We define as much infrastructure as possible in the form of code, using:
The infrastructure-as-code is stored in the following directories:

- `terraform/` — Infrastructure administered by Infra Maintainers, except for resources inside Kubernetes. Most of the infrastructure is defined here.
- `terraform-hisec/` — Infrastructure administered by Infra Owners. This covers for example resources in the `fullstaq-ruby-hisec` Google Cloud project. Because we don't expect the infrastructure in this directory to change very often, we've chosen — for security reasons — not to run Terraform in a CI/CD pipeline. This way we don't have to worry about the security of the CI/CD pipeline's service account. Instead, an Infra Owner runs Terraform manually, using that person's personal Google Cloud credentials.
- `kubernetes/` — Kubernetes resources administered by Infra Maintainers.
- `.github/workflows/apiserver.yml` — Deploys the API server.
Note that not all infrastructure can, or (for security reasons) should, be managed via code. Learn more at Infrastructure bootstrapping.