fix(gcptf): Fix provider versions and output issues

cloud/aws/deploytf/deploy.go

@@ -93,6 +93,10 @@ func (a *NitricAwsTerraformProvider) CdkTfModules() (string, fs.FS, error) {
 	return ".nitric/modules", modules, nil
 }
 
+func (a *NitricAwsTerraformProvider) RequiredProviders() map[string]interface{} {
+	return map[string]interface{}{}
+}
+
 func (a *NitricAwsTerraformProvider) Pre(stack cdktf.TerraformStack, resources []*deploymentspb.Resource) error {
 	tfRegion := cdktf.NewTerraformVariable(stack, jsii.String("region"), &cdktf.TerraformVariableConfig{
 		Type:        jsii.String("string"),

cloud/azure/deploy/deploy.go

@@ -170,6 +170,10 @@ func createStorageAccount(ctx *pulumi.Context, group *resources.ResourceGroup, t
 	return storageAccount, nil
 }
 
+func (a *NitricAzurePulumiProvider) RequiredProviders() map[string]interface{} {
+	return map[string]interface{}{}
+}
+
 func (a *NitricAzurePulumiProvider) createDatabaseServer(ctx *pulumi.Context, tags map[string]string) error {
 	var err error
 

cloud/common/deploy/provider/terraform.go

@@ -43,6 +43,9 @@ type NitricTerraformProvider interface {
 	// CdkTfModules - Return the relative parent directory (root golang packed) and embedded modules directory
 	CdkTfModules() (string, fs.FS, error)
 
+	// RequiredProviders - Return a list of required providers for this provider
+	RequiredProviders() map[string]interface{}
+
 	// Order - Return the order that resources should be deployed in.
 	// The order of resources is important as some resources depend on others.
 	// Changing the default order is not recommended unless you know what you are doing.
@@ -199,6 +202,8 @@ func createTerraformStackForNitricProvider(req *deploymentspb.DeploymentUpReques
 
 	stack := cdktf.NewTerraformStack(app, &fullStackName)
 
+	stack.AddOverride(jsii.String("terraform.required_providers"), nitricProvider.RequiredProviders())
+
 	// The code that defines your stack goes here
 	resources := nitricProvider.Order(req.Spec.Resources)
 

cloud/gcp/Makefile

@@ -89,7 +89,7 @@ generate-mocks:
 generate-sources: generate-mocks
 
 generate-terraform:
-	@cd deploytf && npx -y [email protected].8 get
+	@cd deploytf && npx -y [email protected].10 get
 
 tidy:
 	@go mod tidy

cloud/gcp/deploytf/.nitric/modules/service/main.tf

@@ -12,7 +12,7 @@ data "google_container_registry_repository" "repo" {
 }
 
 locals {
-  service_image_url = "${data.google_container_registry_repository.repo.repository_url}/${var.service_name}"
+  service_image_url = "${var.artifact_registry_repository}/${var.service_name}"
 }
 
 # Tag the provided docker image with the repository url
@@ -64,57 +64,63 @@ resource "google_cloud_run_v2_service" "service" {
   location = var.region
   project  = var.project_id
   # set launch_stage to BETA if gpus set otherwise GA
-  launch_stage = var.gpus > 0 ? "BETA" : "GA"
+  # launch_stage        = var.gpus > 0 ? "BETA" : "GA"
+  launch_stage        = "GA"
   deletion_protection = false
 
   template {
     scaling {
-      max_instance_count = var.min_instances
-      min_instance_count = var.max_instances
+      min_instance_count = var.min_instances
+      max_instance_count = var.max_instances
     }
+
+    # dynamic "node_selector" {
+    #   for_each = var.gpus > 0 ? [1] : []
+    #   content {
+    #     accelerator = "nvidia-l4"
+    #   }
+    # }
     containers {
       image = "${local.service_image_url}@${docker_registry_image.push.sha256_digest}"
       resources {
-        limits = merge({
-          cpu    = "${var.cpus}"
+        limits = {
+          cpu    = var.cpus
           memory = "${var.memory_mb}Mi"
-        }, var.gpus > 0 ? { "nvidia.com/gpu" = var.gpus } : {})
-      }
-
-      dynamic "node_selector" {
-        for_each = var.gpus > 0 ? [1] : []
-        content {
-          accelerator = "nvidia-l4"
         }
+
+        # limits = merge({
+        #   cpu    = "${var.cpus}"
+        #   memory = "${var.memory_mb}Mi"
+        # }, var.gpus > 0 ? { "nvidia.com/gpu" = var.gpus } : {})
       }
 
