Cross-cloud ephemeral IaCProviderRunner (RunJob): optional gRPC service + per-cloud impls

[intel352]

Cross-cloud ephemeral IaCProviderRunner (RunJob) — optional gRPC service + per-cloud impls

Spun out of the infra-admin Phase 2+3 program (ADR 0020 in the workspace repo; design docs/plans/2026-06-02-infra-admin-phase2-3-design.md). The Phase 3 ephemeral exec-env ships via the existing Argo Workflows module (k8s only). This issue tracks the cross-cloud ephemeral primitive, which is a proto-contract change rippling to every provider plugin and is therefore its own program (a spike confirmed ~2500–4500 LOC across ~6 repos).

Why

interfaces.JobSpec is defined but unused; interfaces.IaCProvider has no RunJob. There is no way to launch a one-off container/task on a cloud provider native job runner (ECS RunTask/Batch, GCP Cloud Run Jobs, Azure Container Instances, DigitalOcean App jobs) through the IaC provider contract. The Argo path covers k8s but not cloud-native job runners.

Proposed RPC (new OPTIONAL service on the IaC contract)

service IaCProviderRunner {
  rpc RunJob(JobSpec) returns (JobHandle);
  rpc JobStatus(JobHandle) returns (JobStatusReply);   // {state, exit_code}
  rpc JobLogs(JobHandle) returns (stream LogChunk);
}

• Optional, advertised via the plugin manifest (mirrors the IaCProviderRegionLister/DriftDetector accessor pattern from feat(iac): add provider region lister contract #819 / iac/providerclient). Providers that do not implement it advertise nothing; callers get a nil accessor.
• A provider-ephemeral sandbox.SandboxRunner dispatches to the resolved provider IaCProviderRunner (parallel to the ArgoEphemeralRunner that ships in the Phase 3 program).
• Secrets resolve provider-side (never cross the wire), consistent with ADR 0017.

Per-plugin task list (each provider plugin)

• aws — ECS RunTask implementation (workflow-plugin-aws PR Add UI Plugin Implementation using go-plugin for Hot-Reload/Hot-Deploy #38, released v2.3.0)
• gcp — Cloud Run Jobs implementation (workflow-plugin-gcp PR Bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 in the go_modules group across 1 directory #33, released v2.3.0)
• azure — Container Instances implementation (workflow-plugin-azure PR Extract Shared UI Component Library for Workflow Applications #36, released v2.3.0)
• digitalocean — App Platform jobs (not advertised yet; current JobSpec/provider target contract lacks the app/job identity needed for an honest App Platform job implementation)
• workflow core — proto + generated stubs + iac/providerclient accessor + the provider-ephemeral SandboxRunner + exec_env: provider-ephemeral factory wiring (workflow PR Add optional IaC provider job runner contract #850)
• workflow-registry — manifest capability flag and download integrity metadata for implementing providers (workflow-registry PRs build(deps): bump github.com/CrisisTextLine/modular/modules/eventbus/v2 from 2.0.0 to 2.1.0 #218 and build(deps): bump github.com/aws/aws-sdk-go-v2/service/iam from 1.53.2 to 1.53.3 #219)

Scope note

Carved out of the Phase 2+3 program with explicit user approval (AskUserQuestion 2026-06-02: "All deliverable now; cross-cloud RunJob designed-but-filed"). The Phase 2+3 program ships the Argo (k8s) ephemeral runner; this issue is the cross-cloud follow-on.

See ADR 0020 (decisions/0020-argo-ephemeral-direct-api-and-crosscloud-runjob-filed.md, workspace repo).

Current status

AWS, GCP, Azure, workflow core, and workflow-registry are implemented, released, and verified as of 2026-06-03. DigitalOcean remains open pending a contract/provider-target design for App Platform job identity.

[intel352]

Updated the checklist after completing the remaining actionable #840 work.

Completed and verified:

• workflow core: PR Add optional IaC provider job runner contract #850, released in workflow v0.73.0.
• AWS runner: workflow-plugin-aws PR Add UI Plugin Implementation using go-plugin for Hot-Reload/Hot-Deploy #38, released v2.3.0.
• GCP runner: workflow-plugin-gcp PR Bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 in the go_modules group across 1 directory #33, released v2.3.0.
• Azure runner: workflow-plugin-azure PR Extract Shared UI Component Library for Workflow Applications #36, released v2.3.0.
• wfctl registry sync support: PR fix(wfctl): sync versioned registry release assets #852 released v0.73.1, then checksum preservation follow-up PR fix(wfctl): preserve registry download checksums #853 released v0.74.1.
• workflow-registry: PR build(deps): bump github.com/CrisisTextLine/modular/modules/eventbus/v2 from 2.0.0 to 2.1.0 #218 added runner serviceMethods; PR build(deps): bump github.com/aws/aws-sdk-go-v2/service/iam from 1.53.2 to 1.53.3 #219 restored sha256 metadata and aligned validation/sync to wfctl v0.74.1. Post-merge registry validation and Pages deploy succeeded.

DigitalOcean remains intentionally open. DO App Platform jobs are app-scoped, and the current portable JobSpec/provider target contract does not carry the app/job identity needed for an honest implementation. I left DO unadvertised rather than adding a misleading partial runner.

[intel352]

Re-triaged as part of the current issue sweep.

Cross-cloud RunJob support appears to be implemented and released for the portable providers covered so far. I’m not adding a speculative DigitalOcean implementation here because App Platform job identity is still not represented cleanly in the portable JobSpec/target contract. Filling that in without a provider-backed contract would risk encoding the wrong abstraction.

No PR filed for this one in this sweep; it remains the tracker for the DigitalOcean-specific contract gap.