✨ AWS Elasticache ERv2 module (#1)

Initial release.

Ticket: https://issues.redhat.com/browse/APPSRE-11001

.gitignore

@@ -165,3 +165,9 @@ cython_debug/
 
 # MacOS
 .DS_Store
+
+cdktf.out
+input.json
+credentials*
+tmp/
+.gen

.python-version

@@ -0,0 +1 @@
+3.11

.tekton/main-pull-request.yaml

@@ -0,0 +1,75 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  annotations:
+    build.appstudio.openshift.io/repo: https://github.com/app-sre/er-aws-elasticache?rev={{revision}}
+    build.appstudio.redhat.com/commit_sha: '{{revision}}'
+    build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
+    build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+    pipelinesascode.tekton.dev/max-keep-runs: "20"
+    pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "main"
+  labels:
+    appstudio.openshift.io/application: er-aws-elasticache-main
+    appstudio.openshift.io/component: er-aws-elasticache-main
+    pipelines.appstudio.openshift.io/type: build
+  name: er-aws-elasticache-main-on-pull-request
+  namespace: app-sre-tenant
+spec:
+  params:
+  - name: git-url
+    value: '{{source_url}}'
+  - name: revision
+    value: '{{revision}}'
+  - name: output-image
+    value: quay.io/redhat-user-workloads/app-sre-tenant/er-aws-elasticache-main/er-aws-elasticache-main:on-pr-{{revision}}
+  - name: image-expires-after
+    value: 5d
+  - name: dockerfile
+    value: Dockerfile
+  - name: path-context
+    value: .
+  - name: target-stage
+    value: test
+  - name: build-platforms
+    value:
+    - linux/x86_64
+    # - linux-m2xlarge/arm64
+  taskRunSpecs:
+  - pipelineTaskName: build-images
+    stepSpecs:
+    - name: build
+      computeResources:
+        requests:
+          memory: 20Gi
+        limits:
+          memory: 20Gi
+  - pipelineTaskName: ecosystem-cert-preflight-checks
+    stepSpecs:
+    - name: check-container
+      computeResources:
+        requests:
+          memory: 4Gi
+        limits:
+          memory: 4Gi
+  pipelineRef:
+    resolver: git
+    params:
+    - name: url
+      value: https://github.com/app-sre/shared-pipelines
+    - name: revision
+      value: main
+    - name: pathInRepo
+      value: pipelines/multi-arch-build-pipeline.yaml
+  taskRunTemplate: {}
+  workspaces:
+  - name: workspace
+    volumeClaimTemplate:
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: 1Gi
+  - name: git-auth
+    secret:
+      secretName: '{{ git_auth_secret }}'

.tekton/main-push.yaml

@@ -0,0 +1,72 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  annotations:
+    build.appstudio.openshift.io/repo: https://github.com/app-sre/er-aws-elasticache?rev={{revision}}
+    build.appstudio.redhat.com/commit_sha: '{{revision}}'
+    build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+    pipelinesascode.tekton.dev/max-keep-runs: "20"
+    pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "main"
+  labels:
+    appstudio.openshift.io/application: er-aws-elasticache-main
+    appstudio.openshift.io/component: er-aws-elasticache-main
+    pipelines.appstudio.openshift.io/type: build
+  name: er-aws-elasticache-main-on-push
+  namespace: app-sre-tenant
+spec:
+  params:
+  - name: git-url
+    value: '{{source_url}}'
+  - name: revision
+    value: '{{revision}}'
+  - name: output-image
+    value: quay.io/redhat-user-workloads/app-sre-tenant/er-aws-elasticache-main/er-aws-elasticache-main:{{revision}}
+  - name: dockerfile
+    value: Dockerfile
+  - name: path-context
+    value: .
+  - name: target-stage
+    value: prod
+  - name: build-platforms
+    value:
+    - linux/x86_64
+    # - linux-m2xlarge/arm64
+  taskRunSpecs:
+  - pipelineTaskName: build-images
+    stepSpecs:
+    - name: build
+      computeResources:
+        requests:
+          memory: 20Gi
+        limits:
+          memory: 20Gi
+  - pipelineTaskName: ecosystem-cert-preflight-checks
+    stepSpecs:
+    - name: check-container
+      computeResources:
+        requests:
+          memory: 4Gi
+        limits:
+          memory: 4Gi
+  pipelineRef:
+    resolver: git
+    params:
+    - name: url
+      value: https://github.com/app-sre/shared-pipelines
+    - name: revision
+      value: main
+    - name: pathInRepo
+      value: pipelines/multi-arch-build-pipeline.yaml
+  taskRunTemplate: {}
+  workspaces:
+  - name: workspace
+    volumeClaimTemplate:
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: 1Gi
+  - name: git-auth
+    secret:
+      secretName: '{{ git_auth_secret }}'

Dockerfile

@@ -1,23 +1,58 @@
-FROM registry.access.redhat.com/ubi9/python-311
-ARG POETRY_VERSION
-RUN pip install --upgrade pip && \
-    pip install poetry==$POETRY_VERSION
+FROM quay.io/redhat-services-prod/app-sre-tenant/er-base-cdktf-main/er-base-cdktf-main:cdktf-0.20.9-tf-1.6.6-py-3.11-v0.3.0 AS base
+# keep in sync with pyproject.toml
+LABEL konflux.additional-tags="0.1.0"
 
-# venv configuration
-COPY pyproject.toml poetry.lock ./
-RUN poetry install --no-root
+FROM base AS builder
+COPY --from=ghcr.io/astral-sh/uv:0.5.0@sha256:0e0fb77970aceaa106c1fee7103ec3e4885f6c4289e32a596123af06d2e9db9d /uv /bin/uv
 
-# other project related files
-COPY README.md Makefile ./
+COPY cdktf.json ./
+# Download all necessary CDKTF providers and build the python cdktf modules.
+# The python modules must be stored in the .gen directory because cdktf needs them there.
+RUN cdktf-provider-sync .gen
+
+# Python and UV related variables
+ENV \
+    # compile bytecode for faster startup
+    UV_COMPILE_BYTECODE="true" \
+    # disable uv cache. it doesn't make sense in a container
+    UV_NO_CACHE=true \
+    UV_NO_PROGRESS=true
+
+COPY pyproject.toml uv.lock ./
+# Test lock file is up to date
+RUN uv lock --locked
+# Install dependencies
+RUN uv sync --frozen --no-group dev --no-install-project --python /usr/bin/python3
 
 # the source code
-ARG CODE_ROOT
-COPY $CODE_ROOT ./$CODE_ROOT
+COPY README.md validate_plan.py ./
+COPY er_aws_elasticache ./er_aws_elasticache
+# Sync the project
+RUN uv sync --frozen --no-group dev
+
+FROM base AS prod
+# get cdktf providers
+COPY --from=builder ${TF_PLUGIN_CACHE_DIR} ${TF_PLUGIN_CACHE_DIR}
+# get our app with the dependencies
+COPY --from=builder ${APP} ${APP}
+
+ENV \
+    # Use the virtual environment
+    PATH="${APP}/.venv/bin:${PATH}" \
+    # cdktf python modules path
+    PYTHONPATH="$APP/.gen"
+
+FROM prod AS test
+COPY --from=ghcr.io/astral-sh/uv:0.5.0@sha256:0e0fb77970aceaa106c1fee7103ec3e4885f6c4289e32a596123af06d2e9db9d /uv /bin/uv
+
+# install test dependencies
+RUN uv sync --frozen
+
+COPY Makefile ./
 COPY tests ./tests
-RUN poetry install --only-root
 
-# run the Makefile target
-ARG MAKE_TARGET
-ARG TWINE_USERNAME
-ARG TWINE_PASSWORD
-RUN make $MAKE_TARGET
+RUN make test
+
+# Empty /tmp again because the test stage might have created files there, e.g. JSII_RUNTIME_PACKAGE_CACHE_ROOT
+# and we want to run this test image in the dev environment
+RUN rm -rf /tmp/*

Makefile

@@ -1,32 +1,41 @@
-CODE_ROOT := python_project_template
-# TWINE_USERNAME & TWINE_PASSWORD are available in the Jenkins job
-BUILD_ARGS := CODE_ROOT=$(CODE_ROOT) POETRY_VERSION=1.8.3 TWINE_USERNAME TWINE_PASSWORD
+SITE_PACKAGES_DIR ?= $(shell .venv/bin/python3 -c 'import sysconfig; print(sysconfig.get_paths()["purelib"])')
 CONTAINER_ENGINE ?= $(shell which podman >/dev/null 2>&1 && echo podman || echo docker)
 
-.EXPORT_ALL_VARIABLES:
-POETRY_HTTP_BASIC_PYPI_USERNAME = $(TWINE_USERNAME)
-POETRY_HTTP_BASIC_PYPI_PASSWORD = $(TWINE_PASSWORD)
-
-format:
-	poetry run ruff check
-	poetry run ruff format
 .PHONY: format
+format:
+	uv run ruff check
+	uv run ruff format
+
+.PHONY: image_tests
+image_tests:
+	# test /tmp must be empty
+	[ -z "$(shell ls -A /tmp)" ]
+	# validate_plan.py must exist
+	[ -f "validate_plan.py" ]
+
+.PHONY: code_tests
+code_tests:
+	uv run ruff check --no-fix
+	uv run ruff format --check
+	uv run mypy
+	uv run pytest -vv --cov=er_aws_elasticache --cov-report=term-missing --cov-report xml
 
-pr-check:
-	$(CONTAINER_ENGINE) build --build-arg MAKE_TARGET=test $(foreach arg,$(BUILD_ARGS),--build-arg $(arg)) .
-.PHONY: pr-check
+.PHONY: dependency_tests
+dependency_tests:
+	python -c "import cdktf_cdktf_provider_random"
+	python -c "import cdktf_cdktf_provider_aws"
 
-test:
-	poetry run ruff check --no-fix
-	poetry run ruff format --check
-	poetry run mypy
-	poetry run pytest -vv --cov=$(CODE_ROOT) --cov-report=term-missing --cov-report xml
 .PHONY: test
+test: image_tests code_tests dependency_tests
 
-build-deploy:
-	$(CONTAINER_ENGINE) build --build-arg MAKE_TARGET=pypi $(foreach arg,$(BUILD_ARGS),--build-arg $(arg)) .
-.PHONY: build-deploy
+.PHONY: build
+build:
+	$(CONTAINER_ENGINE) build --progress plain -t er-aws-elasticache:test .
 
-pypi:
-	poetry publish --build --skip-existing
-.PHONY: pypi
+.PHONY: dev
+dev:
+	# Prepare local development environment
+	uv sync
+	# The CDKTF python module generation needs at least 12GB of memory!
+	$(CONTAINER_ENGINE) run --rm -it -v $(PWD)/:/home/app/src -v $(PWD)/.gen:/cdktf-providers:z --entrypoint cdktf-provider-sync quay.io/redhat-services-prod/app-sre-tenant/er-base-cdktf-main/er-base-cdktf-main:latest /cdktf-providers
+	cp sitecustomize.py $(SITE_PACKAGES_DIR)