       ports {
         container_port = 9001
       }
       env {
-          name  = "EVENT_TOKEN"
-          value = random_password.event_token.result
-        }
-        env {
-          name  = "SERVICE_ACCOUNT_EMAIL"
-          value = google_service_account.service_account.email
-        }
-        env {
-          name  = "GCP_REGION"
-          value = var.region
-        }
+        name  = "EVENT_TOKEN"
+        value = random_password.event_token.result
+      }
+      env {
+        name  = "SERVICE_ACCOUNT_EMAIL"
+        value = google_service_account.service_account.email
+      }
+      env {
+        name  = "GCP_REGION"
+        value = var.region
+      }
 
-        dynamic "env" {
-          for_each = var.environment
-          content {
-            name  = env.key
-            value = env.value
-          }
+      dynamic "env" {
+        for_each = var.environment
+        content {
+          name  = env.key
+          value = env.value
         }
+      }
     }
-    
+
     service_account = google_service_account.service_account.email
-    timeout = var.timeout_seconds
+    timeout         = "${var.timeout_seconds}s"
   }
 
   depends_on = [docker_registry_image.push]
@@ -137,8 +143,8 @@ resource "google_service_account" "invoker_service_account" {
 
 # Give the above service account permissions to execute the CloudRun service
 resource "google_cloud_run_service_iam_member" "invoker" {
-  service  = google_cloud_run_service.service.name
-  location = google_cloud_run_service.service.location
+  service  = google_cloud_run_v2_service.service.name
+  location = google_cloud_run_v2_service.service.location
   role     = "roles/run.invoker"
   member   = "serviceAccount:${google_service_account.invoker_service_account.email}"
 }

cloud/gcp/deploytf/.nitric/modules/service/outputs.tf

@@ -1,5 +1,5 @@
 output "service_endpoint" { 
-  value = google_cloud_run_service.service.status[0].url
+  value = google_cloud_run_v2_service.service.uri
 }
 
 output "service_account_email" {
@@ -15,5 +15,5 @@ output "event_token" {
 }
 
 output "service_name" {
-  value = google_cloud_run_service.service.name
+  value = google_cloud_run_v2_service.service.name
 }

cloud/gcp/deploytf/.nitric/modules/service/variables.tf

@@ -75,4 +75,9 @@ variable "region" {
 variable "base_compute_role" {
     description = "The base compute role to use for the service"
     type        = string
+}
+
+variable "artifact_registry_repository" {
+    description = "The base URI for the artifact registry repository the push this services image to"
+    type        = string
 }

cloud/gcp/deploytf/.nitric/modules/stack/main.tf

@@ -96,4 +96,12 @@ resource "google_project_iam_custom_role" "base_role" {
   role_id      = "${replace(random_id.stack_id.hex, "-", "_")}_svc_base_role"
   title        = "${random_id.stack_id.hex} service base role"
   permissions = local.base_compute_permissions
+}
+
+# Deploy a artifact registry repository
+resource "google_artifact_registry_repository" "service-image-repo" {
+  location      = var.location
+  repository_id = "${var.stack_name}-services"
+  description   = "service images for nitric stack ${var.stack_name}"
+  format        = "DOCKER"
 }

cloud/gcp/deploytf/.nitric/modules/stack/outputs.tf

@@ -10,4 +10,9 @@ output "base_compute_role" {
 
 output "iam_roles" {
   value = module.iam_roles
+}
+
+output "container_registry_uri" {
+  value = "${var.location}-docker.pkg.dev/${data.google_project.project.project_id}/${google_artifact_registry_repository.service-image-repo.name}"
+  description = "The name of the container registry repository"
 }

cloud/gcp/deploytf/.nitric/modules/stack/variables.tf

@@ -1,4 +1,9 @@
 variable "stack_name" {
   description = "The name of the nitric stack"
   type        = string
+}
+
+variable "location" {
+  description = "The location to deploy the stack"
+  type        = string
 }

