Skip to content

Commit

Permalink
E2E tests for dataproc + cleanup
Browse files Browse the repository at this point in the history
  • Loading branch information
wiktorn committed Mar 8, 2024
1 parent 38cdce8 commit 1d2255a
Show file tree
Hide file tree
Showing 4 changed files with 138 additions and 84 deletions.
164 changes: 118 additions & 46 deletions modules/dataproc/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ This module Manages a Google Cloud [Dataproc](https://cloud.google.com/dataproc)
- [Additive IAM](#additive-iam)
- [Variables](#variables)
- [Outputs](#outputs)
- [Fixtures](#fixtures)
<!-- END TOC -->

## TODO
Expand All @@ -25,95 +26,169 @@ This module Manages a Google Cloud [Dataproc](https://cloud.google.com/dataproc)
### Simple

```hcl
module "processing-dp-cluster-2" {
module "dataproc-cluster" {
source = "./fabric/modules/dataproc"
project_id = "my-project"
project_id = var.project_id
name = "my-cluster"
region = "europe-west1"
region = var.region
}
# tftest modules=1 resources=1
```

### Cluster configuration on GCE

To set cluster configuration use the 'dataproc_config.cluster_config' variable.
To set cluster configuration use the 'dataproc_config.cluster_config' variable. If you don't want to use dedicated service account, remember to grant `roles/dataproc.worker` to Compute Default Service Account.

```hcl
module "dataproc-service-account" {
source = "./fabric/modules/iam-service-account"
project_id = var.project_id
name = "dataproc-worker"
iam_project_roles = {
(var.project_id) = ["roles/dataproc.worker"]
}
}
module "firewall" {
source = "./fabric/modules/net-vpc-firewall"
project_id = var.project_id
network = var.vpc.name
ingress_rules = {
allow-ingress-dataproc = {
description = "Allow all traffic between Dataproc nodes."
targets = ["dataproc"]
sources = ["dataproc"]
}
}
}
module "processing-dp-cluster" {
source = "./fabric/modules/dataproc"
project_id = "my-project"
project_id = var.project_id
name = "my-cluster"
region = "europe-west1"
prefix = "prefix"
region = var.region
dataproc_config = {
cluster_config = {
gce_cluster_config = {
subnetwork = "https://www.googleapis.com/compute/v1/projects/PROJECT/regions/europe-west1/subnetworks/SUBNET"
zone = "europe-west1-b"
service_account = ""
service_account_scopes = ["cloud-platform"]
internal_ip_only = true
service_account = module.dataproc-service-account.email
service_account_scopes = ["cloud-platform"]
subnetwork = var.subnet.self_link
tags = ["dataproc"]
zone = "${var.region}-b"
}
}
}
depends_on = [
module.dataproc-service-account, # ensure all grants are done before creating the cluster
]
}
# tftest modules=1 resources=1
# tftest modules=3 resources=7
```

### Cluster configuration on GCE with CMEK encryption

To set cluster configuration use the Customer Managed Encryption key, set `dataproc_config.encryption_config.` variable. The Compute Engine service agent and the Cloud Storage service agent need to have `CryptoKey Encrypter/Decrypter` role on they configured KMS key ([Documentation](https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/customer-managed-encryption)).

```hcl
module "dataproc-service-account" {
source = "./fabric/modules/iam-service-account"
project_id = var.project_id
name = "dataproc-worker"
iam_project_roles = {
(var.project_id) = ["roles/dataproc.worker", "roles/cloudkms.cryptoKeyEncrypterDecrypter"]
}
}
module "firewall" {
source = "./fabric/modules/net-vpc-firewall"
project_id = var.project_id
network = var.vpc.name
ingress_rules = {
allow-ingress-dataproc = {
description = "Allow all traffic between Dataproc nodes."
targets = ["dataproc"]
sources = ["dataproc"]
}
}
}
module "processing-dp-cluster" {
source = "./fabric/modules/dataproc"
project_id = "my-project"
project_id = var.project_id
name = "my-cluster"
region = "europe-west1"
prefix = "prefix"
region = var.region
dataproc_config = {
cluster_config = {
gce_cluster_config = {
subnetwork = "https://www.googleapis.com/compute/v1/projects/PROJECT/regions/europe-west1/subnetworks/SUBNET"
zone = "europe-west1-b"
service_account = ""
service_account_scopes = ["cloud-platform"]
internal_ip_only = true
service_account = module.dataproc-service-account.email
service_account_scopes = ["cloud-platform"]
subnetwork = var.subnet.self_link
tags = ["dataproc"]
zone = "${var.region}-b"
}
}
encryption_config = {
kms_key_name = "projects/project-id/locations/region/keyRings/key-ring-name/cryptoKeys/key-name"
kms_key_name = var.kms_key.id
}
}
depends_on = [
module.dataproc-service-account, # ensure all grants are done before creating the cluster
]
}
# tftest modules=1 resources=1
# tftest modules=3 resources=8
```

