Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[infra] Make CI an admin of the artifact registry #14266

Merged
merged 7 commits into from
Feb 8, 2024
Merged

[infra] Make CI an admin of the artifact registry #14266

merged 7 commits into from
Feb 8, 2024

Conversation

daniel-goldstein
Copy link
Contributor

@daniel-goldstein daniel-goldstein commented Feb 7, 2024
edited
Loading

If CI jobs are to apply cleanup policies to the Artifact Registry, CI needs to have the permissions on the AR to do so. Prior to this change, CI only had viewer on the AR and used a different service account named gcr-push to push images to the registry. I don't see the point in having this second service account and think that CI should have these permissions (because it basically does already if it can submit jobs with the gcr-push service account). So the main point of this PR is to give CI admin on the AR, and then we can follow up by deleting the gcr-push service account.

Separately:

Not sure how this ever worked, but I needed to update the google terraform provider to get cleanup_policy_dry_run = false. That upgrade now made the DNS zone description mandatory so I added one. I thin the DNS zone is no longer used, but removing it is for another time. There was also for some reason a duplicate resource for CI's viewer role on the AR repo, so I changed one to admin and deleted the other.

cc @ehigham

@daniel-goldstein
Copy link
Contributor Author

I've already applied these changes.

jigold
jigold previously requested changes Feb 7, 2024
View reviewed changes
infra/gcp-broad/main.tf
@@ -527,15 +527,6 @@ module "ci_gsa_secret" {
]
}

resource "google_artifact_registry_repository_iam_member" "artifact_registry_viewer" {
provider = google-beta
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was this just duplicated and not used?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ya, I checked that it's the same as the other block. I guess terraform didn't have a problem with two role assignments that are the same and just treated it like a no-op.

@danking danking merged commit ac0ec53 into hail-is:main Feb 8, 2024
3 checks passed
This was referenced Feb 8, 2024
Closed
Closed
Closed
Merged
danking pushed a commit that referenced this pull request Feb 15, 2024
@daniel-goldstein
[infra] Apply same CI admin role as gcp-broad in normal gcp terraform (
5475705 
…#14295)

#14266 only added these changes to `gcp-broad`, I neglected to make them
to our generic terraform as well.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jigold jigold jigold approved these changes

Assignees

@jigold jigold

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@daniel-goldstein @jigold @danking