bump cdktf base 6.0 and refactor (#72)

* fix: add missing deletion_protection to validate plan
* feat: use er-base-cdktf 0.6.0
* refactor: move aws api to utils
* refactor: Dockerfile run test from builder
* chore: Bump base image to cdktf-0.20.11-tf-1.6.6-py-3.12-v0.6.0-2
* fix(konflux): remove taskRunSpecs overrides

---------

Signed-off-by: Di Wang <[email protected]>

Author: hemslo

.tekton/main-pull-request.yaml

@@ -30,27 +30,6 @@ spec:
     value: .
   - name: target-stage
     value: test
-  - name: build-platforms
-    value:
-    - linux/x86_64
-    # - linux-m2xlarge/arm64
-  taskRunSpecs:
-  - pipelineTaskName: build-container
-    stepSpecs:
-    - name: build
-      computeResources:
-        requests:
-          memory: 20Gi
-        limits:
-          memory: 20Gi
-  - pipelineTaskName: ecosystem-cert-preflight-checks
-    stepSpecs:
-    - name: check-container
-      computeResources:
-        requests:
-          memory: 4Gi
-        limits:
-          memory: 4Gi
   pipelineRef:
     resolver: git
     params:

.tekton/main-push.yaml

@@ -27,27 +27,6 @@ spec:
     value: .
   - name: target-stage
     value: prod
-  - name: build-platforms
-    value:
-    - linux/x86_64
-    # - linux-m2xlarge/arm64
-  taskRunSpecs:
-  - pipelineTaskName: build-container
-    stepSpecs:
-    - name: build
-      computeResources:
-        requests:
-          memory: 20Gi
-        limits:
-          memory: 20Gi
-  - pipelineTaskName: ecosystem-cert-preflight-checks
-    stepSpecs:
-    - name: check-container
-      computeResources:
-        requests:
-          memory: 4Gi
-        limits:
-          memory: 4Gi
   pipelineRef:
     resolver: git
     params:

Dockerfile

@@ -1,28 +1,27 @@
-FROM quay.io/redhat-services-prod/app-sre-tenant/er-base-cdktf-main/er-base-cdktf-main:cdktf-0.20.11-tf-1.6.6-py-3.11-v0.5.0-1@sha256:0c6f11a1a4057ceb6ea9fb9f5ec7eb0a5a2bdf7730416cbddda87b0f509e59a5  AS base
+FROM quay.io/redhat-services-prod/app-sre-tenant/er-base-cdktf-main/er-base-cdktf-main:cdktf-0.20.11-tf-1.6.6-py-3.12-v0.6.0-2 AS base
 # keep in sync with pyproject.toml
-LABEL konflux.additional-tags="0.3.0"
+LABEL konflux.additional-tags="0.3.1"
 
 FROM base AS builder
 COPY --from=ghcr.io/astral-sh/uv:0.5.25@sha256:a73176b27709bff700a1e3af498981f31a83f27552116f21ae8371445f0be710 /uv /bin/uv
 
-COPY cdktf.json ./
-# Download all necessary CDKTF providers and build the python cdktf modules.
-# The python modules must be stored in the .gen directory because cdktf needs them there.
-RUN cdktf-provider-sync .gen
-
 # Python and UV related variables
 ENV \
     # compile bytecode for faster startup
     UV_COMPILE_BYTECODE="true" \
     # disable uv cache. it doesn't make sense in a container
     UV_NO_CACHE=true \
-    UV_NO_PROGRESS=true
+    UV_NO_PROGRESS=true \
+    VIRTUAL_ENV="${APP}/.venv" \
+    PATH="${APP}/.venv/bin:${PATH}"
 
-COPY pyproject.toml uv.lock ./
+COPY cdktf.json pyproject.toml uv.lock ./
 # Test lock file is up to date
 RUN uv lock --locked
 # Install dependencies
 RUN uv sync --frozen --no-group dev --no-install-project --python /usr/bin/python3
+# Download all necessary terraform providers
+RUN cdktf-provider-sync
 
 # the source code
 COPY README.md  ./
@@ -31,29 +30,22 @@ COPY er_aws_rds ./er_aws_rds
 # Sync the project
 RUN uv sync --frozen --no-group dev
 
-FROM base AS prod
-# get cdktf providers
-COPY --from=builder ${TF_PLUGIN_CACHE_DIR} ${TF_PLUGIN_CACHE_DIR}
-# get our app with the dependencies
-COPY --from=builder ${APP} ${APP}
-
-ENV \
-    # Use the virtual environment
-    PATH="${APP}/.venv/bin:${PATH}" \
-    # cdktf python modules path
-    PYTHONPATH="$APP/.gen"
-
-FROM prod AS test
-COPY --from=ghcr.io/astral-sh/uv:0.5.25@sha256:a73176b27709bff700a1e3af498981f31a83f27552116f21ae8371445f0be710 /uv /bin/uv
-
+FROM builder as test
 # install test dependencies
 RUN uv sync --frozen
 
