-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
QoL updates ✅ #24
base: main
Are you sure you want to change the base?
QoL updates ✅ #24
Conversation
f46d10d
to
a2f5711
Compare
1a8f2f9
to
4749dd5
Compare
4749dd5
to
0798ca3
Compare
16cbd35
to
f1d3625
Compare
65b96f5
to
be9551c
Compare
cadbd71
to
80ae92e
Compare
80ae92e
to
e0393f9
Compare
|
||
on: | ||
workflow_dispatch: | ||
inputs: | ||
environment: | ||
description: 'The environment to deploy to' | ||
workspace: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Non-breaking note: this will be a point of divergence from the Azure repositories, as that side does not leverage TF workspaces as a feature. There should be documentation to explain the discrepancy or choice of architecture somewhere.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I do think we should consider a discussion on whether workspaces or discrete folders are preferred. I tend to be wholly against workspaces for some of the reasons that Hashicorp outlines here: https://developer.hashicorp.com/terraform/cli/workspaces#use-cases If the partners you're speaking with overwhelmingly use workspaces, then we shouldn't reinvent the wheel...but, I would be very resistant to using this same approach with Azure.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
😬 This repo has used workspaces from the beginning; these changes are just around language to eliminate confusion, which seems successful! We should set up a call to discuss this.
@@ -1,29 +1,35 @@ | |||
name: Deploy to ECS | |||
name: Terraform (Plan||Apply) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I feel extremely squidgy about putting plan and apply together in the same action. If we mess up a conditional somewhere, damage can result. Is there a reason why these actions are not maintained separately, for safety reasons?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't mind separating it out.
@@ -45,23 +51,32 @@ jobs: | |||
with: | |||
role-to-assume: ${{ secrets.AWS_ROLE_ARN }} | |||
role-session-name: githubDeploymentWorkflow | |||
aws-region: ${{ env.aws_region }} | |||
aws-region: ${{ secrets.AWS_REGION }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can I ask why we're making this a secret? You've given a default value in the documentation already...does obscuring this value provide us any benefit?
@@ -4,6 +4,17 @@ variable "availability_zones" { | |||
default = ["us-east-1a", "us-east-1b", "us-east-1c"] | |||
} | |||
|
|||
variable "internal" { | |||
description = "Internal" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can do better for a description. 🙂
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for catching this oversight.
type = bool | ||
description = "Flag to determine if the ALB is public (intended for external access) or private (only intended to be accessed within your AWS VPC)." | ||
description = "Flag to determine if the several AWS resources are public (intended for external access, public internet) or private (only intended to be accessed within your AWS VPC or avaiable with other means, a transit gateway for example)." |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This description can likely be copy-pasted into the concern I commented on above!
@@ -2,9 +2,9 @@ | |||
# trivy:ignore:AVD-AWS-0053 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this suppression still valid?
@@ -43,7 +43,7 @@ resource "aws_ecs_service" "this" { | |||
name = each.key | |||
cluster = aws_ecs_cluster.dibbs_app_cluster.id | |||
task_definition = each.value.arn | |||
desired_count = local.service_data[each.key].app_count | |||
desired_count = local.service_data[each.key].min_capacity |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Non-blocking...do AWS services support scaling down to 0 with a rapid restart back to 1 if the container is hit? This could save some money, but may have a small performance impact. Just a thought!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure, but I can look into it. That would be added in a follow-up PR. Changing to min_capacity is only a bit of setup to get us closer to adding autoscaling.
} | ||
|
||
variable "owner" { | ||
description = "The owner of the project" | ||
type = string | ||
default = "skylight" | ||
validation { | ||
condition = can(regex("^[[:alnum:]]{1,8}$", var.owner)) | ||
error_message = "owner must be 8 characters or less, all lowerspace with no special characters or spaces" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"lowercase"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hah, I misunderstood your comment. My thought was, yeah, lowercase... 😆
I'll fix the typo.
default = "skylight" | ||
validation { | ||
condition = can(regex("^[[:alnum:]]{1,8}$", var.owner)) | ||
error_message = "owner must be 8 characters/numbers or less, all lowerspace with no special characters or spaces" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"lowercase"?
DEVOPS PULL REQUEST
Related Issue
Changes Proposed
environment
to useworkspace
instead to keep things consistent with jargon used by terraformtfstate
related terraform into a module to better encapsulate those resourcesinternal
variable to better setup resources in private subnets and prevent the creation of certain VPC resourcesservice_data
to includemin_capacity
andmax_capacity
so that we can handle autoscaling