GitHub as code with Terraform #9
terraform/main.tf
@@ -0,0 +1,4 @@ | |||
provider "github" { | |||
token = "" |
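Review bot: `token = ""` in the provider block is an empty hard-coded credential; the github provider treats `token` as optional and reads GITHUB_TOKEN from the environment when the argument is absent, so drop the line entirely rather than leaving a literal that invites someone to paste a real token into a committed file.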
If we define a variable like variable "token" { description = "GitHub Token" } we can change this to token = var.token. By then setting the environment variable TF_VAR_token=$GH_TOKEN within the GitHub Action (or using the Terraform "-var" arguments) we will have this value specified.
@@ -0,0 +1,171 @@ | |||
resource "github_membership" "amenowanna" { |
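Review bot: one `github_membership` resource per user (this hunk alone is 171 lines) is hard to review and easy to let drift; a single resource with `for_each = toset(var.members)` keyed by username gives one state entry per person, so removing a name from the middle of the list destroys only that membership instead of re-indexing everyone after it the way `count` would.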
We can create a variable for this:

variable "admins" {
  type    = list(string)
  # a variable block takes "default", not "value"
  default = [
    "amenowanna",
    "benr",
    # ...
  ]
}

(I may have gotten the type wrong here, you probably don't need the type. Variable definitions should be kept in variables.tf.)
And then:

resource "github_membership" "admin" {
  # length() is the Terraform built-in; count.index walks the list
  count    = length(var.admins)
  username = var.admins[count.index]
  role     = "admin"
}

There is also a for_each way to do this, but I am not as familiar with that. (maybe we need to use a for_each to avoid a rebuild when the list is modified from the beginning or middle)
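The for_each form mentioned in the comment above, written out as an added example; this is not code from this PR or from the tinkerbell/.github repository. The variable is declared the way variables.tf would declare it, the provider block carries no token because the integrations/github provider reads GITHUB_TOKEN from the environment, and the memberships are keyed by username so state addresses do not shift when the list changes. Assumptions: the organization name "tinkerbell" in `owner` (the attribute name used by provider v4 and later), the variable name `admins`, and the two usernames, which are the ones the comment lists and serve only as illustration.

```hcl
# Added example (not from the PR): variables.tf-style input plus a single
# github_membership resource keyed by username.

terraform {
  required_providers {
    github = {
      source  = "integrations/github"
      version = ">= 4.0" # assumed: "owner" replaced "organization" in v4
    }
  }
}

# No token argument on purpose: the provider reads GITHUB_TOKEN from the
# environment, which GitHub Actions and Terraform Cloud can inject without
# the value ever appearing in this file or in plan output as an input.
provider "github" {
  owner = "tinkerbell" # assumed organization name; adjust to the real org
}

variable "admins" {
  description = "GitHub usernames that hold the admin role in the organization"
  type        = list(string)
  # Illustrative names taken from the review comment above, not a real roster.
  default     = ["amenowanna", "benr"]

  validation {
    # toset() would silently drop a duplicate; fail loudly instead so a
    # copy-paste error in the roster is noticed at plan time.
    condition     = length(var.admins) == length(distinct(var.admins))
    error_message = "admins must not contain duplicate usernames."
  }
}

# for_each keyed by username: each instance is addressed as
# github_membership.admin["benr"], so dropping a name from the list destroys
# only that membership instead of re-creating everyone after it, which is
# what count.index does when an element is removed from the beginning or
# middle of the list.
resource "github_membership" "admin" {
  for_each = toset(var.admins)
  username = each.value
  role     = "admin"
}
```

Moving an existing `count`-based resource to this shape changes every state address, so the one-time migration needs `terraform state mv` (or, on Terraform 1.1 and later, `moved` blocks) for each member before the first plan, otherwise the plan will show every membership being destroyed and re-created.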
No, please! :D Do not ask me to make this dynamic now... it is already a pain to sync all the resources with the local state. I will leave the prettification of this for somebody else or at least for phase 2 when we will reorder all teams and members. Does it sound good?
Pleasee!!
An S3 bucket can also be used for storage.
force-pushed from 7a8f87f to ff31659
Signed-off-by: Gianluca Arbezzano <gianarb92@gmail.com>
force-pushed from 1417c28 to d2a3bf7
At the current time, we do not have an easy way to set up infrastructure that is not managed by a team in Equinix Metal. And as part of CNCF now we should try to mitigate the dependencies on Equinix Metal as a team, not as a product, because we know a lot of the compute power CNCF has comes from Equinix Metal! At the current stage, just to keep things going, I set up a new organization in Terraform Cloud called Tinkerbell, and that's where the state gets stored. @rawkode is helping us figure out how to have a way to declare infrastructure with Pulumi, and as soon as we onboard more services from CNCF I presume we will be able to move to AWS S3 in the right account, or to Minio in the Tinkerbell infrastructure as soon as we have one. I also saw that 1Password has a provider for Terraform; not sure how it works, but we have an account there as you know, and as a follow-up to this I would like to investigate if we can control users and access to 1Password from Terraform and also if we can remove secret drift out of GitHub Secrets (now that's how I store the Terraform Cloud token), centralizing them in 1Password.
force-pushed from a6fc5f1 to b98faad
How about using https://probot.github.io/apps/settings/ ? Managing teams in tf has been a bit of a pain internally and I've been thinking about trying ^ out. It's pretty nice in that we can also extend parts of it in each repo pretty easily.
will waste some time with probot
After an evaluation: the idea to use probot was also good because it didn't require infrastructure to manage, but with GitHub Actions and Terraform Cloud we do not really need a lot more. We will also need something to manage DNS or other services moving forward, so at some point something like Terraform/Pulumi will come back.
Ah yep, totally right that probot/settings won't create teams, and either way we'll want to be able to manage other bits of infra outside of GitHub too anyway.
terraform/main.tf
variable "github_token" { | ||
description = "GitHub token" | ||
type = string | ||
} |
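Review bot: this variable duplicates what the provider already reads from GITHUB_TOKEN, so it can go; if it is kept for explicitness, add `sensitive = true` (Terraform 0.14 and later) so the value is redacted from plan and apply output, and never give it a `default`.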
GITHUB_TOKEN is already looked for by the provider by default, so we can just get rid of this variable altogether.
If that's the case, then we need to remove https://github.com/tinkerbell/.github/pull/9/files#diff-2e617c7870fa918457b1eee1c7d67ba82f19d043ae7b7918db26873e18793028R12 too
ah yes. I thought I had added it to line-range when making my comment.
Does the original value token = "" work? (does the provider use empty values as a signal to use the GITHUB_TOKEN variable?)
No, I fixed that a few days ago when you left the comment :) it was a leftover from my side
force-pushed from b98faad to 6a1eb6e
How will this run? I haven't made workflows in a
force-pushed from c13d87b to ce12c98
.github/settings.yml
@@ -1,14 +0,0 @@ | |||
branches: |
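Review bot: the removal of .github/settings.yml is not explained anywhere in the PR; the file starts with a `branches:` section, so state whether those branch settings are now expressed in the Terraform code or are intentionally dropped, because silently losing branch configuration is a regression that a plan-only workflow will not catch.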
why are we removing this file?
|
||
# .tfstate files | ||
*.tfstate | ||
*.tfstate.* |
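Review bot: `*.tfstate.*` only matches names with a dot after `tfstate`, so the `.tfstate_back` file included in this PR is not covered; `*.tfstate*` catches both the backup naming and `terraform.tfstate.backup`. Add `.terraform/` as well: it holds downloaded provider binaries and the cached backend configuration in `.terraform/terraform.tfstate`, which carries whatever was written in the backend block.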
nice!
but this PR includes a .tfstate_back file (which doesn't match your patterns)
Yeah, I renamed that when moving state to Terraform Cloud. We should be good now. Thanks
force-pushed from ce12c98 to 079c78a
terraform/main.tf
} | ||
|
||
provider "github" { | ||
token = var.github_token |
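Review bot: `var.github_token` is referenced here but its declaration was removed in this revision, so `terraform validate` will fail on an undeclared input variable; remove the `token` argument and rely on GITHUB_TOKEN from the environment, which is what the workflow provides.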
this variable is no longer defined, so I expect this to fail
https://www.terraform.io/docs/providers/github/index.html#token - it is optional, we can remove it.
As @mmlb pointed out, GH Actions will provide the token we need with the environment variable that this TF provider expects.
force-pushed from 8d96801 to c2439f2
Signed-off-by: Gianluca Arbezzano <gianarb92@gmail.com>
force-pushed from c2439f2 to e42b611
if: contains(github.event.pull_request.labels.*.name, 'ci-check/terraform') && steps.plan.outcome == 'failure' | ||
run: exit 1 | ||
# We will introduce it as soon as we validate a few PR and see what plan has to say! | ||
#- name: Terraform Apply |
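Review bot: the `exit 1` step is gated on the `ci-check/terraform` label, so a PR without that label gets a green check even when `steps.plan` fails, because the only step that turns the plan outcome into a job failure never runs; if the label is meant as an opt-in, say so in a comment next to the condition, otherwise drop the label check and let every PR fail on a broken plan. Keeping `Terraform Apply` commented out until plans have been reviewed on a few PRs is the right call.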
Thanks for this latest change, @gianarb! Starting with a terraform plan-only approach is smart thinking.
Description
This PR kicks off the work required to manage the Tinkerbell GitHub organization as code.
For now I would like to start syncing and managing:
This PR needs CI/CD as well. The Terraform state will be stored in Terraform Cloud; CI/CD will work via GitHub Actions.
NB: I have the state file locally, and terraform plan is in sync. I will move it to Terraform soon but I think I need some help @mmlb @displague
Why is this needed
Managing the settings for this organization as code will decrease the chance of undocumented changes. Fewer people will have admin access and everything will have to happen as a pull request, with code review and so on.
As an open community and as members of CNCF we want to be as open as possible, and this is another step in that direction.