Terrform custom registry generator & promotion script #457
Conversation
There was a problem hiding this comment.
Go code LGTM.
I may have missed this in the RFD, but I think it might be good to "shift left" the zip repacking and signing from promote to tag. For instance, this is what the current workflow looks like:
- tag -> publish to
dronestorage - promote -> copy tar from
dronestoragetoclientbuilds, repack from tar to zip and sign, generate new index, write to release bucket
Ignoring the fact that dronestorage and clientbuilds need to die, I'd propose:
- tag -> publish tar to
dronestorage, repack from tar to zip and sign, publish to internal staging repo/bucket, generate new staging index - promote -> copy tar from
dronestoragetoclientbuilds, copy signed zip from internal staging repo to release bucket, generate new release index
The benefit here is we can test changes to the zip -> tar conversion, signing, and index generation without actually publishing to customers. This is pretty valuable, especially during the next month where we'll be iterating on this quite a bit.
An alternative is to have a mirror infra (e.g. buckets in teleport-dev where publishing can be tested safely), but my gut says that wiring up to Drone will be a pain.
I think it's possible in Drone to daisy-chain a new pipeline onto the existing If not, my alternative was (similarly to yours, I think) to use Drone's notion of promotion environments to:
Although, this may be a bit more dangerous, as we'd have to make sure to pick the right env every time we promote.
I'll listen to your gut for now, at least in matters of Drone. |
tcsc
changed the title
tcsc
requested review from
klizhentas,
russjones,
r0mant and
Joerger
as code owners
tcsc
changed the title
tcsc
changed the title
.drone.yml
Outdated
|
|
||
| steps: | ||
| - name: Upload terraform provider to staging registry | ||
| image: golang:1.17.5 |
There was a problem hiding this comment.
I think, we could parameterise the required Go version as it seems equal for the whole suite (if Drone allows it).
| @echo Testing plugins against Teleport $(TELEPORT_GET_VERSION) | ||
| go test -race -count 1 ./... | ||
| go test -race -count 1 $(shell go list ./...) |
There was a problem hiding this comment.
Not sure if my comment is applicable here, but looks like. Terraform provider tests need env var TF_ENV=true to be specified (Terraform framework requirement). Terraform must be available as well.
There was a problem hiding this comment.
This is change is to avoid go test picking up the tooling module here. For some reason, in my testing, ./... included the tooling package and failed, where $(shell go list ./...) correctly treated it as a separate module.
Just tested it again now an all seems fine.
| files = append(files, versionsFilePath) | ||
|
|
||
| // Finally, push the new index files to the production bucket | ||
| err = uploadRegistry(ctx, s3client, prodBucket.bucketName, workspace.productionDir, files) |
There was a problem hiding this comment.
Is there anything we can do on the tool side to make sure that the index file hasn't changed between when we downloaded it above and saving it here? In case we get simultaneous builds running somehow. I don't suppose S3 has something like compare-and-swap?
There was a problem hiding this comment.
Oh how I tried to do this :-)
Short answer is that there is no way to do this in S3 alone, although we might be able to implement it with some other AWS services.
Here's what I looked into:
- Definitely no CAS on S3
- Creating a lockfile, even with s3 now having strong consistency, won't work as S3 has no atomic "put only if the there is nothing there already" primitive
- S3 object locking exists, but is not really applicable to this problem. It works at a whole-bucket level and is designed to protect objects from accidental or malicious erasure, rather than locking out concurrent changes and just won't do what we want.
To use an all-AWS solution we would have to look at implementing locking with a DynamoDB table or somesuch, which is certainbly do-able, but is probably not a lot better than relying on Drone to serialize these jobs at the pipeline level.
Co-authored-by: Roman Tkachenko <[email protected]>
…ional/teleport-plugins into tcsc/terraform-promotion-script
| event: | ||
| - promote | ||
| target: | ||
| - production |
There was a problem hiding this comment.
I like to add both production and a pipeline specific production-terraform as triggers on promotion steps. This allows rerunning only the production-terraform step if something goes wrong with it without needing to rerun the entire pipeline -- good for speed and also not re-uploading other artifacts unnecessarily.
There was a problem hiding this comment.
Excellent idea. Added an explicit staging build as well for this same reason
tcsc
force-pushed
the
tcsc/terraform-promotion-script
branch
from
7f46d17 to
b2a75d7
Compare
This script is intended to maintain a custom terraform registry that will be used to distribute the Teleport terraform provider.
The basic promotion steps are:
versionsindex file (if present)The promotion code runs in response to two events:
terraformtag build. The promotion is dairy-chained onto the terraform provider builds using Drone'sdepends_onpipeline config, and the resulting package is uploaded to a staging repository, andThe Drone YAML is configured to execute the same code in both cases, with different values supplied via the Drone environment.