Azure / ALZ-PowerShell-Module

The Azure Landing Zones Accelerators PowerShell module
https://www.powershellgallery.com/packages/ALZ/
MIT License

Feature Request: Enhanced upgrade process and state management #229

Open jaredfholgate opened 1 month ago

jaredfholgate commented 1 month ago

Is there an existing issue for this?

Infrastructure as Code Type? (Required)

both

Starter Module? (Required)

not relevant

Use Case (Required)

As a user of the ALZ Accelerator, I want the bootstrap state to be managed and the update / upgrade process to handle that.

Proposed Solution (Required)

Options include:

  1. Send it up to the storage account we create in the bootstrap.
    • This storage account can have a private end point and restricted access. Adding a break out for this would be less than ideal.
  2. Create a new storage account with public networking specifically for this purpose. Specify accounts / groups with access

In both cases we need to:

  1. Spit out a backend file for the bootstrap.
  2. Store and version the input files in blob storage too?
    • Would need to make it mandatory to supply sensitive inputs via env var?

Needs some more thought...

Once we have something in place, the upgrade / update process should be able to support remote state.

Important Factoids (Optional)

No response

References (Optional)

No response

mikejonestechno commented 1 month ago

Please prioritize - we need an upgrade path without having to create our own bootstrap for the bootstrap!

In my use case I want to use Azure DevOps with Bicep and need to try different bootstrap options and starter options over the upcoming weeks. Even though iac_type = bicep I still want a remote backend to persist the initial bootstrap tf state and avoid keeping persistent bootstrap state files on my laptop.

"Would need to make it mandatory to supply sensitive inputs via env var?" Nice to have but not required, at least for the first iteration of bootstrap state storage. Just update doco and sample configs telling the user that setting token values in config or inputs.yaml is insecure and they should be set using local environment variables:

TF_VAR_azure_devops_personal_access_token='<token-1>'
TF_VAR_azure_devops_agents_personal_access_token='<token-2>'
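The two steps the thread converges on (emit a backend file for the bootstrap state, and accept the PAT inputs only from TF_VAR_* environment variables), written as an added PowerShell example rather than code from the ALZ module. The parameter names, the file names and the `tfstate` container name are assumptions; the two token variable names are the ones quoted above.

```powershell
# Added example, not part of ALZ-PowerShell-Module. Writes a partial azurerm backend
# config for the bootstrap state and refuses to continue while a PAT is still inline
# in inputs.yaml instead of in a TF_VAR_* environment variable.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $StorageAccountName,
    [string] $ContainerName = 'tfstate',                      # assumed name
    [string] $StateKey     = 'alz-bootstrap.tfstate',         # assumed name
    [string] $InputsPath   = './inputs.yaml',
    [string] $BackendPath  = './bootstrap.azurerm.tfbackend'  # assumed name
)

# Inputs that must never be committed to inputs.yaml (names from the comment above).
$sensitiveInputs = @(
    'azure_devops_personal_access_token',
    'azure_devops_agents_personal_access_token'
)

# 1. Check the config file for inline secrets, then check the env var is actually set.
$inputsText = if (Test-Path $InputsPath) { Get-Content -Raw $InputsPath } else { '' }
foreach ($name in $sensitiveInputs) {
    if ($inputsText -match "(?m)^\s*$([regex]::Escape($name))\s*:\s*\S") {
        throw "'$name' is set inline in $InputsPath; remove it and set TF_VAR_$name instead."
    }
    if (-not [Environment]::GetEnvironmentVariable("TF_VAR_$name")) {
        throw "TF_VAR_$name is not set; export it before running the bootstrap."
    }
}

# 2. Emit a key = value file for `terraform init -backend-config=<file>`; the root module
#    is assumed to declare an empty `backend "azurerm" {}` block. use_azuread_auth means
#    no storage account key has to live on the laptop, only the signed-in identity's RBAC.
$backend = @"
resource_group_name  = "$ResourceGroupName"
storage_account_name = "$StorageAccountName"
container_name       = "$ContainerName"
key                  = "$StateKey"
use_azuread_auth     = true
"@
Set-Content -Path $BackendPath -Value $backend
Write-Host "Backend configuration written to $BackendPath"
```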