cloud/gcp/deploytf/deploy.go

@@ -20,9 +20,9 @@ import (
 
 	"github.com/aws/jsii-runtime-go"
 	dockerprovider "github.com/cdktf/cdktf-provider-docker-go/docker/v11/provider"
-	"github.com/cdktf/cdktf-provider-google-go/google/v13/datagoogleclientconfig"
-	gcpprovider "github.com/cdktf/cdktf-provider-google-go/google/v13/provider"
-	gcpbetaprovider "github.com/cdktf/cdktf-provider-googlebeta-go/googlebeta/v13/provider"
+	"github.com/cdktf/cdktf-provider-google-go/google/v14/datagoogleclientconfig"
+	gcpprovider "github.com/cdktf/cdktf-provider-google-go/google/v14/provider"
+	gcpbetaprovider "github.com/cdktf/cdktf-provider-googlebeta-go/googlebeta/v14/provider"
 	"github.com/hashicorp/terraform-cdk-go/cdktf"
 	"github.com/nitrictech/nitric/cloud/common/deploy"
 	"github.com/nitrictech/nitric/cloud/common/deploy/provider"
@@ -56,6 +56,7 @@ type NitricGcpTerraformProvider struct {
 	Queues         map[string]queue.Queue
 	KeyValueStores map[string]keyvalue.Keyvalue
 	Websockets     map[string]websocket.Websocket
+	RawAttributes  map[string]interface{}
 
 	provider.NitricDefaultOrder
 }
@@ -75,6 +76,8 @@ func (a *NitricGcpTerraformProvider) Init(attributes map[string]interface{}) err
 		return status.Errorf(codes.InvalidArgument, "Bad stack configuration: %s", err)
 	}
 
+	a.RawAttributes = attributes
+
 	return nil
 }
 
@@ -83,32 +86,65 @@ func (a *NitricGcpTerraformProvider) Init(attributes map[string]interface{}) err
 //go:embed .nitric/modules/**/*
 var modules embed.FS
 
+func (a *NitricGcpTerraformProvider) RequiredProviders() map[string]interface{} {
+	return map[string]interface{}{
+		"google": map[string]string{
+			"source":  "hashicorp/google",
+			"version": "~> 6.12.0",
+		},
+		"google-beta": map[string]string{
+			"source":  "hashicorp/google-beta",
+			"version": "~> 6.12.0",
+		},
+	}
+}
+
 func (a *NitricGcpTerraformProvider) CdkTfModules() (string, fs.FS, error) {
 	return ".nitric/modules", modules, nil
 }
 
-func (a *NitricGcpTerraformProvider) Pre(stack cdktf.TerraformStack, resources []*deploymentspb.Resource) error {
+func (a *NitricGcpTerraformProvider) prepareGcpProviders(stack cdktf.TerraformStack) {
+	impersonateSa, impersonateOk := a.RawAttributes["impersonate"].(string)
+
 	tfRegion := cdktf.NewTerraformVariable(stack, jsii.String("region"), &cdktf.TerraformVariableConfig{
 		Type:        jsii.String("string"),
 		Default:     jsii.String(a.Region),
 		Description: jsii.String("The GCP region to deploy resources to"),
 	})
 
-	gcpprovider.NewGoogleProvider(stack, jsii.String("gcp"), &gcpprovider.GoogleProviderConfig{
-		Region:  tfRegion.StringValue(),
-		Project: jsii.String(a.GcpConfig.ProjectId),
-	})
+	if impersonateSa != "" && impersonateOk {
+		gcpprovider.NewGoogleProvider(stack, jsii.String("gcp"), &gcpprovider.GoogleProviderConfig{
+			Region:                    tfRegion.StringValue(),
+			Project:                   jsii.String(a.GcpConfig.ProjectId),
+			ImpersonateServiceAccount: jsii.String(impersonateSa),
+		})
+
+		gcpbetaprovider.NewGoogleBetaProvider(stack, jsii.String("gcp_beta"), &gcpbetaprovider.GoogleBetaProviderConfig{
+			Region:                    tfRegion.StringValue(),
+			Project:                   jsii.String(a.GcpConfig.ProjectId),
+			ImpersonateServiceAccount: jsii.String(impersonateSa),
+		})
+	} else {
+		gcpprovider.NewGoogleProvider(stack, jsii.String("gcp"), &gcpprovider.GoogleProviderConfig{
+			Region:  tfRegion.StringValue(),
+			Project: jsii.String(a.GcpConfig.ProjectId),
+		})
+
+		gcpbetaprovider.NewGoogleBetaProvider(stack, jsii.String("gcp_beta"), &gcpbetaprovider.GoogleBetaProviderConfig{
+			Region:  tfRegion.StringValue(),
+			Project: jsii.String(a.GcpConfig.ProjectId),
+		})
+	}
+}
 
