Closed JohannesRudolph closed 1 month ago
some BBs will have a very advanced backplane, e.g. the connectivity block requires the hub deployed from azure/kit/connectivity - should we go the trouble of always defining a dedicated backplane even if we could reuse the bootstraped SPN?
I'd say yes, we should always have dedicated backplanes. See https://github.com/meshcloud/collie-hub/issues/109 which would mean that the kit modules in collie-hub up to CFMM L2 don't come with an automation solution. Building Blocks are certainly an implementation of CFMM L3 Modular Landing Zones. We can therefore reasonably expect putting SPNs etc. on the learning curve for a CFT.
Summary of an internal design session we've had with @florianow and @felixzieger
Decisions
terraform/opentofu test
for "unit testing" building blocks. We may introduce a dedicated collie foundation test
command to simplify this workflowlikvid-cloudfoundation
and if that MVP is successful transplant this to collie-hubWe have successfully landed a buildingblock design pattern in likvid-cloudfoundation that we are fairly happy with
This issue collects various improvements for a simple and consistent workflow to deal with assembling tenants from buildingblocks using a pure IaC workflow using collie. Common examples of building blocks needed in a stage 2 (CFMM) cloudfoundation are a tenant building block (think subscription/account/project) that enforces tags + IAM role model, a budget alert (simple) and a hub+spoke vnet (complex).
The goals for the approach we want to support with collie are
Concept: Building Blocks
In terragrunt parlance, building blocks are "shared service modules"
Concept: Backplanes
Backplanes add what's necessary to successfully deploy a building block to a tenant in your landing zones. From the perspective of an application team, a building block provides some sort of capability to their application's cloud environment, e.g. an on-prem connected spoke VNet. This spoke VNet however is only the "tip of the iceberg". Application teams can't (and should not have to care about) all of the mechanics that make this spoke VNet work, like the hub network, WAN connection, IPAM and firewall rules.
We will call everything that makes the application-team visible part of the building block work the "backplane". The backplane always includes
Packaging Building Blocks in collie-hub
We will settle for the following structure for packaging building blocks in collie-hub
kit/$platform/buildingblocks/$block/backplane/{README.md, main.tf, ...}
building block backplanes will be normal kit moduleskit/$platform/buildingblocks/$block/buildingblock/{README.md, main.tf, ...}
building block modules will be plain terraform modulesconfig_tf
output. This output should containprovider
and (optionally?)backend
configuration block. This is the "missing" configuration required to deploy a building block and can be injected e.g. by terragrunt or other terraform automation[x] collie-cli must learn to ignore
**/buildingblock/README.md
files when trying to parse configuration objects from the repo or learn to treat buildingblocks as its own concept[x] some BBs will have a very advanced backplane, e.g. the connectivity block requires the hub deployed from
azure/kit/connectivity
- should we go the trouble of always defining a dedicated backplane even if we could reuse the bootstraped SPN?Deploying Building Blocks
Deploying building blocks to a cloud tenant becomes a simple terraform composition in a
main.tf
that invokes the building blocks as plain terraform modules likeTesting Building Blocks
Once we have deployed a building block backplane, it's very useful to ensure that this backplane can successfully deploy the building block in isolation. This can be achieved with
terraform test
and terragrunt like soopen issues
config.tf
which works very well here, but is not similar to collie-style tenant composition (see above)Note: some of what's discussed in this issue here (especially the design principles) should end up on the collie documentation