wip remote runs

Author: breardon2011

taco/internal/api/internal.go

@@ -142,15 +142,34 @@ func RegisterInternalRoutes(e *echo.Echo, deps Dependencies) {
 
 	// Create identifier resolver for TFE org resolution
 	var tfeIdentifierResolver domain.IdentifierResolver
+	var runRepo domain.TFERunRepository
+	var planRepo domain.TFEPlanRepository
+	var configVerRepo domain.TFEConfigurationVersionRepository
+	
 	if deps.QueryStore != nil {
 		if db := repositories.GetDBFromQueryStore(deps.QueryStore); db != nil {
 			tfeIdentifierResolver = repositories.NewIdentifierResolver(db)
+			// Create TFE repositories for runs, plans, and configuration versions
+			runRepo = repositories.NewTFERunRepository(db)
+			planRepo = repositories.NewTFEPlanRepository(db)
+			configVerRepo = repositories.NewTFEConfigurationVersionRepository(db)
+			log.Println("TFE repositories initialized successfully (internal routes)")
 		}
 	}
 
 	// Create TFE handler with webhook auth context
 	// Pass both wrapped (for authenticated calls) and unwrapped (for signed URLs) repositories
-	tfeHandler := tfe.NewTFETokenHandler(authHandler, deps.Repository, deps.UnwrappedRepository, deps.BlobStore, deps.RBACManager, tfeIdentifierResolver)
+	tfeHandler := tfe.NewTFETokenHandler(
+		authHandler,
+		deps.Repository,
+		deps.UnwrappedRepository,
+		deps.BlobStore,
+		deps.RBACManager,
+		tfeIdentifierResolver,
+		runRepo,
+		planRepo,
+		configVerRepo,
+	)
 
 	// TFE group with webhook auth (for UI pass-through)
 	tfeInternal := e.Group("/internal/tfe/api/v2")
@@ -179,11 +198,13 @@ func RegisterInternalRoutes(e *echo.Echo, deps Dependencies) {
 	tfeInternal.GET("/configuration-versions/:id", tfeHandler.GetConfigurationVersion)
 	tfeInternal.POST("/runs", tfeHandler.CreateRun)
 	tfeInternal.GET("/runs/:id", tfeHandler.GetRun)
-	tfeInternal.GET("/runs/:id/policy-checks", tfeHandler.EmptyListResponse)
-	tfeInternal.GET("/runs/:id/task-stages", tfeHandler.EmptyListResponse)
-	tfeInternal.GET("/runs/:id/cost-estimates", tfeHandler.EmptyListResponse)
-	tfeInternal.GET("/runs/:id/run-events", tfeHandler.EmptyListResponse)
+	tfeInternal.POST("/runs/:id/actions/apply", tfeHandler.ApplyRun)
+	tfeInternal.GET("/runs/:id/policy-checks", tfeHandler.GetPolicyChecks)
+	tfeInternal.GET("/runs/:id/task-stages", tfeHandler.GetTaskStages)
+	tfeInternal.GET("/runs/:id/cost-estimates", tfeHandler.GetCostEstimates)
+	tfeInternal.GET("/runs/:id/run-events", tfeHandler.GetRunEvents)
 	tfeInternal.GET("/plans/:id", tfeHandler.GetPlan)
+	tfeInternal.GET("/applies/:id", tfeHandler.GetApply)
 
 
 	log.Println("TFE API endpoints registered at /internal/tfe/api/v2 with webhook auth")

taco/internal/api/routes.go

@@ -250,12 +250,32 @@ func RegisterRoutes(e *echo.Echo, deps Dependencies) {
 	// Unwrapped repository is used for signed URL operations (pre-authorized, no RBAC checks needed)
 	// Create identifier resolver for org resolution
 	var tfeIdentifierResolver domain.IdentifierResolver
+	var runRepo domain.TFERunRepository
+	var planRepo domain.TFEPlanRepository
+	var configVerRepo domain.TFEConfigurationVersionRepository
+	
 	if deps.QueryStore != nil {
 		if db := repositories.GetDBFromQueryStore(deps.QueryStore); db != nil {
 			tfeIdentifierResolver = repositories.NewIdentifierResolver(db)
+			// Create TFE repositories for runs, plans, and configuration versions
+			runRepo = repositories.NewTFERunRepository(db)
+			planRepo = repositories.NewTFEPlanRepository(db)
+			configVerRepo = repositories.NewTFEConfigurationVersionRepository(db)
+			log.Println("TFE repositories initialized successfully")
 		}
 	}
-	tfeHandler := tfe.NewTFETokenHandler(authHandler, deps.Repository, deps.UnwrappedRepository, deps.BlobStore, deps.RBACManager, tfeIdentifierResolver)
+	
+	tfeHandler := tfe.NewTFETokenHandler(
+		authHandler,
+		deps.Repository,
+		deps.UnwrappedRepository,
+		deps.BlobStore,
+		deps.RBACManager,
+		tfeIdentifierResolver,
+		runRepo,
+		planRepo,
+		configVerRepo,
+	)
 
