fixing bug with terraform state transition for bastion

for some reason when you add a bastion to the host the first run of
terraform apply doesn't see the bastion, but see the changes in ssh
settings (port in my case).
found this while writing post about the provider (applied test
configuration to localhost).
teraform sdk is a piece of crap, it is simplier to just make all
settings flat than try to maintain some sort of hierarchy
(which is more obvious because bastion uses ssh.config if it is defined)

docs/index.md

@@ -19,13 +19,25 @@ description: |-
 
 - `address_filter` (List of String) List of network cidr's to filter addresses used to connect to nixos_instance resources
 - `address_priority` (Map of Number) Map of network cidr's with associated weight which will affect address ordering for nixos_isntance resource
+- `bastion` (Block Set, Max: 1) SSH configuration for bastion server (see [below for nested schema](#nestedblock--bastion))
 - `nix` (Block Set, Max: 1) Nix package manager configuration options (see [below for nested schema](#nestedblock--nix))
 - `retry` (Number) Amount of retries for retryable operations
 - `retry_wait` (Number) Amount of seconds to wait between retries
 - `secret` (Block Set) Describes secret which should be transfered to host (see [below for nested schema](#nestedblock--secret))
 - `secrets` (Block Set, Max: 1) Describes secrets settings (see [below for nested schema](#nestedblock--secrets))
 - `ssh` (Block Set, Max: 1) SSH protocol settings (see [below for nested schema](#nestedblock--ssh))
 
+<a id="nestedblock--bastion"></a>
+### Nested Schema for `bastion`
+
+Optional:
+
+- `config` (Map of String) SSH configuration map
+- `host` (String) SSH bastion remote hostname
+- `port` (Number) SSH remote port
+- `user` (String) SSH remote user name
+
+
 <a id="nestedblock--nix"></a>
 ### Nested Schema for `nix`
 
@@ -98,17 +110,6 @@ Optional:
 
 Optional:
 
-- `bastion` (Block Set, Max: 1) SSH configuration for bastion server (see [below for nested schema](#nestedblock--ssh--bastion))
-- `config` (Map of String) SSH configuration map
-- `port` (Number) SSH remote port
-- `user` (String) SSH remote user name
-
-<a id="nestedblock--ssh--bastion"></a>
-### Nested Schema for `ssh.bastion`
-
-Optional:
-
 - `config` (Map of String) SSH configuration map
-- `host` (String) SSH remote hostname
 - `port` (Number) SSH remote port
 - `user` (String) SSH remote user name

docs/resources/instance.md

@@ -22,6 +22,7 @@ NixOS instance
 
 ### Optional
 
+- `bastion` (Block Set, Max: 1) SSH configuration for bastion server (see [below for nested schema](#nestedblock--bastion))
 - `derivations` (Block List) List of derivations which is built during apply (see [below for nested schema](#nestedblock--derivations))
 - `nix` (Block Set, Max: 1) Nix package manager configuration options (see [below for nested schema](#nestedblock--nix))
 - `secret` (Block Set) Describes secret which should be transfered to host (see [below for nested schema](#nestedblock--secret))
@@ -35,6 +36,17 @@ NixOS instance
 - `id` (String) The ID of this resource.
 - `secret_fingerprint` (Map of String) Secrets state fingerprint information which is used to maintain state
 
+<a id="nestedblock--bastion"></a>
+### Nested Schema for `bastion`
+
+Optional:
+
+- `config` (Map of String) SSH configuration map
+- `host` (String) SSH bastion remote hostname
+- `port` (Number) SSH remote port
+- `user` (String) SSH remote user name
+
+
 <a id="nestedblock--derivations"></a>
 ### Nested Schema for `derivations`
 
@@ -116,18 +128,7 @@ Optional:
 
 Optional:
 
-- `bastion` (Block Set, Max: 1) SSH configuration for bastion server (see [below for nested schema](#nestedblock--ssh--bastion))
-- `config` (Map of String) SSH configuration map
-- `port` (Number) SSH remote port
-- `user` (String) SSH remote user name
-
-<a id="nestedblock--ssh--bastion"></a>
-### Nested Schema for `ssh.bastion`
-
-Optional:
-
 - `config` (Map of String) SSH configuration map
-- `host` (String) SSH remote hostname
 - `port` (Number) SSH remote port
 - `user` (String) SSH remote user name
 

makefile

@@ -2,6 +2,7 @@
 .ONESHELL:
 
 export TF_LOG ?= ERROR
+export SSH_AUTH_SOCK =
 
 root       = $(dir $(abspath $(firstword $(MAKEFILE_LIST))))
 result     = $(root)/result/libexec/terraform-providers

provider/provider.go

@@ -229,8 +229,8 @@ func (p *Provider) SshSettings(resource ResourceBox) map[string]interface{} {
 	return p.settings(resource, KeySsh)
 }
 
-func (p *Provider) SshBastionSettings(resource ResourceBox) map[string]interface{} {
-	return p.settings(resource, KeySsh, KeySshBastion)
+func (p *Provider) BastionSettings(resource ResourceBox) map[string]interface{} {
+	return p.settings(resource, KeyBastion)
 }
 
 func (p *Provider) SshConfigMap(settings map[string]interface{}) *SshConfigMap {
@@ -298,7 +298,7 @@ func (p *Provider) NewSsh(resource ResourceBox) *Ssh {
 
 		settings        = p.SshSettings(resource)
 		configMap       = p.SshConfigMap(settings)
-		bastionSettings = p.SshBastionSettings(resource)
+		bastionSettings = p.BastionSettings(resource)
 	)
 
 	bastionHost, _ := bastionSettings[KeySshHost].(string)

provider/schema.go

@@ -50,12 +50,13 @@ const (
 
 	//
 
-	KeySsh        = "ssh"
-	KeySshHost    = "host"
-	KeySshUser    = "user"
-	KeySshPort    = "port"
-	KeySshConfig  = "config"
-	KeySshBastion = "bastion"
+	KeySsh       = "ssh"
+	KeySshHost   = "host"
+	KeySshUser   = "user"
+	KeySshPort   = "port"
+	KeySshConfig = "config"
+
+	KeyBastion = "bastion"
 
