WIP: Add ensure-integration-network job and terraform for GCP integration subnet #591
Draft
aramprice wants to merge 1 commit into ubuntu-jammy from
Introduces a manually-triggered Concourse job, ensure-integration-network,
that idempotently creates the per-branch GCP subnetwork consumed by the
test-stemcells-ipv4 and bats jobs (deploy-director, cleanup-bats-vms,
prepare-bats) under the bosh-concourse VPC.
Why
---
The test-stemcells-ipv4 and bats jobs in ci/pipelines/builder.yml assume a
subnetwork named stemcell-builder-integration-<subnet_int> exists in the
projects/cloud-foundry-310819/global/networks/bosh-concourse VPC, with a
/24 at 10.100.<subnet_int>.0/24, gateway .1, private Google access, and
IPV4_ONLY stack type. Until now this subnet had to be created and
maintained out of band; this change captures it as code so it can be
recreated reproducibly per branch (subnet_int is set per branch in
ci/pipelines/vars.yml).
What
----
* ci/tasks/ensure-integration-network/{input,network,output}.tf
  - hashicorp/google ~> 5.0
  - google_compute_subnetwork "integration":
      name                     = stemcell-builder-integration-<subnet_int>
      ip_cidr_range            = 10.100.<subnet_int>.0/24
      region                   = europe-north2 (matches GCP_ZONE
                                 europe-north2-a in deploy-director)
      network                  = bosh-concourse (configurable)
      private_ip_google_access = true
      purpose                  = PRIVATE
      stack_type               = IPV4_ONLY
  - subnet_int is taken as input so the same module produces the
    appropriate subnet for any branch.
* ci/pipelines/builder.yml
  - New `infrastructure` group containing the new job.
  - New resource_type `terraform_type` (ljfranklin/terraform-resource).
  - New resource `integration-network-environment` (GCS backend). The
    bucket is referenced via the Concourse credential
    ((integration_network_terraform_state_bucket)); pick a bucket name
    and add the credential before flying. A TODO comment marks this.
  - New job `ensure-integration-network`:
    * serial: true, manual trigger only (no `trigger: true` on get).
    * Puts to integration-network-environment with
      env_name = stemcell-builder-integration-<subnet_int>, so the
      state file is deterministically named and re-discovered on
      subsequent runs (no recreate-on-rerun).
    * Apply only — never destroyed by this job, since the subnet is
      long-lived shared infrastructure.
    * No `passed:` constraint on the existing test/bats jobs to avoid
      coupling; the job is intended to be run on demand when the
      subnet needs to be created or reconciled.
Verification
------------
* `ytt -f ci/pipelines/builder.yml -f ci/pipelines/vars.yml` renders
  successfully.
* `fly validate-pipeline -c <rendered>` reports "looks good".
Follow-ups
----------
* Create the GCS bucket that will hold terraform state and set the
  ((integration_network_terraform_state_bucket)) Concourse credential.
* If the existing subnetwork in cloud-foundry-310819 is to be adopted
  rather than recreated, run `terraform import` once before flying the
  job (or delete the existing subnet first).
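The subnet contract the commit message spells out (name, /24 from subnet_int, gateway .1, private Google access, IPV4_ONLY) is easy to check for drift before deciding between `terraform import` and recreate. The following is an added example, not code from this PR: it derives the expected spec per branch and diffs it against a record in the shape of `gcloud compute networks subnets describe --format=json` (Compute API field names are assumed; the sample record is constructed, not captured from the cloud-foundry-310819 project).

```python
import ipaddress

# Values taken from the commit message; project/network are the assumed defaults.
PROJECT = "cloud-foundry-310819"
VPC = "bosh-concourse"
REGION = "europe-north2"


def expected_subnet(subnet_int: int, project: str = PROJECT,
                    network: str = VPC, region: str = REGION) -> dict:
    """Spec the per-branch integration subnet must satisfy (Compute API field names)."""
    if not 0 <= subnet_int <= 255:  # third octet of 10.100.<subnet_int>.0/24
        raise ValueError(f"subnet_int must be in 0..255, got {subnet_int}")
    net = ipaddress.ip_network(f"10.100.{subnet_int}.0/24")
    return {
        "name": f"stemcell-builder-integration-{subnet_int}",
        "ipCidrRange": str(net),
        "gatewayAddress": str(net.network_address + 1),  # gateway .1
        "region": region,
        "network": f"projects/{project}/global/networks/{network}",
        "privateIpGoogleAccess": True,
        "purpose": "PRIVATE",
        "stackType": "IPV4_ONLY",
    }


def drift(actual: dict, subnet_int: int) -> dict:
    """Return {field: (expected, actual)} for each mismatch; empty dict means in sync."""
    mismatches = {}
    for field, want in expected_subnet(subnet_int).items():
        got = actual.get(field)
        if field in ("region", "network"):
            # describe output carries full self-links; compare the trailing name only
            got = got.rsplit("/", 1)[-1] if isinstance(got, str) else got
            want = want.rsplit("/", 1)[-1]
        if got != want:
            mismatches[field] = (want, got)
    return mismatches


# Constructed sample record for subnet_int = 7, mimicking `describe --format=json`.
SAMPLE_IN_SYNC = {
    "name": "stemcell-builder-integration-7",
    "ipCidrRange": "10.100.7.0/24",
    "gatewayAddress": "10.100.7.1",
    "region": "https://www.googleapis.com/compute/v1/projects/cloud-foundry-310819/regions/europe-north2",
    "network": "https://www.googleapis.com/compute/v1/projects/cloud-foundry-310819/global/networks/bosh-concourse",
    "privateIpGoogleAccess": True,
    "purpose": "PRIVATE",
    "stackType": "IPV4_ONLY",
}
# Same subnet after someone flipped two settings out of band.
SAMPLE_DRIFTED = {**SAMPLE_IN_SYNC, "privateIpGoogleAccess": False, "stackType": "IPV4_IPV6"}
```

An empty result for the live record means `terraform import` adopts the subnet with no plan changes; any mismatch is a setting the apply will rewrite, which is worth knowing before the job runs against shared infrastructure.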
NOTE: this repository uses a "Merge Forward" strategy

Changes should be made in the earliest applicable branch, and
merged forward through subsequent branches.

* Make the change in the earliest applicable branch (ubuntu-<short_name>)
* Create a merge-to-<next_short_name> branch
* Merge ubuntu-<short_name> into merge-to-<next_short_name>
* Merge merge-to-<next_short_name> into ubuntu-<next_short_name>