data source to validate image structure

[imjasonh]

Prior art: https://github.com/GoogleContainerTools/container-structure-test

Something like:

data "oci_ref" "image" {
  ref = "alpine"
}

data "oci_validate" "validate" {
  test {
    rule = (oci_ref.image.config.user = "nobody")
  }
  test {
    rule = (contains(oci_ref.image.config.env, "FOO=bar"))
  }
  test {
    file = {
      digest = oci_ref.image.id
      path = "/etc/passwd"
      contains = "nobody"
      not_contains = "my credit card number is:"
      permissions = "-rw-r--r--"
    }
  }
}

resource "google_cloud_run_service" "service" {
  image = oci_validate.validate.validated_ref
}

We can also consider command tests that effectively docker run <image> and inspect the result.

[imjasonh]

We (edit: don't) need separate data sources for validating images and indexes.

image is a misnomer though, maybe digest instead?

data "oci_ref" "alpine" {
  ref = "alpine"
}

data "oci_validate" "validate" {
  image = oci_ref.alpine.image_ref
  test {
    rule = keys(oci_ref.alpine.manifests) = ["linux/amd64", "linux/arm64"]
  }
  # TODO: test index annotations and SBOM
}

data "oci_validate" "validate" {
  # test each platform
  for_each = keys(oci_ref.alpine.manifests)
  image = each.value.image_ref

  test {
    path     = "/etc/passwd"
    contains = "nobody"
  }
  # TODO: test image annotations and SBOM
}