Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add docs on setting up a new project #340

Merged
merged 4 commits into from
Apr 9, 2021
Merged

Add docs on setting up a new project #340

merged 4 commits into from
Apr 9, 2021

Conversation

yuvipanda
Copy link
Member

Ref #335

@yuvipanda
Copy link
Member Author

We can test this out on #207

@yuvipanda
Copy link
Member Author

Thanks @damianavila! Fixed :)

Copy link
Member

@GeorgianaElena GeorgianaElena left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀 Thank you for writing these instructions @yuvipanda!

your user account.

4. Commit the change, make a PR to the repo with it, and merge it. This is
preferable to pushing to the repo directly. You can self-merge your PR.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you sure you want to allow self-merge when the PR has the potential to destroy things? (the second point you wrote above)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The danger is in the terraform apply step, which is why it doesn't run automatically. Merging doesn't actually trigger anything.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, thanks for the clarification, so how do we make sure others can see/review that "state" before being applied?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great question! What kinda workflow do you think would work here? I don't want to run terraform apply in CI, so not sure how to approach review.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have not worked with the terraform stuff yet (although I have some experience with AWS Cloudformation), but looking quickly at the terraform docs, it seems you have a terraform plan command. That should surface any problem (or deletion you are trying to prevent), right? Then, you could run that command by the CI and detect any "bad" message. And others can review that plan.
Additionally, it seems you can run that command with a -out parameter and get some file that you can eventually run manually later with terraform apply command (modulo you still do not want to run apply within the CI which could be an event happening on the merge event after a successful CI run and approval from others, but I totally get it is frightening to give the CI such destructive power): https://www.terraform.io/docs/cli/commands/plan.html
Finally, I may be saying stupids things (as I did in the other PR) because I do not know yet the deep stuff, so be patient with me 😉

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm a little bit confused now as step 3 is "Check the project has been created and you have access to it" and step 4 is "open the PR" which implies terraform apply was run before opening the PR?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, my brain just caught up with me! Yes, I think we should approve/merge the PR before running terraform apply - always good to have a second pair of eyes on code/configs before actioning anything I think.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. Someone else approves PR

This is where terrraform plan (with sensitive on to prevent leaking info/secret) plays a role, IMHO.
Otherwise, the person reviewing the PR does not have any info about how the plan looks like.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@damianavila @sgibson91 I updated the instructions based on the conversations here. LMK what you think? I wanna balance code review with appropriate load on our small team.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this looks good!

2. Run terraform (with instructions in the org-ops repo README). This will give you a
detailed plan on what exactly terraform will do. [prevent_destroy](https://www.terraform.io/docs/language/meta-arguments/lifecycle.html#prevent_destroy)
is set to most sensitive resources to prevent accidental destruction - however,
you should still scrutinize the plan produced by `terraform apply` carefully before applying it.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
you should still scrutinize the plan produced by `terraform apply` carefully before applying it.
you should still scrutinize the plan produced by `terraform plan` carefully before applying it.

Is this supposed to be terraform plan or do you mean before accepting the Continue with apply? prompt?

Copy link
Contributor

@damianavila damianavila left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, the only remaining thing would be to mark the secrets as sensitive... but looking at https://github.com/2i2c-org/org-ops/blob/main/projects.tfvars, you already have "visible" data there, so I think this is ready as-is.

@yuvipanda
Copy link
Member Author

Thanks, @damianavila! Wanna hit merge? :D

@damianavila damianavila merged commit 352f4de into master Apr 9, 2021
@damianavila damianavila deleted the ops-docs branch April 9, 2021 15:36
@damianavila
Copy link
Contributor

Done 🎉 😉

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants