Conversation
- Replace kubernetes_deployment with a local Helm chart (charts/platform-code-test-app) - Chart exposes db.host, db.user, db.existingSecret values for Q3 (secrets question) - Add sensitive terraform outputs for db_host, db_user, db_password - Add management.tf data source for pre-existing kubernetes-cluster-admin role - Remove assume_role from kubernetes_admin provider to fix fresh-apply bootstrap issue Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Migrates the app workload deployment from a Terraform-managed Kubernetes Deployment to a local Helm chart, to make iterative changes (notably secrets/env injection) faster and more candidate-friendly, while also exposing DB connection details via Terraform outputs.
Changes:
- Replaced
kubernetes_deploymentwith ahelm_releasepointing at a local chart (charts/platform-code-test-app). - Added Terraform outputs for DB host/user/password (password marked sensitive).
- Removed
assume_roleusage from theaws.kubernetes_adminprovider alias and added a new IAM role data lookup.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| terraform/providers.tf | Removes assume_role from the k8s-admin AWS provider alias; leaves token-selection logic in place. |
| terraform/outputs.tf | Adds DB connection outputs (including sensitive password output). |
| terraform/management.tf | Adds a data lookup for the kubernetes-cluster-admin IAM role. |
| terraform/app_deployment.tf | Switches app deployment to a Helm release using the local chart and sets name/image values. |
| charts/platform-code-test-app/Chart.yaml | Introduces Helm chart metadata for the app. |
| charts/platform-code-test-app/values.yaml | Defines configurable image/resources and DB env/secret values. |
| charts/platform-code-test-app/templates/deployment.yaml | Creates the Kubernetes Deployment and conditionally injects DB env vars/secret. |
| charts/platform-code-test-app/templates/_helpers.tpl | Adds a helper for generating the app name. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
terraform/management.tf
Outdated
| data "aws_iam_role" "kubernetes_cluster_admin" { | ||
| name = "kubernetes-cluster-admin" | ||
| } |
There was a problem hiding this comment.
This data source is currently unused anywhere in the Terraform config, so it adds maintenance overhead without affecting behavior. Either wire it into the places that need the cluster-admin role ARN (e.g., access entry / role assumption logic) or remove it until it’s needed.
| data "aws_iam_role" "kubernetes_cluster_admin" { | |
| name = "kubernetes-cluster-admin" | |
| } |
terraform/providers.tf
Outdated
| # assume_role is omitted — interviewers always take the @deliveroo.co.uk | ||
| # bootstrap path. Candidates are given credentials with a direct EKS access entry. | ||
| provider "aws" { | ||
| region = var.region | ||
| alias = "kubernetes_admin" |
There was a problem hiding this comment.
With assume_role removed, the aws.kubernetes_admin provider alias no longer differs from the default aws provider. That makes the extra aws_eks_cluster_auth.admin path / token branching redundant; consider collapsing to a single AWS provider + single aws_eks_cluster_auth to reduce configuration complexity.
| {{- if or .Values.db.host .Values.db.existingSecret }} | ||
| env: | ||
| {{- if .Values.db.host }} | ||
| - name: DB_HOST | ||
| value: {{ .Values.db.host | quote }} | ||
| {{- end }} | ||
| {{- if .Values.db.user }} | ||
| - name: DB_USER |
There was a problem hiding this comment.
The env: block is only rendered when db.host or db.existingSecret is set, but not when only db.user is set. This makes db.user a no-op unless another DB value is also provided. Consider gating env: on any of db.host, db.user, or db.existingSecret (or always rendering env: and conditionally including individual vars).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…de to name Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Move kubernetes_ingress_v1 and kubernetes_service from Terraform to Helm chart templates
- Add ingress.yaml and service.yaml to charts/platform-code-test-app/templates/
- Replace set{} blocks with single yamlencode values block to avoid --set comma parsing issues
- Update app_dns.tf to use data source to read ingress hostname from Helm-managed ingress
- Add ingress values to charts/platform-code-test-app/values.yaml
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
kubernetes_deploymentTerraform resource with a local Helm chart (charts/platform-code-test-app), making Q3 (secrets injection) much easier to iterate on — candidates can reason about standard Helm values rather than deeply nested TF HCLdb_host,db_user, anddb_passwordso candidates have a clean way to retrieve DB credentials viaterraform outputdb.host,db.user, anddb.existingSecretvalues — theexistingSecretpattern naturally guides candidates toward creating akubernetes_secretresource rather than passing the password as plaintextmanagement.tfas a data source lookup for the pre-existingkubernetes-cluster-adminIAM roleassume_rolefrom thekubernetes_adminprovider — it was never exercised for interviewers (who always take the@deliveroo.co.ukbootstrap path) and caused fresh-apply failuresMotivation
Q3 was fiddly to test because:
tf applycycles through the slow Kubernetes providerWith this change candidates use
terraform outputto get credentials andhelm upgradesemantics viatf applyon thehelm_releaseresource.Test plan
make tf-applycompletes successfully (66 resources)/healthcheckreturns 200/connectreturns an error (no DB env vars — expected starting state for Q3)terraform output db_passwordreturns the RDS master passwordkubernetes_secret+ wiringdb.existingSecretin thehelm_release🤖 Generated with Claude Code