Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check in role manager dependencies #493

Merged
merged 3 commits into from
Jul 15, 2024
Merged

Check in role manager dependencies #493

merged 3 commits into from
Jul 15, 2024

Conversation

lorenyu
Copy link
Contributor

@lorenyu lorenyu commented Dec 5, 2023

Ticket

n/a

Changes

  • Check in role manager python dependencies
  • Remove local exec pip3 install step for database module

Context for reviewers

A number of people were confused by the fact that the terraform plan is never clean due to the triggers_replace = timestamp(). There were also concerns about the dependency on pip3. This change adds the role manager dependency to the source code, which eliminates the need for the local-exec provisioner step and also removes the dependency on pip3. The cost is that there is now some vendor code in the /modules/database/role_manager/vendor folder.

Testing

Developed and tested in navapbc/platform-test#71

rocketnova
rocketnova approved these changes Dec 5, 2023
View reviewed changes
Copy link
Contributor

@rocketnova rocketnova left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

In the long term, I think this is less ideal because we're checking in specific versions of these packages. Do we already have a process for updating these?

I still have it on my radar to investigate alternative approaches to handling the role manager. In the meantime, I think this is a good move.

@lorenyu
Copy link
Contributor Author

lorenyu commented Dec 5, 2023

@rocketnova good point. some quick ideas:

  • github action workflow that installs pg8000 once a week to check for updates. it could even put up a PR on its own
  • CI check that installs pg8000 and checks to see if there are any diffs
  • add a template-only-docs/ instruction on how to role manager dependencies works and how to update it

thoughts on any of those?

@lorenyu
Copy link
Contributor Author

lorenyu commented Dec 6, 2023

@jamesbursa also had the idea to use one of the pre-existing lambda layers that seems to have pg8000 installed already by default

@charles-nava charles-nava removed their request for review February 13, 2024 20:12
@lorenyu
Copy link
Contributor Author

lorenyu commented Jul 8, 2024

@rocketnova I forgot this PR existed. It looks like we decided back in December to check in role manager dependencies, but I never merged this. That would allow us to:

  • Get rid of the local-exec and associated complexities
  • Add the database to the check infra deploy status workflow

Thoughts?

@rocketnova
Copy link
Contributor

@lorenyu I also forgot that we already made a decision on this. Let's move forward with this as the short-term solution and keep our eye on a long-term solution that will allow us to remove this.

@lorenyu lorenyu merged commit 30c2062 into main Jul 15, 2024
7 checks passed
@lorenyu lorenyu deleted the lorenyu/dbcheckindeps branch July 15, 2024 23:50
This was referenced Jul 15, 2024
Merged
Closed
Merged
lorenyu added a commit that referenced this pull request Jul 18, 2024
@lorenyu
Check in role manager archive (#695)
dd4f11f 
- Remove role manager dependencies from source control
- Add role manager archive to source control
- Add make command for building role manager archive
- Add documentation on how to update role manager

## Context

The “check in role manager dependencies” change in [PR
493](#493) does not
function as desired. The role manager lambda still shows a diff on the
source_code_hash on a clean checkout of the repo. This change removes
the archive_file data source altogether, and checks in the zip archive
directly into the codebase. Benefits include:
- We no longer need to check in the python dependencies into source
control, which is a ton of files including binary files
- There’s nothing nondeterministic for project teams, the archive file
is exactly the zip package that gets deployed to lambda

The downside is that updating the role manager is more manual. So this
change also adds a `make infra-module-database-role-manager-archive` to
rebuild the role manager package and adds instructions for doing that.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rocketnova rocketnova rocketnova approved these changes

@jamesbursa jamesbursa Awaiting requested review from jamesbursa

@shawnvanderjagt shawnvanderjagt Awaiting requested review from shawnvanderjagt

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@lorenyu @rocketnova