ci: run acceptance tests against an external Postgres sidecar (#370)
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b6e827afff
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
@codex review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: bc2032abdc
@codex review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 82b36d9b81
@codex review
Codex Review: Didn't find any major issues. More of your lovely PRs please. Reviewed commit:
johnstcn left a comment:
Nice! I wonder if we should be using github.com/testcontainers/testcontainers-go instead though?
ah testcontainers looks good... Will switch to that later.
Port the acceptance-test infrastructure fixes developed on the AI provider resource branch:

- Bake the embedded PostgreSQL binary into a derived Coder image (integration/Dockerfile.embedded-pg) so the harness never downloads it from Maven at runtime. Shared CI egress IPs get rate-limited by Cloudflare (which fronts repo.maven.apache.org), and a single non-200 response reds the whole lane with "coder failed to become ready in time". The test job builds this image and points the harness at it via CODER_IMAGE/CODER_VERSION.
- Only override the default image/version from env, never an explicit per-test version pin, so back-compat tests keep using the upstream registry image at their requested version.
- Fall back to a locally-built image when the registry pull fails.
- Dump the Coder container logs on test failure so startup output is visible in CI.
- Use a generous readiness budget and run the matrix across Terraform 1.5-1.14.
> **Stack** — builds on #370 (external Postgres sidecar for acceptance tests); review/merge that first.

## Summary

Adds `coderd_ai_provider` for managing Coder AI Gateway providers from Terraform — OpenAI-style API-key providers and AWS Bedrock providers — with full CRUD + import, generated docs/examples, and acceptance/unit tests. The resource is marked experimental via a warning callout in its docs.

## Approach

- **Write-only secrets.** Plaintext API keys and AWS credentials use Terraform 1.11+ write-only arguments (`*_wo`), so secrets reach Coder but never land in state. Each secret is paired with a `*_version` field; bumping the version rotates the secret. A null version means "unmanaged/preserve" rather than "clear", so removing it never silently wipes server-side secrets.
- **Split validation.** Schema validators handle the simple shape (required-together, non-empty); resource-level `ValidateConfig` handles type-dependent combinations (e.g. `api_key_wo` is rejected for `bedrock`/`copilot` or any `settings.bedrock` config, mirroring the server) and Bedrock's region-or-credentials requirement. Validation defers while values are unknown during the validate/plan walk.
- **Bedrock region.** When `region` is omitted it derives from a canonical Bedrock `base_url` (`bedrock-runtime.<region>.amazonaws.com`), so it re-derives correctly when `base_url` changes regions.

## Schema

```hcl
resource "coderd_ai_provider" "openai" {
  type               = "openai"
  name               = "openai"
  base_url           = "https://api.openai.com"
  api_key_wo         = var.openai_api_key
  api_key_wo_version = 1
}

resource "coderd_ai_provider" "bedrock" {
  type     = "bedrock"
  name     = "aws-bedrock"
  base_url = "https://bedrock-runtime.us-east-1.amazonaws.com"
  settings = {
    bedrock = {
      model                  = "anthropic.claude-3-5-sonnet-20241022-v2:0"
      access_key_wo          = var.bedrock_access_key
      access_key_secret_wo   = var.bedrock_access_key_secret
      credentials_wo_version = 1
    }
  }
}
```

Computed: `id`, `display_name`, `enabled`, `api_key_masked`, `created_at`, `updated_at`, and `settings.bedrock.region` (derived from `base_url`).

## Notes

Requires Terraform 1.11+ when configured (write-only arguments); acceptance cases skip earlier versions. An integration test combining this with the model resource is planned.

Relates to CODAGT-607
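As an added illustration, not the provider's own code, the three rules described in the Approach section written out in Go: the write-only secret/version decision (null version preserves, a new or bumped version sends), the type-dependent `api_key_wo` check, and region derivation from a canonical Bedrock `base_url`. Function names and the endpoint regex are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
)

// secretAction is what the provider does with a write-only secret on apply.
type secretAction int

const (
	preserveSecret secretAction = iota // version null: leave the server-side value alone
	sendSecret                         // version new or bumped: send the *_wo value
	noChange                           // version unchanged: nothing to send
)

// planSecret decides whether a *_wo value is sent to Coder. Terraform never stores
// write-only values, so the paired *_version field is the only state-tracked signal.
func planSecret(priorVersion, plannedVersion *int64) secretAction {
	if plannedVersion == nil { // "unmanaged/preserve", never "clear"
		return preserveSecret
	}
	if priorVersion == nil || *priorVersion != *plannedVersion {
		return sendSecret
	}
	return noChange
}

// validateAPIKey mirrors the server rule: api_key_wo is rejected for the
// bedrock/copilot types or whenever settings.bedrock is configured.
func validateAPIKey(providerType string, hasAPIKey, hasBedrockSettings bool) error {
	if hasAPIKey && (providerType == "bedrock" || providerType == "copilot" || hasBedrockSettings) {
		return fmt.Errorf("api_key_wo cannot be set for type %q or with settings.bedrock", providerType)
	}
	return nil
}

// Assumed canonical endpoint shape: bedrock-runtime.<region>.amazonaws.com
var bedrockHost = regexp.MustCompile(`^https://bedrock-runtime\.([a-z0-9-]+)\.amazonaws\.com/?$`)

// deriveBedrockRegion computes settings.bedrock.region from a canonical base_url
// when region is omitted, so it re-derives correctly when base_url changes regions.
func deriveBedrockRegion(baseURL string) (string, error) {
	m := bedrockHost.FindStringSubmatch(baseURL)
	if m == nil {
		return "", fmt.Errorf("base_url %q is not a canonical bedrock-runtime endpoint; set region explicitly", baseURL)
	}
	return m[1], nil
}
```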

## Problem

The Terraform acceptance matrix was failing intermittently across all lanes with `coder failed to become ready in time`. `integration.StartCoder` boots `ghcr.io/coder/coder` without `CODER_PG_CONNECTION_URL`, so Coder falls back to its embedded PostgreSQL. The image doesn't bundle the Postgres binary, so each startup downloads the embedded-postgres jar from Maven Central. GitHub runners' shared egress IPs get rate-limited by Cloudflare, and a single non-200 crashes Coder before it binds — reddening the lane.

## Fix

Give Coder a real PostgreSQL instead of the embedded one. Setting `CODER_PG_CONNECTION_URL` bypasses the Maven download entirely. Per test, `integration.StartCoder` now starts a Postgres sidecar on a user-defined Docker network (aliased `postgres`), wires Coder onto it, and points `CODER_PG_CONNECTION_URL` at it. No readiness wait needed — Coder retries its DB connection for ~30s, covering sidecar boot.

The image is `us-docker.pkg.dev/coder-v2-images-public/public/postgres:17`, the public mirror coder/coder uses in its own tests, which avoids Docker Hub's anonymous pull rate limit.

This is environment-level, so it also covers the version-pinned back-compat tests. CI wall time is essentially unchanged (~206s/lane): the Postgres pull and boot costs about what the Maven download it replaces did.

## Also: raise the Terraform support floor to 1.5

Terraform 1.0–1.4 are EOL. This drops them from the CI matrix (now `1.5.*`–`1.14.*`, so we also test the latest releases), sets the README floor to `>= 1.5`, and removes the `template_resource_test.go` skip guard for a Terraform 1.0 panic.
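An added sketch of the wiring the fix describes, not the harness's own `integration.StartCoder`: Postgres and Coder on one user-defined Docker network, Coder handed an alias-based `CODER_PG_CONNECTION_URL`, and no host port published for the sidecar. The type and function names, the `coder` user/password/database, `sslmode=disable`, and the `:latest` Coder tag are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"os/exec"
)

// pgSidecar captures the per-test wiring: a Postgres container and a Coder
// container on one user-defined network, with Coder dialing Postgres by alias.
type pgSidecar struct {
	Network, Alias, Image string
	User, Password, DB    string
}

// connURL is the value passed as CODER_PG_CONNECTION_URL. The host is the network
// alias, so it resolves only inside the test network (sslmode=disable is assumed).
func (s pgSidecar) connURL() string {
	u := url.URL{Scheme: "postgres", User: url.UserPassword(s.User, s.Password),
		Host: s.Alias + ":5432", Path: "/" + s.DB, RawQuery: "sslmode=disable"}
	return u.String()
}

// postgresArgs starts the sidecar with no published host port, so only
// containers on the same network can reach it.
func (s pgSidecar) postgresArgs(name string) []string {
	return []string{"run", "-d", "--rm", "--name", name, "--network", s.Network,
		"--network-alias", s.Alias, "-e", "POSTGRES_USER=" + s.User,
		"-e", "POSTGRES_PASSWORD=" + s.Password, "-e", "POSTGRES_DB=" + s.DB, s.Image}
}

// coderArgs joins Coder to the same network and points it at the sidecar, which
// bypasses the embedded-Postgres download; Coder's ~30s DB retry covers sidecar boot.
func (s pgSidecar) coderArgs(name, coderImage string) []string {
	return []string{"run", "-d", "--rm", "--name", name, "--network", s.Network,
		"-e", "CODER_PG_CONNECTION_URL=" + s.connURL(), coderImage}
}

func main() {
	s := pgSidecar{Network: "coder-acc-test", Alias: "postgres", User: "coder", Password: "coder",
		DB: "coder", Image: "us-docker.pkg.dev/coder-v2-images-public/public/postgres:17"}
	steps := [][]string{{"network", "create", s.Network}, s.postgresArgs("acc-postgres"),
		s.coderArgs("acc-coder", "ghcr.io/coder/coder:latest")} // :latest tag is an assumption
	for _, args := range steps {
		if out, err := exec.Command("docker", args...).CombinedOutput(); err != nil {
			panic(fmt.Sprintf("docker %v: %v\n%s", args, err, out))
		}
	}
}
```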