Bootstrapping PSA Roles for Healthcare #7376
Conversation
|
Hi there, I'm the Modular magician. I've detected the following information about your changes: Diff reportYour PR generated some diffs in downstreams - here they are. Terraform GA: Diff ( 3 files changed, 80 insertions(+), 38 deletions(-)) |
Tests analyticsTotal tests: Action takenTriggering VCR tests in RECORDING mode for the tests that failed during VCR. Click here to see the failed testsTestAccWorkstationsWorkstationConfig_workstationConfigEncryptionKeyExample|TestAccSqlDatabaseInstance_Timezone |
|
Tests passed during RECORDING mode: Tests failed during RECORDING mode: Please fix these to complete your PR |
| @@ -59,6 +59,24 @@ overrides: !ruby/object:Overrides::ResourceOverrides | |||
| fhir_store_name: "example-fhir-store" | |||
| pubsub_topic: "fhir-notifications" | |||
| bq_dataset_name: "bq_example_dataset" | |||
| test_vars_overrides: | |||
| psaRoles: 'BootstrapPSARoles(t, | |||
There was a problem hiding this comment.
I think we will end up needing this in quite a few places, and I'm a little concerned that this format will trip up other contributors. Is there a way would could simplify?
Two ideas that could shorten the call: 1) we probably shouldn't allow this for any other project, so we could omit projectID, and 2) while the *Options pattern is nice, I don't see us use it very often, and the more verbose call is less ideal in yaml
There was a problem hiding this comment.
Thanks for the review!
I've tried to make the calls as terse as possible to fit in the yaml.
| } | ||
|
|
||
| // Map each role to whether it was already in the policy | ||
| rolesFound := make(map[string]bool, len(opts.Roles)) |
There was a problem hiding this comment.
Did you consider some of the iam utility functions we have available, like mergeBindings, and compareBindings to detect changes? While probably slower technically, those functions have unit tests that might make them a bit safer. This bootstrap function will be modifying our root project policy, so any unexpected behavior could have wider impact.
There was a problem hiding this comment.
I did not realize we had those. I've refactored to make use of them.
|
Hi there, I'm the Modular magician. I've detected the following information about your changes: Diff reportYour PR generated some diffs in downstreams - here they are. Terraform GA: Diff ( 4 files changed, 100 insertions(+), 38 deletions(-)) |
Tests analyticsTotal tests: Errors occurred during REPLAYING mode. Please fix them to complete your PR |
|
Hello, @trodge , you may need to rebase the main branch to make the PR pass the checks. |
|
Hi there, I'm the Modular magician. I've detected the following information about your changes: Diff reportYour PR generated some diffs in downstreams - here they are. Terraform GA: Diff ( 4 files changed, 77 insertions(+), 38 deletions(-)) |
trodge
force-pushed
the
healthcare-fhir-vs-dicom
branch
from
e7e10c3 to
26a27a0
Compare
|
Hi there, I'm the Modular magician. I've detected the following information about your changes: Diff reportYour PR generated some diffs in downstreams - here they are. Terraform GA: Diff ( 4 files changed, 94 insertions(+), 38 deletions(-)) |
Tests analyticsTotal tests: Errors occurred during REPLAYING mode. Please fix them to complete your PR |
|
Hi there, I'm the Modular magician. I've detected the following information about your changes: Diff reportYour PR generated some diffs in downstreams - here they are. Terraform GA: Diff ( 4 files changed, 94 insertions(+), 38 deletions(-)) |
Tests analyticsTotal tests: Action takenTriggering VCR tests in RECORDING mode for the tests that failed during VCR. Click here to see the failed testsTestAccComposerEnvironment_withEncryptionConfigComposer1|TestAccComposerEnvironment_withEncryptionConfigComposer2|TestAccWorkstationsWorkstationConfig_workstationConfigEncryptionKeyExample|TestAccDataSourceGoogleServiceAccountJwt |
|
Tests passed during RECORDING mode: Tests failed during RECORDING mode: Please fix these to complete your PR |
| @@ -960,6 +962,21 @@ func TestAccComposerEnvironment_fixPyPiPackages(t *testing.T) { | |||
| }) | |||
| } | |||
|
|
|||
| // This bootstraps the IAM roles needed for the service agents when using encryption. | |||
| func grantEncrypterDecrypterRoleToServiceAgents(t *testing.T) { | |||
There was a problem hiding this comment.
It might make sense to move this piece of work out into a separate PR for 2 reasons (but defer to you if it makes sense to keep it):
- In case we experience any sort of issues with project permissions when these bootstrap functions are called in the nightly tests, it would make for a smaller rollback and smaller impact.
- Until we remove all of the places in our examples/tests where these bindings are created, I think they will still be subject to being occasionally deleted (perhaps these were already removed though).
|
Hi there, I'm the Modular magician. I've detected the following information about your changes: Diff reportYour PR generated some diffs in downstreams - here they are. Terraform GA: Diff ( 3 files changed, 77 insertions(+), 38 deletions(-)) |
Tests analyticsTotal tests: Action takenTriggering VCR tests in RECORDING mode for the tests that failed during VCR. Click here to see the failed testsTestAccFirebaserulesRelease_BasicRelease|TestAccWorkstationsWorkstationConfig_workstationConfigEncryptionKeyExample |
* Add a new bootstrap function for assigning roles to service accounts. * Call the bootstrap function * Call the bootstrap function * Use an options struct, remove iam members * Bootstrap roles in the dicom store test * Grant roles in composer environment tests * Refactor bootstrap function * Delete unused options struct * Fix comments * Improve the interface * Remove extra newline * Fix variable names * Move composer environment test changes to separate PR
* Add a new bootstrap function for assigning roles to service accounts. * Call the bootstrap function * Call the bootstrap function * Use an options struct, remove iam members * Bootstrap roles in the dicom store test * Grant roles in composer environment tests * Refactor bootstrap function * Delete unused options struct * Fix comments * Improve the interface * Remove extra newline * Fix variable names * Move composer environment test changes to separate PR
fixes hashicorp/terraform-provider-google#13721
I can add bootstrap calls for the tests in hashicorp/terraform-provider-google#12908 if desired.
If this PR is for Terraform, I acknowledge that I have:
make testandmake lintin the generated providers to ensure it passes unit and linter tests.Release Note Template for Downstream PRs (will be copied)