App Engine Service Split Traffic resource

[khanali21]

• Added custom_create in custom_code.
• Added appengine service resource

Release Note for Downstream PRs (will be copied)

`google_app_engine_service_split_traffic`

[modular-magician]

Hello! I am a robot who works on Magic Modules PRs.

I have detected that you are a community contributor, so your PR will be assigned to someone with a commit-bit on this repo for initial review. They will authorize it to run through our CI pipeline, which will generate downstream PRs.

Thanks for your contribution! A human will be with you soon.

@emilymye, please review this PR or find an appropriate assignee.

[khanali21]

@rileykarson I noticed that there is no option for the custom_create code in the generator. I thought it fitting to add this. This helps in Appengine Service Resource which does not have Create method.

If custom_create was not deliberately added, then I can move the resource under third_party as the custom resource.

Thanks
Ali

[khanali21]

Example template to follow.

[rileykarson]

For Terraform, I think we want to expose this under another name than Service. Since a service can't be (directly) created, I think it would be confusing to have a google_app_engine_service resource defined that depended on a version creating the service.

As a user, I'd expect my config to look like:

resource "google_app_engine_service" "frontend" {
  id = "my-frontend-service"
  
} 

resource "google_app_engine_standard_app_version" "frontend_v2" {
  version_id = "v2"
  service = google_app_engine_service.frontend.id

  ...
}

When in reality, it's more likely to be like this, because the dependency is flipped:

resource "google_app_engine_standard_app_version" "frontend_v2" {
  version_id = "v2"
  service = "my-frontend-service"

  ...
}

resource "google_app_engine_service" "frontend" {
  id = google_app_engine_standard_version.frontend_v2.service
  
} 

Instead, I'd lean towards exposing the resource as google_app_engine_service_traffic_split. I believe we can override the name value in terraform.yaml to accomplish that, but if not we'll need to add a duplicate entry in api.yaml.

[rileykarson]

Like StandardVersion, this is going to end up a bit of an atypical resource. Per my comment above, I think we should focus on the traffic splitting scenario since it's the only configurable portion of a service, and we should make this resource apply the specified traffic split on Create as well as Update.

[rileykarson]

Suggested change

	required: false
	required: true

Since the resource doesn't do anything else, I'm incline to make the traffic split required: true

[rileykarson]

Suggested change

	update_url: 'apps/{{project}}/services/{{service_id}}?migrateTraffic=False&updateMask=split'
	update_url: 'apps/{{project}}/services/{{service_id}}?migrateTraffic={{migrateTraffic}}'

We can expose migrateTraffic as configurable. If you add it to parameters: (instead of properties:), and make it url_param_only: true in terraform.yaml, this should work as intended.

The update mask should be appended automatically by setting update_mask: true.

[rileykarson]

To answer your question, this not existing was just a matter of not needing it yet.

[rileykarson]

Instead of doing nothing on update, what if we set the traffic split on create as well? This would mirror the IAM Policy resources that immediately set their values on create.

Setting immediately on singleton resources like this is a little unfortunate- Terraform won't show the old values in plan. On the other hand, it means that creating the resource actually does something, and the resource won't effectively always permadiff. IMO that matches to our expectations better, especially given the precedent in IAM.

To accomplish this, you can set the create_url to the same value as the update_url and create_verb to PATCH in api.yaml.

[rileykarson]

Doing this may require using a custom encoder to add an update mask on create, since we haven't added a resource doing an HTTP PATCH on Terraform Create action before.

[khanali21]

Not sure whether I need to add create_encoder in this case. So there are two things:

1. Having updateMask in the create_url, I think this can be handled by just adding the constant like:

    create_url: 'apps/{{project}}/services/{{service_id}}?{{migrateTraffic}}&updateMask=split'

2. Identifying if we need to add shardBy also in the updateMask (I am looking into it)

[rileykarson]

Is one of these values automatically selected by the API? Or does it actually return UNSPECIFIED?

[khanali21]

I am going to test it shortly

[rileykarson]

Did you get a chance to test?

[rileykarson]

This feels required: true. Did you find it wasn't the case?

[khanali21]

@rileykarson Struggling with few things:

1. The create_verb can only be PUT and POST. Do you think I should modify ruby code to allow PATCH as the create_verb too.
2. The update_mask true includes the id field as well, however I want only one field "split" to be part of the updateMask, i.e. updateMask=split
3. I don't see the need for overriding name, as I changed the name of the resource and then also updated the resourceref for the Version resource. Let me know if there is any other need for name override. BTW I could not find how override the name, I did find legacy_name but could not make it work as intended. Can you tell me if that is the right one.

thanks

[khanali21]

@rileykarson Kindly review this. I have made all the required changes, One question is still open.
Q. Should I just override the delete with no op as there is no deletion applicable in this resource.

