Originate / exosphere

A modern cloud-based micro-service framework
MIT License

separate terraform module state #963

Closed charlierudolph closed 6 years ago

charlierudolph commented 6 years ago

In order for CI to not do a blanket apply, but only update the services, have a separate apply for other infrastructure.

@Bowbaq @dminnear @bishtawi @allensallinger can you advise or point to the relevant documentation for how this is accomplished?

Bowbaq commented 6 years ago

This is separate from the CI issue I think. What we want here is to separate the states for the infrastructure / data storage components and the services running on top of that infrastructure.

This way the infrastructure, which should change infrequently and requires high levels of permissions to modify, can be isolated from day-to-day updates to services by developers.

The way to do this is to have a separate main.tf for the infrastructure and one for the services. The services layer can use a terraform_remote_state data source to import any needed outputs from the infrastructure layer.

This would also allow us to use much more restricted IAM roles to interact with the service layer since the set of operations to do there is much smaller.

re: CI, if we want to use terraform to deploy new versions of services, we should target only the resources needed to do that rather than running a blanket terraform apply -auto-approve in CI so we can limit the risks of unintentionally applying other changes.
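
The two-layer split described in the comment above, as an added example that is not part of the original thread or the exosphere code base. It assumes an S3 backend, Terraform 0.12+ syntax, and an ECS cluster as the shared infrastructure; the bucket, region, resource names and the `web_task_definition_arn` variable are placeholders.

```hcl
# ---- infrastructure/main.tf: applied rarely, by a highly privileged role ----
terraform {
  backend "s3" {
    bucket = "example-tfstate" # placeholder bucket name
    key    = "infrastructure/terraform.tfstate"
    region = "us-east-1"
  }
}

resource "aws_ecs_cluster" "main" {
  name = "example-cluster"
}

# Only root-level outputs are exposed to other layers.
output "cluster_id" {
  value = aws_ecs_cluster.main.id
}

# ---- services/main.tf: applied on every deploy, by a restricted role ----
terraform {
  backend "s3" {
    bucket = "example-tfstate"
    key    = "services/terraform.tfstate" # separate state object
    region = "us-east-1"
  }
}

# Read-only import of the infrastructure outputs. The services role needs
# read access to this state object only; note that it can then read the
# whole infrastructure state file, so treat that read grant as access to
# everything stored there.
data "terraform_remote_state" "infrastructure" {
  backend = "s3"
  config = {
    bucket = "example-tfstate"
    key    = "infrastructure/terraform.tfstate"
    region = "us-east-1"
  }
}

variable "web_task_definition_arn" {
  type = string # hypothetical input: task definition registered by the deploy job
}

resource "aws_ecs_service" "web" {
  name            = "web"
  cluster         = data.terraform_remote_state.infrastructure.outputs.cluster_id
  task_definition = var.web_task_definition_arn
  desired_count   = 2
}
```

With this layout a CI job that runs `terraform apply` from the services directory can only plan changes to resources in the services state, and its role needs write access to `services/terraform.tfstate` but not to the infrastructure state.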