Page MenuHomePhabricator
Create Task
Maniphest T370037

Cloud VPS: extend tofu-infra coverage
Open, MediumPublic
Actions

Description

The tofu integration was developed in T365696: Investigate how to run OpenTofu to manage Cloud VPS admin-only resources. As of this writing, the Cloud VPS tofu-infra project mostly covers flavors.

This task is to consider and track work to extend the coverage to pretty much everything admin-defined:

  • projects (i.e, tenant definitions)
  • quotas
  • glance images
  • neutron network settings
  • DNS zones and related configuration

Otherwise they are just manually coded in the database.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
openstack: opentofu: init modules before runnig planoperations/puppetproduction+1 -0
Customize query in gerrit
Related Changes in GitLab:
TitleReferenceAuthorSource BranchDest Branch
routers: consolidate router_interfaces into the same modulerepos/cloud/cloud-vps/tofu-infra!27aborreroarturo-220-routers-consolidatemain
data/: add routers for eqiad1repos/cloud/cloud-vps/tofu-infra!26aborreroarturo-220-data-add-routers-fomain
tofu-infra: refactor importsrepos/cloud/cloud-vps/tofu-infra!25aborreroarturo-244-tofu-infra-refactormain
Draft: tofu-infra: put all networking data in the same yaml filerepos/cloud/cloud-vps/tofu-infra!24aborreroarturo-314-tofu-infra-put-allmain
tofu-infra: define neutron routersrepos/cloud/cloud-vps/tofu-infra!23aborreroarturo-252-tofu-infra-define-nmain
tofu-infra: refactor providers into its own filerepos/cloud/cloud-vps/tofu-infra!22aborreroarturo-172-tofu-infra-refactormain
data/: introduce eqiad1-r network and subnet informationrepos/cloud/cloud-vps/tofu-infra!21aborreroarturo-175-data-introduce-eqiamain
tofu-infra: import codfw1dev subnetsrepos/cloud/cloud-vps/tofu-infra!17aborreroarturo-269-tofu-infra-import-cmain
networks: refactor to remove _set indirection and cloudvps keywordrepos/cloud/cloud-vps/tofu-infra!16aborreroarturo-158-networks-refactor-tmain
tofu-infra: introduce Cloud VPS networks for codfw1devrepos/cloud/cloud-vps/tofu-infra!13aborreroarturo-689-tofu-infra-introducmain
Customize query in GitLab

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT370037 Cloud VPS: extend tofu-infra coverage
 InvalidNoneT370038 tofu-infra: enable for codfw1dev
 Resolved aborreroT370414 tofu-infra: create a cookbook automation to run tofu
 DeclinedNoneT370652 tofu-infra: introduce additional gitlab-ci automation
 ResolvedfnegriT391467 gitlab ci: validate secrets settings in pipeline for tofu integration
 DuplicateNoneT370660 tofu-infra: investigate S3 spurious endpoint errors
 OpenNoneT371391 Cloud VPS: extend tofu-infra to cover quotas
 Resolved aborreroT371393 Cloud VPS: extend tofu-infra to cover projects, users and roles
 DeclinedNoneT375720 tofu-infra: migrate default zone creation from the keystone hook
 Declined aborreroT379231 tofu-infra: check for leaked resources when deleting projects
 Resolved aborreroT374022 tofu-infra: the cookbook should use a different git tree copy than the main one
 OpenNoneT373815 Puppet fails on cloudcontrol when updating /srv/tofu-infra
 Resolved aborreroT374338 tofu-infra: extend coverage to Designate DNS data
 ResolvedfnegriT374953 Move some DNS records from wmcs-wikireplica-dns.py to tofu-infra
 ResolvedfnegriT380484 [designate] migrate DNS records in noauth-project to cloudinfra project
 ResolvedfnegriT380488 Migrate "eqiad.wmflabs." DNS zone to cloudinfra project
 ResolvedfnegriT380490 Migrate "svc.eqiad.wmflabs." DNS zone to cloudinfra project
 ResolvedfnegriT380491 Migrate "db.svc.eqiad.wmflabs." DNS zone to cloudinfra project
 ResolvedfnegriT380493 Migrate web.db.svc.eqiad.wmflabs. and analytics.db.svc.eqiad.wmflabs. to cloudinfra project
 ResolvedfnegriT380495 Migrate "16.172.in-addr.arpa." DNS zone to cloudinfra project
 ResolvedfnegriT391486 Update scripts that are referencing "noauth-project" for Designate
 Resolved aborreroT374835 cloud: tofu-infra: support neutron security groups
 Resolved aborreroT375111 openstack: clarify default security group semantics
 Resolved aborreroT375283 tofu-infra: refactor repo structure
 Resolved aborreroT392799 tofu-infra: re-implement security group rules as a map instead of array
 ResolvedfnegriT376704 tofu-infra: update to opentofu 1.8.x
 Resolved aborreroT376705 tofu-infra: update to openstack provider 3.x
 InvalidNoneT379141 tofu-infra: conflict with tf-infra-test
 OpenNoneT380981 tofu-infra: consider extending to support nova hosts aggregates
 StalledAndrewT385604 Decision Request - How openstack projects relate to tofu-infra
 OpenNoneT376110 tofu-infra: add support for DNS zones created by wmfkeystonehook
 OpenAndrewT410659 Standardize on opentofu management of all projects in the default keystone domain
 OpenNoneT389964 tofu-infra: implement some state backup mechanism
 OpenNoneT391252 tofu-infra: opentofu-created flavors may be disabled by default
 OpenNoneT410148 tofu-infra: add cinder volume types
 ResolvedfnegriT411090 [tofu-infra] [wmcs-cookbooks] Allow running "tofu apply" on a single cluster
 OpenNoneT411193 SystemdUnitDown and SystemdUnitDownForLong

Event Timeline

aborrero created this task.Jul 15 2024, 11:23 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 15 2024, 11:23 AM
aborrero updated the task description. (Show Details)Jul 15 2024, 11:30 AM
aborrero closed subtask T370038: tofu-infra: enable for codfw1dev as Invalid.Jul 15 2024, 11:37 AM
CodeReviewBot added a project: Patch-For-Review.Jul 15 2024, 12:31 PM

aborrero opened https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/13

tofu-infra: introduce Cloud VPS networks for codfw1dev

aborrero moved this task from Backlog to Next on the User-aborrero board.Jul 15 2024, 3:12 PM
aborrero changed the task status from Open to In Progress.Jul 17 2024, 1:31 PM
aborrero claimed this task.
aborrero triaged this task as Medium priority.
aborrero moved this task from Next to Doing on the User-aborrero board.
fnegri added a project: Cloud-VPS.Jul 17 2024, 2:48 PM
CodeReviewBot added a comment.Jul 18 2024, 10:57 AM

aborrero merged https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/13

tofu-infra: introduce Cloud VPS networks for codfw1dev

Maintenance_bot removed a project: Patch-For-Review.Jul 18 2024, 11:31 AM
CodeReviewBot added a project: Patch-For-Review.Jul 18 2024, 11:38 AM

aborrero opened https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/16

networks: refactor to remove _set indirection and cloudvps keyword

CodeReviewBot added a comment.Jul 18 2024, 12:13 PM

aborrero merged https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/16

networks: refactor to remove _set indirection and cloudvps keyword

CodeReviewBot added a comment.Jul 18 2024, 12:16 PM

aborrero opened https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/17

tofu-infra: import codfw1dev subnets

fnegri renamed this task from Cloud VPS: consider extending tofu-infra coverage to Cloud VPS: extend tofu-infra coverage.Jul 18 2024, 1:23 PM
aborrero added a parent task: T364725: Migrate Cloud VPS instances to VXLAN based networks.Jul 18 2024, 3:09 PM
aborrero changed the status of subtask T370414: tofu-infra: create a cookbook automation to run tofu from Open to In Progress.Jul 19 2024, 8:44 AM
CodeReviewBot added a comment.Jul 22 2024, 3:50 PM

aborrero merged https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/17

tofu-infra: import codfw1dev subnets

CodeReviewBot added a comment.Jul 22 2024, 4:05 PM

aborrero opened https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/21

data/: introduce eqiad1-r network and subnet information

gerritbot added a comment.Jul 23 2024, 8:20 AM

Change #1056117 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):

[operations/puppet@production] openstack: opentofu: init modules before runnig plan

https://gerrit.wikimedia.org/r/1056117

gerritbot added a comment.Jul 23 2024, 9:34 AM

Change #1056117 merged by Arturo Borrero Gonzalez:

[operations/puppet@production] openstack: opentofu: init modules before runnig plan

https://gerrit.wikimedia.org/r/1056117

CodeReviewBot added a comment.Jul 23 2024, 10:08 AM

aborrero merged https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/21

data/: introduce eqiad1-r network and subnet information

Maintenance_bot removed a project: Patch-For-Review.Jul 23 2024, 10:30 AM
CodeReviewBot added a project: Patch-For-Review.Jul 23 2024, 10:47 AM

aborrero opened https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/22

tofu-infra: refactor providers into its own file

CodeReviewBot added a comment.Jul 23 2024, 1:02 PM

aborrero merged https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/22

tofu-infra: refactor providers into its own file

Maintenance_bot removed a project: Patch-For-Review.Jul 23 2024, 1:31 PM
CodeReviewBot added a project: Patch-For-Review.Jul 23 2024, 4:03 PM

