feoh
commented
9 months ago Current status from @Ardiea:
Outstanding questions / concerns / thought
- Database + AWS creds seem to change every run / preview and old ones are not expired when that happens (yuck). Requires further investigation.
- There is a different way to get the aws creds builtin to pulumi but I can’t seem to get it to work. 403 IAM permission issue that I can’t figure out. Tried the obvious things to get past it. Code to do it is commented out.
- Haven’t figured out how to do consul lookups yet. Presumably possible. Zero thought given to the issue so far though. There are two needed for this app.
- Few things marked TODO that can become stack references calls instead of statically populated.
- About half the secrets could be obtained easy-mode the other half required async incantations to pull from vault. I think maybe for purity the easy-mode ones should be changed to async incantations. Complicated and requires figuring out json nuances with get_secret_output() function.
- Need to carefully compare and contrast with vars in salt to make sure all is as it should be.
- Need to document how to find the app_id from heroku. It is a “secret” in that heroku won’t nicely tell you what it is.
Description/Context
We are retiring SaltStack for all uses. The most critical one that it is still responsible for is managing application configuration for our Heroku applications. To replace that functionality we will start using the Heroku provider for Pulumi to control the application settings.
Plan/Design
Copy the current Pillar settings from SaltStack for each application and translate it to Python/Pulumi code using the
heroku.app.ConfigAssociationresource. This code will be located in the already existing Pulumi projects for the respective applications which already manages the creation of the RDS databases and S3 buckets.Heroku Application Configurations Migrated