### Cluster configuration on GKE

To set cluster configuration GKE use the 'dataproc_config.virtual_cluster_config' variable.
To set cluster configuration GKE use the 'dataproc_config.virtual_cluster_config' variable. This example shows usage of [dedicated Service Account](https://cloud.google.com/dataproc/docs/guides/dpgke/dataproc-gke-iam#custom_iam_configuration).

```hcl
locals {
dataproc_namespace = "foobar"
}
module "dataproc-service-account" {
source = "./fabric/modules/iam-service-account"
project_id = var.project_id
name = "dataproc-worker"
iam = {
"roles/iam.workloadIdentityUser" = [
"serviceAccount:${var.project_id}.svc.id.goog[${local.dataproc_namespace}/agent]",
"serviceAccount:${var.project_id}.svc.id.goog[${local.dataproc_namespace}/spark-driver]",
"serviceAccount:${var.project_id}.svc.id.goog[${local.dataproc_namespace}/spark-executor]"
]
}
iam_project_roles = {
(var.project_id) = ["roles/dataproc.worker"]
}
depends_on = [
module.gke-cluster-standard, # granting workloadIdentityUser requires cluster/pool to be created first
]
}
module "processing-dp-cluster" {
source = "./fabric/modules/dataproc"
project_id = "my-project"
name = "my-gke-cluster"
region = "europe-west1"
prefix = "prefix"
project_id = var.project_id
name = "my-dataproc-cluster"
region = var.region
dataproc_config = {
virtual_cluster_config = {
kubernetes_cluster_config = {
kubernetes_namespace = "foobar"
kubernetes_namespace = local.dataproc_namespace
kubernetes_software_config = {
component_version = {
"SPARK" : "3.1-dataproc-7"
"SPARK" : "3.1-dataproc-14"
}
properties = {
"spark:spark.kubernetes.container.image" : "us-east4-docker.pkg.dev/cloud-dataproc/dpgke/sparkengine:dataproc-14"
"dataproc:dataproc.gke.agent.google-service-account" = module.dataproc-service-account.email
"dataproc:dataproc.gke.spark.driver.google-service-account" = module.dataproc-service-account.email
"dataproc:dataproc.gke.spark.executor.google-service-account" = module.dataproc-service-account.email
}
}
gke_cluster_config = {
gke_cluster_target = "projects/my-project/locations/my-location/clusters/gke-cluster-name"
gke_cluster_target = module.gke-cluster-standard.id
node_pool_target = {
node_pool = "node-pool-name"
roles = ["DEFAULT"]
Expand All @@ -123,7 +198,7 @@ module "processing-dp-cluster" {
}
}
}
# tftest modules=1 resources=1
# tftest modules=4 resources=6 fixtures=fixtures/gke-cluster-standard.tf e2e
```