aborrero opened https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/23

tofu-infra: define neutron routers

CodeReviewBot added a comment.Jul 24 2024, 10:42 AM

aborrero opened https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/24

tofu-infra: put all networking data in the same yaml file

aborrero added a subtask: T320750: Support managing Cloud VPS project membership via OpenTofu.Jul 24 2024, 2:16 PM
CodeReviewBot added a comment.Jul 25 2024, 8:24 AM

aborrero opened https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/25

tofu-infra: refactor imports

CodeReviewBot added a comment.Jul 25 2024, 8:42 AM

aborrero merged https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/25

tofu-infra: refactor imports

CodeReviewBot added a comment.Jul 25 2024, 9:32 AM

aborrero merged https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/23

tofu-infra: define neutron routers

CodeReviewBot added a comment.Jul 25 2024, 10:47 AM

aborrero opened https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/26

data/: add routers for eqiad1

CodeReviewBot added a comment.Jul 25 2024, 11:03 AM

aborrero merged https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/26

data/: add routers for eqiad1

CodeReviewBot added a comment.Jul 25 2024, 11:04 AM

aborrero closed https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/24

Draft: tofu-infra: put all networking data in the same yaml file

Maintenance_bot removed a project: Patch-For-Review.Jul 25 2024, 11:30 AM
CodeReviewBot added a project: Patch-For-Review.Jul 25 2024, 12:55 PM

aborrero opened https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/27

routers: consolidate router_interfaces into the same module

CodeReviewBot added a comment.Jul 29 2024, 9:58 AM

aborrero closed https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/27

routers: consolidate router_interfaces into the same module

Maintenance_bot removed a project: Patch-For-Review.Jul 29 2024, 10:30 AM
aborrero closed subtask T370414: tofu-infra: create a cookbook automation to run tofu as Resolved.Sep 2 2024, 9:33 AM
aborrero changed the status of subtask T374338: tofu-infra: extend coverage to Designate DNS data from Open to In Progress.Sep 9 2024, 8:43 AM
aborrero removed a parent task: T364725: Migrate Cloud VPS instances to VXLAN based networks.Sep 16 2024, 9:22 AM
aborrero changed the status of subtask T374835: cloud: tofu-infra: support neutron security groups from Open to In Progress.Sep 16 2024, 12:48 PM
aborrero changed the status of subtask T375283: tofu-infra: refactor repo structure from Open to In Progress.Sep 23 2024, 12:45 PM
aborrero closed subtask T374835: cloud: tofu-infra: support neutron security groups as Resolved.Sep 24 2024, 2:36 PM
aborrero closed subtask T374338: tofu-infra: extend coverage to Designate DNS data as Resolved.Sep 24 2024, 3:57 PM
aborrero moved this task from Doing to Next on the User-aborrero board.
aborrero changed the task status from In Progress to Open.Sep 27 2024, 5:56 AM
aborrero closed subtask T376705: tofu-infra: update to openstack provider 3.x as Resolved.Oct 8 2024, 2:53 PM
fnegri mentioned this in T376802: tf-infra-test fails creating dbs and k8s cluster.Oct 10 2024, 3:35 PM
aborrero closed subtask T379141: tofu-infra: conflict with tf-infra-test as Invalid.Nov 6 2024, 10:24 AM
fnegri changed the status of subtask T375283: tofu-infra: refactor repo structure from In Progress to Stalled.Jan 21 2025, 11:40 AM
aborrero mentioned this in T385604: Decision Request - How openstack projects relate to tofu-infra.Feb 4 2025, 5:08 PM
aborrero added a subtask: T385604: Decision Request - How openstack projects relate to tofu-infra.Feb 5 2025, 12:39 PM
aborrero changed the status of subtask T375283: tofu-infra: refactor repo structure from Stalled to In Progress.Feb 5 2025, 12:42 PM
fnegri removed a subtask: T320750: Support managing Cloud VPS project membership via OpenTofu.Feb 5 2025, 5:22 PM
aborrero changed the status of subtask T375283: tofu-infra: refactor repo structure from In Progress to Stalled.Mar 19 2025, 1:17 PM
aborrero closed subtask T375283: tofu-infra: refactor repo structure as Resolved.Mar 24 2025, 11:53 AM
aborrero closed subtask T374022: tofu-infra: the cookbook should use a different git tree copy than the main one as Resolved.Mar 25 2025, 10:58 AM
aborrero moved this task from Next to Blocked/waiting on the User-aborrero board.Mar 26 2025, 12:25 PM
aborrero moved this task from Blocked/waiting to Radar/observer on the User-aborrero board.
dcaro reopened subtask T375283: tofu-infra: refactor repo structure as Open.Apr 14 2025, 1:41 PM
fnegri closed subtask T375283: tofu-infra: refactor repo structure as Resolved.Jun 16 2025, 9:20 AM
fnegri removed aborrero as the assignee of this task.Jun 24 2025, 10:53 AM
taavi closed subtask T370652: tofu-infra: introduce additional gitlab-ci automation as Declined.Jul 31 2025, 12:06 PM
fnegri moved this task from Inbox to Epics on the cloud-services-team board.Sep 5 2025, 8:42 AM
akosiaris subscribed.Sep 18 2025, 3:16 PM
dcaro changed the status of subtask T385604: Decision Request - How openstack projects relate to tofu-infra from Open to Stalled.Sep 18 2025, 3:56 PM
Andrew added a subscriber: fgiunchedi.Oct 22 2025, 5:08 PM

