Commit

Merge remote-tracking branch 'origin/main' into danielpanzella/autosc…
…aling

# Conflicts:
#	README.md
danielpanzella committed Oct 1, 2024
2 parents 96451b3 + efe55f1 commit f7038ce
Showing 6 changed files with 51 additions and 8 deletions.
14 changes: 14 additions & 0 deletions CHANGELOG.md
Expand Up @@ -2,6 +2,20 @@

All notable changes to this project will be documented in this file.

### [5.4.2](https://github.com/wandb/terraform-google-wandb/compare/v5.4.1...v5.4.2) (2024-10-01)


### Bug Fixes

* Use variables for operator helm release ([#173](https://github.com/wandb/terraform-google-wandb/issues/173)) ([0964e71](https://github.com/wandb/terraform-google-wandb/commit/0964e7133786cfdfc863bca6e04c607da0b5e782))

### [5.4.1](https://github.com/wandb/terraform-google-wandb/compare/v5.4.0...v5.4.1) (2024-09-16)


### Bug Fixes

* Allow skipping the modification of the bucket to add our service account's permissions ([#171](https://github.com/wandb/terraform-google-wandb/issues/171)) ([7c949be](https://github.com/wandb/terraform-google-wandb/commit/7c949bee52388b338e837f80a7ca9584fb5105ed))

## [5.4.0](https://github.com/wandb/terraform-google-wandb/compare/v5.3.4...v5.4.0) (2024-09-12)


5 changes: 4 additions & 1 deletion README.md
Expand Up @@ -120,7 +120,7 @@ resources that lack official modules.

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_allowed_inbound_cidrs"></a> [allowed\_inbound\_cidrs](#input\_allowed\_inbound\_cidrs) | Which IPv4 addresses/ranges to allow access. This must be explicitly provided, and by default is set to ["*"] | `list(string)` | <pre>[<br> "*"<br>]</pre> | no |
| <a name="input_allowed_inbound_cidrs"></a> [allowed\_inbound\_cidrs](#input\_allowed\_inbound\_cidrs) | Which IPv4 addresses/ranges to allow access. This must be explicitly provided, and by default is set to ["*"] | `list(string)` | <pre>[<br/> "*"<br/>]</pre> | no |
| <a name="input_allowed_project_names"></a> [allowed\_project\_names](#input\_allowed\_project\_names) | A map of allowed projects where each key is a project number and the value is the connection limit. | `map(number)` | `{}` | no |
| <a name="input_app_wandb_env"></a> [app\_wandb\_env](#input\_app\_wandb\_env) | Extra environment variables for W&B | `map(string)` | `{}` | no |
| <a name="input_bucket_default_encryption"></a> [bucket\_default\_encryption](#input\_bucket\_default\_encryption) | Boolean to determine if a default bucket encryption key should be used. If true, a default key will be created. Takes precedence over `bucket_kms_key_id`. | `bool` | `false` | no |
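Review bot: The `allowed_inbound_cidrs` row touched here carries a description that contradicts itself: it says the value "must be explicitly provided", yet the default is `["*"]`, so a deployment that never sets the input allows every source. Since the row is being regenerated anyway, fix the description at its source so it states the default plainly, or drop the default so the input really is required. Separately, only this row moved to `<br/>`; the `resource_limits` and `resource_requests` rows further down still use `<br>`, which suggests the README was regenerated only in part.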
Expand All @@ -131,6 +131,7 @@ resources that lack official modules.
| <a name="input_clickhouse_private_endpoint_service_name"></a> [clickhouse\_private\_endpoint\_service\_name](#input\_clickhouse\_private\_endpoint\_service\_name) | ClickHouse private endpoint 'Service name' (ends in -clickhouse-cloud). | `string` | `""` | no |
| <a name="input_clickhouse_region"></a> [clickhouse\_region](#input\_clickhouse\_region) | ClickHouse region (us-east1, us-central1, etc). | `string` | `""` | no |
| <a name="input_clickhouse_subnetwork_cidr"></a> [clickhouse\_subnetwork\_cidr](#input\_clickhouse\_subnetwork\_cidr) | ClickHouse private service connect subnetwork | `string` | `"10.50.0.0/24"` | no |
| <a name="input_controller_image_tag"></a> [controller\_image\_tag](#input\_controller\_image\_tag) | Tag of the controller image to deploy | `string` | `"1.14.0"` | no |
| <a name="input_create_private_link"></a> [create\_private\_link](#input\_create\_private\_link) | Whether to create a private link service. | `bool` | `false` | no |
| <a name="input_create_redis"></a> [create\_redis](#input\_create\_redis) | Boolean indicating whether to provision an redis instance (true) or not (false). | `bool` | `false` | no |
| <a name="input_create_workload_identity"></a> [create\_workload\_identity](#input\_create\_workload\_identity) | Flag to indicate whether to create a workload identity for the service account. | `bool` | `false` | no |
Expand All @@ -156,6 +157,7 @@ resources that lack official modules.
| <a name="input_oidc_client_id"></a> [oidc\_client\_id](#input\_oidc\_client\_id) | The Client ID of application in your identity provider | `string` | `""` | no |
| <a name="input_oidc_issuer"></a> [oidc\_issuer](#input\_oidc\_issuer) | A url to your Open ID Connect identity provider, i.e. https://cognito-idp.us-east-1.amazonaws.com/us-east-1_uiIFNdacd | `string` | `""` | no |
| <a name="input_oidc_secret"></a> [oidc\_secret](#input\_oidc\_secret) | The Client secret of application in your identity provider | `string` | `""` | no |
| <a name="input_operator_chart_version"></a> [operator\_chart\_version](#input\_operator\_chart\_version) | Version of the operator chart to deploy | `string` | `"1.3.4"` | no |
| <a name="input_other_wandb_env"></a> [other\_wandb\_env](#input\_other\_wandb\_env) | Extra environment variables for W&B | `map(string)` | `{}` | no |
| <a name="input_parquet_wandb_env"></a> [parquet\_wandb\_env](#input\_parquet\_wandb\_env) | Extra environment variables for W&B | `map(string)` | `{}` | no |
| <a name="input_psc_subnetwork_cidr"></a> [psc\_subnetwork\_cidr](#input\_psc\_subnetwork\_cidr) | Private link service reserved subnetwork | `string` | `"192.168.0.0/24"` | no |
Expand All @@ -166,6 +168,7 @@ resources that lack official modules.
| <a name="input_resource_limits"></a> [resource\_limits](#input\_resource\_limits) | Specifies the resource limits for the wandb deployment | `map(string)` | <pre>{<br> "cpu": null,<br> "memory": null<br>}</pre> | no |
| <a name="input_resource_requests"></a> [resource\_requests](#input\_resource\_requests) | Specifies the resource requests for the wandb deployment | `map(string)` | <pre>{<br> "cpu": "2000m",<br> "memory": "2G"<br>}</pre> | no |
| <a name="input_size"></a> [size](#input\_size) | Deployment size for the instance | `string` | `"small"` | no |
| <a name="input_skip_bucket_admin_role"></a> [skip\_bucket\_admin\_role](#input\_skip\_bucket\_admin\_role) | Flag to indicate whether to skip the bucket policy creation. | `bool` | `false` | no |
| <a name="input_sql_default_encryption"></a> [sql\_default\_encryption](#input\_sql\_default\_encryption) | Boolean to determine if a default SQL encryption key should be used. If true, a default key will be created. Takes precedence over `db_kms_key_id`. | `bool` | `false` | no |
| <a name="input_ssl"></a> [ssl](#input\_ssl) | Enable SSL certificate | `bool` | `true` | no |
| <a name="input_stackdriver_sa_name"></a> [stackdriver\_sa\_name](#input\_stackdriver\_sa\_name) | n/a | `string` | `"wandb-stackdriver"` | no |
13 changes: 7 additions & 6 deletions main.tf
Expand Up @@ -49,6 +49,7 @@ module "service_accounts" {
stackdriver_sa_name = var.stackdriver_sa_name
enable_stackdriver = var.enable_stackdriver
depends_on = [module.project_factory_project_services]
skip_bucket_admin_role = var.skip_bucket_admin_role
}

module "kms" {
Expand Down Expand Up @@ -167,10 +168,10 @@ module "redis" {
}

module "clickhouse" {
count = var.clickhouse_private_endpoint_service_name != "" ? 1 : 0
source = "./modules/clickhouse"
network = local.network.id
namespace = var.namespace
count = var.clickhouse_private_endpoint_service_name != "" ? 1 : 0
source = "./modules/clickhouse"
network = local.network.id
namespace = var.namespace

clickhouse_reserved_ip_range = var.clickhouse_subnetwork_cidr
clickhouse_private_endpoint_service_name = var.clickhouse_private_endpoint_service_name
Expand Down Expand Up @@ -398,8 +399,8 @@ module "wandb" {
}
}

controller_image_tag = "1.13.0"
operator_chart_version = "1.3.1"
controller_image_tag = var.controller_image_tag
operator_chart_version = var.operator_chart_version

# Added `depends_on` to ensure old infrastructure is provisioned first. This addresses a critical scheduling challenge
# where the Datadog DaemonSet could fail to provision due to CPU constraints. Ensuring the old infrastructure has priority
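Review bot: Replacing the literals on `controller_image_tag` and `operator_chart_version` is also a version bump: the old values were `"1.13.0"` and `"1.3.1"`, while the new variables default to `"1.14.0"` and `"1.3.4"` in variables.tf, and the 5.4.2 changelog entry only says "Use variables for operator helm release". Call the bump out in the changelog so consumers who take the defaults know the controller image and chart change on upgrade.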
2 changes: 1 addition & 1 deletion modules/service_accounts/main.tf
Expand Up @@ -49,7 +49,7 @@ resource "google_project_iam_member" "log_writer" {

# If the bucket already exists, grant this new service account permission
resource "google_storage_bucket_iam_member" "object_admin" {
count = var.bucket_name != "" ? 1 : 0
count = (var.bucket_name != "" && var.skip_bucket_admin_role == false) ? 1 : 0
bucket = var.bucket_name
member = local.sa_member
role = "roles/storage.objectAdmin"
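Review bot: In the new `count` expression, `var.skip_bucket_admin_role == false` should be written `!var.skip_bucket_admin_role`; comparing a bool against a literal is unidiomatic and harder to read inside the compound condition. It is also worth documenting that on a deployment where this binding already exists, setting the flag to true drops `count` to 0 and Terraform removes the `roles/storage.objectAdmin` member, so the service account loses its bucket access unless that access has been granted elsewhere first.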
5 changes: 5 additions & 0 deletions modules/service_accounts/variables.tf
Expand Up @@ -27,3 +27,8 @@ variable "enable_stackdriver" {
description = "Flag to indicate whether to enable workload identity for the service account."
type = bool
}

variable "skip_bucket_admin_role" {
description = "Flag to indicate whether to skip the bucket policy creation."
type = bool
}
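Review bot: `skip_bucket_admin_role` is declared here without a `default`, which makes it a required input of the service_accounts module; the root module passes it, but any other caller of this module will fail to plan until it sets the value. Add `default = false` to match the root variable and keep the existing behaviour for callers that do not set it.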
20 changes: 20 additions & 0 deletions variables.tf
Expand Up @@ -94,6 +94,21 @@ variable "resource_requests" {
}
}

##########################################
# Operator #
##########################################
variable "operator_chart_version" {
type = string
description = "Version of the operator chart to deploy"
default = "1.3.4"
}

variable "controller_image_tag" {
type = string
description = "Tag of the controller image to deploy"
default = "1.14.0"
}

##########################################
# Networking #
##########################################
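Review bot: `operator_chart_version` and `controller_image_tag` accept any string, so an empty value or a floating tag is passed through unchecked. Consider a `validation` block on each that requires a pinned, version-shaped value, and say in the descriptions which chart and which image they refer to.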
Expand Down Expand Up @@ -210,6 +225,11 @@ variable "bucket_location" {
default = "US"
}

variable "skip_bucket_admin_role" {
type = bool
description = "Flag to indicate whether to skip the bucket policy creation."
default = false
}
##########################################
# Bucket Subpath #
##########################################
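Review bot: The description on `skip_bucket_admin_role`, "skip the bucket policy creation", does not match what the flag gates: in modules/service_accounts/main.tf it disables the `google_storage_bucket_iam_member` binding for `roles/storage.objectAdmin`. Name the role in the description and state that access to the bucket must then be granted outside this module. The closing `}` of the new variable also runs straight into the "Bucket Subpath" banner; add a blank line between them as the other sections have.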