[khanali21]

resource "google_storage_bucket" "bucket" {
	name = "<%= ctx[:vars]['bucket_name'] %>"
}

resource "google_storage_bucket_object" "object" {
	name   = "hello-world.zip"
	bucket = "${google_storage_bucket.bucket.name}"
	source = "./test-fixtures/appengine/hello-world.zip"
}

resource "google_app_engine_standard_app_version" "myapp_v1" {
  version_id = "v1"
  service = "myapp2"
  runtime = "nodejs10"
  noop_on_destroy = true
  entrypoint {
    shell = "node ./app.js"
  }
  deployment {
    zip {
      source_url = "https://storage.googleapis.com/${google_storage_bucket.bucket.name}/hello-world.zip"
    }  
  }
  env_variables = {
    port = "8080"
  } 

}
resource "google_app_engine_standard_app_version" "myapp_v2" {
  version_id = "v2"
  service = "myapp2"
  runtime = "nodejs10"
  noop_on_destroy = true
  entrypoint {
    shell = "node ./app.js"
  }
  deployment {
    zip {
      source_url = "https://storage.googleapis.com/${google_storage_bucket.bucket.name}/hello-world.zip"
    }  
  }
  env_variables = {
    port = "8080"
  } 

}

resource "google_app_engine_service_split_traffic" "myapp2" {
  service_id = "${google_app_engine_standard_app_version.myapp_v2.service}"
  migrate_traffic = false
  split {
    shard_by = "IP"
    allocations = {
      v1 = 0.75
      v2 = 0.25
    }
  }
}

[rileykarson]

Sorry! I had some other work to get done yesterday and didn't have time to make a review pass.

Per your questions;

1. Yep, adding it was correct. I'm not sure why we restrict the list of verbs allowed.
2. If you make the id / service (renamed based on my comment below) field url_param_only, it will be excluded from the update_mask.
3. Sorry! I changed my mind a little since before, do you actually mind defining it as an entirely separate resource in api.yaml?
4. Sounds good to me- I don't think there's a meaningful deletion state for a service's traffic, so deletion doing nothing makes the most sense.

[rileykarson]

Instead of renaming Service, would you mind duplicating this into a separate resource definition? It feels a little silly, but it's the best way to represent fine-grained resources right now.

[rileykarson]

This will also require exclusions in Ansible / InSpec for the Magician to work.

[rileykarson]

We have some liberty in terms of what we can call this field because it doesn't actually correspond to any fields we care about in the API. What do you think of service instead of id/service_id?

[rileykarson]

wdyt here?

[khanali21]

@rileykarson Please review now.

Also here is my loud thinking on this:

Use case 1:
a) Enable appengine using google_app_engine_application resource
b) Create a new service named e.g. "myapp" and upload the code as v1 using google_app_engine_standard_app_version resource. (Please note that the service is automatically created if it is not existing). Use the noop_on_destroy to ensure that this version does not get deleted.
c) Create another version v2 for service myapp using google_app_engine_standard_app_version resource.
d) Split the traffic using the google_app_engine_service_split_traffic resource.

Problem: In this use case terraform destroy will leave the service myapp and version v1 when destroying all the resources.

Solution: Use the google_app_engine_service resource to delete the final version. For this we shall need the google_app_engine_service resource as I did in the first iteration which will ignore the create but allow deletion.

[khanali21]

@rileykarson Can you please review this. And give your comments.

[modular-magician]

Hi! I'm the modular magician, I work on Magic Modules.
This PR seems not to have generated downstream PRs before, as of b044582.

Pull request statuses

No diff detected in Ansible.
No diff detected in Inspec.

New Pull Requests

I built this PR into one or more new PRs on other repositories, and when those are closed, this PR will also be merged and closed.
depends: hashicorp/terraform-provider-google-beta#1135
depends: GoogleCloudPlatform/terraform-google-conversion#199
depends: hashicorp/terraform-provider-google#4451

[rileykarson]

Instead of an approach that requires adding a google_app_engine_service resource that's only really used for deletion, I'd prefer we add delete_service_on_destroy to google_app_engine_standard_app_version. That boolean would be mutually exclusive with noop_on_destroy, and would delete the service at the same time as that version.

Terraform will process deletion of versions in parallel for most configs; that means that the version that deletes the parent may delete it before the other version is "deleted" by Terraform. That'll be fine, though, deletion succeeds if the parent / resource isn't found.

[rileykarson]

wdyt here?

[rileykarson]

Did you get a chance to test?

[modular-magician]

Hi! I'm the modular magician, I work on Magic Modules.
I see that this PR has already had some downstream PRs generated. Any open downstreams are already updated to your most recent commit, b044582.

Pull request statuses

terraform-provider-google-beta already has an open PR.
terraform-google-conversion already has an open PR.
terraform-provider-google already has an open PR.
No diff detected in Ansible.
No diff detected in Inspec.

New Pull Requests

I didn't open any new pull requests because of this PR.

[rileykarson]

As long as we're not using this, do you mind removing it + the changes in resource.erb? I'd rather not add unused code.

[modular-magician]

Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are.

Diff report:

Terraform GA: Diff ( 20 files changed, 697 insertions(+), 94 deletions(-))
Terraform Beta: Diff ( 22 files changed, 705 insertions(+), 113 deletions(-))
TF Conversion: Diff ( 1 file changed, 101 insertions(+))

[khanali21]

@rileykarson DONE :) Had a bad time with this one.... even the changes from resource.erb were not going away git acting up with resolving merge conflict.

[modular-magician]

Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are.

Diff report:

Terraform GA: Diff ( 5 files changed, 647 insertions(+), 2 deletions(-))
Terraform Beta: Diff ( 5 files changed, 647 insertions(+), 2 deletions(-))
TF Conversion: Diff ( 1 file changed, 101 insertions(+))

[rileykarson]

LGTM. Thanks for working through me on the drawn out process to get this resource added! Since AppEngine is one of GCP's oldest APIs, it doesn't tend to fit the model of API behaviour we built MM with, or the model of declarative resources that's evolved since AppEngine's creation.