Consider improving central files management

[samuelallan72]

Terraform is great for managing the repositories and repository metadata (we're using it effectively for maintaining the repository settings, branch protection, collaborator rules, repository description, etc.).

From my recent experience it's really awkward currently for managing the centrally managed files (CODEOWNERS, and workflow yaml files currently);

• template variables can't be differing types (must be all strings, or all lists of strings, or all bool, etc.) - makes it difficult for more complex templating
• template variables don't support defaults
• templates are limited compared to something like jinja
• the terraform logic is awkward (it's not designed for this kind of thing really)
• we can't see a diff before the PR is merged and automated PR created
• iterating is really slow and the development workflow is awkward, as you really need to open draft changes as a PR directly on the target repository, and then move it to the automation repository - we don't currently have a way to test against the target repository until a PR here merges.

I propose we replace the terraform that manages the centrally managed files with a script and workflow that does something like this when a PR is opened here:

# when PR is opened here:
for repo in target repositories:
    load config for $repo
    checkout $repo
    template all configured files into $repo
    if changes:
        print a diff of the changes
        open a draft PR to $repo with the changes

# when the PR is updated here:
for repo in target repositories:
    repeat the above, but also update the draft PR to $repo

# when the PR is merged:
for repo in target repositories:
    change the draft PR to 'ready for review'?
    or maybe close the draft PRs and open a new (or update an existing) PR since it's now main branch?

We'd want something to help us avoid merging PRs that are from feature branches, and also to avoid merging outdated PRs to target repositories.

[samuelallan72]

Any comments, thoughts, feedback appreciated. :) The above is simply a suggested improvement based on my recent experiences and pain points.

[samuelallan72]

Another motivation for this that I discovered today: it makes it verbose to manage files across multiple branches. For example for snap-tempest we maintain multiple stable branches ( https://github.com/canonical/snap-tempest/branches/active ), and we want the same codeowners and workflows on each branch. Currently this means a separate terraform config for the repo for each branch, duplicating repo name, description, etc.

EDIT: Although some things, like branch protection rules, we actually do want to be per-branch. :thinking: