Add App Engine Application support #1503
Conversation
This should have all the code, but who really knows if it works or not, tbh.
Add a test case that exercises the obvious path, and fix the some of the bugs it exposed.
IAP has no reasonable support policy, because PATCH is broken, and IAP must be configured with an OAuth2 client ID and secret that belongs to the project the app is associated with. There's no programmatic way to create Clients. But we create the project and the app at the same time, and we can't update because PATCH is broken. So this just drops IAP. It also forces all our updates to ForceNew, because we can't update. Also, adds more test coverage and docs, and fixes import by not relying on the config for setting app engine info in state.
google/appengine_operation.go
Outdated
| ) | ||
|
|
||
| var ( | ||
| appEngineOperationIdRE = regexp.MustCompile(fmt.Sprintf("apps/%s/operations/(.*)", ProjectRegex)) |
There was a problem hiding this comment.
I'm sorry this is such a nit to pick, but IdRE bugs me - can it be IdRegex or IdRegEx or IDReg or IdReg or something?
There was a problem hiding this comment.
It can be! I'll push an update for you to approve momentarily.
google/resource_google_project.go
Outdated
| "serving_status": &schema.Schema{ | ||
| Type: schema.TypeString, | ||
| Optional: true, | ||
| ForceNew: true, |
There was a problem hiding this comment.
I remember why this is set this way, and why that's not desirable, but if you could add a comment explaining, that would probably be best.
There was a problem hiding this comment.
Absolutely. I'll also look into just enabling update, because the issues I had with it seem to be gone now that I'm trying to reproduce them o.O
google/resource_google_project.go
Outdated
| if err != nil { | ||
| return err | ||
| } | ||
| log.Printf("[DEBUG] Creating App Engine if %v is true", app != nil) |
There was a problem hiding this comment.
This one might be a little chatty - since we already have "Enabling App Engine", the lack of that tells us everything that this statement tells us.
There was a problem hiding this comment.
Oops, sorry! This was a debug message from when I was figuring out errors. I'll remove it.
|
Did the last commit fix the suggestions, @ndmckinley? |
| if app != nil { | ||
| log.Printf("[DEBUG] Enabling App Engine") | ||
| // enable the app engine APIs so we can create stuff | ||
| if err = enableService("appengine.googleapis.com", project.ProjectId, config); err != nil { |
There was a problem hiding this comment.
Won't this mess with people using google_project_services?
There was a problem hiding this comment.
It's a similar approach taken as for disabling the default network, and is documented similarly. I don't know that there's an alternative unless we don't allow people to create App Engine apps in the same apply they create projects :/
There was a problem hiding this comment.
But wouldn't they already need to enable the resourcemanager api in order to create the project? Couldn't they do that at the same time as the app engine api?
There was a problem hiding this comment.
APIs get enabled on a per-project basis. The project doesn't exist before the project resource's Create function is called, so we can't enable APIs on it beforehand. But by the time the project's Create function is finished, we need the App Engine Admin API enabled, because we're using it. This is the same rationale, I believe, for enabling the compute API when deleting the default network.
The workaround here, if they want to use google_project_services, is to just add the App Engine Admin API to the google_project_services resource, which should (I believe) leave things alone if the API is already enabled.
There was a problem hiding this comment.
Ohhh that makes sense. Thanks!
|
I'm personally not a big fan of embedding this inside the project creation block. For many organizations, projects are centrally created/managed in their own repo while the actual development teams manage what happens inside of them, including app engine. Could we consider separating this into its own resource, like how we have project services separately? |
|
@morgante my understanding is that the implementation you described was attempted, but due to limitations in how destroy would work on an app engine application, you have to destroy the project to destroy the application in the API unfortunately, so for now its coupled so the terraform lifecycle will work properly.
That being said, I believe this issue is being raised with Google to see if we can figure out some other way of addressing it. |
|
Hi @morgante! In this case, I feel like there's a strong case for considering App Engine apps and Google Cloud projects to be the same resource:
Both 1 and 2 of those are not currently possible with Terraform in an elegant way. If we were to make this a separate resource, Terraform would happily report it was deleted when it was, in fact, not, and we have no way of indicating otherwise, except a line in a log that users would mostly never see. And if the user added multiple Because of those reasons, I thought adding it as a sub-block within I do want to make the distinction that this is only for configuring the top-level settings of the App. Further App Engine resources are planned to manage things like versions, services, domain mappings, etc. that will all live as separate resources (or, at least, that's the plan at the moment, pending any implementation troubles). Keep in mind that this resource only allows the configuration of:
I'm also in the process of gathering up the information I obtained implementing this to file an issue with the App Engine team, which will hopefully allow us to offer a |
|
Hi @paddycarver, I missed the part that there's no way to delete the app without deleting the project - in that case, it makes sense to couple their lifecycles. Once you have the information or issue, please do ping me - I can help chase internally. |
|
The rollout of this feature is rather disrupting for existing GAE users: If you have existing TF-managed projects that predate this change (don't have an app_engine block) and have GAE enabled, TF will try to delete the project and recreate it w/o GAE. Is this expected? For our team, this would have meant a bunch of accidentally deleted projects if we hadn't enabled the prevent_destroy option. |
|
@stevewolter I filed a bug on your behalf: #1561 |
|
@danawillow Thanks! |
…engine_app Add App Engine Application support
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks! |
ghost
locked and limited conversation to collaborators
This PR adds an
app_engineblock to thegoogle_projectresource. Adding the block creates an App Engine app associated with the project. App Engine apps cannot be deleted without deleting the project, so we tie the app's lifecycle to the project's. Removing theapp_engineblock from a config should force a project to be recreated, as there's no way to delete or disable it.For whatever reason, we're currently getting a bunch of errors any time we try to update an App Engine app through the API, so every change forces a new resource. This is sub-optimal, as projects can't reuse their IDs, which makes recreating them problematic. This can still be accomplished using the random provider, but isn't very nice. I'll be pursuing better support there, but we need some upstream support on that. I'll follow up on the relevant issues.
The
serving_statusfield is also less useful than it could be, as changing it will force new because of our problems updating. I figure it can at least be read now, and can be set at create, so I included it; when we get the update problems resolved, we can do some more with it, I think.