Automatically apply changes #4

Closed
vito opened this issue Mar 9, 2021 · 1 comment

Comments

@vito
Member

vito commented Mar 9, 2021

  • run terraform apply
  • run go test to verify the integrity of the state in GitHub

Will need to securely configure a GitHub token with effectively org admin permissions.

Though there is an obvious temptation to use Concourse for this, it's probably worth considering GitHub Actions just to keep the scope of this narrow.

vito added a commit that referenced this issue Mar 10, 2021
* does not store terraform state anywhere; just imports it on every run
  * would be nice if there was a bulk import feature! the internal API
    seems to support it. hashicorp/terraform#22219
* doesn't run apply yet - pushing this for a dry run first.

part of #4

Signed-off-by: Alex Suraci <suraci.alex@gmail.com>
@vito
Member Author

vito commented Mar 10, 2021

All done! GitHub Actions ended up working pretty well for this. It keeps the credential somewhere that it can't even be read, and I was even able to (ab)use actions/cache so that I don't need to store the terraform.tfstate anywhere. This should be fine because all state is on GitHub and can just be imported in the event that the cache is lost.

There is one caveat: if something (e.g. a repo) is removed and the cache is lost, the Import step won't import it, so it won't be destroyed. I have mitigated this by configuring the workflow to run daily, which should keep the cache from expiring, or at least narrow the window of the cache not existing. Running periodically is a good thing to do anyway - it's how we can detect drift and make sure things are staying in sync with the source of truth (this repo).

Another workaround could be to have Import work based on the actual state (e.g. all repos in the org) instead of the desired state (all repos in the repo), but that's a little hardcore; it would mean anything not created through this repo would be destroyed or archived.

For posterity:

@vito vito closed this as completed Mar 10, 2021
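A workflow with the shape the thread describes, as an added example (it is not the repo's own workflow): state is re-imported on every run, terraform.tfstate rides in actions/cache, and the daily schedule doubles as drift detection. Assumed: the Terraform config sits at the repo root and uses the integrations/github provider (owner set in the provider block), each github_repository resource label equals the repo name, and the org-admin token lives in a secret called ORG_ADMIN_TOKEN (placeholder name).

```yaml
# Added example, not the repo's own workflow. Assumes: Terraform config at the
# repo root using the integrations/github provider (owner set in the provider
# block), every github_repository resource label equals the repo name, and a
# secret named ORG_ADMIN_TOKEN (placeholder) holding the org-admin token.
name: apply

on:
  push:
    branches: [main]
  schedule:
    - cron: "0 6 * * *"   # daily: keeps the cache warm and surfaces drift

permissions:
  contents: read          # least privilege for the built-in token

concurrency: terraform-apply   # never let two applies race on the same state

jobs:
  apply:
    runs-on: ubuntu-latest
    env:
      # Read by the github provider; Actions masks the value in job logs.
      GITHUB_TOKEN: ${{ secrets.ORG_ADMIN_TOKEN }}
    steps:
      - uses: actions/checkout@v3
      - uses: hashicorp/setup-terraform@v2

      # Restore the previous run's state. run_id forces a fresh save each run;
      # restore-keys picks up the newest earlier entry. On a miss, Import rebuilds.
      - uses: actions/cache@v3
        with:
          path: terraform.tfstate
          key: tfstate-${{ github.run_id }}
          restore-keys: tfstate-

      - run: terraform init

      # Import every repo declared in *.tf. Importing an already-tracked
      # resource fails, which is harmless here. Repos removed from *.tf are not
      # in this loop, so after a cache miss they are absent from state and
      # apply will not destroy them (the caveat in the thread).
      - name: Import
        run: |
          for repo in $(grep -hoP 'resource "github_repository" "\K[^"]+' *.tf); do
            terraform import "github_repository.$repo" "$repo" || true
          done

      - run: terraform apply -auto-approve
      - run: go test ./...   # verify the state in GitHub matches this repo
```

The scheduled run is what narrows the window in which the cache can expire unnoticed; a failed `go test` on a scheduled run is the drift signal.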