privacysandbox / aggregation-service

This repository contains instructions and scripts to set up and test the Privacy Sandbox Aggregation Service
Apache License 2.0

Terraform plan always shows changes #66

Open sebastianrtb opened 1 month ago

sebastianrtb commented 1 month ago

When running Plan and Apply on terraform from https://github.com/privacysandbox/aggregation-service/blob/main/docs/gcp-aggregation-service.md#set-up-your-deployment-environment, Aggregation Service is deployed successfully. But when terraform plan is executed again it is not empty (and should be).

Most probably the issue is with module.job_service.module.autoscaling.google_cloudfunctions2_function.worker_scale_in_cloudfunction. Two fields are missing there: docker_repository and environment_variables.LOG_EXECUTION_ID.

As a result, terraform updates worker_scale_in_cloudfunction each time it is run.

nlrussell commented 1 month ago

Hi @sebastianrtb, thanks for the feedback. There's a known issue with the GCP Terraform provider, and once that's resolved, you won't see docker_repository changing in place each time terraform apply is run. For the LOG_EXECUTION_ID, we're still investigating how to prevent this from changing for each apply so I'll have to follow up with you on that.

sebastianrtb commented 1 month ago

thank you

nlrussell commented 1 month ago

Hi @sebastianrtb, I have an update on LOG_EXECUTION_ID. We're going to roll out a fix for this in one of our upcoming releases, but in the meantime, you can prevent LOG_EXECUTION_ID from popping up in each terraform plan by adding LOG_EXECUTION_ID = true to two of the terraform modules:

  1. autoscaling/workerscalein.tf in service_config > environment_variables (example below)

    ...
    service_config {
      # Only one instance should run to control instance group scale-in
      max_instance_count            = 1
      timeout_seconds               = 180
      available_memory              = "${var.autoscaling_cloudfunction_memory_mb}M"
      service_account_email         = var.worker_service_account
      ingress_settings              = "ALLOW_ALL" # Otherwise, it cannot be triggered by Cloud Scheduler.
      vpc_connector                 = var.vpc_connector_id
      vpc_connector_egress_settings = var.vpc_connector_id == null ? null : "ALL_TRAFFIC"
      environment_variables = {
        PROJECT_ID                  = var.project_id
        REGION                      = var.region
        SPANNER_INSTANCE_ID         = var.metadatadb_instance_name
        SPANNER_DATABASE_ID         = var.metadatadb_name
        MANAGED_INSTANCE_GROUP_NAME = google_compute_region_instance_group_manager.worker_instance_group.name
        TERMINATION_WAIT_TIMEOUT    = var.termination_wait_timeout_sec
        ASG_INSTANCES_TTL           = var.asg_instances_table_ttl_days
        LOG_EXECUTION_ID            = true
      }
    }
    ...

  2. frontend/main.tf in service_config > environment_variables (example below)

    ...
    service_config {
      min_instance_count            = var.frontend_service_cloudfunction_min_instances
      max_instance_count            = var.frontend_service_cloudfunction_max_instances
      timeout_seconds               = var.frontend_service_cloudfunction_timeout_sec
      available_memory              = "${var.frontend_service_cloudfunction_memory_mb}M"
      service_account_email         = google_service_account.frontend_service_account.email
      vpc_connector                 = var.vpc_connector_id
      vpc_connector_egress_settings = var.vpc_connector_id == null ? null : "ALL_TRAFFIC"
      environment_variables = {
        PROJECT_ID             = var.project_id
        INSTANCE_ID            = var.spanner_instance_name
        DATABASE_ID            = var.spanner_database_name
        PUBSUB_TOPIC_ID        = var.job_queue_topic
        PUBSUB_SUBSCRIPTION_ID = var.job_queue_sub
        JOB_METADATA_TTL       = var.job_metadata_table_ttl_days
        JOB_VERSION            = var.job_version
        LOG_EXECUTION_ID       = true
      }
    }
    ...

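
Added example, not part of the thread or the project's code: a check over `terraform show -json` plan output that separates the two perpetually drifting fields reported above from any other pending change, so a noisy plan does not hide a real one. The `[0]` path layout and every value in the sample plan are assumptions constructed for illustration.

```python
import json

# Attribute paths this thread reports as changing on every plan. The [0]
# indices assume nested blocks appear as one-element lists in plan JSON.
KNOWN_DRIFT = {
    "build_config[0].docker_repository",
    "service_config[0].environment_variables.LOG_EXECUTION_ID",
}

def diff_paths(before, after, prefix=""):
    """Return attribute paths whose values differ between before and after."""
    if isinstance(before, dict) and isinstance(after, dict):
        keys = sorted(set(before) | set(after))
        return [p for k in keys for p in diff_paths(
            before.get(k), after.get(k), f"{prefix}.{k}" if prefix else k)]
    if isinstance(before, list) and isinstance(after, list) and len(before) == len(after):
        return [p for i, (b, a) in enumerate(zip(before, after))
                for p in diff_paths(b, a, f"{prefix}[{i}]")]
    return [] if before == after else [prefix or "<whole resource>"]

def classify_plan(plan):
    """Map each changed resource address to (known_drift, unexpected) paths."""
    report = {}
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if change["actions"] == ["no-op"]:
            continue
        paths = diff_paths(change.get("before"), change.get("after"))
        known = [p for p in paths if p in KNOWN_DRIFT]
        report[rc["address"]] = (known, [p for p in paths if p not in KNOWN_DRIFT])
    return report

# Constructed sample shaped like plan JSON; timeout_seconds is changed on
# purpose to show a difference that is not one of the known drifting fields.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [{
  "address": "module.job_service.module.autoscaling.google_cloudfunctions2_function.worker_scale_in_cloudfunction",
  "change": {"actions": ["update"],
    "before": {"build_config": [{"docker_repository": "constructed-repo"}],
      "service_config": [{"timeout_seconds": 180,
        "environment_variables": {"REGION": "constructed-region", "LOG_EXECUTION_ID": "true"}}]},
    "after": {"build_config": [{"docker_repository": null}],
      "service_config": [{"timeout_seconds": 60,
        "environment_variables": {"REGION": "constructed-region"}}]}}}]}
""")

if __name__ == "__main__":
    for address, (known, unexpected) in classify_plan(SAMPLE_PLAN).items():
        print(address, "| known drift:", known, "| unexpected:", unexpected)
```
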
sebastianrtb commented 1 month ago

thank you for quick fix ;)