

bug: provider can mangle ENVBUILDER_INIT_SCRIPT #31

Closed johnstcn closed 2 months ago

johnstcn commented 2 months ago

Given:

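locals {
  # Environment handed to envbuilder as a map. Only the agent token is shown;
  # the remaining entries are elided in this report.
  envbuilder_env = {
    "CODER_AGENT_TOKEN" : coder_agent.main.token,
    # ...
  }
  # Convert the above map to the "KEY=VALUE" list format expected by the
  # docker provider's `env` argument.
  docker_env = [
    for k, v in local.envbuilder_env : "${k}=${v}"
  ]
}

# ...

resource "envbuilder_cached_image" "cached" {
  # ...
  extra_env = local.envbuilder_env
}

resource "docker_container" "workspace" {
  # ...
  # With no cache repo configured, use the locally built env list; otherwise
  # use the env list computed by the cached-image resource. The mangled
  # ENVBUILDER_INIT_SCRIPT below is observed with this configuration,
  # presumably via the second branch — confirm.
  env = var.cache_repo == "" ? local.docker_env : envbuilder_cached_image.cached.0.env
}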

You may get the following when running the init script in the resulting container:

root@0cb1aac9b261:/# $ENVBUILDER_INIT_SCRIPT
+ '#!/usr/bin/env' 'sh\nset' '-eux\n#' Sleep for a good long while before 'exiting.\n#' This is to allow folks to exec into a failed workspace and poke around 'to\n#' 'troubleshoot.\nwaitonexit()' '{\n\techo' '\"===' Agent script exited with non-zero code '($?).' Sleeping 24h to preserve 'logs...\"\n\tsleep' '86400\n}\ntrap' waitonexit 'EXIT\nBINARY_DIR=\"${BINARY_DIR:-$(mktemp' -d -t 'coder.XXXXXX)}\"\nBINARY_NAME=coder\nBINARY_URL=http://host.docker.internal:7080/bin/coder-linux-amd64\ncd' '\"$BINARY_DIR\"\n#' Attempt to download the coder 'agent.\n#' This could fail for a number of reasons, many of which are likely 'transient.\n#' So just keep 'trying!\nwhile' ':;' 'do\n\t#' Try a number of different download tools, as we don not know what 'we\n\t#' will have 'available.\n\tstatus=\"\"\n\tif' command -v curl '>/dev/null' '2>&1;' 'then\n\t\tcurl' -fsSL --compressed '\"${BINARY_URL}\"' -o '\"${BINARY_NAME}\"' '&&' 'break\n\t\tstatus=$?\n\telif' command -v wget '>/dev/null' '2>&1;' 'then\n\t\twget' -q '\"${BINARY_URL}\"' -O '\"${BINARY_NAME}\"' '&&' 'break\n\t\tstatus=$?\n\telif' command -v busybox '>/dev/null' '2>&1;' 'then\n\t\tbusybox' wget -q '\"${BINARY_URL}\"' -O '\"${BINARY_NAME}\"' '&&' 'break\n\t\tstatus=$?\n\telse\n\t\techo' '\"error:' no download tool found, please install curl, wget or busybox 'wget\"\n\t\texit' '127\n\tfi\n\techo' '\"error:' failed to download coder 'agent\"\n\techo' '\"' command returned: '${status}\"\n\techo' '\"Trying' again in 30 'seconds...\"\n\tsleep' '30\ndone\n\nif' '!' chmod +x '$BINARY_NAME;' 'then\n\techo' '\"Failed' to make '$BINARY_NAME' 'executable\"\n\texit' '1\nfi\n\nhaslibcap2()' '{\n\tcommand' -v setcap /dev/null '2>&1\n\tcommand' -v capsh /dev/null '2>&1\n}\nprintnetadminmissing()' '{\n\techo' '\"The' root user does not have CAP_NET_ADMIN permission. 
'\"' + '\\\n\t\t\"If' running in Docker, add the capability to the container for '\"' + '\\\n\t\t\"improved' network 'performance.\"\n\techo' '\"This' has security implications. See 'https://man7.org/linux/man-pages/man7/capabilities.7.html\"\n}\n\n#' Attempt to add CAP_NET_ADMIN to the agent binary. This allows us to 'increase\n#' network buffers which improves network transfer 'speeds.\nif' '[' -n '\"${USE_CAP_NET_ADMIN:-}\"' '];' 'then\n\t#' If running as root, we do not need to do 'anything.\n\tif' '[' '\"$(id' '-u)\"' -eq 0 '];' 'then\n\t\techo' '\"Running' as root, skipping 'setcap\"\n\t\t#' Warn the user if root does not have 'CAP_NET_ADMIN.\n\t\tif' '!' capsh '--has-p=CAP_NET_ADMIN;' 'then\n\t\t\tprintnetadminmissing\n\t\tfi\n\n\t#' If not running as root, make sure we have sudo perms and the '\"setcap\"' '+\n\t#' '\"capsh\"' binaries 'exist.\n\telif' sudo -nl '&&' 'haslibcap2;' 'then\n\t\t#' Make sure the root user has 'CAP_NET_ADMIN.\n\t\tif' sudo -n capsh '--has-p=CAP_NET_ADMIN;' 'then\n\t\t\tsudo' -n setcap CAP_NET_ADMIN=+ep './$BINARY_NAME' '||' 'true\n\t\telse\n\t\t\tprintnetadminmissing\n\t\tfi\n\n\t#' If we are not running as root, cant sudo, and '\"setcap\"' does not exist, 'we\n\t#' cannot do 'anything.\n\telse\n\t\techo' '\"Unable' to setcap agent binary. To enable improved network performance, '\"' + '\\\n\t\t\t\"give' the agent passwordless sudo permissions and the '\\\"setcap\\\"' + '\\\"capsh\\\"' 'binaries.\"\n\t\techo' '\"This' has security implications. See 'https://man7.org/linux/man-pages/man7/capabilities.7.html\"\n\tfi\nfi\n\nexport' 'CODER_AGENT_AUTH=\"token\"\nexport' 'CODER_AGENT_URL=\"http://host.docker.internal:7080/\"\n\noutput=$(./${BINARY_NAME}' --version '|' head '-n1)\nif' '!' 
echo '\"${output}\"' '|' grep -q 'Coder;' 'then\n\techo' '>&2' '\"ERROR:' Downloaded agent binary returned unexpected version 'output\"\n\techo' '>&2' '\"${BINARY_NAME}' --version output: '\\\"${output}\\\"\"\n\texit' '2\nfi\n\nexec' './${BINARY_NAME}' 'agent\n'
bash: #!/usr/bin/env: No such file or directory

It appears that the provider is mangling quotes and newlines: `declare -p` below shows the script stored as a single line with literal `\n` sequences and escaped `\"` characters, which is what a `fmt.Sprintf("%q")` somewhere in the provider would produce.

root@0cb1aac9b261:/# declare -p ENVBUILDER_INIT_SCRIPT
+ declare -p ENVBUILDER_INIT_SCRIPT
declare -x ENVBUILDER_INIT_SCRIPT="#!/usr/bin/env sh\\nset -eux\\n# Sleep for a good long while before exiting.\\n# This is to allow folks to exec into a failed workspace and poke around to\\n# troubleshoot.\\nwaitonexit() {\\n\\techo \\\"=== Agent script exited with non-zero code (\$?). Sleeping 24h to preserve logs...\\\"\\n\\tsleep 86400\\n}\\ntrap waitonexit EXIT\\nBINARY_DIR=\\\"\${BINARY_DIR:-\$(mktemp -d -t coder.XXXXXX)}\\\"\\nBINARY_NAME=coder\\nBINARY_URL=http://host.docker.internal:7080/bin/coder-linux-amd64\\ncd \\\"\$BINARY_DIR\\\"\\n# Attempt to download the coder agent.\\n# This could fail for a number of reasons, many of which are likely transient.\\n# So just keep trying!\\nwhile :; do\\n\\t# Try a number of different download tools, as we don not know what we\\n\\t# will have available.\\n\\tstatus=\\\"\\\"\\n\\tif command -v curl >/dev/null 2>&1; then\\n\\t\\tcurl -fsSL --compressed \\\"\${BINARY_URL}\\\" -o \\\"\${BINARY_NAME}\\\" && break\\n\\t\\tstatus=\$?\\n\\telif command -v wget >/dev/null 2>&1; then\\n\\t\\twget -q \\\"\${BINARY_URL}\\\" -O \\\"\${BINARY_NAME}\\\" && break\\n\\t\\tstatus=\$?\\n\\telif command -v busybox >/dev/null 2>&1; then\\n\\t\\tbusybox wget -q \\\"\${BINARY_URL}\\\" -O \\\"\${BINARY_NAME}\\\" && break\\n\\t\\tstatus=\$?\\n\\telse\\n\\t\\techo \\\"error: no download tool found, please install curl, wget or busybox wget\\\"\\n\\t\\texit 127\\n\\tfi\\n\\techo \\\"error: failed to download coder agent\\\"\\n\\techo \\\"       command returned: \${status}\\\"\\n\\techo \\\"Trying again in 30 seconds...\\\"\\n\\tsleep 30\\ndone\\n\\nif ! chmod +x \$BINARY_NAME; then\\n\\techo \\\"Failed to make \$BINARY_NAME executable\\\"\\n\\texit 1\\nfi\\n\\nhaslibcap2() {\\n\\tcommand -v setcap /dev/null 2>&1\\n\\tcommand -v capsh /dev/null 2>&1\\n}\\nprintnetadminmissing() {\\n\\techo \\\"The root user does not have CAP_NET_ADMIN permission. 
\\\" + \\\\\\n\\t\\t\\\"If running in Docker, add the capability to the container for \\\" + \\\\\\n\\t\\t\\\"improved network performance.\\\"\\n\\techo \\\"This has security implications. See https://man7.org/linux/man-pages/man7/capabilities.7.html\\\"\\n}\\n\\n# Attempt to add CAP_NET_ADMIN to the agent binary. This allows us to increase\\n# network buffers which improves network transfer speeds.\\nif [ -n \\\"\${USE_CAP_NET_ADMIN:-}\\\" ]; then\\n\\t# If running as root, we do not need to do anything.\\n\\tif [ \\\"\$(id -u)\\\" -eq 0 ]; then\\n\\t\\techo \\\"Running as root, skipping setcap\\\"\\n\\t\\t# Warn the user if root does not have CAP_NET_ADMIN.\\n\\t\\tif ! capsh --has-p=CAP_NET_ADMIN; then\\n\\t\\t\\tprintnetadminmissing\\n\\t\\tfi\\n\\n\\t# If not running as root, make sure we have sudo perms and the \\\"setcap\\\" +\\n\\t# \\\"capsh\\\" binaries exist.\\n\\telif sudo -nl && haslibcap2; then\\n\\t\\t# Make sure the root user has CAP_NET_ADMIN.\\n\\t\\tif sudo -n capsh --has-p=CAP_NET_ADMIN; then\\n\\t\\t\\tsudo -n setcap CAP_NET_ADMIN=+ep ./\$BINARY_NAME || true\\n\\t\\telse\\n\\t\\t\\tprintnetadminmissing\\n\\t\\tfi\\n\\n\\t# If we are not running as root, cant sudo, and \\\"setcap\\\" does not exist, we\\n\\t# cannot do anything.\\n\\telse\\n\\t\\techo \\\"Unable to setcap agent binary. To enable improved network performance, \\\" + \\\\\\n\\t\\t\\t\\\"give the agent passwordless sudo permissions and the \\\\\\\"setcap\\\\\\\" + \\\\\\\"capsh\\\\\\\" binaries.\\\"\\n\\t\\techo \\\"This has security implications. See https://man7.org/linux/man-pages/man7/capabilities.7.html\\\"\\n\\tfi\\nfi\\n\\nexport CODER_AGENT_AUTH=\\\"token\\\"\\nexport CODER_AGENT_URL=\\\"http://host.docker.internal:7080/\\\"\\n\\noutput=\$(./\${BINARY_NAME} --version | head -n1)\\nif ! 
echo \\\"\${output}\\\" | grep -q Coder; then\\n\\techo >&2 \\\"ERROR: Downloaded agent binary returned unexpected version output\\\"\\n\\techo >&2 \\\"\${BINARY_NAME} --version output: \\\\\\\"\${output}\\\\\\\"\\\"\\n\\texit 2\\nfi\\n\\nexec ./\${BINARY_NAME} agent\\n"
datapedd commented 2 months ago

@johnstcn I still get `error: no download tool found, please install curl, wget or busybox wget` (after changing the Dockerfile and restarting the workspace). What needs to be changed further?

terraform.txt