Investigate how to run OpenTofu to manage Cloud VPS admin-only resources
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	taavi
	May 23 2024, 12:11 PM

Description

We want to use OpenTofu to manage some of the admin-only resources we need to define on OpenStack. Right now the use case is defining our flavors since we need to replace those, but this could as well expand to other uses (e.g. networks, DNS) in the future. To me the big question is where to run it:

Options

Run on cloudcontrol/cloudcumin nodes

The simplest option in my mind is to install OpenTofu on either the per-deployment cloudcontrol nodes or the new cloudcumin nodes. This would involve mirroring the Tofu packages to our apt repository, installing those packages, and then using Puppet provisioning credentials either for the current novaadmin user or a dedicated service account with full admin access.

Run on GitLab CI

The other option at least worth exploring in my mind is to have GitLab CI apply any Tofu changes automatically instead of manually running it somewhere. This would require some special care about how to handle the admin credentials (and should use a dedicated service account and definitely not novaadmin), but could unlock interesting use cases like showing a diff (tofu plan) before merging a MR.

Details

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
O:openstack: Install OpenTofu in eqiad1	operations/puppet	production	+15 -0
P:openstack: opentofu: Add a variable for region	operations/puppet	production	+7 -6
P:openstack: opentofu: Do not log changes to the env file	operations/puppet	production	+6 -5
P:openstack: opentofu: Allow everyone to enter the directory	operations/puppet	production	+1 -1
P:openstack: New profile for running OpenTofu for Cloud VPS	operations/puppet	production	+128 -15
Add fake opentofu admin passwords and tokens	labs/private	master	+4 -0
aptrepo: Add mirror for OpenTofu packages	operations/puppet	production	+75 -0

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
Open	None	T270694 CloudVPS: introduce tenant networks
Resolved	• aborrero	T364725 Migrate Cloud VPS instances to VXLAN based networks
Resolved	Andrew	T326373 Migrate Cloud VPS to Neutron Open vSwitch agent
Resolved	Andrew	T364457 Migrate eqiad1 hypervisors to Neutron OVS agent
Resolved	taavi	T364458 Create new g4 flavors to support hypervisor migration from Linuxbridge to OVS Neutron agents
Resolved	taavi	T365696 Investigate how to run OpenTofu to manage Cloud VPS admin-only resources

Event Timeline

taavi created this task.May 23 2024, 12:11 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 23 2024, 12:11 PM

I think we could do both: being able to manually run Tofu from a shared server is nice, and I would want to have it for debugging/emergency purposes even if we had CI integration. I think we could start from implementing this part, I vote for using cloudcontrols but cloudcumins are also fine.

If the state is stored in Object Storage, we can then also explore running some or all the Tofu workflows from CI. Initially, I would probably rather only run tofu plan in the CI, but once we trust it to be reliable we could also automatically tofu apply after merge. A potential issue: if we store the state in Object Storage, I don't think we get state locking. Maybe we could explore using the Postgres backend.

Another additional idea: we could run tofu plan every X hours (could be a systemd timer in cloudcontrols or somewhere else), and alert if the plan is not clean. I imagine a workflow where I create a patch/MR, the CI shows me the plan, somebody merges the patch, and we forget to manually run tofu apply (or if the CI fails) after the patch is merged, we get an alert after X hours.