QoL updates ✅ #24
QoL updates ✅ #24
Conversation
alismx
force-pushed
the
alis/private_subnet_updates
branch
2 times, most recently
from
f46d10d
to
a2f5711
Compare
alismx
force-pushed
the
alis/private_subnet_updates
branch
3 times, most recently
from
1a8f2f9
to
4749dd5
Compare
alismx
force-pushed
the
alis/private_subnet_updates
branch
from
4749dd5
to
0798ca3
Compare
alismx
force-pushed
the
alis/private_subnet_updates
branch
5 times, most recently
from
16cbd35
to
f1d3625
Compare
alismx
force-pushed
the
alis/private_subnet_updates
branch
6 times, most recently
from
65b96f5
to
be9551c
Compare
alismx
force-pushed
the
alis/private_subnet_updates
branch
2 times, most recently
from
cadbd71
to
80ae92e
Compare
alismx
force-pushed
the
alis/private_subnet_updates
branch
from
80ae92e
to
e0393f9
Compare
alismx
changed the title
|
|
||
| on: | ||
| workflow_dispatch: | ||
| inputs: | ||
| environment: | ||
| description: 'The environment to deploy to' | ||
| workspace: |
There was a problem hiding this comment.
Non-breaking note: this will be a point of divergence from the Azure repositories, as that side does not leverage TF workspaces as a feature. There should be documentation to explain the discrepancy or choice of architecture somewhere.
There was a problem hiding this comment.
I do think we should consider a discussion on whether workspaces or discrete folders are preferred. I tend to be wholly against workspaces for some of the reasons that Hashicorp outlines here: https://developer.hashicorp.com/terraform/cli/workspaces#use-cases If the partners you're speaking with overwhelmingly use workspaces, then we shouldn't reinvent the wheel...but, I would be very resistant to using this same approach with Azure.
There was a problem hiding this comment.
😬 This repo has used workspaces from the beginning; these changes are just around language to eliminate confusion, which seems successful! We should set up a call to discuss this.
| @@ -1,29 +1,35 @@ | |||
| name: Deploy to ECS | |||
| name: Terraform (Plan||Apply) | |||
There was a problem hiding this comment.
I feel extremely squidgy about putting plan and apply together in the same action. If we mess up a conditional somewhere, damage can result. Is there a reason why these actions are not maintained separately, for safety reasons?
There was a problem hiding this comment.
I don't mind separating it out.
| @@ -45,23 +51,32 @@ jobs: | |||
| with: | |||
| role-to-assume: ${{ secrets.AWS_ROLE_ARN }} | |||
| role-session-name: githubDeploymentWorkflow | |||
| aws-region: ${{ env.aws_region }} | |||
| aws-region: ${{ secrets.AWS_REGION }} | |||
There was a problem hiding this comment.
Can I ask why we're making this a secret? You've given a default value in the documentation already...does obscuring this value provide us any benefit?
| @@ -4,6 +4,17 @@ variable "availability_zones" { | |||
| default = ["us-east-1a", "us-east-1b", "us-east-1c"] | |||
| } | |||
|
|
|||
| variable "internal" { | |||
| description = "Internal" | |||
There was a problem hiding this comment.
We can do better for a description. 🙂
There was a problem hiding this comment.
Thanks for catching this oversight.
| type = bool | ||
| description = "Flag to determine if the ALB is public (intended for external access) or private (only intended to be accessed within your AWS VPC)." | ||
| description = "Flag to determine if the several AWS resources are public (intended for external access, public internet) or private (only intended to be accessed within your AWS VPC or avaiable with other means, a transit gateway for example)." |
There was a problem hiding this comment.
This description can likely be copy-pasted into the concern I commented on above!
| @@ -2,9 +2,9 @@ | |||
| # trivy:ignore:AVD-AWS-0053 | |||
There was a problem hiding this comment.
Is this suppression still valid?
| @@ -43,7 +43,7 @@ resource "aws_ecs_service" "this" { | |||
| name = each.key | |||
| cluster = aws_ecs_cluster.dibbs_app_cluster.id | |||
| task_definition = each.value.arn | |||
| desired_count = local.service_data[each.key].app_count | |||
| desired_count = local.service_data[each.key].min_capacity | |||
There was a problem hiding this comment.
Non-blocking...do AWS services support scaling down to 0 with a rapid restart back to 1 if the container is hit? This could save some money, but may have a small performance impact. Just a thought!
There was a problem hiding this comment.
I'm not sure, but I can look into it. That would be added in a follow-up PR. Changing to min_capacity is only a bit of setup to get us closer to adding autoscaling.
| } | ||
|
|
||
| variable "owner" { | ||
| description = "The owner of the project" | ||
| type = string | ||
| default = "skylight" | ||
| validation { | ||
| condition = can(regex("^[[:alnum:]]{1,8}$", var.owner)) | ||
| error_message = "owner must be 8 characters or less, all lowerspace with no special characters or spaces" |
There was a problem hiding this comment.
Hah, I misunderstood your comment. My thought was, yeah, lowercase... 😆
I'll fix the typo.
| default = "skylight" | ||
| validation { | ||
| condition = can(regex("^[[:alnum:]]{1,8}$", var.owner)) | ||
| error_message = "owner must be 8 characters/numbers or less, all lowerspace with no special characters or spaces" |
DEVOPS PULL REQUEST
Related Issue
Changes Proposed
environmentto useworkspaceinstead to keep things consistent with jargon used by terraformtfstaterelated terraform into a module to better encapsulate those resourcesinternalvariable to better setup resources in private subnets and prevent the creation of certain VPC resourcesservice_datato includemin_capacityandmax_capacityso that we can handle autoscaling