 	//
 
@@ -112,35 +113,32 @@ var (
 			DefaultFunc: DefaultSshConfig,
 		},
 	}
+	ProviderSchemaSsh = SchemaWithDefaultFuncCtr(DefaultMapFromSchema, &schema.Schema{
+		Description: "SSH protocol settings",
+		Type:        schema.TypeSet,
+		MaxItems:    1,
+		Elem: &schema.Resource{
+			Schema: ProviderSchemaSshMap,
+		},
+		Optional: true,
+	})
+
 	ProviderSchemaBastionMap = SchemaMapExtend(
 		ProviderSchemaSshMap,
 		map[string]*schema.Schema{
 			KeySshHost: {
-				Description: "SSH remote hostname",
+				Description: "SSH bastion remote hostname",
 				Type:        schema.TypeString,
 				Optional:    true,
 			},
 		},
 	)
-	ProviderSchemaSsh = SchemaWithDefaultFuncCtr(DefaultMapFromSchema, &schema.Schema{
-		Description: "SSH protocol settings",
+	ProviderSchemaBastion = SchemaWithDefaultFuncCtr(DefaultMapFromSchema, &schema.Schema{
+		Description: "SSH configuration for bastion server",
 		Type:        schema.TypeSet,
 		MaxItems:    1,
 		Elem: &schema.Resource{
-			Schema: SchemaMapExtend(
-				ProviderSchemaSshMap,
-				map[string]*schema.Schema{
-					KeySshBastion: {
-						Description: "SSH configuration for bastion server",
-						Type:        schema.TypeSet,
-						MaxItems:    1,
-						Elem: &schema.Resource{
-							Schema: ProviderSchemaBastionMap,
-						},
-						Optional: true,
-					},
-				},
-			),
+			Schema: ProviderSchemaBastionMap,
 		},
 		Optional: true,
 	})
@@ -381,6 +379,7 @@ var (
 
 		KeyNix:     ProviderSchemaNix,
 		KeySsh:     ProviderSchemaSsh,
+		KeyBastion: ProviderSchemaBastion,
 		KeySecrets: ProviderSchemaSecrets,
 		KeySecret:  ProviderSchemaSecret,
 	}
@@ -424,6 +423,7 @@ var (
 
 				KeyNix:     ProviderSchemaNix,
 				KeySsh:     ProviderSchemaSsh,
+				KeyBastion: ProviderSchemaBastion,
 				KeySecrets: ProviderSchemaSecrets,
 				KeySecret:  ProviderSchemaSecret,
 

provider/schema_test.go

@@ -56,10 +56,10 @@ resource "nixos_instance" "test2" {
       pubKeyAuthentication = "no"
       passwordAuthentication = "yes"
     }
-    bastion {
-      host = "127.0.0.1"
-      port = 2222
-    }
+  }
+  bastion {
+    host = "127.0.0.1"
+    port = 2222
   }
 }
 `
@@ -78,15 +78,15 @@ provider "nixos" {
       pubKeyAuthentication = "no"
       passwordAuthentication = "yes"
     }
-    bastion {
-      host = "127.0.0.1"
-      port = 2222
-      config = {
-        userKnownHostsFile = "/dev/null"
-        strictHostKeyChecking = "no"
-        pubKeyAuthentication = "no"
-        passwordAuthentication = "yes"
-      }
+  }
+  bastion {
+    host = "127.0.0.1"
+    port = 2222
+    config = {
+      userKnownHostsFile = "/dev/null"
+      strictHostKeyChecking = "no"
+      pubKeyAuthentication = "no"
+      passwordAuthentication = "yes"
     }
   }
   secrets {
@@ -152,8 +152,8 @@ func TestResourceNixosInstance(t *testing.T) {
 						CheckEqual(t, "nixos_instance.test2", "address.2", ""),
 						CheckEqual(t, "nixos_instance.test2", "configuration", "../test/test.nix"),
 						CheckEqual(t, "nixos_instance.test2", "ssh.0.port", "2222"),
-						CheckEqual(t, "nixos_instance.test2", "ssh.0.bastion.0.host", "127.0.0.1"),
-						CheckEqual(t, "nixos_instance.test2", "ssh.0.bastion.0.port", "2222"),
+						CheckEqual(t, "nixos_instance.test2", "bastion.0.host", "127.0.0.1"),
+						CheckEqual(t, "nixos_instance.test2", "bastion.0.port", "2222"),
 					),
 				},
 				{

test/main.tf

@@ -19,10 +19,10 @@ provider "nixos" {
       pubKeyAuthentication = "no"
       passwordAuthentication = "yes"
     }
-    bastion {
-      host = "127.0.0.1"
-      port = 777
-    }
+  }
+  bastion {
+    host = "127.0.0.1"
+    port = 777
   }
 }
 
@@ -41,10 +41,10 @@ resource "nixos_instance" "test" {
       pubKeyAuthentication = "no"
       passwordAuthentication = "yes"
     }
-    bastion {
-      host = "127.0.0.1"
-      port = 2222
-    }
+  }
+  bastion {
+    host = "127.0.0.1"
+    port = 2222
   }
 
   secret {