feat: Deprecating infrastructure-pipelines architecture docs
#1683
Conversation
✅ Deploy Preview for pensive-meitner-faaeee ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
…t this can be shared earlier
There was a problem hiding this comment.
Went through most of this, made one slight change. Really great work here Yousif! I think there's more we can clarify about how access control works, future Pipelines actions, highlighting the enterprise delegated-repo feature etc., but none of that IMO should be blocking for a day 1 launch of these docs.
…m:gruntwork-io/docs into feat/deprecating-infrastructure-pipelines
yhakbar
changed the title
infrastructure-pipelines architecture docsinfrastructure-pipelines architecture docs
…m:gruntwork-io/docs into feat/deprecating-infrastructure-pipelines
There was a problem hiding this comment.
Yousif, this is great! I left a bunch of comments, but to be clear, feel free to merge whenever you'd like, as we'll wind up iterating on these docs several times.
Overall, the docs do a great job of discovering how Pipelines works under the hood, though, there's very limited info on:
- How to install it as a user or a new team (or whether you can install it outside of DF)
- How to use and configure it as an end user
- What the actual UX is like (it might be worth showing a screenshot so users can imagine the flow without having to set it all up)
For next steps, perhaps you could include what you can from the above, and in a follow-up docs update we can fill in the gaps around usability, configuration and UX.
|
|
||
| Gruntwork Pipelines runs as a binary and series of steps in GitHub Actions, determining what _actions_ need to be taken, in which _environments_, based on the [_infrastructure changes_](#infrastructure-change) that occurred. | ||
| Gruntwork Pipelines runs as a combination of a [binary](https://github.com/gruntwork-io/pipelines-cli) and a [GitHub Workflow](https://github.com/gruntwork-io/pipelines-workflows) composed of [GitHub Actions](https://github.com/search?q=topic%3Aaction+topic%3Apipelines+org%3Agruntwork-io&type=repositories), determining what _actions_ need to be taken, in which _environments_, based on the [_infrastructure changes_](#infrastructure-change) that occurred. |
There was a problem hiding this comment.
Nit: The GitHub workflow link is public, but the docs site pops up a "this is a private" dialog box. I'm not sure if we have any way to annotate that a link is public.
|
|
||
| ### Infrastructure change set | ||
|
|
||
| Sometimes users create a pull request that changes more than one file at a time. And sometimes a change to a single file affects how multiple other files will be "applied" to your live cloud account. For example, many users of Terragrunt use a pattern known as "envcommon" as a way to specify a default set of values for modules. | ||
|
|
||
| When more than one infra-change is made at a time, we call this an _infrastructure-change set._ We sometimes call this an "infra-change set" for short. | ||
| When more than one infra-change is made at a time, we call this an _infrastructure-change set._ | ||
|
|
||
| ### Pipelines actions | ||
|
|
There was a problem hiding this comment.
Gruntwork is responsible for adding support for a growing library of Pipelines Actions and we will continue to add more over time.
Should we clarify that Gruntwork will add some, but customers can add their own?
|
|
||
| ## Executor | ||
|
|
||
| The executor takes a pipeline action and infra change as input then performs the action on the infra change. In some cases, like responding to AccountAdded events on merge, the executor will create a pull request in the `infrastructure-live` repository with additional IaC code to provision additional resources. | ||
| The executor takes a pipeline action and infra change as input then performs the action on the infra change. In some cases, like responding to `AccountsAdded` events on merge, the executor will create a subsequent pull request in the `infrastructure-live-root` repository with additional IaC code to baseline the account(s) that were just added. |
There was a problem hiding this comment.
| The executor takes a pipeline action and infra change as input then performs the action on the infra change. In some cases, like responding to `AccountsAdded` events on merge, the executor will create a subsequent pull request in the `infrastructure-live-root` repository with additional IaC code to baseline the account(s) that were just added. | |
| The executor takes a pipeline action and infra change as input, and then performs the action on the infra change. In some cases, like responding to `AccountsAdded` events on merge, the executor will create a subsequent pull request in the `infrastructure-live-root` repository with additional IaC code to baseline the account(s) that were just added. |
|
|
||
| The orchestrator identifies each infrastructure change in the pull request or git commit, classifies the type of infrastructure change it is (e.g. AccountAdded, ModuleChanged, EnvCommonChanged), and determines the right pipelines actions (e.g., `terragrunt plan`, `apply`, or `destroy`) to run based on that infrastructure change. For each infrastructure change, it calls the dispatcher. | ||
| There are two major components in pipelines - the orchestrator and the executor. The orchestrator determines the jobs to be executed and the executor actually executes the jobs and makes any necessary updates in AWS. |
There was a problem hiding this comment.
Can we create a top-level heading like "Components" and then make "Orchestrator" and "Executor" sub-headings under that?
