feat: enforce monotonicity in terraform provider

Previous value must come from env var. To read tfstate requires changing param from a `data` block to a `resource` block

Author: Emyrk

provider/parameter.go

@@ -144,7 +144,13 @@ func parameterDataSource() *schema.Resource {
 input = &envValue
 }
 
-value, diags := parameter.ValidateInput(input)
+var previous *string
+envPreviousValue, ok := os.LookupEnv(ParameterEnvironmentVariablePrevious(parameter.Name))
+if ok {
+previous = &envPreviousValue
+}
+
+value, diags := parameter.ValidateInput(input, previous)
 if diags.HasError() {
 return diags
 }
@@ -395,7 +401,7 @@ func valueIsType(typ OptionType, value string) error {
 return nil
 }
 
-func (v *Parameter) ValidateInput(input *string) (string, diag.Diagnostics) {
+func (v *Parameter) ValidateInput(input *string, previous *string) (string, diag.Diagnostics) {
 var err error
 var optionType OptionType
 
@@ -442,7 +448,7 @@ func (v *Parameter) ValidateInput(input *string) (string, diag.Diagnostics) {
 forcedValue = *value
 }
 
-d := v.validValue(forcedValue, optionType, optionValues, valuePath)
+d := v.validValue(forcedValue, previous, optionType, optionValues, valuePath)
 if d.HasError() {
 return "", d
 }
@@ -506,7 +512,7 @@ func (v *Parameter) ValidOptions(optionType OptionType) (map[string]struct{}, di
 return optionValues, nil
 }
 
-func (v *Parameter) validValue(value string, optionType OptionType, optionValues map[string]struct{}, path cty.Path) diag.Diagnostics {
+func (v *Parameter) validValue(value string, previous *string, optionType OptionType, optionValues map[string]struct{}, path cty.Path) diag.Diagnostics {
 // name is used for constructing more precise error messages.
 name := "Value"
 if path.Equals(defaultValuePath) {
@@ -573,7 +579,7 @@ func (v *Parameter) validValue(value string, optionType OptionType, optionValues
 
 if len(v.Validation) == 1 {
 validCheck := &v.Validation[0]
-err := validCheck.Valid(v.Type, value)
+err := validCheck.Valid(v.Type, value, previous)
 if err != nil {
 return diag.Diagnostics{
 {
@@ -589,7 +595,7 @@ func (v *Parameter) validValue(value string, optionType OptionType, optionValues
 return nil
 }
 
-func (v *Validation) Valid(typ OptionType, value string) error {
+func (v *Validation) Valid(typ OptionType, value string, previous *string) error {
 if typ != OptionTypeNumber {
 if !v.MinDisabled {
 return fmt.Errorf("a min cannot be specified for a %s type", typ)
@@ -639,6 +645,28 @@ func (v *Validation) Valid(typ OptionType, value string) error {
 if v.Monotonic != "" && v.Monotonic != ValidationMonotonicIncreasing && v.Monotonic != ValidationMonotonicDecreasing {
 return fmt.Errorf("number monotonicity can be either %q or %q", ValidationMonotonicIncreasing, ValidationMonotonicDecreasing)
 }
+
+switch v.Monotonic {
+case "":
+// No monotonicity check
+case ValidationMonotonicIncreasing, ValidationMonotonicDecreasing:
+if previous != nil { // Only check if previous value exists
+previousNum, err := strconv.Atoi(*previous)
+if err != nil {
+return fmt.Errorf("previous value %q is not a number", *previous)
+}
+
+if v.Monotonic == ValidationMonotonicIncreasing && !(num >= previousNum) {
+return fmt.Errorf("parameter value '%d' must be equal or greater than previous value: %d", num, previousNum)
+}
+
+if v.Monotonic == ValidationMonotonicDecreasing && !(num <= previousNum) {
+return fmt.Errorf("parameter value '%d' must be equal or lower than previous value: %d", num, previousNum)
+}
+}
+default:
+return fmt.Errorf("number monotonicity can be either %q or %q", ValidationMonotonicIncreasing, ValidationMonotonicDecreasing)
+}
 case OptionTypeListString:
 var listOfStrings []string
 err := json.Unmarshal([]byte(value), &listOfStrings)
@@ -666,6 +694,15 @@ func ParameterEnvironmentVariable(name string) string {
 return "CODER_PARAMETER_" + hex.EncodeToString(sum[:])
 }
 
