GitHub configuration with OpenTofu #42
Closed
64 changes: 64 additions & 0 deletions
art-decisions/proposals/2023-10-09-github-configuration-as-code.md
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,64 @@ | ||
# GitHub Configuration as Code | ||
|
||
Automate and manage GitHub configuration with [OPenTofu][1] | ||
|
||
## Voting Period | ||
|
||
The voting period for this proposal will be open for 10 days from its submission. | ||
|
||
## Benefits | ||
|
||
OpenTofu is typically not used to configure GitHub repositories directly; | ||
instead, it is primarily used for infrastructure as code (IaC) to provision and | ||
manage cloud resources and infrastructure components. However, there might be | ||
scenarios where we would want to use it in conjunction with GitHub | ||
repositories or GitHub Actions to automate and manage certain aspects of our | ||
GitHub configuration. Here are some reasons why we might consider using | ||
it for such tasks: | ||
|
||
1. Infrastructure as Code (IaC) Consistency: If the development workflow relies | ||
heavily on GitHub repositories, using OpenTofu allows to define and maintain | ||
GitHub configuration as code, ensuring consistency and reproducibility across | ||
all current and future projects. | ||
|
||
2. Automated Repository Setup: OpenTofu can be used to automate the creation of | ||
GitHub repositories, organizations, teams, and access controls. This can be | ||
especially useful if we have a large number of repositories to manage or need to | ||
set up repositories with a specific structure or permissions. | ||
|
||
3. Integration with Other Infrastructure: If our application's infrastructure is | ||
defined and managed using OpenTofu, we can integrate our GitHub repository | ||
setup into our broader infrastructure provisioning process. For example, we | ||
might need to create a new repository as part of deploying a new application. | ||
|
||
4. Version Control and Collaboration: Just like with infrastructure code, | ||
storing our GitHub configuration in version-controlled OpenTofu code enables | ||
collaboration, code review, and change tracking. We can use Git to manage | ||
changes to our GitHub configurations. | ||
|
||
5. Documentation and Compliance: By defining our GitHub configurations in | ||
OpenTofu, we can create documentation that describes our organization's GitHub | ||
policies, repository structures, and access controls. This documentation can be | ||
versioned alongside the codebase. | ||
|
||
6. Cross-Cloud and Multi-Platform Environments: If our organization uses | ||
multiple cloud providers or platforms and needs to manage GitHub repositories | ||
across them, OpenTofu provides a unified way to define and manage these | ||
resources. | ||
|
||
7. Scaling and Managing Growth: As the organization grows, we may need to create | ||
and manage numerous repositories. OpenTofu allows to scale the GitHub | ||
repository management processes efficiently. | ||
|
||
8. Change Management: With OpenTofu, we can easily make changes to our GitHub | ||
configurations, such as adding or removing collaborators, updating team | ||
permissions, or modifying repository settings, all while maintaining version | ||
history and change tracking. | ||
|
||
In summary, while OpenTofu is not the primary tool for configuring GitHub | ||
repositories, it can be a valuable addition to our DevOps toolkit when we need | ||
to automate, manage, and maintain GitHub configurations in a consistent and | ||
reproducible manner, especially in the context of larger infrastructure and | ||
development workflows. | ||
|
||
[1]: https://github.com/platform-engineering-org/terraform-github-configuration-module |
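Review bot: The proposal has only a Benefits section, and item 2 puts organizations, teams, and access controls under OpenTofu management without saying which credential applies the changes, how that credential is scoped and stored, where the state is kept, or how changes made outside OpenTofu are detected. Suggest adding a short section covering those points before the vote opens. In the line `Automate and manage GitHub configuration with [OPenTofu][1]`, the name is misspelled, and reference `[1]` resolves to terraform-github-configuration-module rather than to OpenTofu itself, so the link text should name the module or a separate reference for OpenTofu should be added.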
Replace `P` with `p` in `OPenTofu`.
If I may stick my nose into this issue as an outsider/OpenTofu core dev, OpenTofu is not the best choice for this, that would be GitHub Enterprise. AFAIK there are several security settings you can't enforce on repos unless you have enterprise. I wrote a tool a while ago to fill the gap, but haven't continued developing it. As a side note, joining the CNCF would get you access to GitHub Enterprise if I remember correctly.
As far as OpenTofu is concerned, you would need to make sure no changes are made outside of OpenTofu and/or you'll have to deal with configuration drift.
Your nose is always welcome. ;)
I'll check with Amye at the CNCF about the GitHub Enterprise question. If that is the case, and if we are ready to put ourselves on the CNCF sandbox track now, then perhaps that is the better approach.
this seems like a great idea