daml/infra
Gary Verhaegen cfae2d88f5
update Terraform files to match reality (#8780)
* fixup terraform config

Two changes have happened recently that have invalidated the current
Terraform files:

1. The Terraform version has gone through a major, incompatible upgrade
   (#8190); the required updates for this are reflected in the first
   commit of this PR.
2. The certificate used to serve [Hoogle](https://hoogle.daml.com) was
   about to expire, so Edward created a new one and updated the config
   directly. The second commit in this PR updates the Terraform config
   to match that new, already-in-prod setting.

Note: This PR applies cleanly, as there are no resulting changes in
Terraform's perception of the target state from 1, and the change from 2
has already been applied through other channels.

CHANGELOG_BEGIN
CHANGELOG_END

* update hoogle cert
2021-02-08 17:25:04 +00:00
macos update copyright notices for 2021 (#8257) 2021-01-01 19:49:51 +01:00
modules/gcp_cdn_bucket update Terraform files to match reality (#8780) 2021-02-08 17:25:04 +00:00
.gitignore open-sourcing daml 2019-04-04 09:33:38 +01:00
apply infra: add a VSTS windows agents (#368) 2019-04-18 11:20:57 +00:00
bazel_cache.tf update Terraform files to match reality (#8780) 2021-02-08 17:25:04 +00:00
binaries.tf update Terraform files to match reality (#8780) 2021-02-08 17:25:04 +00:00
data_bucket.tf update Terraform files to match reality (#8780) 2021-02-08 17:25:04 +00:00
dumps_bucket.tf update Terraform files to match reality (#8780) 2021-02-08 17:25:04 +00:00
hoogle_server.tf update Terraform files to match reality (#8780) 2021-02-08 17:25:04 +00:00
main.tf update Terraform files to match reality (#8780) 2021-02-08 17:25:04 +00:00
nix_cache.tf update Terraform files to match reality (#8780) 2021-02-08 17:25:04 +00:00
periodic_killer.tf update Terraform files to match reality (#8780) 2021-02-08 17:25:04 +00:00
README.md Daml case and logo (#8433) 2021-01-08 12:50:15 +00:00
vsts_agent_ubuntu_20_04_startup.sh clean-up infra after Ubuntu 20.04 upgrade (#8653) 2021-01-27 22:19:34 +01:00
vsts_agent_ubuntu_20_04.tf update Terraform files to match reality (#8780) 2021-02-08 17:25:04 +00:00
vsts_agent_windows.tf update Terraform files to match reality (#8780) 2021-02-08 17:25:04 +00:00
writer.tf update Terraform files to match reality (#8780) 2021-02-08 17:25:04 +00:00

Daml

This is the Terraform code used by the Daml repository to deploy supporting infrastructure such as the Bazel caches, Nix caches and Azure Pipeline (VSTS) Agents.

Setup

To deploy the infrastructure changes, you will need to get access to the da-dev-gcp-daml-language Google project from DA IT. Then run gcloud auth login to configure the local credentials.

Deployment

All the infrastructure is currently deployed using Terraform. For convenience we have a little wrapper script that you can run to apply the latest changes:

$ ./apply

Writer service-account key

To avoid holding the secret key in the store, the key has to be created through the UI.

This can be done here: https://console.cloud.google.com/iam-admin/serviceaccounts/details/104272946446260011088?project=da-dev-gcp-daml-language

Setting up credentials

In order to interact with these Terraform files, you will need security to give you access to the relevant GCP project (da-dev-gcp-daml-language), and then log in via gcloud by running:

gcloud auth application-default login --account your.name@gcloud-domain.com

Resetting build nodes

Permissions to reset build nodes are defined in periodic_killer.tf using the killCiNodes role. CI nodes are managed, so a killed node will be immediately replaced by a new one with the exact same configuration (but starting its initialization from scratch); we can therefore treat killing a node and resetting a node as the same operation.

Nodes can be listed with

gcloud compute instances list --project=da-dev-gcp-daml-language

and individual nodes can be killed with

gcloud compute instances --project=da-dev-gcp-daml-language delete --zone=us-east4-a vsts-agent-linux-dhw4

where zone and name have to match.

As a reference, here are a couple of zsh functions I have added to my shell to make my life easier:

# Cache a JSON object mapping each vsts-* instance name to its zone.
refresh_machines() {
    machines=$(gcloud compute instances list --format=json --project=da-dev-gcp-daml-language | jq -c '[.[] | select (.name | startswith("vsts-")) | {key: .name, value: .zone | sub (".*/"; "")}] | from_entries')
}

# Delete (and thereby reset) each named node, looking its zone up in the cache.
kill_machine() {
    local machine zone
    if [ -z "$machines" ]; then
        refresh_machines
    fi
    for machine in "$@"; do
        # Pass the name with --arg so it is never interpolated into the jq program.
        zone=$(printf '%s' "$machines" | jq -r --arg m "$machine" '.[$m]')
        gcloud -q compute instances --project=da-dev-gcp-daml-language delete --zone="$zone" "$machine"
    done
}

# zsh completion: offer cached node names that are not already on the command line.
_kill_machine() {
    local machine_names
    if [ -z "$machines" ]; then
        refresh_machines
    fi
    machine_names=$(echo $machines | jq -r "keys - $(echo -n $words | jq -sRc 'split(" ")') | .[]")
    _arguments "*: :($machine_names)"
}
compdef _kill_machine kill_machine