Merge branch '52-tweak-ingress-var' into 'master'

Allow ingress override when using load balancer Closes #52 See merge request !66

Merge branch '52-tweak-ingress-var' into 'master'
Allow ingress override when using load balancer Closes #52 See merge request !66
6d3702f8 · Ryan Kowalewski · 1625c75c · 64adc94c · 6d3702f8 · 6d3702f8
Commit 6d3702f8 authored 9 months ago by Ryan Kowalewski
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
 include:
  - project: "uis/devops/continuous-delivery/ci-templates"
    file: "/terraform-module.yml"
-    ref: "v3.7.0"
+    ref: "v4.2.0"
  - project: "uis/devops/continuous-delivery/ci-templates"
    file: "/pre-commit.yml"
-    ref: "v3.7.0"
+    ref: "v4.2.0"
  - project: "uis/devops/continuous-delivery/ci-templates"
    file: "/auto-devops/release-it.yml"
-    ref: "v3.7.0"
+    ref: "v4.2.0"
  - project: "uis/devops/continuous-delivery/ci-templates"
    file: "/commitlint.yml"
-    ref: "v3.7.0"
+    ref: "v4.2.0"

 variables:
  LOGAN_IMAGE: registry.gitlab.developers.cam.ac.uk/uis/devops/infra/dockerimages/logan-terraform:1.6

--- a/README.md
+++ b/README.md
@@ -70,7 +70,7 @@ For more information on how the pre-deploy Cloud Run job works see the
 | <a name="input_encryption_key"></a> [encryption\_key](#input\_encryption\_key) | The ID of a customer managed encryption key (CMEK) to use to encrypt this<br>container image. | `string` | `null` | no |
 | <a name="input_execution_environment"></a> [execution\_environment](#input\_execution\_environment) | The sandbox environment to host this revision. Possible values are<br>EXECUTION\_ENVIRONMENT\_GEN1, and EXECUTION\_ENVIRONMENT\_GEN2. | `string` | `"EXECUTION_ENVIRONMENT_GEN1"` | no |
 | <a name="input_grant_sql_client_role_to_webapp_sa"></a> [grant\_sql\_client\_role\_to\_webapp\_sa](#input\_grant\_sql\_client\_role\_to\_webapp\_sa) | When set to true the roles/cloudsql.client role will be granted to the webapp<br>service account at the project level to allow it to connect to Cloud SQL. | `bool` | `false` | no |
-| <a name="input_ingress"></a> [ingress](#input\_ingress) | The ingress setting for the Cloud Run service. Possible values are<br>INGRESS\_TRAFFIC\_ALL, INGRESS\_TRAFFIC\_INTERNAL\_ONLY, and<br>INGRESS\_TRAFFIC\_INTERNAL\_LOAD\_BALANCER.<br><br>If var.use\_load\_balancer == true, the provided var.ingress will be ignored and<br>the ingress will be set automatically to<br>"INGRESS\_TRAFFIC\_INTERNAL\_LOAD\_BALANCER". | `string` | `"INGRESS_TRAFFIC_ALL"` | no |
+| <a name="input_ingress"></a> [ingress](#input\_ingress) | The ingress setting for the Cloud Run service. Possible values are<br>INGRESS\_TRAFFIC\_ALL, INGRESS\_TRAFFIC\_INTERNAL\_ONLY, and<br>INGRESS\_TRAFFIC\_INTERNAL\_LOAD\_BALANCER. | `string` | `null` | no |
 | <a name="input_launch_stage"></a> [launch\_stage](#input\_launch\_stage) | The launch stage for the Cloud Run service. Possible values are UNIMPLEMENTED,<br>PRELAUNCH, EARLY\_ACCESS, ALPHA, BETA, GA, and DEPRECATED. | `string` | `"GA"` | no |
 | <a name="input_max_instance_request_concurrency"></a> [max\_instance\_request\_concurrency](#input\_max\_instance\_request\_concurrency) | Sets the maximum number of requests that each serving instance can receive. | `number` | `null` | no |
 | <a name="input_min_ports_per_vm"></a> [min\_ports\_per\_vm](#input\_min\_ports\_per\_vm) | When using Cloud NAT to provide an egress route, Cloud NAT's minimum ports per<br>VM can be configured to determine how many concurrent connections can be<br>established to the same destination IP address and port. | `number` | `64` | no |

--- a/locals.tf
+++ b/locals.tf
@@ -4,7 +4,9 @@ locals {
  # Project containing existing Cloud SQL instance.
  sql_instance_project = coalesce(var.sql_instance_project, var.project)

-  ingress = var.enable_load_balancer ? "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER" : var.ingress
+  ingress = var.enable_load_balancer && var.ingress == null ? "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER" : (
+    var.ingress == null ? "INGRESS_TRAFFIC_ALL" : var.ingress
+  )

  # Whether we should monitor the custom domain - only possible if there are a dns names set and unauthenticated
  # invocation is enabled.

--- a/tests/load_balancer.tftest.hcl
+++ b/tests/load_balancer.tftest.hcl
@@ -101,3 +101,24 @@ run "test_service_with_default_variable_values_and_load_balancer_enabled" {
    error_message = "A https proxy resource should be created by the load balancer module."
  }
 }
+
+run "test_service_with_load_balancer_enabled_and_ingress_set_to_allow_all" {
+  variables {
+    name                 = run.setup.random_name
+    enable_load_balancer = true
+    ingress              = "INGRESS_TRAFFIC_ALL"
+    dns_names = {
+      webapp = "${run.setup.random_name}.test.example.gcp.uis.cam.ac.uk"
+    }
+    containers = {
+      webapp = {
+        image = "us-docker.pkg.dev/cloudrun/container/hello"
+      }
+    }
+  }
+
+  assert {
+    condition     = google_cloud_run_v2_service.webapp.ingress == "INGRESS_TRAFFIC_ALL"
+    error_message = "Ingress should be 'INGRESS_TRAFFIC_ALL'."
+  }
+}
--- a/variables.tf
+++ b/variables.tf
@@ -48,13 +48,9 @@ variable "ingress" {
 The ingress setting for the Cloud Run service. Possible values are
 INGRESS_TRAFFIC_ALL, INGRESS_TRAFFIC_INTERNAL_ONLY, and
 INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER.
-
-If var.use_load_balancer == true, the provided var.ingress will be ignored and
-the ingress will be set automatically to
-"INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER".
 EOI
  type        = string
-  default     = "INGRESS_TRAFFIC_ALL"
+  default     = null
 }

 variable "launch_stage" {