Page MenuHomePhabricator
Create Task
Maniphest T370652

tofu-infra: introduce additional gitlab-ci automation
Closed, DeclinedPublic
Actions

Description

We have discussed the possibility of introducing some gitlab-ci automation for tofu-infra.

In this early stage, we are mostly interested in tofu plan. We have detected an upstream gitlab integration for opentofu that we could reuse/adapt to our own (but not just mirror because that is only possible with GitLab Premium).

As a first step, we should consider generating a new set of credentials for novaobserver to run "tofu plan" from gitlab ci in read-only mode. The credentials will also need to access the Object Storage bucket containing the Tofu state file, so maybe we will need a separate user?

Other ideas to explore:

Details

Related Changes in GitLab:
TitleReferenceAuthorSource BranchDest Branch
tofu-infra: introduce gitlab CI/CD workflowrepos/cloud/cloud-vps/tofu-infra!236aborreroarturo-266-tofu-infra-introducmain
Customize query in GitLab

Related Objects
Search...

Event Timeline

aborrero created this task.Jul 22 2024, 3:14 PM
fnegri updated the task description. (Show Details)Jul 22 2024, 3:36 PM
aborrero moved this task from Backlog to Radar/observer on the User-aborrero board.Jul 24 2024, 2:59 PM
fnegri mentioned this in T370414: tofu-infra: create a cookbook automation to run tofu.Jul 29 2024, 9:47 AM
fnegri updated the task description. (Show Details)Jul 31 2024, 3:28 PM
joanna_borun triaged this task as Low priority.Aug 21 2024, 2:14 PM
aborrero added a comment.EditedOct 2 2024, 3:02 PM

See:

aborrero added a comment.Oct 2 2024, 3:18 PM
In T370652#10196276, @aborrero wrote:

See:

One limitation I found with that CI automation: they can't run plan for MR branches, because secrets are required, and they could leak.

dcaro added a comment.Oct 7 2024, 12:17 PM
In T370652#10196313, @aborrero wrote:
In T370652#10196276, @aborrero wrote:

See:

One limitation I found with that CI automation: they can't run plan for MR branches, because secrets are required, and they could leak.

I think that for repos/cloud you can limit the secrets exposure to MRs of branches within the repo, so it gets limited to members of the cloud team (we do so in toolforge to push images/charts to toolsbeta-harbor)

aborrero mentioned this in T391467: gitlab ci: validate secrets settings in pipeline for tofu integration.Apr 9 2025, 12:13 PM
aborrero added a subtask: T391467: gitlab ci: validate secrets settings in pipeline for tofu integration.
aborrero added a comment.Apr 10 2025, 8:30 AM

Another example repository with a full workflow based on gitlab CI/CD: https://gitlab.wikimedia.org/repos/cloud/cloud-vps/networktests-tofu-provisioning

The tofu apply step is marked as "manual" in the pipeline, so it requires a human clicking the button for infrastructure changes to happen.

aborrero added a comment.Apr 10 2025, 3:32 PM

see also: https://docs.gitlab.com/user/infrastructure/iac/mr_integration/#manually-configure-opentofu-report-artifacts

fnegri closed subtask T391467: gitlab ci: validate secrets settings in pipeline for tofu integration as Resolved.May 6 2025, 2:13 PM
CodeReviewBot added a project: Patch-For-Review.May 19 2025, 12:16 PM

aborrero opened https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/236

tofu-infra: introduce gitlab CI/CD workflow

CodeReviewBot added a comment.Jul 31 2025, 12:05 PM

taavi closed https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/236

tofu-infra: introduce gitlab CI/CD workflow

taavi closed this task as Declined.Jul 31 2025, 12:06 PM
taavi subscribed.

I don't think we're interested in pursuing this now.

Maintenance_bot removed a project: Patch-For-Review.Jul 31 2025, 12:31 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits