feat: replace Compute Engine metadata startup scripts with Cloud Build #128
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
these steps weren't tested; you can't do interactive steps in distroless ubuntu latest is sufficiently small, allows installing/executing utils
… propagation delay
glasnt
changed the title
This was referenced Jul 24, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
description originally from #125, updated for this variation
This repo is designed to be a single Terraform module that deploys a complete sample application. In this case, there are database migrations and firebase deployments that also need to happen. These have been containerised into Cloud Run jobs, but the Terraform resource for Cloud Run jobs only creates them, it doesn't execute them.
So, we have to use Terraform in unusual ways to get this execution happening.
A way we previously did this was to deploy a Compute Engine instance, with a metadata startup script that performs actions for us, ensuring this is provisioned at the end of the apply process through use of resource dependencies.
However, given the amount of regions this solution could be deployed to, there's no one-size compute engine instance that would work in all available regions. Thus we encountered issues in testing and deployments where the compute engine instance couldn't be successfully deployed.
Compute Engine isn't required in this solution, just the ability to start jobs and call APIs.
This PR implements this functionality by creating Cloud Build triggers, and using
data "http"to execute them. Given we aren't connecting these triggers to a codebase, we use a placeholder pubsub topic as the event type. We don't execute the triggers with this topic, we call the triggers via the API (as you would clicking the "Run" button in the console). These triggers can perform any arbitrary tasks we want.Terraform normally presumes that any data calls are inert and don't have side effects. In this case, any time terraform inspects the state (including on destroy), these triggers are started. Earlier iterations in #123 had failing test cases where on terraform destroy, terraform tried to delete the jobs, but since terraform also created executions of these jobs, the delete would fail, as there were active running executions. This isn't an issue when the jobs are executed within a Compute Engine metadata startup script, because this is part of a defined resource, and isn't started as part of Terraform's state inspection process.
But Terraform can't delete resources that it doesn't know about.
This PR replaces the Compute Engine, Sub/Network, and VPC with Cloud Build triggers, that:
The database setup requires an authorised connection to the Cloud SQL instance, which is complicated (but possible) to do in Cloud Build, but it's simpler to perform in a Cloud Run job.
The placeholder image execution doesn't require this complexity, so instead of creating a job to run this container, it can be run directly as steps in the Cloud Build trigger itself.
The client job could also use this method, but the terraform infra tests wait for this job to execute, so to reduce complexity in having to change tests, this was retained.
The migrate job still exists, but isn't used by the deployment process. It is referenced in walkthrough tutorials, and is useful as helper functionality.
Additionally, a new fast-follow trigger "activate gcb" (gcb == google cloud build) has been created, to help optimize the changes of success with the deployment. This and additional wait times ensure that IAM propagation, async API enabling, and other processes have time to settle before applying changes. The testing infra for this project creates new projects and applies the Terraform, so these processes would not be required for a human-provisioned project, but they help ensure success in this automated setup.