 	// Create protected TFE group - opaque tokens only
 	tfeGroup := e.Group("/tfe/api/v2")
@@ -276,7 +296,24 @@ func RegisterRoutes(e *echo.Echo, deps Dependencies) {
 	tfeGroup.POST("/workspaces/:workspace_id/state-versions", tfeHandler.CreateStateVersion)
 	tfeGroup.GET("/state-versions/:id", tfeHandler.ShowStateVersion)
 
-	tfeGroup.GET("/plans/:planID/logs/:blobId", tfeHandler.GetPlanLogs)
+	// Configuration version routes
+	tfeGroup.POST("/workspaces/:workspace_name/configuration-versions", tfeHandler.CreateConfigurationVersions)
+	tfeGroup.GET("/configuration-versions/:id", tfeHandler.GetConfigurationVersion)
+	
+	// Run routes
+	tfeGroup.POST("/runs", tfeHandler.CreateRun)
+	tfeGroup.GET("/runs/:id", tfeHandler.GetRun)
+	tfeGroup.POST("/runs/:id/actions/apply", tfeHandler.ApplyRun)
+	tfeGroup.GET("/runs/:id/policy-checks", tfeHandler.GetPolicyChecks)
+	tfeGroup.GET("/runs/:id/task-stages", tfeHandler.GetTaskStages)
+	tfeGroup.GET("/runs/:id/cost-estimates", tfeHandler.GetCostEstimates)
+	tfeGroup.GET("/runs/:id/run-events", tfeHandler.GetRunEvents)
+	
+	// Plan routes
+	tfeGroup.GET("/plans/:id", tfeHandler.GetPlan)
+	
+	// Apply routes
+	tfeGroup.GET("/applies/:id", tfeHandler.GetApply)
 
 	// Upload endpoints exempt from auth middleware (Terraform doesn't send auth headers)
 	// Security: These validate lock ownership and have RBAC checks in handlers
@@ -287,6 +324,14 @@ func RegisterRoutes(e *echo.Echo, deps Dependencies) {
 	tfeSignedUrlsGroup.PUT("/state-versions/:id/upload", tfeHandler.UploadStateVersion)
 	tfeSignedUrlsGroup.PUT("/state-versions/:id/json-upload", tfeHandler.UploadJSONStateOutputs)
 	tfeSignedUrlsGroup.PUT("/configuration-versions/:id/upload", tfeHandler.UploadConfigurationArchive)
+	
+	// Plan log streaming - token-based auth (token embedded in path, not query string)
+	// Security: Time-limited HMAC-signed tokens, Terraform CLI preserves path
+	e.GET("/tfe/api/v2/plans/:planID/logs/:token", tfeHandler.GetPlanLogs)
+	
+	// Apply log streaming - token-based auth (token embedded in path, not query string)
+	// Security: Time-limited HMAC-signed tokens, Terraform CLI preserves path
+	e.GET("/tfe/api/v2/applies/:applyID/logs/:token", tfeHandler.GetApplyLogs)
 
 	// Keep discovery endpoints unprotected (needed for terraform login)
 	e.GET("/.well-known/terraform.json", tfeHandler.GetWellKnownJson)

taco/internal/auth/signed_url.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"net/url"
 	"strconv"
+	"strings"
 	"time"
 
