-
Notifications
You must be signed in to change notification settings - Fork 193
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement SSL Mode Feature for Cloud SQL in v4 Terraform #1766
Implement SSL Mode Feature for Cloud SQL in v4 Terraform #1766
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for the change, @tylerreidwaze !
Overall LGTM - have you tested and verified that the new field works? Cover this new field in the testdata is recommended.
...apiextensions.k8s.io_v1_customresourcedefinition_sqlinstances.sql.cnrm.cloud.google.com.yaml
Outdated
Show resolved
Hide resolved
Basic tests have been created, and ran to spin up an instance with these features. I confirmed that the resources are created expected with the expected fields I confirmed the requireSSL and sslmode features were set properly In the tests, The resources is 1) successfully created 2) successfully updated and 3) successfully deleted. However, the tests do return FAIL, but i cannot explain why. I have compared results between
|
@tylerreidwaze could you share your logs from running the dynamic tests? |
Yes |
...rp/terraform-provider-google-beta/google-beta/services/sql/resource_sql_database_instance.go
Outdated
Show resolved
Hide resolved
pkg/test/resourcefixture/testdata/basic/sql/v1beta1/sqlinstance/postgresinstance/create.yaml
Outdated
Show resolved
Hide resolved
pkg/test/resourcefixture/testdata/basic/sql/v1beta1/sqlinstance/postgresinstance/create.yaml
Outdated
Show resolved
Hide resolved
pkg/test/resourcefixture/testdata/basic/sql/v1beta1/sqlinstance/postgresinstance/update.yaml
Outdated
Show resolved
Hide resolved
pkg/test/resourcefixture/testdata/basic/sql/v1beta1/sqlinstance/postgresinstance/update.yaml
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You'll want to run make ready-pr
again to adopt the schema changes in the third_party folder
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also a couple of more testdata changes will be needed.
pkg/test/resourcefixture/testdata/basic/sql/v1beta1/sqlinstance/postgresinstance/create.yaml
Outdated
Show resolved
Hide resolved
pkg/test/resourcefixture/testdata/basic/sql/v1beta1/sqlinstance/postgresinstance/update.yaml
Outdated
Show resolved
Hide resolved
According to the test log, this is the problem that caused the failure:
This means there was an update when we test no change - as in, there is a diff found while there shouldn't be. |
Is there any way to tell what change was there that it did not expect? Thanks for finding that! |
To help identify the issue, an easy starting point would be print out the diff result to understand what's in it. You can add the following code after https://github.com/GoogleCloudPlatform/k8s-config-connector/blob/master/pkg/controller/tf/controller.go#L350:
|
Got the log message in there. Will continue investigation tomorrow
looks like it might be issues with disk_size and/or ssl_mode |
Nice finding! Yes, you can dig more details by printing out the content of |
Super helpful again. I was able to find the output, it seems that ssl_mode is not getting set
This is weird because 1) all the terraform tests pass and 2) the right settings were set on the resource when I looked at the test instance. Continuing to debug |
I think I may have just found something looking at the terraform v5 code Looks like the state of ssl_mode is dropped unless locally defined, so we can't verify it during state checks |
Ah, that makes sense. This basically means the field is unreadable. From the field schema, it looks like this field is also mutable. And for mutable but unreadable field, we need to add it to the |
Tests are passing after adding the field per your instructions! Thanks so much for the help. Let me know if there is anything else we want to change prior to merge :) |
Getting the below error in the fixture tests
I enabled this manually in my test project. I believe I will need to enable this in the dependencies to resolve this |
In this case, I suggest you use a new network (instead of the default one) instead. |
Good call, committed changes. Testing locally now |
Network is failing to delete because firewalls still exist
|
Is the firewall resource implicitly created? Can it be represented via a KCC resource so that we can do an explicit deletion? |
Yes, it seems to be creating it on its own. I am not sure if we can explicitly define them. Looks like there are a LOT being created https://screenshot.googleplex.com/9GiKRXoXM964fJp I might be able to rely on the default network. Trying that now |
It might work locally because for a default network, the test will abandon it instead of deleting it. However, we don't allow making changes to the default network because it is shared by multiple test cases - any little change will fail a bunch of other test cases. So I don't suggest that this test case reuses the default network. You might also find it working by simply marking this ComputeNetwork resource with What I'm curious about right now is: If you are not using Config Connector, what is the process you need to follow to clean up the network resource in GCP? That might give us the clue why you see this error. |
Roger that on the default network and the abandon policy. Seems reasonable to not want to cause issues there. There is a chance that some of these are being created by Waze's folder level policies. Can you re-approve the workflow? I actually think my tests will pass there. I believe this is an issue specific to how Waze is set up.
To delete the network, I just need to delete the firewall rules from the UI and then I can delete the network. |
0dde217
to
b164047
Compare
I think my postgres version is causing errors which eventually cause a timeout
Resolved in latest commit, awaiting test run. I am still blocked from running tests locally until I resolve some org policies creating my firewall rules |
I am able to run tests locally and they pass. However, they are longer running, so I added them to the regex per |
9143c70
to
6878766
Compare
Rebased to fix merge conflicts with the regex variable |
Not sure why the linter failed, after changing region. My fixture tests passed locally
|
2364982
to
6fc3dbe
Compare
/approve |
Hi @tylerreidwaze , looks like the latest 3 commits is not part of this PR? Did you add it by mistake or to deal with any presubmit failures? |
This was a suggestion from the KCC Self Service chat group to rebase as there were breaking changes for the linters in master |
I think if the PR is rebased properly, irrelevant commits won't show up. Let's discuss offline what's going on there. |
e0d3d24
to
6fc3dbe
Compare
my tests are based on the alloydb which is already in that regex
6fc3dbe
to
d33b084
Compare
resolved. Tests are passing now too! |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: maqiuyujoyce, tylerreidwaze The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
d3d3cdb
into
GoogleCloudPlatform:master
Followed this guide and implemented the feature. I mostly followed along with the v5 code as it was hyper similar.