
refactor: migrate building blocks to meshstack_building_block #215

Open

grubmeshi wants to merge 4 commits into main from feature/migrate-to-building-block-v3

Conversation

grubmeshi (Collaborator) commented Jul 2, 2026

What

Migrate the hub off the deprecated meshstack_building_block_v2 and meshstack_buildingblock
resources onto meshstack_building_block.

Why

meshstack_building_block is the recommended resource: it updates inputs, display name and the
definition version in place (PUT + trigger-run) instead of the meshstack_building_block_v2
destroy-and-recreate, and unifies inputs under a single value = jsonencode(...).

Changes

  • Starterkit building blocks (aks, azure-virtual-machine, ske): child blocks migrated
    with moved {} blocks so live blocks move in place — no destroy/recreate.
  • e2e harnesses (azure, meshstack, ske, stackit): resource + assertions switched over. No
    moved {} (ephemeral test state).
  • aws/agentic-coding-sandbox — see the breaking change below.
  • Provider constraint bumped to >= 0.23.0 on touched modules; READMEs regenerated; e2e-test
    skill updated to match.

⚠️ Breaking change: aws/agentic-coding-sandbox

This module used meshstack_buildingblock + meshstack_tenant, chosen because meshstack_tenant
targets a tenant by identifier string while meshstack_building_block targets by uuid. It is now
upgraded to meshstack_tenant_v4 + meshstack_building_block with no moved {} blocks;
existing sandboxes are recreated on next apply (same breaking-upgrade approach used for the e2e
switches). meshstack_tenant_v4 exposes the tenant uuid/ref that target_ref requires, and the
BBD version uuid is resolved from the config's (definition_uuid, version number) via the
meshstack_building_block_definitions data source. Pairs with the provider deprecation of
meshstack_tenant (terraform-provider-meshstack#217).

Migration rules applied

  • Inputs: value_<type> = X → value = jsonencode(X); sensitive → sensitive = { secret_value = X }.
  • CODE inputs double-encode (jsonencode(jsonencode({...}))) per the terraform-runner contract.
  • Outputs: .value_<type> → jsondecode(...value) (CODE/JSON outputs decode twice).

Validation

  • Pre-commit gate green on every commit (run inside nix develop to match CI's pinned
    terraform-docs): Terraform docs / fmt / Validate modules / trailing-whitespace.
  • Scorecard: no new violations.
  • e2e tofu test needs a live meshStack + published provider, so it is left to CI / the smoke-test runner.

🤖 Generated with Claude Code

github-actions Bot (Contributor) commented Jul 2, 2026

Scorecard Check

Scorecard run on commit 5b51dfed7950049396c0a996dd220498b588a9a6 relative to origin/main

📊 meshstack-hub Module Scorecard

Generated: 2026-07-02 | Modules scanned: 12 | Categories: 5

📋 Per-Module Category Summary

Score per category per building block. n/a = category does not apply to this module.

| Module | Overall | Core Structure | Integration | Azure Backplane | STACKIT Backplane | Testing |
|---|---|---|---|---|---|---|
| aks/starterkit | 🟢 86% | 🟢 100% | 🟢 100% | n/a | n/a | 🔴 0% |
| aws/agentic-coding-sandbox | 🟡 70% | 🟢 86% | n/a | n/a | n/a | 🔴 33% |
| azure/azure-virtual-machine-starterkit | 🔴 47% | 🟡 57% | n/a | 🔴 44% | n/a | 🔴 33% |
| azure/budget-alert | 🟢 100% | 🟢 100% | 🟢 100% | 🟢 100% | n/a | 🟢 100% |
| azure/resource-group | 🟢 100% | 🟢 100% | 🟢 100% | 🟢 100% | n/a | 🟢 100% |
| azure/storage-account | 🟢 100% | 🟢 100% | 🟢 100% | 🟢 100% | n/a | 🟢 100% |
| meshstack/github-workflow | 🟢 81% | 🟡 50% | 🟢 92% | n/a | n/a | 🟢 100% |
| meshstack/manual | 🟡 76% | 🟡 50% | 🟢 92% | n/a | n/a | 🟡 67% |
| meshstack/noop | 🟢 100% | 🟢 100% | 🟢 100% | n/a | n/a | 🟢 100% |
| ske/ske-starterkit | 🟢 95% | 🟢 100% | 🟢 100% | n/a | n/a | 🟡 67% |
| stackit/git-repository | 🟢 88% | 🟢 100% | 🟢 100% | n/a | 🔴 25% | 🟢 100% |
| stackit/storage-bucket | 🟢 96% | 🟢 83% | 🟢 100% | n/a | 🟢 100% | 🟢 100% |

⚠️ 8 modules have failing checks — failing categories are expanded below.

Core Structure — some checks failing

Basic module file structure and documentation — applies to 12 modules

| Module | Score |
|---|---|
| aks/starterkit | 🟢 100% |
| aws/agentic-coding-sandbox | 🟢 86% |
| azure/azure-virtual-machine-starterkit | 🟡 57% |
| azure/budget-alert | 🟢 100% |
| azure/resource-group | 🟢 100% |
| azure/storage-account | 🟢 100% |
| meshstack/github-workflow | 🟡 50% |
| meshstack/manual | 🟡 50% |
| meshstack/noop | 🟢 100% |
| ske/ske-starterkit | 🟢 100% |
| stackit/git-repository | 🟢 100% |
| stackit/storage-bucket | 🟢 83% |

Core Structure — Summary

| Emoji | Criterion | Coverage | Status |
|---|---|---|---|
| 📦 | buildingblock/ directory exists | 12/12 | 🟢 100% |
| 🔗 | meshstack_integration.tf present | 10/12 | 🟢 83% |
| 📋 | buildingblock/APP_TEAM_README.md present (no-integration fallback) | 1/2 | 🟡 50% |
| 📝 | buildingblock/README.md with YAML front-matter | 12/12 | 🟢 100% |
| 🖼️ | buildingblock/logo.png included | 9/12 | 🟡 75% |
| 📌 | buildingblock/versions.tf present | 10/12 | 🟢 83% |
| 🔒 | Provider versions use minimum constraint (>=) | 9/12 | 🟡 75% |

Integration — some checks failing

meshstack_integration.tf conventions — applies to 10 modules

| Module | Score |
|---|---|
| aks/starterkit | 🟢 100% |
| azure/budget-alert | 🟢 100% |
| azure/resource-group | 🟢 100% |
| azure/storage-account | 🟢 100% |
| meshstack/github-workflow | 🟢 92% |
| meshstack/manual | 🟢 92% |
| meshstack/noop | 🟢 100% |
| ske/ske-starterkit | 🟢 100% |
| stackit/git-repository | 🟢 100% |
| stackit/storage-bucket | 🟢 100% |

Integration — Summary

| Emoji | Criterion | Coverage | Status |
|---|---|---|---|
| 🏷️ | variable "hub" in integration | 10/10 | 🟢 100% |
| 🏢 | variable "meshstack" in integration | 10/10 | 🟢 100% |
| 📤 | building_block_definition output exposed | 10/10 | 🟢 100% |
| 🔌 | meshcloud/meshstack in required_providers | 10/10 | 🟢 100% |
| 📎 | backplane source uses var.hub.git_ref | 10/10 | 🟢 100% |
| 🔀 | ref_name uses var.hub.git_ref | 8/10 | 🟢 80% |
| 📋 | version_spec.draft uses var.hub.bbd_draft | 10/10 | 🟢 100% |
| 🏷️ | BBD metadata.tags forwards var.meshstack.tags | 10/10 | 🟢 100% |
| 📖 | BBD readme field present | 10/10 | 🟢 100% |
| 📝 | BBD readme starts with plain-text description (no heading) | 10/10 | 🟢 100% |
| 📊 | BBD readme has shared responsibility table (✅/❌) | 10/10 | 🟢 100% |
| 🚫 | No documentation_md output in backplane | 10/10 | 🟢 100% |
| 🔄 | meshstack_platform has lifecycle ignore_changes = [availability] | n/a | |

Azure Backplane — some checks failing

Azure UAMI-based automation principal conventions — applies to 4 modules

| Module | Score |
|---|---|
| azure/azure-virtual-machine-starterkit | 🔴 44% |
| azure/budget-alert | 🟢 100% |
| azure/resource-group | 🟢 100% |
| azure/storage-account | 🟢 100% |

Azure Backplane — Summary

| Emoji | Criterion | Coverage | Status |
|---|---|---|---|
| 🪪 | Uses azurerm_user_assigned_identity | 3/4 | 🟡 75% |
| 🚫 | No azuread_application resources | 4/4 | 🟢 100% |
| 🚫 | No azuread_service_principal resources | 4/4 | 🟢 100% |
| 🔑 | No azuread_application_password resources | 4/4 | 🟢 100% |
| 🔗 | Uses azurerm_federated_identity_credential | 3/4 | 🟡 75% |
| | workload_identity_federation is non-nullable | 3/4 | 🟡 75% |
| 🧹 | No create_service_principal_name toggle | 4/4 | 🟢 100% |
| 📤 | Outputs identity (client_id, principal_id, tenant_id) | 3/4 | 🟡 75% |
| 📍 | Integration has azure_location | 3/4 | 🟡 75% |

STACKIT Backplane — some checks failing

STACKIT WIF-based automation principal conventions — applies to 2 modules

| Module | Score |
|---|---|
| stackit/git-repository | 🔴 25% |
| stackit/storage-bucket | 🟢 100% |

STACKIT Backplane — Summary

| Emoji | Criterion | Coverage | Status |
|---|---|---|---|
| 🔐 | Uses stackit_service_account_federated_identity_provider | 1/2 | 🟡 50% |
| 🚫 | No stackit_service_account_key resource | 2/2 | 🟢 100% |
| 📤 | Outputs service_account_email (not key) | 1/2 | 🟡 50% |
| | Buildingblock provider uses use_oidc = true | 1/2 | 🟡 50% |

Testing — some checks failing

End-to-end test coverage — applies to 12 modules

| Module | Score |
|---|---|
| aks/starterkit | 🔴 0% |
| aws/agentic-coding-sandbox | 🔴 33% |
| azure/azure-virtual-machine-starterkit | 🔴 33% |
| azure/budget-alert | 🟢 100% |
| azure/resource-group | 🟢 100% |
| azure/storage-account | 🟢 100% |
| meshstack/github-workflow | 🟢 100% |
| meshstack/manual | 🟡 67% |
| meshstack/noop | 🟢 100% |
| ske/ske-starterkit | 🟡 67% |
| stackit/git-repository | 🟢 100% |
| stackit/storage-bucket | 🟢 100% |

Testing — Summary

| Emoji | Criterion | Coverage | Status |
|---|---|---|---|
| ⚙️ | backplane/ directory (optional tier) | 9/12 | 🟡 75% |
| 🧪 | e2e/ test directory exists | 9/12 | 🟡 75% |
| | e2e/ contains .tftest.hcl files | 9/12 | 🟡 75% |

📈 Overall Summary

Overall Average Score: 87%

Score Distribution

  • 🟢 High maturity (≥80%): 9 modules
  • 🟡 Medium maturity (50–79%): 2 modules
  • 🔴 Low maturity (<50%): 1 module

@aws-amplify-eu-central-1


This pull request is automatically being deployed by Amplify Hosting.

Access this pull request here: https://pr-215.d1o16zfeoh2slu.amplifyapp.com

@grubmeshi force-pushed the feature/migrate-to-building-block-v3 branch from a687810 to 2ab2787 on July 2, 2026 13:26
@grubmeshi changed the title from "refactor: migrate building blocks to meshstack_building_block (v3)" to "refactor: migrate building blocks to meshstack_building_block" on Jul 2, 2026
grubmeshi and others added 4 commits July 2, 2026 20:21
Migrate the app-team-managed child building blocks in the aks, azure-vm and ske
starterkits from the deprecated meshstack_building_block_v2 to meshstack_building_block.

- Convert per-type inputs (value_string/value_int/value_bool/...) to the unified
  value = jsonencode(...) shape; CODE inputs are double-encoded per the terraform
  runner contract (jsonencode(jsonencode({...}))).
- Read status.outputs via jsondecode(...value).
- Add moved{} blocks so the live blocks migrate in place (no destroy/recreate).
- Bump the meshstack provider constraint to >= 0.23.0 and regenerate READMEs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Switch every e2e smoke-test building block from meshstack_building_block_v2 to
meshstack_building_block, converting inputs to value = jsonencode(...) / sensitive
blocks and rewriting the .tftest.hcl assertions to read outputs via jsondecode(...value)
(CODE/JSON outputs decode twice). No moved{} blocks — e2e runs in ephemeral test state.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

…put shape

Update the e2e-test skill to use meshstack_building_block, the value = jsonencode(...) /
sensitive input shape, and jsondecode(...value) output reads.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

…shstack_building_block

BREAKING CHANGE: replace the deprecated meshstack_tenant + meshstack_buildingblock
resources with meshstack_tenant_v4 and meshstack_building_block. No moved{} blocks are
provided, so existing sandboxes are recreated on next apply — same breaking-upgrade
approach used for the other modules.

- meshstack_tenant -> meshstack_tenant_v4 (platform_identifier moves from metadata to spec;
  tenant_v4 exposes the tenant uuid/ref that target_ref requires).
- meshstack_buildingblock -> meshstack_building_block: target_ref points at
  meshstack_tenant_v4.sandbox.ref; inputs use value = jsonencode(...).
- Resolve the definition version uuid from the config's (definition_uuid, version number)
  via the meshstack_building_block_definitions data source.
- Bump the meshstack provider constraint to >= 0.23.0; regenerate README.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
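The input and output encoding rules stated in the PR description ("Migration rules applied") and repeated in the first and last commit messages above, worked through as an added example. This is not code from the meshstack-hub repository or from the meshStack provider: Terraform's jsonencode/jsondecode are modelled with json.dumps/json.loads, the v2 input shape (one value_<type> key plus a sensitive flag) and the output shape ({type, value}) are assumptions made for the example, and the sample inputs are constructed. It shows the part that is easiest to get wrong when migrating by hand: a CODE input encoded once arrives as an object, one encoded twice arrives as a string holding JSON, and the reader on the status.outputs side has to decode exactly as many times as the writer encoded.

```python
"""Model of the v2 -> meshstack_building_block input/output encoding rules.

Added example; not code from meshstack-hub or the meshStack provider.
Terraform's jsonencode/jsondecode are modelled with json.dumps/json.loads.
"""
import json
from typing import Any


def jsonencode(x: Any) -> str:
    # Terraform's jsonencode emits compact JSON with sorted object keys.
    return json.dumps(x, separators=(",", ":"), sort_keys=True)


def jsondecode(s: str) -> Any:
    return json.loads(s)


def migrate_input(name: str, old: dict) -> dict:
    """Convert one assumed v2 input ({value_<type>: X, sensitive?: bool}) to the v3 shape."""
    value_keys = [k for k in old if k.startswith("value_")]
    if len(value_keys) != 1:
        raise ValueError(f"{name}: expected exactly one value_<type> key, got {value_keys}")
    key = value_keys[0]
    raw = old[key]
    if old.get("sensitive"):
        # sensitive -> sensitive = { secret_value = X }: the secret never lands in `value`
        return {"sensitive": {"secret_value": raw}}
    if key == "value_code":
        # terraform-runner contract: CODE is jsonencode(jsonencode({...})), so the
        # runner sees a JSON *string* whose content is JSON, not a JSON object
        return {"value": jsonencode(jsonencode(raw))}
    # value_<type> = X -> value = jsonencode(X) for string/int/bool/...
    return {"value": jsonencode(raw)}


def migrate_inputs(old_inputs: dict) -> dict:
    return {n: migrate_input(n, spec) for n, spec in old_inputs.items()}


def is_double_encoded(value: str) -> bool:
    """True when `value` decodes to a string that is itself valid JSON (the CODE contract)."""
    outer = jsondecode(value)
    if not isinstance(outer, str):
        return False  # single-encoded object/number/bool: not a CODE payload
    try:
        jsondecode(outer)
    except json.JSONDecodeError:
        return False  # a plain string, e.g. a VM size
    return True


CODE_OUTPUT_TYPES = {"CODE", "JSON"}


def read_output(out: dict) -> Any:
    """Replaces the old `.value_<type>` read: jsondecode once, twice for CODE/JSON outputs.

    Output shape {type, value} is an assumption for this example.
    """
    decoded = jsondecode(out["value"])
    if out.get("type") in CODE_OUTPUT_TYPES:
        decoded = jsondecode(decoded)
    return decoded


# Constructed sample of v2-style inputs for a starterkit child block.
OLD_INPUTS = {
    "size": {"value_string": "Standard_B2s"},
    "node_count": {"value_int": 3},
    "public": {"value_bool": False},
    "admin_password": {"value_string": "hunter2", "sensitive": True},
    "node_labels": {"value_code": {"team": "platform", "tier": "dev"}},
}

if __name__ == "__main__":
    migrated = migrate_inputs(OLD_INPUTS)
    for name, spec in migrated.items():
        print(name, spec)
    code = migrated["node_labels"]["value"]
    print("CODE double-encoded:", is_double_encoded(code))
    print("decoded on the output side:", read_output({"type": "CODE", "value": code}))
```

The same is_double_encoded check is a cheap guard to run over a plan's rendered inputs after a migration: any input declared CODE whose value decodes straight to a dict was encoded once too few.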
@grubmeshi force-pushed the feature/migrate-to-building-block-v3 branch from 113d8b8 to 888f66c on July 2, 2026 18:22