 	"github.com/diggerhq/digger/opentaco/internal/config"
@@ -65,4 +66,84 @@ func VerifySignedUrl(signedUrl string) error {
 		return fmt.Errorf("the signed url is invalid")
 	}
 	return nil
+}
+
+// GenerateLogStreamToken creates a time-limited token for log streaming
+// Format: {expiry-unix}.{base64-hmac-signature}
+// This is designed to be embedded in URL paths (not query strings) since
+// Terraform CLI preserves paths but strips/replaces query parameters
+func GenerateLogStreamToken(planID string, validFor time.Duration) (string, error) {
+	secret, err := config.GetConfig().GetSecretKey()
+	if err != nil {
+		return "", fmt.Errorf("failed to get secret key: %w", err)
+	}
+
+	expiry := time.Now().Add(validFor).Unix()
+	expiryStr := strconv.FormatInt(expiry, 10)
+
+	// Compute HMAC: HMAC(planID + expiry)
+	mac := hmac.New(sha256.New, []byte(secret))
+	mac.Write([]byte(planID + expiryStr))
+	sig := base64.URLEncoding.EncodeToString(mac.Sum(nil))
+
+	// Token format: expiry.signature (URL-safe, no special chars)
+	token := expiryStr + "." + sig
+	return token, nil
+}
+
+// VerifyLogStreamToken verifies a log streaming token for a specific plan
+// Token format: {expiry}.{signature} (embedded in URL path, not query string)
+func VerifyLogStreamToken(token string, planID string) bool {
+	secret, err := config.GetConfig().GetSecretKey()
+	if err != nil {
+		fmt.Printf("[VerifyLogStreamToken] Failed to get secret key: %v\n", err)
+		return false
+	}
+
+	// Parse token: expiry.signature (use strings.Split - simpler!)
+	parts := strings.SplitN(token, ".", 2)
+	if len(parts) != 2 {
+		fmt.Printf("[VerifyLogStreamToken] Invalid token format (expected expiry.signature): %s\n", token)
+		return false
+	}
+	
+	expiryStr := parts[0]
+	sig := parts[1]
+
+	fmt.Printf("[VerifyLogStreamToken] planID=%s, expiry=%s, sig=%s...\n", planID, expiryStr, sig[:min(20, len(sig))])
+
+	// Check expiry
+	expiry, err := strconv.ParseInt(expiryStr, 10, 64)
+	if err != nil {
+		fmt.Printf("[VerifyLogStreamToken] Failed to parse expiry: %v\n", err)
+		return false
+	}
+	
+	now := time.Now().Unix()
+	if now > expiry {
+		fmt.Printf("[VerifyLogStreamToken] Token expired (now=%d, expiry=%d, diff=%d sec)\n", now, expiry, now-expiry)
+		return false
+	}
+
+	// Verify signature using same HMAC logic as generation
+	mac := hmac.New(sha256.New, []byte(secret))
+	mac.Write([]byte(planID + expiryStr))
+	expectedSig := base64.URLEncoding.EncodeToString(mac.Sum(nil))
+
+	isValid := hmac.Equal([]byte(sig), []byte(expectedSig))
+	if !isValid {
+		fmt.Printf("[VerifyLogStreamToken] SIGNATURE MISMATCH - expected=%s..., got=%s...\n", 
+			expectedSig[:min(20, len(expectedSig))], sig[:min(20, len(sig))])
+	} else {
+		fmt.Printf("[VerifyLogStreamToken] ✓ Token valid for planID=%s\n", planID)
+	}
+	
+	return isValid
+}
+
+func min(a, b int) int {
+	if a < b {
+		return a
+	}
+	return b
 }

taco/internal/domain/interfaces.go

@@ -61,6 +61,57 @@ type TFEOperations interface {
 	StateOperations
 }
 
+// TFERunRepository manages TFE run lifecycle
+type TFERunRepository interface {
+	// Create a new run
+	CreateRun(ctx context.Context, run *TFERun) error
+	
+	// Get run by ID
+	GetRun(ctx context.Context, runID string) (*TFERun, error)
+	
+	// List runs for a unit (workspace)
+	ListRunsForUnit(ctx context.Context, unitID string, limit int) ([]*TFERun, error)
+	
+	// Update run status
+	UpdateRunStatus(ctx context.Context, runID string, status string) error
+	
+	// Update run with plan ID
+	UpdateRunPlanID(ctx context.Context, runID string, planID string) error
+	
+	// Update run status and can_apply together
+	UpdateRunStatusAndCanApply(ctx context.Context, runID string, status string, canApply bool) error
+}
+
+// TFEPlanRepository manages TFE plan lifecycle
+type TFEPlanRepository interface {
+	// Create a new plan
+	CreatePlan(ctx context.Context, plan *TFEPlan) error
+	
+	// Get plan by ID
+	GetPlan(ctx context.Context, planID string) (*TFEPlan, error)
+	
+	// Update plan status and results
+	UpdatePlan(ctx context.Context, planID string, updates *TFEPlanUpdate) error
+	
+	// Get plan by run ID
+	GetPlanByRunID(ctx context.Context, runID string) (*TFEPlan, error)
+}
+
+// TFEConfigurationVersionRepository manages configuration versions
+type TFEConfigurationVersionRepository interface {
+	// Create a new configuration version
+	CreateConfigurationVersion(ctx context.Context, cv *TFEConfigurationVersion) error
+	
+	// Get configuration version by ID
+	GetConfigurationVersion(ctx context.Context, cvID string) (*TFEConfigurationVersion, error)
+	
+	// Update configuration version status (and optionally the archive blob ID)
+	UpdateConfigurationVersionStatus(ctx context.Context, cvID string, status string, uploadedAt *time.Time, archiveBlobID *string) error
+	
+	// List configuration versions for a unit (workspace)
+	ListConfigurationVersionsForUnit(ctx context.Context, unitID string, limit int) ([]*TFEConfigurationVersion, error)
+}
+
 // ============================================
 // Full Repository Interface
 // ============================================
@@ -156,3 +207,82 @@ func DecodeUnitID(encoded string) string {
 	return NormalizeUnitID(encoded)
 }
 
