Auto-fetch provider checksums during codegen instead of hardcoding

The codegen tool (`go run .`) now automatically downloads the SHA256SUMS
file from the GitHub release and embeds the checksums into the generated
root.go. When bumping the provider version, developers only need to
update version.go — checksums are resolved automatically.

Co-authored-by: Isaac

Author: shreyas-goenka

bundle/internal/tf/codegen/README.md

@@ -7,6 +7,7 @@ The entry point for this tool is `.`.
 It uses `./tmp` a temporary data directory and `../schema` as output directory.
 
 It automatically installs the Terraform binary as well as the Databricks Terraform provider.
+It also fetches SHA256 checksums for the provider archive from GitHub releases.
 
 Run with:
 

bundle/internal/tf/codegen/generator/generator.go

@@ -53,7 +53,7 @@ func (r *root) Generate(path string) error {
 	return tmpl.Execute(f, r)
 }
 
-func Run(ctx context.Context, schema *tfjson.ProviderSchema, path string) error {
+func Run(ctx context.Context, schema *tfjson.ProviderSchema, checksums *schemapkg.ProviderChecksums, path string) error {
 	// Generate types for resources
 	var resources []*namedBlock
 	for _, k := range sortKeys(schema.ResourceSchemas) {
@@ -151,8 +151,8 @@ func Run(ctx context.Context, schema *tfjson.ProviderSchema, path string) error
 		r := &root{
 			OutputFile:                 "root.go",
 			ProviderVersion:            schemapkg.ProviderVersion,
-			ProviderChecksumLinuxAmd64: schemapkg.ProviderChecksumLinuxAmd64,
-			ProviderChecksumLinuxArm64: schemapkg.ProviderChecksumLinuxArm64,
+			ProviderChecksumLinuxAmd64: checksums.LinuxAmd64,
+			ProviderChecksumLinuxArm64: checksums.LinuxArm64,
 		}
 		err := r.Generate(path)
 		if err != nil {

bundle/internal/tf/codegen/main.go

@@ -11,12 +11,20 @@ import (
 func main() {
 	ctx := context.Background()
 
-	schema, err := schema.Load(ctx)
+	s, err := schema.Load(ctx)
 	if err != nil {
 		log.Fatal(err)
 	}
 
-	err = generator.Run(ctx, schema, "../schema")
+	log.Printf("fetching provider checksums for v%s", schema.ProviderVersion)
+	checksums, err := schema.FetchProviderChecksums(schema.ProviderVersion)
+	if err != nil {
+		log.Fatal(err)
+	}
+	log.Printf("  linux_amd64: %s", checksums.LinuxAmd64)
+	log.Printf("  linux_arm64: %s", checksums.LinuxArm64)
+
+	err = generator.Run(ctx, s, checksums, "../schema")
 	if err != nil {
 		log.Fatal(err)
 	}

bundle/internal/tf/codegen/schema/checksum.go

@@ -0,0 +1,67 @@
+package schema
+
+import (
+	"bufio"
+	"fmt"
+	"net/http"
+	"strings"
+)
+
+// ProviderChecksums holds the SHA256 checksums for the Databricks Terraform
+// provider archive for supported Linux architectures.
+type ProviderChecksums struct {
+	LinuxAmd64 string
+	LinuxArm64 string
+}
+
+// FetchProviderChecksums downloads the SHA256SUMS file from the GitHub release
+// for the given provider version and extracts checksums for the linux_amd64 and
+// linux_arm64 archives.
+// https://github.com/databricks/terraform-provider-databricks/releases
+func FetchProviderChecksums(version string) (*ProviderChecksums, error) {
+	url := fmt.Sprintf(
+		"https://github.com/databricks/terraform-provider-databricks/releases/download/v%s/terraform-provider-databricks_%s_SHA256SUMS",
+		version, version,
+	)
+
+	resp, err := http.Get(url)
+	if err != nil {
+		return nil, fmt.Errorf("downloading SHA256SUMS for provider v%s: %w", version, err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("downloading SHA256SUMS for provider v%s: HTTP %s", version, resp.Status)
+	}
+
+	checksums := &ProviderChecksums{}
+	amd64Suffix := fmt.Sprintf("terraform-provider-databricks_%s_linux_amd64.zip", version)
+	arm64Suffix := fmt.Sprintf("terraform-provider-databricks_%s_linux_arm64.zip", version)
+
+	scanner := bufio.NewScanner(resp.Body)
+	for scanner.Scan() {
+		line := scanner.Text()
+		parts := strings.Fields(line)
+		if len(parts) != 2 {
+			continue
+		}
+		switch parts[1] {
+		case amd64Suffix:
+			checksums.LinuxAmd64 = parts[0]
+		case arm64Suffix:
+			checksums.LinuxArm64 = parts[0]
+		}
+	}
+	if err := scanner.Err(); err != nil {
+		return nil, fmt.Errorf("reading SHA256SUMS for provider v%s: %w", version, err)
+	}
+
+	if checksums.LinuxAmd64 == "" {
+		return nil, fmt.Errorf("checksum not found for %s in SHA256SUMS", amd64Suffix)
+	}
+	if checksums.LinuxArm64 == "" {
+		return nil, fmt.Errorf("checksum not found for %s in SHA256SUMS", arm64Suffix)
+	}
+
+	return checksums, nil
+}

bundle/internal/tf/codegen/schema/version.go

@@ -1,12 +1,3 @@
 package schema
 
 const ProviderVersion = "1.111.0"
-
-// Checksums for the Databricks Terraform provider archive. These are not used
-// inside the CLI. They are co-located here to be output in the
-// "databricks bundle debug terraform" output. Downstream applications like the
-// CLI docker image use these checksums to verify the integrity of the downloaded
-// provider archive. Please update these when the provider version is bumped.
-// The checksums are obtained from https://github.com/databricks/terraform-provider-databricks/releases.
-const ProviderChecksumLinuxAmd64 = "c1b46bbaf5c4a0b253309dad072e05025e24731536719d4408bacd48dc0ccfd9"
-const ProviderChecksumLinuxArm64 = "ce379c424009b01ec4762dee4d0db27cfc554d921b55a0af8e4203b3652259e9"