This way each of the following are on the same hierarchy level:
- Components
- Execution flow
- Trust boundaries
|
|
||
| ## Executor | ||
|
|
||
| The executor takes a pipeline action and infra change as input then performs the action on the infra change. In some cases, like responding to AccountAdded events on merge, the executor will create a pull request in the `infrastructure-live` repository with additional IaC code to provision additional resources. | ||
| The executor takes a pipeline action and infra change as input then performs the action on the infra change. In some cases, like responding to `AccountsAdded` events on merge, the executor will create a subsequent pull request in the `infrastructure-live-root` repository with additional IaC code to baseline the account(s) that were just added. |
There was a problem hiding this comment.
| The executor takes a pipeline action and infra change as input then performs the action on the infra change. In some cases, like responding to `AccountsAdded` events on merge, the executor will create a subsequent pull request in the `infrastructure-live-root` repository with additional IaC code to baseline the account(s) that were just added. | |
| The executor takes a pipeline action and infra change as input from the orchestrator, and then performs the specified pipelines actions on the specified infra change. | |
| For example, the orchestrator might specify that there was a `ModuleChanged` infra-change on `/dev/us-west-2/database` and that the executor should execute a `terragrunt apply`. The executor will then run `terragrunt apply` on `/dev/us-west-2/database`. | |
| In some cases, the executor will create a new pull request in a different git repo after the original pull request is merged. For example, when Pipelines detects an `AccountsAdded` infra-change, once the pull request is merged, Pipelines will open a new pull request in the `infrastructure-live-root` repository with additional IaC code to add a configuration baseline to the AWS account(s) that were just added. |
| @@ -1,9 +1,45 @@ | |||
| # Repository Access | |||
There was a problem hiding this comment.
This page is great, but it assumes prior knowledge of what each of the three repos is. I argued in an earlier comment that we should describe those repos in the architecture page. Perhaps it's worth including an info callout that points back to that here?
|
|
||
| The diagram below visually illustrates the above teams: | ||
| Gruntwork recommends that you grant permissions to GitHub repositories by defining three [GitHub Teams](https://docs.github.com/en/organizations/organizing-members-into-teams/about-teams), which should map to three separate personas in your organization. Each team and its permissions are designed to apply the [_principle of least privilege_](https://en.wikipedia.org/wiki/Principle_of_least_privilege) to each individual (or machine user) in your organization for them to be able to perform changes to your infrastructure. |
There was a problem hiding this comment.
| Gruntwork recommends that you grant permissions to GitHub repositories by defining three [GitHub Teams](https://docs.github.com/en/organizations/organizing-members-into-teams/about-teams), which should map to three separate personas in your organization. Each team and its permissions are designed to apply the [_principle of least privilege_](https://en.wikipedia.org/wiki/Principle_of_least_privilege) to each individual (or machine user) in your organization for them to be able to perform changes to your infrastructure. | |
| ## Recommended roles and GitHub teams | |
| Gruntwork recommends that you grant permissions to GitHub repositories by defining three [GitHub Teams](https://docs.github.com/en/organizations/organizing-members-into-teams/about-teams), which should map to three separate personas in your organization. Each team and its permissions are designed to apply the [_principle of least privilege_](https://en.wikipedia.org/wiki/Principle_of_least_privilege) to each individual (or machine user) in your organization for them to be able to perform changes to your infrastructure. |
There was a problem hiding this comment.
I found the team names a little confusing and hard to follow. Perhaps we could identify and describe the roles and then recommend team names associated with those roles?
For example, I see the following roles based on your write-up:
- Root
- Infrastructure collaborators
- Infrastructure observers
| This documentation pertains to an old version of Gruntwork Pipelines which used the `infrastructure-pipelines` repository. [Click here](../../pipelines/overview/) to view documentation for the most recent version. | ||
| ::: | ||
|
|
||
| Gruntwork Pipelines is designed to be used with a PR based workflow. |
There was a problem hiding this comment.
| Gruntwork Pipelines is designed to be used with a PR based workflow. | |
| Gruntwork Pipelines is designed to be used with a pull-request (PR) based workflow. |
Some users may not be familiar with that acronym. That being said, I think we only need to define it once per page.
| @@ -3,7 +3,13 @@ import TabItem from '@theme/TabItem'; | |||
|
|
|||
| # Machine users | |||
There was a problem hiding this comment.
This content is excellent, but it seems like the closest thing we have to "installation" instructions. Perhaps we should create a new sidebar section called "Initial setup" and list this there? Also, could you clarify when a user would need to do this? Or perhaps we should clarify explicitly that Gruntwork Pipelines is only available with DF, but will be available for standalone installation soon?
| @@ -103,16 +81,27 @@ const sidebar = [ | |||
| collapsible: false, | |||
| items: [ | |||
| { | |||
| label: "Upgrading from ECS Deploy Runner", | |||
| label: "Infrastructure Pipelines", | |||
There was a problem hiding this comment.
Hm, we're adopting the terms "Infrastructure Pipelines" and "Gruntwork Pipelines" but that seems awfully subtle. Not sure what else to use, though...
Given that nothing seems to require stopping the show, I will merge this, then circle back to your feedback! |
Deprecating the legacy documentation for Gruntwork Pipelines that leveraged the
infrastructure-pipelinesrepository.