+// ============================================
+// TFE Domain Models
+// ============================================
+
+// TFERun represents a Terraform run (plan/apply execution)
+type TFERun struct {
+	ID                     string
+	OrgID                  string
+	UnitID                 string
+	CreatedAt              time.Time
+	UpdatedAt              time.Time
+	Status                 string
+	IsDestroy              bool
+	Message                string
+	PlanOnly               bool
+	AutoApply              bool // Whether to auto-trigger apply after successful plan
+	Source                 string
+	IsCancelable           bool
+	CanApply               bool
+	ConfigurationVersionID string
+	PlanID                 *string
+	ApplyID                *string
+	CreatedBy              string
+	ApplyLogBlobID         *string
+}
+
+// TFEPlan represents a Terraform plan execution
+type TFEPlan struct {
+	ID                   string
+	OrgID                string
+	RunID                string
+	CreatedAt            time.Time
+	UpdatedAt            time.Time
+	Status               string
+	ResourceAdditions    int
+	ResourceChanges      int
+	ResourceDestructions int
+	HasChanges           bool
+	LogBlobID            *string
+	LogReadURL           *string
+	PlanOutputBlobID     *string
+	PlanOutputJSON       *string
+	CreatedBy            string
+}
+
+// TFEPlanUpdate contains fields that can be updated on a plan
+type TFEPlanUpdate struct {
+	Status               *string
+	ResourceAdditions    *int
+	ResourceChanges      *int
+	ResourceDestructions *int
+	HasChanges           *bool
+	LogBlobID            *string
+	LogReadURL           *string
+	PlanOutputBlobID     *string
+	PlanOutputJSON       *string
+}
+
+// TFEConfigurationVersion represents an uploaded Terraform configuration
+type TFEConfigurationVersion struct {
+	ID               string
+	OrgID            string
+	UnitID           string
+	CreatedAt        time.Time
+	UpdatedAt        time.Time
+	Status           string
+	Source           string
+	Speculative      bool
+	AutoQueueRuns    bool
+	Provisional      bool
+	Error            *string
+	ErrorMessage     *string
+	UploadURL        *string
+	UploadedAt       *time.Time
+	ArchiveBlobID    *string
+	StatusTimestamps string
+	CreatedBy        string
+}
+

taco/internal/domain/tfe/apply.go

@@ -0,0 +1,12 @@
+package tfe
+
+// ApplyRecord represents a Terraform apply operation
+type ApplyRecord struct {
+	ID          string `jsonapi:"primary,applies" json:"id"`
+	Status      string `jsonapi:"attr,status" json:"status"`
+	LogReadURL  string `jsonapi:"attr,log-read-url" json:"log-read-url"`
+	
+	// Relationship to run (RunRef is declared in plan.go)
+	Run *RunRef `jsonapi:"relation,run,omitempty" json:"run,omitempty"`
+}
+

taco/internal/domain/tfe/configuration-versions.go

@@ -18,7 +18,7 @@ type ConfigurationVersionRecord struct {
 	StatusTimestamps map[string]string `jsonapi:"attr,status-timestamps" json:"status-timestamps"`
 	UploadURL        *string            `jsonapi:"attr,upload-url" json:"upload-url"`
 	Provisional      bool              `jsonapi:"attr,provisional" json:"provisional"`
-	IngressAttributes *IngressAttributesStub `jsonapi:"relation,ingress-attributes" json:"ingress-attributes"`
+	// IngressAttributes omitted - not used in remote execution mode
 }