 COPY Makefile ./
 COPY tests ./tests
+# Empty $JSII_RUNTIME_PACKAGE_CACHE_ROOT (/tmp/jsii-runtime-cache) again because the test stage created files there,
+# and we want to run this test image in the dev environment, requires files owned by a random uid
+RUN make test && rm -rf "$JSII_RUNTIME_PACKAGE_CACHE_ROOT"
 
-RUN make test
+FROM base AS prod
+# get cdktf providers
+COPY --from=builder ${TF_PLUGIN_CACHE_DIR} ${TF_PLUGIN_CACHE_DIR}
+# get our app with the dependencies
+COPY --from=builder ${APP} ${APP}
 
-# Empty /tmp again because the test stage might have created files there, e.g. JSII_RUNTIME_PACKAGE_CACHE_ROOT
-# and we want to run this test image in the dev environment
-RUN rm -rf /tmp/*
+ENV \
+    VIRTUAL_ENV="${APP}/.venv" \
+    PATH="${APP}/.venv/bin:${PATH}"

Makefile

@@ -1,4 +1,3 @@
-SITE_PACKAGES_DIR ?= $(shell .venv/bin/python3 -c 'import sysconfig; print(sysconfig.get_paths()["purelib"])')
 CONTAINER_ENGINE ?= $(shell which podman >/dev/null 2>&1 && echo podman || echo docker)
 
 .PHONY: format
@@ -8,8 +7,8 @@ format:
 
 .PHONY: image_tests
 image_tests:
-	# test /tmp must be empty
-	[ -z "$(shell ls -A /tmp)" ]
+	# test /tmp/jsii-runtime-cache not created
+	[ ! -d "/tmp/jsii-runtime-cache" ]
 	# validate_plan.py must exist
 	[ -f "hooks/validate_plan.py" ]
 
@@ -20,23 +19,17 @@ code_tests:
 	uv run mypy
 	uv run pytest -vv --cov=er_aws_rds --cov-report=term-missing --cov-report xml
 
-.PHONY: dependency_tests
-dependency_tests:
-	python -c "import cdktf_cdktf_provider_random"
-	python -c "import cdktf_cdktf_provider_aws"
-
 .PHONY: test
-test: image_tests code_tests dependency_tests
+test: image_tests code_tests
+
+.PHONY: build_test
+build_test:
+	$(CONTAINER_ENGINE) build --progress plain --target test -t er-aws-rds:test .
 
 .PHONY: build
 build:
-	$(CONTAINER_ENGINE) build --progress plain -t er-aws-rds:test .
+	$(CONTAINER_ENGINE) build --progress plain --target prod -t er-aws-rds:prod .
 
 .PHONY: dev
 dev:
-	# Prepare local development environment
 	uv sync
-	# The CDKTF python module generation needs at least 12GB of memory!
-	mkdir -p .gen
-	$(CONTAINER_ENGINE) run --rm -it -v $(PWD)/:/home/app/src -v $(PWD)/.gen:/cdktf-providers:z --entrypoint cdktf-provider-sync quay.io/redhat-services-prod/app-sre-tenant/er-base-cdktf-main/er-base-cdktf-main:latest /cdktf-providers
-	cp sitecustomize.py $(SITE_PACKAGES_DIR)

cdktf.json

@@ -2,6 +2,6 @@
   "language": "python",
   "app": "er-aws-rds",
   "sendCrashReports": "false",
-  "terraformProviders": ["random@ = 3.6.3", "aws@ = 5.50.0"],
+  "terraformProviders": [],
   "projectId": "49778ce7-523f-482c-a0e7-bad21132b58c"
 }

hooks/__init__.py

@@ -0,0 +1,42 @@
+from collections.abc import Mapping
+from typing import TYPE_CHECKING, Any
+
+from boto3 import Session
+from botocore.config import Config
+from mypy_boto3_rds import RDSClient
+
+if TYPE_CHECKING:
+    from mypy_boto3_rds.type_defs import FilterTypeDef
+
+
+class AWSApi:
+    """AWS Api Class"""
+
+    def __init__(self, config_options: Mapping[str, Any]) -> None:
+        self.session = Session()
+        self.config = Config(**config_options)
+
+    def get_rds_client(self) -> RDSClient:
+        """Gets a boto RDS client"""
+        return self.session.client("rds", config=self.config)
+
+    def get_rds_valid_update_versions(self, engine: str, version: str) -> set[str]:
+        """Gets the valid update versions"""
+        data = self.get_rds_client().describe_db_engine_versions(
+            Engine=engine, EngineVersion=version, IncludeAll=True
+        )
+
+        if data["DBEngineVersions"] and len(data["DBEngineVersions"]) == 1:
+            return {
+                item.get("EngineVersion", "-1")
+                for item in data["DBEngineVersions"][0].get("ValidUpgradeTarget", [])
+            }
+        return set[str]()
+
+    def get_rds_parameter_groups(self, engine: str) -> set[str]:
+        """Gets the existing parameter groups by engine"""
+        filters: list[FilterTypeDef] = [
+            {"Name": "db-parameter-group-family", "Values": [engine]},
+        ]
+        resp = self.get_rds_client().describe_db_parameter_groups(Filters=filters)
+        return {group["DBParameterGroupName"] for group in resp["DBParameterGroups"]}