## IAM
Expand All @@ -143,10 +218,9 @@ Refer to the [project module](../project/README.md#iam) for examples of the IAM
```hcl
module "processing-dp-cluster" {
source = "./fabric/modules/dataproc"
project_id = "my-project"
project_id = var.project_id
name = "my-cluster"
region = "europe-west1"
prefix = "prefix"
region = var.region
iam_by_principals = {
"group:[email protected]" = [
"roles/dataproc.viewer"
Expand All @@ -166,10 +240,9 @@ module "processing-dp-cluster" {
```hcl
module "processing-dp-cluster" {
source = "./fabric/modules/dataproc"
project_id = "my-project"
project_id = var.project_id
name = "my-cluster"
region = "europe-west1"
prefix = "prefix"
region = var.region
iam_bindings_additive = {
am1-viewer = {
member = "user:[email protected]"
Expand All @@ -185,24 +258,23 @@ module "processing-dp-cluster" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [name](variables.tf#L191) | Cluster name. | <code>string</code> || |
| [project_id](variables.tf#L206) | Project ID. | <code>string</code> || |
| [region](variables.tf#L211) | Dataproc region. | <code>string</code> || |
| [project_id](variables.tf#L196) | Project ID. | <code>string</code> || |
| [region](variables.tf#L201) | Dataproc region. | <code>string</code> || |
| [dataproc_config](variables.tf#L17) | Dataproc cluster config. | <code title="object&#40;&#123;&#10; graceful_decommission_timeout &#61; optional&#40;string&#41;&#10; cluster_config &#61; optional&#40;object&#40;&#123;&#10; staging_bucket &#61; optional&#40;string&#41;&#10; temp_bucket &#61; optional&#40;string&#41;&#10; gce_cluster_config &#61; optional&#40;object&#40;&#123;&#10; zone &#61; optional&#40;string&#41;&#10; network &#61; optional&#40;string&#41;&#10; subnetwork &#61; optional&#40;string&#41;&#10; service_account &#61; optional&#40;string&#41;&#10; service_account_scopes &#61; optional&#40;list&#40;string&#41;&#41;&#10; tags &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; internal_ip_only &#61; optional&#40;bool&#41;&#10; metadata &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; reservation_affinity &#61; optional&#40;object&#40;&#123;&#10; consume_reservation_type &#61; string&#10; key &#61; string&#10; values &#61; string&#10; &#125;&#41;&#41;&#10; node_group_affinity &#61; optional&#40;object&#40;&#123;&#10; node_group_uri &#61; string&#10; &#125;&#41;&#41;&#10;&#10;&#10; shielded_instance_config &#61; optional&#40;object&#40;&#123;&#10; enable_secure_boot &#61; bool&#10; enable_vtpm &#61; bool&#10; enable_integrity_monitoring &#61; bool&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; master_config &#61; optional&#40;object&#40;&#123;&#10; num_instances &#61; number&#10; machine_type &#61; string&#10; min_cpu_platform &#61; string&#10; image_uri &#61; string&#10; disk_config &#61; optional&#40;object&#40;&#123;&#10; boot_disk_type &#61; string&#10; boot_disk_size_gb &#61; number&#10; num_local_ssds &#61; number&#10; &#125;&#41;&#41;&#10; accelerators &#61; optional&#40;object&#40;&#123;&#10; accelerator_type &#61; string&#10; accelerator_count &#61; number&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; worker_config &#61; optional&#40;object&#40;&#123;&#10; num_instances &#61; number&#10; machine_type &#61; string&#10; min_cpu_platform &#61; string&#10; disk_config &#61; optional&#40;object&#40;&#123;&#10; boot_disk_type &#61; string&#10; boot_disk_size_gb &#61; number&#10; num_local_ssds &#61; number&#10; &#125;&#41;&#41;&#10; image_uri &#61; string&#10; accelerators &#61; optional&#40;object&#40;&#123;&#10; accelerator_type &#61; string&#10; accelerator_count &#61; number&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; preemptible_worker_config &#61; optional&#40;object&#40;&#123;&#10; num_instances &#61; number&#10; preemptibility &#61; string&#10; disk_config &#61; optional&#40;object&#40;&#123;&#10; boot_disk_type &#61; string&#10; boot_disk_size_gb &#61; number&#10; num_local_ssds &#61; number&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; software_config &#61; optional&#40;object&#40;&#123;&#10; image_version &#61; optional&#40;string&#41;&#10; override_properties &#61; map&#40;string&#41;&#10; optional_components &#61; optional&#40;list&#40;string&#41;&#41;&#10; &#125;&#41;&#41;&#10; security_config &#61; optional&#40;object&#40;&#123;&#10; kerberos_config &#61; object&#40;&#123;&#10; cross_realm_trust_admin_server &#61; optional&#40;string&#41;&#10; cross_realm_trust_kdc &#61; optional&#40;string&#41;&#10; cross_realm_trust_realm &#61; optional&#40;string&#41;&#10; cross_realm_trust_shared_password_uri &#61; optional&#40;string&#41;&#10; enable_kerberos &#61; optional&#40;string&#41;&#10; kdc_db_key_uri &#61; optional&#40;string&#41;&#10; key_password_uri &#61; optional&#40;string&#41;&#10; keystore_uri &#61; optional&#40;string&#41;&#10; keystore_password_uri &#61; optional&#40;string&#41;&#10; kms_key_uri &#61; string&#10; realm &#61; optional&#40;string&#41;&#10; root_principal_password_uri &#61; string&#10; tgt_lifetime_hours &#61; optional&#40;string&#41;&#10; truststore_password_uri &#61; optional&#40;string&#41;&#10; truststore_uri &#61; optional&#40;string&#41;&#10; &#125;&#41;&#10; &#125;&#41;&#41;&#10; autoscaling_config &#61; optional&#40;object&#40;&#123;&#10; policy_uri &#61; string&#10; &#125;&#41;&#41;&#10; initialization_action &#61; optional&#40;object&#40;&#123;&#10; script &#61; string&#10; timeout_sec &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; encryption_config &#61; optional&#40;object&#40;&#123;&#10; kms_key_name &#61; string&#10; &#125;&#41;&#41;&#10; lifecycle_config &#61; optional&#40;object&#40;&#123;&#10; idle_delete_ttl &#61; optional&#40;string&#41;&#10; auto_delete_time &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; endpoint_config &#61; optional&#40;object&#40;&#123;&#10; enable_http_port_access &#61; string&#10; &#125;&#41;&#41;&#10; dataproc_metric_config &#61; optional&#40;object&#40;&#123;&#10; metrics &#61; list&#40;object&#40;&#123;&#10; metric_source &#61; string&#10; metric_overrides &#61; optional&#40;list&#40;string&#41;&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; metastore_config &#61; optional&#40;object&#40;&#123;&#10; dataproc_metastore_service &#61; string&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10;&#10;&#10; virtual_cluster_config &#61; optional&#40;object&#40;&#123;&#10; staging_bucket &#61; optional&#40;string&#41;&#10; auxiliary_services_config &#61; optional&#40;object&#40;&#123;&#10; metastore_config &#61; optional&#40;object&#40;&#123;&#10; dataproc_metastore_service &#61; string&#10; &#125;&#41;&#41;&#10; spark_history_server_config &#61; optional&#40;object&#40;&#123;&#10; dataproc_cluster &#61; string&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; kubernetes_cluster_config &#61; object&#40;&#123;&#10; kubernetes_namespace &#61; optional&#40;string&#41;&#10; kubernetes_software_config &#61; object&#40;&#123;&#10; component_version &#61; map&#40;string&#41;&#10; properties &#61; optional&#40;map&#40;string&#41;&#41;&#10; &#125;&#41;&#10;&#10;&#10; gke_cluster_config &#61; object&#40;&#123;&#10; gke_cluster_target &#61; optional&#40;string&#41;&#10; node_pool_target &#61; optional&#40;object&#40;&#123;&#10; node_pool &#61; string&#10; roles &#61; list&#40;string&#41;&#10; node_pool_config &#61; optional&#40;object&#40;&#123;&#10; autoscaling &#61; optional&#40;object&#40;&#123;&#10; min_node_count &#61; optional&#40;number&#41;&#10; max_node_count &#61; optional&#40;number&#41;&#10; &#125;&#41;&#41;&#10;&#10;&#10; config &#61; object&#40;&#123;&#10; machine_type &#61; optional&#40;string&#41;&#10; preemptible &#61; optional&#40;bool&#41;&#10; local_ssd_count &#61; optional&#40;number&#41;&#10; min_cpu_platform &#61; optional&#40;string&#41;&#10; spot &#61; optional&#40;bool&#41;&#10; &#125;&#41;&#10;&#10;&#10; locations &#61; optional&#40;list&#40;string&#41;&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#10; &#125;&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [iam](variables-iam.tf#L24) | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [iam_bindings](variables-iam.tf#L31) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | <code title="map&#40;object&#40;&#123;&#10; members &#61; list&#40;string&#41;&#10; role &#61; string&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [iam_bindings_additive](variables-iam.tf#L46) | Individual additive IAM bindings. Keys are arbitrary. | <code title="map&#40;object&#40;&#123;&#10; member &#61; string&#10; role &#61; string&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [iam_by_principals](variables-iam.tf#L17) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [labels](variables.tf#L185) | The resource labels for instance to use to annotate any related underlying resources, such as Compute Engine VMs. | <code>map&#40;string&#41;</code> | | <code>&#123;&#125;</code> |
| [prefix](variables.tf#L196) | Optional prefix used to generate project id and name. | <code>string</code> | | <code>null</code> |
| [service_account](variables.tf#L216) | Service account to set on the Dataproc cluster. | <code>string</code> | | <code>null</code> |

## Outputs

| name | description | sensitive |
|---|---|:---:|
| [bucket_names](outputs.tf#L19) | List of bucket names which have been assigned to the cluster. | |
| [http_ports](outputs.tf#L24) | The map of port descriptions to URLs. | |
| [id](outputs.tf#L29) | Fully qualified cluster id. | |
| [instance_names](outputs.tf#L34) | List of instance names which have been assigned to the cluster. | |
| [name](outputs.tf#L43) | The name of the cluster. | |
| [id](outputs.tf#L30) | Fully qualified cluster id. | |
| [name](outputs.tf#L45) | The name of the cluster. | |

## Fixtures

- [gke-cluster-standard.tf](../../tests/fixtures/gke-cluster-standard.tf)
<!-- END TFDOC -->
Loading

0 comments on commit 1d2255a

Please sign in to comment.