GitHub as code with Terraform

[gianarb]

Description

This PR kicks out the work required to manage the Tinkerbell GitHub organization as code.
For now I would like to start syncing and managing:

• membership
• team
• repository permissions

This PR needs CI/CD as well. The terraform state will be stored in Terraform Cloud, CI/CD will work via GitHub Aciton.

• Setup CI/CD

NB: I have the state file locally, and terraform plan is in sync. I will move it to terraform soon but I think I need some help @mmlb @displague

Why is this needed

Managing the setting for this organization as code will decrease the chance for undocumented changes. Fewest people will have admin access and everything will have to happen as a pull request, with code review and so on.

As an open community and as members of CNCF we want to be as open as possible, and this is another step in that direction.

[displague]

If we define a variable like variable "token" { description = "GitHub Token"} we can change this to token = var.token. By then setting the environment variable TF_VAR_token=$GH_TOKEN within the GitHub action (or using the Terraform "-var" arguments) we will have this value specified.

[displague]

We can create a variable for this:

variable "admins" {
  type = list(string)
  value = [
    "amenowanna",
    "benr", 
     ...
  ]
}

(I may have gotten the type wrong here, you probably don't need the type. Variables definitions should be kept in variables.tf.)

And then:

resource "github_membership" "admin" {
    count = len(var.admin)
    username = var.admin[count.index]
    role = "admin"
}

There is also a for/each way to do this, but I am not as familiar with that. (maybe we need to use a for each to avoid a rebuild when the list is modified from the beginning or middle)

[gianarb]

No, please! :D Do not ask me to make this dynamic now... it is already a pain to sync all the resources with the local state. I will leave the prettification of this for somebody else or at least for phase 2 when we will reorder all teams and members. Does it sound good?

Pleasee!!

[displague]

This PR needs CI/CD as well. The terraform state will be stored in Terraform Cloud, CI/CD will work via GitHub Aciton.

An S3 bucket can also be used for storage.
https://www.terraform.io/docs/backends/types/s3.html

[gianarb]

An S3 bucket can also be used for storage.
https://www.terraform.io/docs/backends/types/s3.html

At the current time, we do not have an easy way to set up an infrastructure that is not managed by a team in Equinix Metal. And as part of CNCF now we should try to mitigate the dependencies with Equinix Metal as a team, not as a product because we know a lot of the compute power CNCF has come from Equinix Metal!

At the current stage just to keep things going I set up a new organization in Terraform Cloud called Tinkerbell, and that's where the status gets stored.

@rawkode is helping us to figure out how to have a way to declare infrastructure with Pulumi, and as soon as we onboard more services from CNCF I presume we will be able to move to AWS S3 in the right account, or to Minio in the Tinkerbell infrastructure as soon as we will have one.

I also saw that 1Password has a provider for Terraform, not sure how it works but we have an account there as you know and as a follow up to this I would like to investigate if we can control users and access to 1Password from Terraform and also if we can remove secret drift out from GitHub secret (now that's how I store the Terraform Cloud Token) centralizing them to 1Password.

[mmlb]

How about using https://probot.github.io/apps/settings/ ? Managing teams in tf has been a bit of a pain internally and I've been thinking about trying ^ out. Its pretty nice in that we can also extend parts of it in each repo pretty easily.

[gianarb]

will waste some time with probot

[gianarb]

After an evaluation settings is cool but it has the repository as its scope. I don't need that. I want something that helps us to manage openly the entire organisation. You can not create teams or manage users. And I want to do just that.

The idea to use probot was also good because it didn't require infrastructure to manage, but with GitHub Actions and Terraform Cloud we do not really need a lot more. We will also need something to manage DNS or other services moving forward, so at some point, something like Terraform/Pulumi will come back.

[mmlb]

Ah yep, totally right that probot/settings won't create teams and either way we'll want to be able to manager other bits of infra outside of github too anyway.

[mmlb]

GITHUB_TOKEN is already looked for by the provider by default so we can just get rid of this variable all together

[displague]

If that's the case, then we need to remove https://github.com/tinkerbell/.github/pull/9/files#diff-2e617c7870fa918457b1eee1c7d67ba82f19d043ae7b7918db26873e18793028R12 too

[mmlb]

ah yes. I thought I had added it to line-range when making my comment.

[displague]

Does the original value token = "" work? (does the provider use empty values as a signal to use the GITHUB_TOKEN variable?)

[gianarb]

No I fixed that few days ago when you left the comment :) it was a leftover from my side

[displague]

How will this run?

I haven't made workflows in a .github directory before, but I would expect tinkerbell/.github/.github/workflows/terraform.yml, rather than tinkerbell/.github/terraform/.github/workflows/terraform.yml

[displague]

why are we removing this file?

[displague]

nice!

but this pr includes a .tfstate_back file (which doesn't match your patterns)

[gianarb]

yeah I renamed that when moving state to terraform cloud. we should be good now Thanks

[displague]

this variable is no longer defined, so I expect this to fail

[displague]

https://www.terraform.io/docs/providers/github/index.html#token - it is optional, we can remove it.

As @mmlb pointed out, GH Actions will provide the token we need with the environment variable that this TF provider expects.

[displague]

Thanks for this latest change, @gianarb! Starting with a terraform plan-only approach is smart thinking.