concourse/governance

Automatically apply changes

Closed this issue · 1 comments

vito commented
  • run terraform apply
  • run go test to verify the integrity of the state in GitHub

Will need to securely configure a GitHub token with effectively org admin permissions.

Though there is an obvious temptation to use Concourse for this, it's probably worth considering GitHub Actions just to keep the scope of this narrow.

vito commented

All done! GitHub Actions ended up working pretty well for this. It keeps the credential somewhere that it can't even be read, and I was even able to (ab)use actions/cache so that I don't need to store the terraform.tfstate anywhere. This should be fine because all state is on GitHub and can just be imported in the event that the cache is lost.

There is one caveat: if something (e.g. a repo) is removed and the cache is lost, the Import step won't import it, so it won't be destroyed. I have mitigated this by configuring the workflow to run daily, which should keep the cache from expiring, or at least narrow the window of the cache not existing. Running periodically is a good thing to do anyway - it's how we can detect drift and make sure things are staying in sync with the source of truth (this repo).

Another workaround could be to have Import work based on the actual state (e.g. all repos in the org) instead of the desired state (all repos in the repo), but that's a little hardcore; it would mean anything not created through this repo would be destroyed or archived.

For posterity:
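The setup described in the comment above, written out as an added example workflow (this is not the workflow vito posted in the issue, and not code from the concourse/governance repo): a scheduled GitHub Actions job keeps terraform.tfstate in actions/cache, re-imports the desired resources before planning, and applies. The secret name GOVERNANCE_GITHUB_TOKEN, the org name, the repos.txt list and the github_repository.repos resource address are assumptions for the example; the concurrency group is added so two runs never save divergent copies of the cached state.

```yaml
# Added example (not the workflow from concourse/governance): apply the org's
# Terraform config daily, keep terraform.tfstate in actions/cache, and
# re-import desired resources before applying.
# Assumed/hypothetical: the secret name GOVERNANCE_GITHUB_TOKEN, the org name,
# the repos.txt file, and the github_repository.repos resource address.
name: apply

on:
  push:
    branches: [main]
  schedule:
    - cron: '0 6 * * *'   # daily run keeps the cache warm and surfaces drift

# Only one run at a time: two concurrent applies against a cached state file
# would each save a divergent copy.
concurrency:
  group: governance-apply
  cancel-in-progress: false

permissions:
  contents: read   # the job's default GITHUB_TOKEN needs nothing more;
                   # org-admin rights come only from the dedicated secret

jobs:
  apply:
    runs-on: ubuntu-latest
    env:
      GITHUB_TOKEN: ${{ secrets.GOVERNANCE_GITHUB_TOKEN }}  # assumed secret name
      GITHUB_OWNER: example-org                            # assumed org name
    steps:
      - uses: actions/checkout@v4

      - uses: hashicorp/setup-terraform@v3

      # The cache is not a secret store; it is only acceptable here because
      # the state holds nothing that is not already visible in the org.
      # A unique key per run plus a prefix restore-key means each run restores
      # the newest entry and saves a fresh one (existing keys are never overwritten).
      - uses: actions/cache@v4
        with:
          path: terraform.tfstate
          key: terraform-state-${{ github.run_id }}
          restore-keys: |
            terraform-state-

      - run: terraform init -input=false

      # Import from the desired state (repos.txt, one repo per line, assumed).
      # Anything missing from both this list and the cache is invisible to
      # Terraform, which is the caveat described in the comment above.
      - name: Import
        run: |
          set -euo pipefail
          terraform state list > state.txt 2>/dev/null || true
          while read -r repo; do
            [ -z "$repo" ] && continue
            addr="github_repository.repos[\"$repo\"]"
            if ! grep -qxF "$addr" state.txt; then
              terraform import -input=false "$addr" "$repo"
            fi
          done < repos.txt

      # Drift shows up here as a non-empty plan on a day with no commits.
      - run: terraform plan -input=false -out=tfplan

      - run: terraform apply -input=false tfplan
```

The Import step only looks at the desired state, so a resource that was deleted from the repo while the cache was also lost is never imported and therefore never destroyed, exactly the window the daily schedule is meant to narrow.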