have a way to test Terraform changes more safely #830

Closed
1 task done
Tracked by #905
afeld opened this issue Jul 26, 2022 · 6 comments · Fixed by #1074
Labels
chore Chores and tasks for code cleanup, dev experience, etc. infrastructure Terraform, Azure, etc. security Changes to improve or maintain the availability and resilience of the app

Comments

@afeld
Contributor

afeld commented Jul 26, 2022

Currently, our different environments are set up as App Service slots. This means infrastructure (a.k.a. Terraform) changes outside of slots apply to all of them, meaning there isn't an easy way to test those changes beyond a plan.

I propose we use a dedicated Resource Group (maybe also a dedicated subscription?) to create a full staging environment, perhaps with some features like the Monitors disabled. We might want to go all the way and make one for dev, and get rid of our use of slots. Open to feedback here.

cc @cal-itp/cdt-devsecops

Acceptance Criteria

  • Changes to Terraform can be made and tested without concern that production will be impacted

Additional context

This would have helped prevent the 7/21 downtime.
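
As an added illustration of the acceptance criterion above (not part of the issue or the project's code): a check over `terraform show -json` plan output that blocks any change touching a resource group other than the one under test. The resource group names and the sample plan are constructed, and resources with no resolvable resource group are flagged for manual review rather than passed.

```python
import json

# Constructed sample, trimmed to the fields used here from `terraform show -json <planfile>`.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "azurerm_linux_web_app.main", "type": "azurerm_linux_web_app",
   "change": {"actions": ["update"],
              "before": {"resource_group_name": "RG-Example-Dev"},
              "after": {"resource_group_name": "rg-example-dev"}}},
  {"address": "azurerm_monitor_action_group.alerts", "type": "azurerm_monitor_action_group",
   "change": {"actions": ["delete", "create"],
              "before": {"resource_group_name": "rg-example-prod"},
              "after": {"resource_group_name": "rg-example-prod"}}},
  {"address": "azurerm_resource_group.prod", "type": "azurerm_resource_group",
   "change": {"actions": ["no-op"],
              "before": {"name": "rg-example-prod"}, "after": {"name": "rg-example-prod"}}},
  {"address": "azurerm_role_assignment.deployer", "type": "azurerm_role_assignment",
   "change": {"actions": ["create"], "before": null, "after": {"scope": "placeholder"}}}
]}
""")


def resource_groups(rc):
    """Resource groups a change touches, lower-cased (Azure compares them case-insensitively)."""
    key = "name" if rc["type"] == "azurerm_resource_group" else "resource_group_name"
    found = set()
    for side in ("before", "after"):
        # `before` is null on create and `after` is null on delete.
        value = (rc["change"].get(side) or {}).get(key)
        if value:
            found.add(value.lower())
    return found


def out_of_scope_changes(plan, allowed_group):
    """Return (address, actions, groups) for every real change outside allowed_group."""
    findings = []
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        if actions in (["no-op"], ["read"]):
            continue
        groups = resource_groups(rc)
        # Fail closed: no resolvable resource group means a human has to look at it.
        if groups != {allowed_group.lower()}:
            findings.append((rc["address"], actions, sorted(groups) or ["unknown"]))
    return findings


if __name__ == "__main__":
    for address, actions, groups in out_of_scope_changes(SAMPLE_PLAN, "rg-example-dev"):
        print(f"BLOCK {address}: {'/'.join(actions)} in {', '.join(groups)}")
```
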

@afeld afeld added chore Chores and tasks for code cleanup, dev experience, etc. security Changes to improve or maintain the availability and resilience of the app infrastructure Terraform, Azure, etc. labels Jul 26, 2022
@afeld afeld changed the title create isolated staging environment have a way to test Terraform changes more safely Jul 26, 2022
@thekaveman thekaveman moved this to Backlog in Digital Services Aug 1, 2022
@afeld afeld mentioned this issue Sep 9, 2022
23 tasks
@thekaveman thekaveman added this to the Production Resiliency milestone Sep 22, 2022
@afeld afeld moved this from Backlog to This Sprint (Month) in Digital Services Oct 13, 2022
@afeld afeld self-assigned this Oct 13, 2022
@afeld afeld moved this from This Sprint (Month) to In Progress in Digital Services Oct 20, 2022
@afeld
Contributor Author

afeld commented Oct 20, 2022

More support for this, from the official docs:

notably, you shouldn't use a single Terraform workspace to manage everything that makes up your production or staging environment

https://developer.hashicorp.com/terraform/cloud-docs/recommended-practices/part1#one-workspace-per-environment-per-terraform-configuration

@afeld
Contributor Author

afeld commented Dec 12, 2022

Have a question out to @cal-itp/cdt-devsecops about whether we need to use two Subscriptions, as that complicates the Pipeline. (From what I can tell, the service connection name is read at "compile time", which restricts what logic can be used to determine it.) Waiting on their answer before continuing, one way or another.

@afeld afeld moved this from In Progress to Blocked in Digital Services Dec 12, 2022
@afeld afeld mentioned this issue Dec 15, 2022
9 tasks
Repository owner moved this from Blocked to Done in Digital Services Dec 22, 2022
@afeld
Contributor Author

afeld commented Dec 22, 2022

Still ongoing as we propagate the changes up.

@afeld afeld reopened this Dec 22, 2022
Repository owner moved this from Done to In Progress in Digital Services Dec 22, 2022
@afeld
Contributor Author

afeld commented Dec 22, 2022

The new dev and test app service instances are live and well. The custom domains (dev-benefits.calitp.org and test-benefits.calitp.org) are still pointing to the old slots via Front Door, now waiting on @cal-itp/cdt-devsecops to update those. Once that's done, we can deploy to production, which will delete the old slots etc.

cc #1170

@afeld
Contributor Author

afeld commented Jan 4, 2023

The new dev and test app service instances are live and well. Next, we'll deploy to production, which will delete the old slots etc.

cc #1170

@afeld
Contributor Author

afeld commented Jan 4, 2023

While we're still working on the cleanup of production, this task is technically done.

@afeld afeld closed this as completed Jan 4, 2023
@github-project-automation github-project-automation bot moved this from In Progress to Done in Digital Services Jan 4, 2023