
Commit df677ad

authored
Merge pull request #367 from PolicyEngine/chore/bill
Automatically untag all but the 40 newest deployed simulation API versions (including at least 1 each of UK and US)
2 parents fc9a020 + 5eba750 commit df677ad


16 files changed

+1873
-27
lines changed


.github/workflows/gcp-deploy.reusable.yml

Lines changed: 58 additions & 11 deletions
@@ -24,6 +24,7 @@ jobs:
2424
outputs:
2525
full_api_url: ${{ steps.deploy_infra.outputs.full_api_url }}
2626
simulation_api_url: ${{ steps.deploy_infra.outputs.simulation_api_url }}
27+
tagger_api_url: ${{ steps.deploy_infra.outputs.tagger_api_url }}
2728
us_model_version: ${{ steps.deploy_infra.outputs.us_model_version }}
2829
uk_model_version: ${{ steps.deploy_infra.outputs.uk_model_version }}
2930
environment: ${{ inputs.environment }}
@@ -112,29 +113,34 @@ jobs:
112113
terraform output -json > terraform_output.json
113114
FULL_API_URL=$(cat terraform_output.json | jq -r '.full_api_url.value // empty')
114115
SIMULATION_API_URL=$(cat terraform_output.json | jq -r '.simulation_api_url.value // empty')
115-
116+
TAGGER_API_URL=$(cat terraform_output.json | jq -r '.tagger_api_url.value // empty')
117+
116118
# Extract model versions from release_metadata
117119
US_MODEL_VERSION=$(cat terraform_output.json | jq -r '.release_metadata.value.models.us // empty')
118120
UK_MODEL_VERSION=$(cat terraform_output.json | jq -r '.release_metadata.value.models.uk // empty')
119-
121+
120122
# If outputs are not available from terraform, construct them
121123
if [ -z "$FULL_API_URL" ]; then
122124
FULL_API_URL="https://full-api-${{ vars.REGION }}-uc.a.run.app"
123125
fi
124126
if [ -z "$SIMULATION_API_URL" ]; then
125127
SIMULATION_API_URL="https://api-simulation-${{ vars.REGION }}-uc.a.run.app"
126128
fi
127-
129+
if [ -z "$TAGGER_API_URL" ]; then
130+
TAGGER_API_URL="https://tagger-api-${{ vars.REGION }}-uc.a.run.app"
131+
fi
132+
128133
# If model versions are not available from terraform, use the ones from package extraction
129134
if [ -z "$US_MODEL_VERSION" ]; then
130135
US_MODEL_VERSION="${{ steps.versions.outputs.us_version }}"
131136
fi
132137
if [ -z "$UK_MODEL_VERSION" ]; then
133138
UK_MODEL_VERSION="${{ steps.versions.outputs.uk_version }}"
134139
fi
135-
140+
136141
echo "full_api_url=${FULL_API_URL}" >> "$GITHUB_OUTPUT"
137142
echo "simulation_api_url=${SIMULATION_API_URL}" >> "$GITHUB_OUTPUT"
143+
echo "tagger_api_url=${TAGGER_API_URL}" >> "$GITHUB_OUTPUT"
138144
echo "us_model_version=${US_MODEL_VERSION}" >> "$GITHUB_OUTPUT"
139145
echo "uk_model_version=${UK_MODEL_VERSION}" >> "$GITHUB_OUTPUT"
140146
@@ -143,24 +149,44 @@ jobs:
143149
run: |
144150
# Get the metadata bucket name from terraform output
145151
METADATA_BUCKET=$(terraform output -raw metadata_bucket_name)
146-
152+
147153
# Get the release metadata JSON
148154
RELEASE_METADATA=$(terraform output -json release_metadata)
149-
155+
150156
# Upload metadata files to GCS bucket
151157
# Upload live.json
152158
echo "$RELEASE_METADATA" | gcloud storage cp - "gs://${METADATA_BUCKET}/live.json"
153-
159+
154160
# Upload version-tagged metadata for US model
155161
US_VERSION="${{ steps.versions.outputs.us_version }}"
156162
echo "$RELEASE_METADATA" | gcloud storage cp - "gs://${METADATA_BUCKET}/us.${US_VERSION}.json"
157-
163+
158164
# Upload version-tagged metadata for UK model
159165
UK_VERSION="${{ steps.versions.outputs.uk_version }}"
160166
echo "$RELEASE_METADATA" | gcloud storage cp - "gs://${METADATA_BUCKET}/uk.${UK_VERSION}.json"
161-
167+
162168
echo "Tagged API versions: US=${US_VERSION}, UK=${UK_VERSION}"
163169
170+
- name: Update deployments manifest
171+
working-directory: deployment/terraform/infra
172+
run: |
173+
METADATA_BUCKET=$(terraform output -raw metadata_bucket_name)
174+
REVISION=$(terraform output -json release_metadata | jq -r '.revision')
175+
US_VERSION="${{ steps.versions.outputs.us_version }}"
176+
UK_VERSION="${{ steps.versions.outputs.uk_version }}"
177+
178+
../../../scripts/update-deployments-manifest.sh \
179+
"$METADATA_BUCKET" \
180+
"$REVISION" \
181+
"$US_VERSION" \
182+
"$UK_VERSION"
183+
184+
- name: Cleanup old revisions
185+
working-directory: deployment/terraform/infra
186+
run: |
187+
TAGGER_URL=$(terraform output -raw tagger_api_url)
188+
../../../scripts/cleanup-old-revisions.sh "$TAGGER_URL" 40
189+
164190
integ_test:
165191
name: Run integration test
166192
needs: [deploy]
@@ -208,11 +234,22 @@ jobs:
208234
token_format: "id_token"
209235
id_token_audience: ${{ needs.deploy.outputs.simulation_api_url }}
210236
id_token_include_email: true
211-
237+
238+
- name: Auth as tester SA for tagger API
239+
id: get-tagger-id-token
240+
uses: "google-github-actions/auth@v2"
241+
with:
242+
workload_identity_provider: "${{ vars._GITHUB_IDENTITY_POOL_PROVIDER_NAME }}"
243+
service_account: "tester@${{ vars.PROJECT_ID }}.iam.gserviceaccount.com"
244+
token_format: "id_token"
245+
id_token_audience: ${{ needs.deploy.outputs.tagger_api_url }}
246+
id_token_include_email: true
247+
212248
- name: Mask ID tokens
213249
run: |
214250
echo "::add-mask::${{steps.get-full-id-token.outputs.id_token}}"
215251
echo "::add-mask::${{steps.get-simulation-id-token.outputs.id_token}}"
252+
echo "::add-mask::${{steps.get-tagger-id-token.outputs.id_token}}"
216253
217254
- name: Generate API clients
218255
run: |
@@ -222,11 +259,21 @@ jobs:
222259
run: |
223260
cd projects/policyengine-apis-integ
224261
uv sync --extra test
225-
uv run pytest tests/ -v
262+
# For beta: run all tests including beta_only
263+
# For prod: exclude beta_only tests
264+
if [ "${{ inputs.environment }}" = "beta" ]; then
265+
echo "Running all integration tests (including beta_only)"
266+
uv run pytest tests/ -v
267+
else
268+
echo "Running integration tests (excluding beta_only)"
269+
uv run pytest tests/ -v -m "not beta_only"
270+
fi
226271
env:
227272
full_integ_test_access_token: ${{ steps.get-full-id-token.outputs.id_token }}
228273
full_integ_test_base_url: ${{ needs.deploy.outputs.full_api_url }}
229274
simulation_integ_test_access_token: ${{ steps.get-simulation-id-token.outputs.id_token }}
230275
simulation_integ_test_base_url: ${{ needs.deploy.outputs.simulation_api_url }}
276+
tagger_integ_test_access_token: ${{ steps.get-tagger-id-token.outputs.id_token }}
277+
tagger_integ_test_base_url: ${{ needs.deploy.outputs.tagger_api_url }}
231278
workflow_integ_test_project_id: ${{ vars.PROJECT_ID }}
232279
workflow_integ_test_us_model_version: ${{ needs.deploy.outputs.us_model_version }}
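Review bot: In the new `Update deployments manifest` step, `REVISION=$(terraform output -json release_metadata | jq -r '.revision')` prints the literal string `null` when the key is absent, so the manifest script would be handed `"null"` instead of the step failing; the deploy-info step earlier in this file already uses the `// empty` idiom on the same JSON, so `REVISION=$(terraform output -json release_metadata | jq -r '.revision // empty')` followed by `[ -n "$REVISION" ] || { echo "release_metadata has no revision" >&2; exit 1; }` keeps the two consistent and fails loudly. The `Cleanup old revisions` step sits inside the deploy job, so untagging (with the limit hard-coded as `40`) runs before `integ_test` (which `needs: [deploy]`) has verified the new deployment; consider moving it to a job that needs `integ_test`, and lifting `40` into a workflow input with a documented default, so a failed integration test does not leave the previous revisions already untagged. Both the deploy job's `steps` list and the `integ_test` job continue outside this section.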

deployment/terraform/infra/main.tf

Lines changed: 12 additions & 7 deletions
@@ -49,10 +49,16 @@ module "cloud_run_tagger_api" {
4949
description = "API used to tag revisions for simulation api given a specific country package version"
5050
docker_repo = "policyengine-api-tagger"
5151
container_tag = var.tagger_container_tag
52-
members_can_invoke = ["serviceAccount:tester@${var.project_id}.iam.gserviceaccount.com"]
52+
members_can_invoke = [
53+
"serviceAccount:tester@${var.project_id}.iam.gserviceaccount.com",
54+
"serviceAccount:deploy@${var.project_id}.iam.gserviceaccount.com"
55+
]
5356

5457
env = {
55-
metadata_bucket_name = google_storage_bucket.metadata.name
58+
metadata_bucket_name = google_storage_bucket.metadata.name
59+
simulation_service_name = "api-simulation"
60+
project_id = var.project_id
61+
region = var.region
5662
}
5763

5864
limits = {
@@ -76,15 +82,14 @@ module "cloud_run_tagger_api" {
7682
enable_uptime_check = var.is_prod ? true : false
7783
}
7884

79-
#give the tagger api access to the bucket
85+
# Give the tagger api read/write/delete access to the bucket for metadata management
8086
resource "google_storage_bucket_iam_member" "bucket_iam_tagger_member" {
8187
bucket = google_storage_bucket.metadata.name
82-
role = "roles/storage.objectViewer" # Example: Grant object viewer role
83-
member = "serviceAccount:${module.cloud_run_tagger_api.sa_email}" # Example: Grant access to a user
88+
role = "roles/storage.objectAdmin"
89+
member = "serviceAccount:${module.cloud_run_tagger_api.sa_email}"
8490
}
8591

86-
#give permission to get and update cloudrun services (for tagging revisions)
87-
#if you don't define your own permissions the closest role is run.developer which seems a bit expansive.
92+
# Give permission to get/update cloudrun services (for tagging and cleanup)
8893
resource "google_project_iam_custom_role" "cloudrun_service_updater" {
8994
role_id = "cloudRunServiceUpdater"
9095
title = "Cloud Run Service Updater"
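Review bot: The rewritten comment on `cloudrun_service_updater` drops the rationale the old one carried (that `run.developer`, the nearest predefined role, was judged too broad), and since the role's `permissions` list lies outside this hunk the new `(for tagging and cleanup)` wording gives a reader no way to tell which Cloud Run permissions cleanup actually relies on. Suggest keeping the rationale and naming the operations, e.g. `# Custom role: run.developer is the nearest predefined role but broader than needed; this grants only what the tagger API uses to get/update Cloud Run services for tagging and revision cleanup` (adjust to match the permissions actually listed below). Separately, the bucket binding moves from `roles/storage.objectViewer` to `roles/storage.objectAdmin`, which lets the tagger SA delete any object in the metadata bucket, `live.json` included; a one-line comment stating which objects cleanup is expected to remove, and whether the bucket has a versioning or soft-delete safety net, would help future reviewers judge the blast radius. The module block and the custom role resource both continue outside the hunks shown.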
