feature: GitHub component #2
Conversation
There was a problem hiding this comment.
I like the dynamic "list of repos" approach but then our call to the underlying module is so much of this = each.this which seems like a waste of key presses (even if copilot does all the heavy lifting)
Also conglomerating every repo into one state file is probably harmless but large blast radius.. I dunno I think it is best for us to essentially call the mineiros repo (forked with SOPS mixin) many times instead of calling it in a loop
github/main.tf
Outdated
| source = "mineiros-io/repository/github" | ||
| version = "0.18.0" | ||
|
|
||
| for_each = var.repos |
github/providers.tf
Outdated
| provider "github" { | ||
| base_url = var.gh_base_url | ||
| owner = var.gh_owner | ||
|
|
||
| token = local.gh_token_enabled ? local.gh_token : null | ||
|
|
||
| dynamic "app_auth" { | ||
| for_each = local.gh_app_auth_enabled ? ["app_auth"] : [] | ||
| content { | ||
| id = var.gh_app_auth_id | ||
| installation_id = var.gh_app_auth_installation_id | ||
| pem_file = local.gh_app_auth_pem_file | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
This can all be handled in environment variables and that sort of configuration will remain consistent in Spacelift, then we don't have to do the auth method selection logic in locals, but there's also merits to it being explicit in code. Especially because we don't use a chamber sort of environment variable management in local dev loop.
There was a problem hiding this comment.
We rarely use env variables for this type of configuration, so I leaned towards the approach that keeps GH configuration in one place without a need to set up Spacelift stacks (in our case). With this implementation, a token can still be consumed as an env variable if not set via SOPS.
For app_auth we could work on more complex logic in the future if needed.
github/providers.tf
Outdated
| variable "gh_app_auth_id" { | ||
| type = string | ||
| description = "The ID of the GitHub App." | ||
| default = "" | ||
| } | ||
|
|
||
| variable "gh_app_auth_installation_id" { | ||
| type = string | ||
| description = "The ID of the GitHub App installation" | ||
| default = "" | ||
| } | ||
|
|
||
| variable "gh_app_auth_pem_file_secret_name" { | ||
| type = string | ||
| description = <<-EOF | ||
| The name of the secret retrieved by secrets mixin that contains | ||
| the contents of the GitHub App private key PEM file. | ||
| EOF | ||
| default = null | ||
| } | ||
|
|
||
| variable "gh_base_url" { | ||
| type = string | ||
| description = <<-EOF | ||
| (Optional) This is the target GitHub base API endpoint. | ||
| Providing a value is a requirement when working with GitHub Enterprise. | ||
| It is optional to provide this value and it can also be sourced from the GITHUB_BASE_URL environment variable. | ||
| The value must end with a slash, for example: https://terraformtesting-ghe.westus.cloudapp.azure.com/ | ||
| EOF | ||
| default = null | ||
| } | ||
|
|
||
| variable "gh_owner" { | ||
| type = string | ||
| description = <<-EOF | ||
| (Optional) This is the target GitHub organization or individual user account to manage. | ||
| For example, `torvalds` and `github` are valid owners. It is optional to provide this value | ||
| and it can also be sourced from the GITHUB_OWNER environment variable. | ||
| When not provided and a token is available, the individual user account owning the token will be used. | ||
| When not provided and no token is available, the provider may not function correctly. | ||
| EOF | ||
| default = null | ||
| } | ||
|
|
||
| variable "gh_token_secret_name" { | ||
| type = string | ||
| description = <<-EOF | ||
| The name of the secret retrieved by secrets mixin that contains the GitHub personal access token. | ||
| EOF | ||
| default = null | ||
| } |
There was a problem hiding this comment.
I prefer all variables being in variables.tf unless they're specific to a shared mixin
There was a problem hiding this comment.
I was thinking of this as of future mixin, but it's not the case right now, so I've moved it to the variables.tf 👌
github/providers.tf
Outdated
| type = string | ||
| description = <<-EOF | ||
| The name of the secret retrieved by secrets mixin that contains the GitHub personal access token. | ||
| EOF |
There was a problem hiding this comment.
This EOF (and others) should be spaced two forward because I think now the final rendered result will be two spaces forward, b/c this line is the one with least indentation
https://developer.hashicorp.com/terraform/language/expressions/strings#indented-heredocs
There was a problem hiding this comment.
Looking at it closer I might be wrong. If you have a sec to verify let me know
There was a problem hiding this comment.
Yeah, Terraform analyses the lines in the sequence to find the one with the smallest number of leading spaces, and then trims that many spaces from the beginning of all of the lines.
Since there is no diff in space numbers for these vars, it renders fine. However I've updated the description format to use the expected number of spaces.
There was a problem hiding this comment.
Ok I wasn't sure if it would also analyze the spaces before your EOF marker
| @@ -5,14 +5,16 @@ | |||
| *.tfstate | |||
| *.tfstate.* | |||
|
|
|||
| # Terraform lock files | |||
| .terraform.lock.hcl | |||
There was a problem hiding this comment.
The components are intended to be used as child modules, and the root module should have it's own lock file anyway. What's the reason we might want to keep it here?
There was a problem hiding this comment.
I think this component is already at root module level for a consumer. The most we would do is just copy it into sts-devops, no? to wrap it an additional time and write another variable = var.variable ... block seems like too much
There was a problem hiding this comment.
additionally I see no opinions online that lockfiles should not be included in child modules and don't see a reason not to.
There was a problem hiding this comment.
It's just not used by Terraform, no init is run on this level.
There was a problem hiding this comment.
I think this component is already at root module level for a consumer. The most we would do is just copy it into
sts-devops, no? to wrap it an additional time and write anothervariable = var.variable ...block seems like too much
Not sure. Let's discuss on a call.
github/main.tf
Outdated
| deploy_keys = each.value.deploy_keys | ||
| deploy_keys_computed = each.value.deploy_keys_computed | ||
|
|
||
| # Branch Protections v3 Configuration |
There was a problem hiding this comment.
Can we remove V3 config so we can avoid potentially using it since it sounds like it's now legacy?
There was a problem hiding this comment.
Makes sense, especially considering it may conflict with v4 branch protections if used for the same branch. Removed.
There was a problem hiding this comment.
@gberenice I didn't check all those inputs as I imagine that's just a for_each over ALL of the vars in the child module, yeah? That seems great to me and this looks solid. One or two requests below and I'll approve when you get back to me on those!
|
@kevcube saw this comment and wanted to share thoughts:
This is a legit point of view and I could see going either way on it depending on size. Two size perspectives that are worth considering:
I'm a bit torn on it when typing it out. I think I gravitate towards the |
|
@Gowiem I see your point that "auto-approve vs. one mega-state file, both have issues" but I think I feel more comfortable with auto-approve. Frankly the risk with either is minimal, but if someone is making changes from local then auto-approve is irrelevant and the mega-state is still a risk. Honestly I think auto-approve everywhere should be a goal of ours (maybe with plan outputs printed to PRs and reviewed as a part of PR) |
Yes (god bless copilot and chatgpt). |
|
@Gowiem @kevcube to me, the main question is - what this component is about and how we're layering the resources. Forking the repo raises the question of sync between the projects. I bet we'll be lazy and have some changes pushed to our repo only (classic). The original repo doesn't seem to be active at the moment, but I've already noticed some minor issues worth contributing. |
Info
This adds a Github component. For now, we're able to manage repositories configuration.