Summary
The AWS aws_rds_iam deploy path is now validated live (#201 closed — green run, passwordless snapshot against an IAM-auth RDS). The Azure (azure_entra) and GCP (gcp_cloudsql_iam) deploy paths have the same template + runbook (#205) but no live-smoke automation yet.
Port the AWS operator-gated live smoke (.github/workflows/aws-rds-iam-live-smoke.yml) to Azure and GCP:
- Swap the cloud auth: azure/login (Azure OIDC federated credential) / google-github-actions/auth (GCP Workload Identity Federation) instead of aws-actions/configure-aws-credentials.
- Swap the verify path: reach the loopback-only API on the VM — Azure via az vm run-command, GCP via gcloud compute ssh/IAP or the OS-login equivalent — instead of SSM.
- Same shape otherwise: apply → force a collection → assert a passwordless snapshot → always destroy.
Prereqs mirror #201: an IAM-auth-enabled DB (Azure Entra auth on Flexible Server / Cloud SQL IAM auth), the one-time DB principal/grant, and a federated CI identity.
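As an illustration of the shape being asked for, here is a sketch of the ported workflow. It is added here as an example and is not the AWS harness or any project code; it assumes hypothetical per-cloud helper scripts (deploy/<cloud>/apply.sh and destroy.sh), a hypothetical loopback API on the VM at 127.0.0.1:8080 with /collect and /snapshot endpoints, a `live-smoke` GitHub environment with required reviewers as the operator gate, and secrets/vars with the names shown. The passwordless assertion is a placeholder pattern, not the real snapshot format.

```yaml
# Added example, not the project's workflow. One operator-gated live smoke,
# parameterised by cloud. Assumed/hypothetical: deploy/<cloud>/apply.sh and
# destroy.sh, the VM API on 127.0.0.1:8080, the `live-smoke` environment, and
# the secret/var names below.
name: iam-db-live-smoke

on:
  workflow_dispatch:
    inputs:
      cloud:
        description: which deploy path to smoke
        type: choice
        options: [azure, gcp]
        required: true

# Federated CI identity: both azure/login and google-github-actions/auth
# exchange the GitHub OIDC token, so no long-lived cloud secret is stored.
permissions:
  id-token: write
  contents: read

# Never let two live smokes fight over the same cloud resources.
concurrency:
  group: live-smoke-${{ inputs.cloud }}
  cancel-in-progress: false

jobs:
  smoke:
    runs-on: ubuntu-latest
    environment: live-smoke   # required reviewers on this environment = operator gate
    env:
      CLOUD: ${{ inputs.cloud }}
    steps:
      - uses: actions/checkout@v4

      # --- cloud auth (replaces aws-actions/configure-aws-credentials) ---
      - name: Azure login (OIDC federated credential, no client secret)
        if: inputs.cloud == 'azure'
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: GCP auth (Workload Identity Federation, no SA key)
        if: inputs.cloud == 'gcp'
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ secrets.GCP_WIF_PROVIDER }}
          service_account: ${{ secrets.GCP_CI_SERVICE_ACCOUNT }}

      - name: Apply
        run: ./deploy/$CLOUD/apply.sh   # hypothetical helper

      # --- verify path: reach the loopback-only API on the VM (replaces SSM) ---
      - name: Force a collection and fetch the snapshot (Azure, az vm run-command)
        if: inputs.cloud == 'azure'
        run: |
          # run-command returns stdout/stderr wrapped in value[0].message
          az vm run-command invoke \
            --resource-group "${{ vars.AZURE_RG }}" --name "${{ vars.AZURE_VM }}" \
            --command-id RunShellScript \
            --scripts 'curl -sf -X POST http://127.0.0.1:8080/collect && curl -sf http://127.0.0.1:8080/snapshot' \
            --query 'value[0].message' -o tsv > snapshot.txt

      - name: Force a collection and fetch the snapshot (GCP, ssh over IAP / OS Login)
        if: inputs.cloud == 'gcp'
        run: |
          gcloud compute ssh "${{ vars.GCP_VM }}" --zone "${{ vars.GCP_ZONE }}" \
            --tunnel-through-iap --quiet \
            --command 'curl -sf -X POST http://127.0.0.1:8080/collect && curl -sf http://127.0.0.1:8080/snapshot' \
            > snapshot.txt

      - name: Assert the snapshot is passwordless
        run: |
          test -s snapshot.txt
          # Placeholder check (assumed format): no password-shaped field may
          # survive; the only credential in play should be the IAM/Entra token.
          ! grep -Eiq 'password' snapshot.txt

      # Always tear down, even when apply/verify failed, so a red run does not
      # leave an IAM-auth DB and VM billing (and reachable) in the account.
      - name: Destroy
        if: always()
        run: ./deploy/$CLOUD/destroy.sh   # hypothetical helper
```

The two things worth carrying over from the AWS harness unchanged are `if: always()` on the destroy step and `id-token: write` as the only auth-related permission; everything cloud-specific is confined to the auth step and the single verify step.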
Acceptance criteria
- A green workflow_dispatch live smoke for each of Azure and GCP, producing a passwordless snapshot and tearing down, with the run attached here.
Post-RC1 (AWS is the RC blocker and is done). Reference: AWS harness in .github/workflows/aws-rds-iam-live-smoke.yml + deploy/aws/LIVE-SMOKE.md.