
ci: run acceptance tests against an external Postgres sidecar#370

Merged: ethanndickson merged 1 commit into main from ethan/ci-embedded-pg-fix on Jun 24, 2026

Conversation

@ethanndickson (Member) commented Jun 24, 2026

Stack — base PR; #368 (experimental AI provider resource) builds on this.

Problem

The Terraform acceptance matrix was failing intermittently across all lanes with coder failed to become ready in time.

integration.StartCoder boots ghcr.io/coder/coder without CODER_PG_CONNECTION_URL, so Coder falls back to its embedded PostgreSQL. The image doesn't bundle the Postgres binary, so each startup downloads the embedded-postgres jar from Maven Central. GitHub runners' shared egress IPs get rate-limited by Cloudflare, and a single non-200 crashes Coder before it binds — reddening the lane.

Fix

Give Coder a real PostgreSQL instead of the embedded one. Setting CODER_PG_CONNECTION_URL bypasses the Maven download entirely. Per test, integration.StartCoder now starts a Postgres sidecar on a user-defined Docker network (aliased postgres), wires Coder onto it, and points CODER_PG_CONNECTION_URL at it. No readiness wait needed — Coder retries its DB connection for ~30s, covering sidecar boot.

The image is us-docker.pkg.dev/coder-v2-images-public/public/postgres:17, the public mirror coder/coder uses in its own tests, which avoids Docker Hub's anonymous pull rate limit.

This is environment-level, so it also covers the version-pinned back-compat tests. CI wall time is essentially unchanged (~206s/lane): the Postgres pull and boot costs about what the Maven download it replaces did.

Also: raise the Terraform support floor to 1.5

Terraform 1.0–1.4 are EOL. This drops them from the CI matrix (now 1.5.*–1.14.*, so we also test the latest releases), sets the README floor to >= 1.5, and removes the template_resource_test.go skip guard for a Terraform 1.0 panic.
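Two pieces of the fix above are easy to get subtly wrong in a harness like this: building the `CODER_PG_CONNECTION_URL` value, and relying on a bounded retry window to cover sidecar boot. The Go below is an added illustration, not code from this PR or from `integration.StartCoder`; the host name `postgres` is the Docker network alias the PR describes, while the user, database, password, port and the `WaitReady` helper are constructed for the example. Building the URL with `net/url` rather than `fmt.Sprintf` matters when a generated password contains `@`, `/` or `?`, which would otherwise be parsed as URL structure.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/url"
	"time"
)

// PGConnectionURL builds the value for CODER_PG_CONNECTION_URL. The host is the
// sidecar's Docker network alias ("postgres" in the PR), so the URL only resolves
// from containers attached to that user-defined network. url.UserPassword
// percent-encodes '@', '/' and '?' in the password instead of letting them
// corrupt the URL. (Example code; user/db/port values are constructed.)
func PGConnectionURL(user, password, host string, port int, dbName, sslMode string) string {
	u := url.URL{
		Scheme:   "postgres",
		User:     url.UserPassword(user, password),
		Host:     fmt.Sprintf("%s:%d", host, port),
		Path:     "/" + dbName,
		RawQuery: url.Values{"sslmode": {sslMode}}.Encode(),
	}
	return u.String()
}

// WaitReady polls probe until it succeeds or the budget is exhausted and
// returns the number of attempts made. It is the harness-side analogue of the
// ~30s of DB-connection retries Coder performs itself; probe is injected so the
// logic can be exercised without Docker or a real database.
func WaitReady(ctx context.Context, budget, interval time.Duration, probe func(context.Context) error) (int, error) {
	ctx, cancel := context.WithTimeout(ctx, budget)
	defer cancel()

	attempts := 0
	var lastErr error
	for {
		attempts++
		err := probe(ctx)
		if err == nil {
			return attempts, nil
		}
		lastErr = err
		select {
		case <-ctx.Done():
			return attempts, fmt.Errorf("postgres sidecar not ready after %d attempts: %w (last error: %v)",
				attempts, ctx.Err(), lastErr)
		case <-time.After(interval):
		}
	}
}

func main() {
	// Constructed password that deliberately contains URL-significant characters.
	fmt.Println(PGConnectionURL("coder", "p@ss/w?rd", "postgres", 5432, "coder", "disable"))

	// Constructed probe: refused twice (sidecar still booting), then ready.
	calls := 0
	probe := func(context.Context) error {
		calls++
		if calls < 3 {
			return errors.New("connection refused")
		}
		return nil
	}
	n, err := WaitReady(context.Background(), 5*time.Second, 10*time.Millisecond, probe)
	fmt.Println("ready after", n, "attempts, err:", err)
}
```

Running it prints `postgres://coder:p%40ss%2Fw%3Frd@postgres:5432/coder?sslmode=disable`; parsing that back with `url.Parse` recovers the original password, which a string-concatenated URL would not.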

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b6e827afff

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/test.yml
@ethanndickson (Member, Author)

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bc2032abdc


Comment thread integration/integration.go Outdated
@ethanndickson ethanndickson changed the title ci: stabilize Terraform acceptance tests ci: run acceptance tests against an external Postgres sidecar Jun 24, 2026
@ethanndickson (Member, Author)

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 82b36d9b81


Comment thread integration/integration.go
@ethanndickson (Member, Author)

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Codex Review: Didn't find any major issues. More of your lovely PRs please.

Reviewed commit: 293eac1f59


@johnstcn johnstcn (Member) left a comment

Nice! I wonder if we should be using github.com/testcontainers/testcontainers-go instead though?

Comment thread integration/integration.go Outdated
@ethanndickson (Member, Author)

ah testcontainers looks good... Will switch to that later.

Port the acceptance-test infrastructure fixes developed on the AI provider
resource branch:

- Bake the embedded PostgreSQL binary into a derived Coder image
  (integration/Dockerfile.embedded-pg) so the harness never downloads it
  from Maven at runtime. Shared CI egress IPs get rate-limited by Cloudflare
  (which fronts repo.maven.apache.org), and a single non-200 response reds
  the whole lane with "coder failed to become ready in time". The test job
  builds this image and points the harness at it via CODER_IMAGE/CODER_VERSION.
- Only override the default image/version from env, never an explicit
  per-test version pin, so back-compat tests keep using the upstream registry
  image at their requested version.
- Fall back to a locally-built image when the registry pull fails.
- Dump the Coder container logs on test failure so startup output is visible
  in CI.
- Use a generous readiness budget and run the matrix across Terraform 1.5-1.14.

ethanndickson (Member, Author) commented Jun 24, 2026

Merge activity

  • Jun 24, 2:41 PM UTC: A user started a stack merge that includes this pull request via Graphite.
  • Jun 24, 2:41 PM UTC: @ethanndickson merged this pull request with Graphite.

@ethanndickson ethanndickson merged commit 9fba23a into main Jun 24, 2026
14 checks passed
@ethanndickson ethanndickson deleted the ethan/ci-embedded-pg-fix branch June 24, 2026 14:41
ethanndickson added a commit that referenced this pull request Jul 1, 2026
> **Stack** — builds on #370 (external Postgres sidecar for acceptance tests); review/merge that first.

## Summary

Adds `coderd_ai_provider` for managing Coder AI Gateway providers from Terraform — OpenAI-style API-key providers and AWS Bedrock providers — with full CRUD + import, generated docs/examples, and acceptance/unit tests. The resource is marked experimental via a warning callout in its docs.

## Approach

- **Write-only secrets.** Plaintext API keys and AWS credentials use Terraform 1.11+ write-only arguments (`*_wo`), so secrets reach Coder but never land in state. Each secret is paired with a `*_version` field; bumping the version rotates the secret. A null version means "unmanaged/preserve" rather than "clear", so removing it never silently wipes server-side secrets.
- **Split validation.** Schema validators handle the simple shape (required-together, non-empty); resource-level `ValidateConfig` handles type-dependent combinations (e.g. `api_key_wo` is rejected for `bedrock`/`copilot` or any `settings.bedrock` config, mirroring the server) and Bedrock's region-or-credentials requirement. Validation defers while values are unknown during the validate/plan walk.
- **Bedrock region.** When `region` is omitted it derives from a canonical Bedrock `base_url` (`bedrock-runtime.<region>.amazonaws.com`), so it re-derives correctly when `base_url` changes regions.

## Schema

```hcl
resource "coderd_ai_provider" "openai" {
  type               = "openai"
  name               = "openai"
  base_url           = "https://api.openai.com"
  api_key_wo         = var.openai_api_key
  api_key_wo_version = 1
}

resource "coderd_ai_provider" "bedrock" {
  type     = "bedrock"
  name     = "aws-bedrock"
  base_url = "https://bedrock-runtime.us-east-1.amazonaws.com"

  settings = {
    bedrock = {
      model                  = "anthropic.claude-3-5-sonnet-20241022-v2:0"
      access_key_wo          = var.bedrock_access_key
      access_key_secret_wo   = var.bedrock_access_key_secret
      credentials_wo_version = 1
    }
  }
}
```

Computed: `id`, `display_name`, `enabled`, `api_key_masked`, `created_at`, `updated_at`, and `settings.bedrock.region` (derived from `base_url`).

## Notes

Requires Terraform 1.11+ when configured (write-only arguments); acceptance cases skip earlier versions.

An integration test combining this with the model resource is planned.

Relates to CODAGT-607
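Two rules in the #368 description above are worth seeing as executable logic: the write-only secret handling (the plaintext `api_key_wo` never enters state, so only `api_key_wo_version` is compared, and a null version means "preserve", not "clear"), and the region derived from a canonical Bedrock `base_url` of the form `bedrock-runtime.<region>.amazonaws.com`. The Go below is an added example, not code from the provider; `PlanSecret`, `SecretAction`, `DeriveBedrockRegion` and `ValidateAPIKeyForType` are names invented here, and the exact region pattern and the rule that a non-canonical URL yields no region are assumptions. The host match is anchored on purpose so a lookalike host such as `bedrock-runtime.us-east-1.amazonaws.com.example` does not pass as canonical.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// bedrockHost matches only the canonical Bedrock runtime endpoint host,
// e.g. bedrock-runtime.us-east-1.amazonaws.com. The region pattern and the
// "non-canonical means no derived region" rule are assumptions of this example.
var bedrockHost = regexp.MustCompile(`^bedrock-runtime\.([a-z]{2}(?:-[a-z]+)+-\d+)\.amazonaws\.com$`)

// DeriveBedrockRegion returns the region encoded in a canonical Bedrock base_url.
// It returns false for custom endpoints, non-https schemes, or hosts that merely
// contain the canonical name as a prefix, so region must then be set explicitly.
func DeriveBedrockRegion(baseURL string) (string, bool) {
	u, err := url.Parse(baseURL)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" {
		return "", false
	}
	m := bedrockHost.FindStringSubmatch(strings.ToLower(u.Hostname()))
	if m == nil {
		return "", false
	}
	return m[1], true
}

// ValidateAPIKeyForType mirrors the type-dependent check described in the PR:
// api_key_wo is rejected for bedrock/copilot providers or when settings.bedrock
// is configured, since those authenticate with AWS credentials instead.
func ValidateAPIKeyForType(providerType string, hasAPIKey, hasBedrockSettings bool) error {
	if !hasAPIKey {
		return nil
	}
	if providerType == "bedrock" || providerType == "copilot" || hasBedrockSettings {
		return fmt.Errorf("api_key_wo is not allowed for type %q or with settings.bedrock", providerType)
	}
	return nil
}

// SecretAction is what the provider does with a write-only secret on apply.
type SecretAction int

const (
	PreserveSecret SecretAction = iota // leave the server-side value untouched
	SetSecret                          // send the plaintext from the *_wo argument
)

// PlanSecret decides the action for one write-only secret. prior is the
// *_version recorded in state (nil on create); planned is the configured
// *_version (nil when omitted). Because the plaintext is never stored, only the
// version can signal a change: first set or a bump sends the secret, an
// unchanged version preserves it, and a null version means "unmanaged", which
// preserves rather than wipes the server-side value.
func PlanSecret(prior, planned *int64, hasPlaintext bool) (SecretAction, error) {
	if planned == nil {
		return PreserveSecret, nil
	}
	if !hasPlaintext {
		// required-together: a version without a secret is a config error
		return PreserveSecret, fmt.Errorf("*_version is set but the *_wo value is empty")
	}
	if prior == nil || *prior != *planned {
		return SetSecret, nil
	}
	return PreserveSecret, nil
}

func main() {
	region, ok := DeriveBedrockRegion("https://bedrock-runtime.us-east-1.amazonaws.com")
	fmt.Println(region, ok)

	v1, v2 := int64(1), int64(2)
	action, err := PlanSecret(&v1, &v2, true) // version bumped: rotate
	fmt.Println(action == SetSecret, err)
	action, err = PlanSecret(&v1, nil, false) // version removed: preserve, not clear
	fmt.Println(action == PreserveSecret, err)
}
```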