hooks/utils/__init__.py

@@ -2,65 +2,24 @@
 
 import logging
 import sys
-from collections.abc import Mapping
-from typing import TYPE_CHECKING, Any
 
 import semver
-from boto3 import Session
-from botocore.config import Config
 from external_resources_io.input import parse_model, read_input_from_file
 from external_resources_io.terraform import (
     Action,
     Plan,
     ResourceChange,
     TerraformJsonPlanParser,
 )
-from mypy_boto3_rds import RDSClient
-
-if TYPE_CHECKING:
-    from mypy_boto3_rds.type_defs import FilterTypeDef
-
 
 from er_aws_rds.input import AppInterfaceInput
+from hooks.utils.aws_api import AWSApi
 
 logging.basicConfig(level=logging.INFO)
 logger = logging.getLogger("botocore")
 logger.setLevel(logging.ERROR)
 
 
-class AWSApi:
-    """AWS Api Class"""
-
-    def __init__(self, config_options: Mapping[str, Any]) -> None:
-        self.session = Session()
-        self.config = Config(**config_options)
-
-    def get_rds_client(self) -> RDSClient:
-        """Gets a boto RDS client"""
-        return self.session.client("rds", config=self.config)
-
-    def get_rds_valid_update_versions(self, engine: str, version: str) -> set[str]:
-        """Gets the valid update versions"""
-        data = self.get_rds_client().describe_db_engine_versions(
-            Engine=engine, EngineVersion=version, IncludeAll=True
-        )
-
-        if data["DBEngineVersions"] and len(data["DBEngineVersions"]) == 1:
-            return {
-                item.get("EngineVersion", "-1")
-                for item in data["DBEngineVersions"][0].get("ValidUpgradeTarget", [])
-            }
-        return set[str]()
-
-    def get_rds_parameter_groups(self, engine: str) -> set[str]:
-        """Gets the existing parameter groups by engine"""
-        filters: list[FilterTypeDef] = [
-            {"Name": "db-parameter-group-family", "Values": [engine]},
-        ]
-        resp = self.get_rds_client().describe_db_parameter_groups(Filters=filters)
-        return {group["DBParameterGroupName"] for group in resp["DBParameterGroups"]}
-
-
 class RDSPlanValidator:
     """The plan validator class"""
 
@@ -139,6 +98,7 @@ def _validate_deletion_protection_not_enabled_on_destroy(self) -> None:
     def validate(self) -> bool:
         """Validate method"""
         self._validate_major_version_upgrade()
+        self._validate_deletion_protection_not_enabled_on_destroy()
         return not self.errors
 
 

hooks/utils/aws_api.py

@@ -5,14 +5,16 @@ description = "ERv2 module for managing AWS rds instances"
 authors = [{ name = "AppSRE", email = "[email protected]" }]
 license = { text = "Apache 2.0" }
 readme = "README.md"
-requires-python = "~= 3.11.0"
+requires-python = "~= 3.12.0"
 dependencies = [
     "boto3 ~=1.35.47",
     "cdktf ==0.20.10",
+    "cdktf-cdktf-provider-aws==19.19.0",
+    "cdktf-cdktf-provider-random==11.0.3",
     "external-resources-io ~=0.4.0",
-    "pydantic ~=2.10.0",
-    # the cdktf provider are generated by cdktf-provider-sync. See Makefile and Dockerfile
     "mypy_boto3_rds ~=1.35.72",
+    "pip>=25.0",
+    "pydantic ~=2.10.0",
     "semver>=3.0.2",
 ]
 

hooks/validate_plan.py

@@ -1,4 +1,5 @@
 import json
+import tempfile
 from typing import Any
 
 import pytest
@@ -16,12 +17,13 @@
 
 def build_synth(additional_data: dict[str, Any] | None = None) -> str:
     """Create Synth"""
-    stack = Stack(
-        Testing.app(),
-        "CDKTF",
-        input_object(additional_data=additional_data),
-    )
-    return Testing.synth(stack)
+    with tempfile.TemporaryDirectory() as outdir:
+        stack = Stack(
+            Testing.app(outdir=outdir),
+            "CDKTF",
+            input_object(additional_data=additional_data),
+        )
+        return Testing.synth(stack)
 
 
 def test_should_contain_rds_instance() -> None:

pyproject.toml

@@ -1,7 +1,3 @@
-import sys
-from pathlib import Path
-
-sys.path.append(str(Path(__file__).parent.parent))
 from external_resources_io.terraform import Action, Plan
 from hooks.validate_plan import RDSPlanValidator
 
@@ -29,7 +25,7 @@ def test_validate_deletion_protection_not_enabled_on_destroy() -> None:
     })
 
     validator = RDSPlanValidator(plan, input_object())
-    validator._validate_deletion_protection_not_enabled_on_destroy()  # noqa: SLF001
+    validator.validate()
     assert validator.errors == [
         "Deletion protection cannot be enabled on destroy. Disable deletion_protection first to remove the instance"
     ]