+// ParameterEnvironmentVariablePrevious returns the environment variable to
+// specify for a parameter's previous value. This is used for workspace
+// subsequent builds after the first. Primarily to validate monotonicity in the
+// `validation` block.
+func ParameterEnvironmentVariablePrevious(name string) string {
+sum := sha256.Sum256([]byte(name))
+return "CODER_PARAMETER_PREVIOUS_" + hex.EncodeToString(sum[:])
+}
+
 func takeFirstError(errs ...error) error {
 for _, err := range errs {
 if err != nil {

provider/parameter_test.go

@@ -839,7 +839,7 @@ func TestParameterValidation(t *testing.T) {
 t.Run(tc.Name, func(t *testing.T) {
 t.Parallel()
 value := &tc.Value
-_, diags := tc.Parameter.ValidateInput(value)
+_, diags := tc.Parameter.ValidateInput(value, nil)
 if tc.ExpectError != nil {
 require.True(t, diags.HasError())
 errMsg := fmt.Sprintf("%+v", diags[0]) // close enough
@@ -919,11 +919,19 @@ func TestParameterValidationEnforcement(t *testing.T) {
 
 var validation *provider.Validation
 if columns[5] != "" {
-// Min-Max validation should look like:
-//	1-10 :: min=1, max=10
-//	-10 :: max=10
-//	1- :: min=1
-if validMinMax.MatchString(columns[5]) {
+switch {
+case columns[5] == provider.ValidationMonotonicIncreasing || columns[5] == provider.ValidationMonotonicDecreasing:
+validation = &provider.Validation{
+MinDisabled: true,
+MaxDisabled: true,
+Monotonic: columns[5],
+Error: "monotonicity",
+}
+case validMinMax.MatchString(columns[5]):
+// Min-Max validation should look like:
+//	1-10 :: min=1, max=10
+//	-10 :: max=10
+//	1- :: min=1
 parts := strings.Split(columns[5], "-")
 min, _ := strconv.ParseInt(parts[0], 10, 64)
 max, _ := strconv.ParseInt(parts[1], 10, 64)
@@ -936,7 +944,7 @@ func TestParameterValidationEnforcement(t *testing.T) {
 Regex: "",
 Error: "{min} < {value} < {max}",
 }
-} else {
+default:
 validation = &provider.Validation{
 Min: 0,
 MinDisabled: true,
@@ -1067,6 +1075,7 @@ func TestValueValidatesType(t *testing.T) {
 Name string
 Type provider.OptionType
 Value string
+Previous *string
 Regex string
 RegexError string
 Min int
@@ -1154,6 +1163,56 @@ func TestValueValidatesType(t *testing.T) {
 Min: 0,
 Max: 2,
 Monotonic: "decreasing",
+}, {
+Name: "IncreasingMonotonicityEqual",
+Type: "number",
+Previous: ptr("1"),
+Value: "1",
+Monotonic: "increasing",
+MinDisabled: true,
+MaxDisabled: true,
+}, {
+Name: "DecreasingMonotonicityEqual",
+Type: "number",
+Value: "1",
+Previous: ptr("1"),
+Monotonic: "decreasing",
+MinDisabled: true,
+MaxDisabled: true,
+}, {
+Name: "IncreasingMonotonicityGreater",
+Type: "number",
+Previous: ptr("0"),
+Value: "1",
+Monotonic: "increasing",
+MinDisabled: true,
+MaxDisabled: true,
+}, {
+Name: "DecreasingMonotonicityGreater",
+Type: "number",
+Value: "1",
+Previous: ptr("0"),
+Monotonic: "decreasing",
+MinDisabled: true,
+MaxDisabled: true,
+Error: regexp.MustCompile("must be equal or"),
+}, {
+Name: "IncreasingMonotonicityLesser",
+Type: "number",
+Previous: ptr("2"),
+Value: "1",
+Monotonic: "increasing",
+MinDisabled: true,
+MaxDisabled: true,
+Error: regexp.MustCompile("must be equal or"),
+}, {
+Name: "DecreasingMonotonicityLesser",
+Type: "number",
+Value: "1",
+Previous: ptr("2"),
+Monotonic: "decreasing",
+MinDisabled: true,
+MaxDisabled: true,
 }, {
 Name: "ValidListOfStrings",
 Type: "list(string)",
@@ -1205,7 +1264,7 @@ func TestValueValidatesType(t *testing.T) {
 Regex: tc.Regex,
 Error: tc.RegexError,
 }
-err := v.Valid(tc.Type, tc.Value)
+err := v.Valid(tc.Type, tc.Value, tc.Previous)
 if tc.Error != nil {
 require.Error(t, err)
 require.True(t, tc.Error.MatchString(err.Error()), "got: %s", err.Error())