
 			}
 			mode, err := strconv.ParseInt(v, 10, 64)
 			if err != nil {
 				errs = append(errs, fmt.Errorf("failed to parse file mode %q: %w", v, err))
 				return nil, errs
 			}
 			if mode < 1 || mode > int64(^uint32(0)) {
 				errs = append(errs, fmt.Errorf("%q must be in the range (%d - %d), got %d", v, 1, ^uint32(0), mode))
 				return nil, errs
 			}
 			return []string{}, errs
 		},
 	)
 }
 // FileSize is a schema validation function for file size.
 func FileSize() schema.SchemaValidateDiagFunc {
 	return validation.ToDiagFunc(func(i interface{}, k string) ([]string, []error) {
--- a/proxmoxtf/resource/validators/file_test.go
+++ b/proxmoxtf/resource/validators/file_test.go
@ -41,3 +41,39 @@ func TestFileID(t *testing.T) {
 		})
 	}
 }
 func TestFileMode(t *testing.T) {
 	t.Parallel()
 	tests := []struct {
 		name  string
 		value string
 		valid bool
 	}{
 		{"valid", "0700", true},
 		{"invalid", "invalid", false},
 		// Even though Go supports octal prefixes, we should not allow them in the string value to reduce the complexity.
 		{"invalid", "0o700", false},
 		{"invalid", "0x700", false},
 		// Maximum value for uint32, incremented by one.
 		{"too large", "4294967296", false},
 		{"too small", "0", false},
 		{"negative", "-1", false},
 		{"empty", "", false},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 			f := FileMode()
 			res := f(tt.value, nil)
 			if tt.valid {
 				require.Empty(t, res, "validate: '%s'", tt.value)
 			} else {
 				require.NotEmpty(t, res, "validate: '%s'", tt.value)
 			}
 		})
 	}
 }