chore: Enables AWS encryption_at_rest acceptance tests to run in CI #3000
Conversation
maastha
changed the title
|
|
||
| encryption: | ||
| needs: [ change-detection, get-provider-version ] | ||
| concurrency: |
There was a problem hiding this comment.
Each test run for encryption takes about ~8min to complete. Since the tests use shared resources, I want to prevent multiple simultaneous runs.
I'm thinking as a follow-up I can separate out AWS and Azure tests in separate jobs using ACCTEST_REGEX_RUN to reduce the test run time more.
Will wait to see if any other suggestions.
There was a problem hiding this comment.
I see tests are using resource.Test instead of resource.ParallelTest, so I understand it's in case this is running in multiple PRs / test suites.
The main issue I see, as cancel-in-progress=false, is that there can be some pile-up of jobs, and for example some PR checks are blocked until older ones finish, if some gets stucks, it can be a long time until they time out. This could also block Test Suite.
but we can go ahead and see if this happens
There was a problem hiding this comment.
The main issue I see, as cancel-in-progress=false, is that there can be some pile-up of jobs, and for example some PR checks are blocked until older ones finish, if some gets stucks, it can be a long time until they time out.
Right. I don't think it should block the test suite given the cadence but yes PR checks could take longer. we can't use cancel-inprogress=true because that may leave resources in an inconsistent state.
but we can go ahead and see if this happens
yes sounds good.
| AWS_SECRET_ACCESS_KEY: ${{ secrets.aws_secret_access_key }} | ||
| AWS_ACCESS_KEY_ID: ${{ secrets.aws_access_key_id }} | ||
| AWS_CUSTOMER_MASTER_KEY_ID: ${{ secrets.aws_customer_master_key_id }} | ||
| MONGODB_ATLAS_PROJECT_EAR_PE_AWS_ID: ${{ inputs.mongodb_atlas_project_ear_pe_aws_id }} |
There was a problem hiding this comment.
n00b question: what does PE stand for?
There was a problem hiding this comment.
Private Endpoint. Happy to rename if this isn't readable, lmk in case of any suggestions
| os.Getenv("AWS_SECRET_ACCESS_KEY") == "" || | ||
| os.Getenv("AWS_CUSTOMER_MASTER_KEY_ID") == "" || | ||
| os.Getenv("MONGODB_ATLAS_PROJECT_EAR_PE_AWS_ID") == "" || | ||
| os.Getenv("AWS_PRIVATE_ENDPOINT_REGION") == "" { |
There was a problem hiding this comment.
just checking is this change correct? what is the diff between the two EV?
There was a problem hiding this comment.
yes. AWS_PRIVATE_ENDPOINT_REGION was added in a previous PR and currently is only in the CLOUDP-262752-ear-aws-kms-dev dev branch, not in master. I just decided to reuse another existing env AWS_REGION instead of adding this (AWS_PRIVATE_ENDPOINT_REGION ) new one
| Config: testAccMongoDBAtlasEncryptionAtRestConfigAwsKmsWithRole(projectID, awsIAMRoleName, awsIAMRolePolicyName, awsKeyName, &awsKms), | ||
| Check: resource.ComposeAggregateTestCheckFunc( | ||
| acc.CheckEARExists(resourceName), | ||
| resource.TestCheckResourceAttr(resourceName, "project_id", projectID), |
There was a problem hiding this comment.
being a TPF resource, consider checking only computed values
| encryption: | ||
| needs: [ change-detection, get-provider-version ] | ||
| concurrency: | ||
| group: ${{ github.repository }}-global-ear-concurrency |
There was a problem hiding this comment.
why the ${{ github.repository}}?
There was a problem hiding this comment.
since these tests use same AWS and Azure resources (Atlas project, etc), we want all workflows across the repository to not run concurrently which could result in race conditions.
I have refactored the other TestMigEncryptionAtRest_withRole_basicAWS test though as per your comment. Hope that helps!
There was a problem hiding this comment.
I am under the impression that group simply is a key, as long as it is the same, it will not run concurrently, this means:
group: ${{ github.repository }}-global-ear-concurrencygroup: global-ear-concurrency
would be equivalent
| projectID = os.Getenv("MONGODB_ATLAS_PROJECT_EAR_PE_AWS_ID") // to use RequirePrivateNetworking, Atlas Project is required to have FF enabled | ||
|
|
||
| awsKms = admin.AWSKMSConfiguration{ | ||
| Enabled: conversion.Pointer(true), |
There was a problem hiding this comment.
Same comment as earlier PR 😅
Why we cannot refactor out the test case?
There was a problem hiding this comment.
so the acc test case checks update of RequirePrivateNetworking which is a required test case. Since this attr doesn't exist in previous versions, I'd like to keep these test cases separate
|
Any reason why |
Responded in above comment. Let's try to leave comments on specific lines as these are hard to respond to/have a conversation :) |
…terraform-provider-mongodbatlas into CLOUDP-293831-ear-aws-ci-enable
|
Required env vars and secrets have been added to repo for dev and QA. Added an item to ensure QA tests succeed once required changes are in prod and before merging this to master in this ticket: https://jira.mongodb.org/browse/CLOUDP-296239 Merging this PR to dev branch. |
maastha
merged commit fd0f885
into
CLOUDP-262752-ear-aws-kms-dev
Description
Enables AWS encryption_at_rest acceptance tests to run in CI
Link to any related issue(s): CLOUDP-293831
Type of change:
Required Checklist:
Further comments