ci: Add TF configs for SSM #1790
Conversation
|
Skipping CI for Draft Pull Request. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Summary of Changes
Hello @Camila-B, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request introduces the necessary Terraform configurations to provision Google Cloud Secure Source Manager (SSM) resources for end-to-end testing. This includes creating an SSM instance, enabling the required API, and setting up a dedicated service account with appropriate permissions. A significant refactoring of the service account module was also performed to support assigning multiple roles, and the Google Terraform provider was updated to a newer version.
Highlights
- Add Secure Source Manager (SSM) Instance: I've added a new
google_secure_source_manager_instanceresource namedssm-instancetoe2e/testinfra/terraform/common/registries.tf. This instance is configured forus-central1and hasprevent_destroyenabled to avoid accidental deletion. - Enable Secure Source Manager API: The
securesourcemanager.googleapis.comservice has been added to the list of enabled services ine2e/testinfra/terraform/common/services.tf, which is a prerequisite for using SSM. - Refactor Service Account Role Assignment: I've updated the
service_accountmodule to allow assigning multiple roles to a service account. This involved changing therolevariable type fromstringtolist(string)ine2e/testinfra/terraform/modules/service_account/variables.tfand modifying thegoogle_project_iam_memberresource ine2e/testinfra/terraform/modules/service_account/service_account.tfto usefor_eachto iterate over the list of roles. - Add SSM Reader Service Account: A new service account,
e2e-ssm-reader-sa, has been introduced ine2e/testinfra/terraform/common/service_accounts.tf. This service account is grantedroles/securesourcemanager.repoReaderandroles/securesourcemanager.instanceAccessorto allow reading from SSM repositories. - Update Google Terraform Provider Version: The
hashicorp/googleTerraform provider version has been upgraded from4.36.0to6.43.0ine2e/testinfra/terraform/main.tf. This update likely provides compatibility with the new SSM resources and other recent Google Cloud features.
Using Gemini Code Assist
The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.
Invoking Gemini
You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.
| Feature | Command | Description |
|---|---|---|
| Code Review | /gemini review |
Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary |
Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in issue comments and review comments. |
| Help | /gemini help |
Displays a list of available commands. |
Customization
To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.
Limitations & Feedback
Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.
You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.
Footnotes
-
Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩
There was a problem hiding this comment.
Code Review
This pull request adds Terraform configurations to support Secure Source Manager (SSM) for e2e tests. This includes adding a new SSM instance, a service account with appropriate permissions, and enabling the necessary GCP service. The changes also refactor the service account module to support multiple IAM roles.
My review has identified a critical issue with an invalid Google provider version that will block Terraform initialization. I've also pointed out a potential issue with a prevent_destroy lifecycle setting that could interfere with test environment cleanup, and a minor formatting inconsistency. Overall, the changes are in the right direction to add SSM support.
| @@ -18,7 +18,7 @@ terraform { | |||
| required_providers { | |||
| google = { | |||
| source = "hashicorp/google" | |||
| version = "4.36.0" | |||
| version = "6.43.0" | |||
There was a problem hiding this comment.
The specified Google Provider version 6.43.0 is invalid. The hashicorp/google provider does not have a version in the 6.x range, which will cause terraform init to fail.
The google_secure_source_manager_instance resource requires provider version 5.1.0 or newer. Please update this to a valid version. Pinning to a recent, specific version is recommended for stability.
version = "5.30.0"
There was a problem hiding this comment.
There was a problem hiding this comment.
Thank you for providing the link, @Camila-B. Upon reviewing the Terraform Registry page you linked (https://registry.terraform.io/providers/hashicorp/google/latest), it confirms that the latest stable version of the hashicorp/google provider is currently in the 5.x series (e.g., 5.30.0 or newer 5.x versions). There is no 6.x release for this provider, which means version = "6.43.0" would indeed lead to a terraform init failure.
To resolve this, please update the version to a valid 5.x release. My previous suggestion of 5.30.0 is a good candidate, or you can choose the absolute latest 5.x version available on the registry for the google_secure_source_manager_instance resource, which requires 5.1.0 or newer.
| version = "6.43.0" | |
| version = "5.30.0" |
| # Prevent accidental deletions. | ||
| lifecycle { | ||
| prevent_destroy = "true" | ||
| } |
There was a problem hiding this comment.
Using prevent_destroy = true in a test environment is likely to cause issues with automated cleanup, as it will cause terraform destroy to fail. For ephemeral e2e resources, this lifecycle rule should typically be omitted to allow for proper teardown.
If this resource is not meant to be ephemeral, please add a comment explaining why it needs to be preserved. Otherwise, please remove this lifecycle block.
| role = ["roles/storage.objectViewer"] | ||
| } | ||
|
|
||
| module "e2e-ssm-reader-sa" { |
There was a problem hiding this comment.
There's an extra space at the beginning of this line, which is inconsistent with the formatting of other module blocks in this file. Please remove it for consistency. Running terraform fmt should fix this.
module "e2e-ssm-reader-sa" {
Camila-B
force-pushed
the
feat/ssm-validation-tf
branch
from
0d62dd9 to
699ea7a
Compare
Camila-B
changed the title
There was a problem hiding this comment.
This change generally LGTM. Ideally I'd like to see the followup test PR ready for review before we merge this
|
/hold SGTM |
There was a problem hiding this comment.
Pull Request Overview
This PR adds Terraform configurations to provision resources needed for SSM (Secure Source Manager) testing in the e2e test infrastructure. The changes refactor the service account module to support multiple roles and add the necessary SSM resources and permissions.
- Refactored service account module to accept multiple roles instead of a single role
- Added SSM API enablement and created dedicated service account with SSM permissions
- Updated Google provider version from 4.36.0 to 6.43.0
- Added SSM instance resource with lifecycle protection
Reviewed Changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| e2e/testinfra/terraform/modules/service_account/variables.tf | Changed role variable to roles to accept list of strings |
| e2e/testinfra/terraform/modules/service_account/service_account.tf | Updated IAM binding to iterate over multiple roles using for_each |
| e2e/testinfra/terraform/main.tf | Upgraded Google provider version to 6.43.0 |
| e2e/testinfra/terraform/common/services.tf | Added securesourcemanager.googleapis.com API |
| e2e/testinfra/terraform/common/service_accounts.tf | Updated existing service accounts to use roles array and added new SSM service account |
| e2e/testinfra/terraform/common/registries.tf | Added SSM instance resource with lifecycle protection |
|
|
||
| # Prevent accidental deletions. | ||
| lifecycle { | ||
| prevent_destroy = "true" |
There was a problem hiding this comment.
The prevent_destroy value should be a boolean (true) rather than a string ("true"). Terraform lifecycle prevent_destroy expects a boolean value.
| prevent_destroy = "true" | |
| prevent_destroy = true |
Copilot uses AI. Check for mistakes.
This PR adds the TF configs that are needed to provision the resources needed to test SSM