I'm thinking this over again, and I'm fairly compelled by the fact that resources managed by tofu are in source control with a history.

That said, I know that @fgiunchedi found the current workflow very confusing. Filippo, can you talk about your experience a bit here? One thing I wonder about is how both deployments (codfw1dev and eqiad1) are currently coupled, so if tofu can't apply in codfw1dev then we also can't change things in eqiad1; I'm pretty sure that needs to be changed.

fnegri added a comment.Oct 24 2025, 9:55 AM

deployments (codfw1dev and eqiad1) are currently coupled, so if tofu can't apply in codfw1dev then we also can't change things in eqiad1; I'm pretty sure that needs to be changed.

+1 for splitting codfw1dev and eqiad1, similarly to what we did in the tofu-provisioning repo (that was created at a later time than the tofu-infra one).

fgiunchedi added a comment.Oct 28 2025, 11:10 AM
In T370037#11299341, @Andrew wrote:

I'm thinking this over again, and I'm fairly compelled by the fact that resources managed by tofu are in source control with a history.

That said, I know that @fgiunchedi found the current workflow very confusing. Filippo, can you talk about your experience a bit here? One thing I wonder about is how both deployments (codfw1dev and eqiad1) are currently coupled, so if tofu can't apply in codfw1dev then we also can't change things in eqiad1; I'm pretty sure that needs to be changed.

Certainly, I stubbed my toe on the interaction between tofu and cookbooks when working on the project NFS server. Specifically, the wmcs.nfs cookbooks can change DNS service records for the NFS server, e.g. when changing networks. This works when DNS records are not managed by tofu of course. When DNS service records are managed by tofu (e.g. tools, toolsbeta) then the cookbook and tofu step on each other toes, making the cookbook work on some projects but not others. This was my main gripe with the current situation at the time. We ended up un-managing NFS service records for tools tofu as a middle ground solution.

I realize the above may be a corner case, though to me it begs the question: in a world where all/most resources are managed by tofu, what is the story with cookbook interaction or other general programmatic changes to resources we want to do?

We do have an example today with creating new instances: the cookbook AIUI sends a merge request for tofu and then operators merge it. I thought about doing the same for the NFS cookbook, though programmatically editing HCL files is not trivial without hacks (e.g. anchors in the file), creating new instances works fine I think because it is an append operation, not editing files in place.

From the task description the scope here is "admin-defined" resources, I take it this is different than tools tofu-provisioning where a project itself is managed by tofu? Or is "projects managed by tofu" in scope here too?

Andrew added a comment.Oct 30 2025, 2:50 PM

"admin-defined" resources

I think that admin-defined just means 'things in cloud-vps managed and supported by staff rather than by random users'.

fnegri added a comment.Wed, Nov 26, 12:07 PM
In T370037#11305611, @fnegri wrote:

deployments (codfw1dev and eqiad1) are currently coupled, so if tofu can't apply in codfw1dev then we also can't change things in eqiad1; I'm pretty sure that needs to be changed.

+1 for splitting codfw1dev and eqiad1, similarly to what we did in the tofu-provisioning repo (that was created at a later time than the tofu-infra one).

I created T411090: [tofu-infra] [wmcs-cookbooks] Allow running "tofu apply" on a single cluster.

fnegri added a subtask: T411090: [tofu-infra] [wmcs-cookbooks] Allow running "tofu apply" on a single cluster.Wed, Nov 26, 2:37 PM
fnegri closed subtask T376704: tofu-infra: update to opentofu 1.8.x as Resolved.Wed, Nov 26, 2:39 PM
fnegri changed the status of subtask T411090: [tofu-infra] [wmcs-cookbooks] Allow running "tofu apply" on a single cluster from Open to In Progress.Wed, Nov 26, 4:35 PM
fnegri closed subtask T411090: [tofu-infra] [wmcs-cookbooks] Allow running "tofu apply" on a single cluster as Resolved.Mon, Dec 1, 5:00 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits