The GitHub Control repository manages the InfraHouse GitHub organization. The repository uses GitHub Terraform provider to define organization settings, repositories, and everything else supported by the provider. It is the configuration source of truth. If anything needs to be changed, including adding a new repository, the change should be made in this repository. Changes made outside of the repository may be reverted. Continuous Integration and Deployment (CI/CD) is configured for this repository.
See also
A cookiecutter template is available to create a Terraform repository with CI/CD to manage a GitHub organization.
A GutHub user infrahouse8 and the InfraHouse organization are separated from each other. infrahouse8 is an owner of the InfraHouse organizations. The GitHub Control repository is hosted under infrahouse8. This way ensures the out-of-band management of the organization. Only infrahouse8 has admin privileges in the InfraHouse organization. All other members of the organization will have "member" privileges only.
Relationship between infrahouse8 user and InfraHouse organization.
When a user wants to make a change in InfraHouse GitHub configuration they should submit a pull request into the main branch.
Once the pull request is created, GitHub Actions worker will run a set of checks.
The checks include executing terraform plan, linter, and other tests that are included now or will be included in future.
A failed check will block the pull request from merging.
Once the pull request is merged, GitHub Actions runs terraform apply to implement new changes.
Repository workflow.
The repo needs a set of inputs available for in the pull request stage as well as for deployment.
Defined in https://github.com/infrahouse8/github-control/settings/secrets/actions.
AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,AWS_DEFAULT_REGIONAWS credentials of a user that has privileges to work with a Terraform state in S3. Minimal privileges required [1]:
ListBucketGetObjectPutObjectDeleteObject
GH_TOKEN- Personal token of a user infrahouse8. Created in https://github.com/settings/tokens.
| [1] | The repository doesn't use Terraform state locking at the moment. If it did, additional privileges would be needed to work with a DynamoDB table. |