briceburg/devops-terraform

DevOps Challenges

Cloud Presence

  • Organizational bootstrapping.
    • Initial setup of tfstate buckets and accounts/access patterns. DIY versus Terraform Enterprise / Spacelift.
  • Account Foundations
    • RBAC. How to safely empower build-run teams as an org grows.
    • Progressive workflow requirements (sandbox [free for all] -> production [formal processes])
    • Costs, e.g. weekly nuke of sandbox resources, per-tier resource sizing/retention/configuration
    • Flexible, intuitive permissions and account structure
  • Network Foundations and Reference Platforms
    • Building blocks for consistently using the provider
  • Strategies for automation in CI/CD Pipelines
    • OIDC roles

Order of Operations

To get started in AWS, first read over management/aws/README.md. It contains an initial setup guide detailing the steps below.

  1. Create an Org Management account and enable IAM Identity Center. Name the account aws-org-management.
  2. Terraform the management state bucket.
  3. Terraform organization accounts, users, and permissions.
  4. Terraform project state buckets.

  5. Terraform networks.
  6. Terraform DNS.
  7. Terraform namespaces.

Enjoy a namespace-aware module ecosystem.
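Step 2, the management state bucket, is the root of trust for everything that follows, since every later stack reads and writes its state there. The following is an added example of what that bootstrap looks like; it is not the repository's management/aws code, and `state_bucket_name`, the region and the state key are placeholders.

```hcl
# Added example (not the repo's own code): a hardened Terraform state bucket.
# Chicken-and-egg: this stack must first be applied with LOCAL state, then pointed
# at the bucket it created with `terraform init -migrate-state`.
variable "state_bucket_name" { type = string }

resource "aws_s3_bucket" "tfstate" {
  bucket = var.state_bucket_name
  lifecycle {
    prevent_destroy = true # losing state is worse than a failed apply
  }
}

# State files hold secrets in plaintext: keep every version and encrypt at rest.
resource "aws_s3_bucket_versioning" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket                  = aws_s3_bucket.tfstate.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Refuse any request that does not arrive over TLS.
data "aws_iam_policy_document" "tfstate" {
  statement {
    sid     = "DenyInsecureTransport"
    effect  = "Deny"
    actions = ["s3:*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    resources = [
      aws_s3_bucket.tfstate.arn,
      "${aws_s3_bucket.tfstate.arn}/*",
    ]
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  policy = data.aws_iam_policy_document.tfstate.json
}

# Lock table so two operators cannot apply against the same state at once.
resource "aws_dynamodb_table" "tfstate_lock" {
  name         = "${var.state_bucket_name}-lock"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
}

# Once applied, every later stack references the bucket from its backend block.
# Backend blocks cannot use variables, so the names are written out literally:
# terraform {
#   backend "s3" {
#     bucket         = "<state_bucket_name>"
#     key            = "management/terraform.tfstate"
#     region         = "<region>"
#     encrypt        = true
#     dynamodb_table = "<state_bucket_name>-lock"
#   }
# }
```

Who may read the bucket is the same question as who may read every secret Terraform has ever written, so access to it should be granted through the roles from step 3 rather than to individual users, and the versioning above is what makes a corrupted or maliciously edited state file recoverable.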

Development Guidelines

Named Profiles

Currently, named profiles are used to access particular accounts. Copy the contents of tools/aws/config into your ~/.aws/config file and be sure to keep it up to date.
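A profile that drifts out of date, or is copied into the wrong section, is how a sandbox plan ends up applied to production. The following is an added example, not part of the repository, of pinning each tier to both a profile name and the account id that profile is expected to resolve to; the profile names, account ids and region are placeholders.

```hcl
# Added example (not the repo's own code): fail fast when a named profile does not
# resolve to the account the tier expects. Profile names must match entries in
# ~/.aws/config (copied from tools/aws/config); ids below are placeholders.
variable "tier" {
  type = string
  validation {
    condition     = contains(["sandbox", "production"], var.tier)
    error_message = "tier must be one of: sandbox, production."
  }
}

locals {
  tiers = {
    sandbox    = { profile = "aws-sandbox",    account_id = "111111111111" }
    production = { profile = "aws-production", account_id = "222222222222" }
  }
  tier = local.tiers[var.tier]
}

provider "aws" {
  profile = local.tier.profile
  region  = "us-east-1" # assumed
  # The provider refuses to plan or apply if the profile's credentials belong to
  # any other account, whatever ~/.aws/config currently says.
  allowed_account_ids = [local.tier.account_id]
}

# Surface the identity actually in use so it appears in plan output and CI logs.
data "aws_caller_identity" "current" {}

output "effective_identity" {
  value = data.aws_caller_identity.current.arn
}
```

Run with `terraform plan -var tier=sandbox`; the `allowed_account_ids` guard turns a stale profile into an immediate, explicit error instead of a silent cross-account change.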

TODO: revisit tooling

TODO

  • rename namespaces to deploy-zones
  • rename notprod tier to sandbox?

Languages

HCL 97.9%, Shell 1.2%, Python 0.9%

Created March 1, 2024
Updated January 14, 2025