-	gcpbetaprovider.NewGoogleBetaProvider(stack, jsii.String("gcp_beta"), &gcpbetaprovider.GoogleBetaProviderConfig{
-		Region:  tfRegion.StringValue(),
-		Project: jsii.String(a.GcpConfig.ProjectId),
-	})
+func (a *NitricGcpTerraformProvider) Pre(stack cdktf.TerraformStack, resources []*deploymentspb.Resource) error {
+	a.prepareGcpProviders(stack)
 
 	googleConf := datagoogleclientconfig.NewDataGoogleClientConfig(stack, jsii.String("gcp_client_config"), &datagoogleclientconfig.DataGoogleClientConfigConfig{})
 
 	var registryAuths []dockerprovider.DockerProviderRegistryAuth = []dockerprovider.DockerProviderRegistryAuth{
 		{
-			Address:  jsii.String("https://gcr.io"),
+			Address:  jsii.Sprintf("%s-docker.pkg.dev", a.Region),
 			Username: jsii.String("oauth2accesstoken"),
 			Password: googleConf.AccessToken(),
 		},
@@ -119,6 +155,7 @@ func (a *NitricGcpTerraformProvider) Pre(stack cdktf.TerraformStack, resources [
 	})
 
 	a.Stack = tfstack.NewStack(stack, jsii.String("stack"), &tfstack.StackConfig{
+		Location:  jsii.String(a.Region),
 		StackName: jsii.String(a.StackName),
 	})
 

cloud/gcp/deploytf/generated/constraints.json

@@ -1,4 +1,4 @@
 {
-  "cdktf": "0.20.8",
+  "cdktf": "0.20.10",
   "providers": {}
 }

cloud/gcp/deploytf/generated/service/Service.go

@@ -14,6 +14,8 @@ import (
 // Source at ./.nitric/modules/service
 type Service interface {
 	cdktf.TerraformModule
+	ArtifactRegistryRepository() *string
+	SetArtifactRegistryRepository(val *string)
 	BaseComputeRole() *string
 	SetBaseComputeRole(val *string)
 	// Experimental.
@@ -106,6 +108,16 @@ type jsiiProxy_Service struct {
 	internal.Type__cdktfTerraformModule
 }
 
+func (j *jsiiProxy_Service) ArtifactRegistryRepository() *string {
+	var returns *string
+	_jsii_.Get(
+		j,
+		"artifactRegistryRepository",
+		&returns,
+	)
+	return returns
+}
+
 func (j *jsiiProxy_Service) BaseComputeRole() *string {
 	var returns *string
 	_jsii_.Get(
@@ -444,6 +456,17 @@ func NewService_Override(s Service, scope constructs.Construct, id *string, conf
 	)
 }
 
+func (j *jsiiProxy_Service)SetArtifactRegistryRepository(val *string) {
+	if err := j.validateSetArtifactRegistryRepositoryParameters(val); err != nil {
+		panic(err)
+	}
+	_jsii_.Set(
+		j,
+		"artifactRegistryRepository",
+		val,
+	)
+}
+
 func (j *jsiiProxy_Service)SetBaseComputeRole(val *string) {
 	if err := j.validateSetBaseComputeRoleParameters(val); err != nil {
 		panic(err)

cloud/gcp/deploytf/generated/service/ServiceConfig.go

@@ -13,6 +13,8 @@ type ServiceConfig struct {
 	Providers *[]interface{} `field:"optional" json:"providers" yaml:"providers"`
 	// Experimental.
 	SkipAssetCreationFromLocalModules *bool `field:"optional" json:"skipAssetCreationFromLocalModules" yaml:"skipAssetCreationFromLocalModules"`
+	// The base URI for the artifact registry repository the push this services image to.
+	ArtifactRegistryRepository *string `field:"required" json:"artifactRegistryRepository" yaml:"artifactRegistryRepository"`
 	// The base compute role to use for the service.
 	BaseComputeRole *string `field:"required" json:"baseComputeRole" yaml:"baseComputeRole"`
 	// Environment variables to set on the lambda function The property type contains a map, they have special handling, please see {@link cdk.tf /module-map-inputs the docs}.