This is a Seed Control Repository specific to the onboarded workload (read: APM code). It was created by the terraform-bns-init module via the seed control repo template.
This is a control repository to allow a local application operations team the ability to centrally manage all required resources via approvied operational patterns.
There are two types of 'operational model' patterns supported currently:
| Pattern | Enforcement Module | Description |
|---|---|---|
| VCS Workflow | bns-infra/terraform-bns-vcsworkflow | This module enforces key resource configurations adhering to the Bank approved Tenant Workflow as per the Foundational Enhancements TDD from Google. |
| Github Workflow | bns-infra/terraform-bns-githubflow | This module enforces key resource configurations adhering to the Bank approved Artifact Workflow as per the Foundational Enhancements TDD from Google. |
Important: this repository is cloud-provider agnostic and should remain so.
Creating an instance of the VCS Workflow operational model is as simple as configuring the vcs_workflow_instances variable within the locals block as follows:
locals {
vcs_workflow_instances = [
greenfield : {}
]
}This will give you the control repository (Github Enterprise), workspaces per region and environment (Terraform Cloud) and relevant WIF bindings (Google Cloud) to the project set provisioned by the parent Seed Onboarding workflow.
When instantiating our resource set we can ensure that our control repository is based off our a repository template associated with a key resource pattern:
locals {
vcs_workflow_instances = [
simple_gce : {
resource_pattern = "gce_with_pub_sub"
}
]
}Where gce_with_pub_sub would map to a repository template in Github Enterprise called bns-infra/tfw-pattern-gce_with_pub_sub.
A key requirement was to ensure that a team wants to manage multiple resource patterns within a single project they should be able to do so:
locals {
vcs_workflow_instances = [
simple_gce : {
resource_pattern = "gce_with_pub_sub"
}
atlas_cluster : {
resource_pattern = "atlas_cluster"
}
]
}Where gce_with_pub_sub and atlas_cluster are repository templates in Github Enterprise.
If teams are running multiple VCS workflow instances within a project we should not assume they will have the same environment set nor run in the same regions:
locals {
vcs_workflow_instances = [
simple_gce : {
resource_pattern = "gce_with_pub_sub"
workload_context = {
np : {
dev: [ "northamerica-northeast1"]
sit: [ "northamerica-northeast1"]
uat: [ "northamerica-northeast1"]
},
pr : {
prd: [ "northamerica-northeast1", "northamerica-northeast2"]
}
}
}
atlas_cluster : {
resource_pattern = "atlas_cluster"
workload_context = {
np : {
stg: [ "northamerica-northeast1"]
},
pr : {
prd: [ "northamerica-northeast1", "northamerica-northeast2"]
}
}
]
}Thus application operators avoid any "lock in" around environmental or regional requirements.
Creating an instance of the GithubFlow operational model is as simple as configuring the githubflow_instances variable within the locals block as follows:
locals {
githubflow_instances = [
repoA : {
repository_type = "terraform_module"
repository_name = "terraform_abc_moduleA"
}
repoB : {
repository_type = "config_sync"
repository_name = "config_sync_moduleB"
repository_gar = "<gar instance id>"
}
]
}
This will create the repositories and ensure an authentication strategy is in place for validation and publication workflows.Example input to module would looks as follows:
# -----------------------------------------------------------------------
# All Input Variables are to be provided from the calling Seed Workspace.
# -----------------------------------------------------------------------
# TODO: update "ad_group" value
ad_group = null
# TODO: update "gcp_wif" value
gcp_wif = null
# TODO: update "tfe_ghain" value
tfe_ghain = null
# TODO: update "vault_enterprise_address" value
vault_enterprise_address = null
# TODO: update "vault_enterprise_auth_path" value
vault_enterprise_auth_path = null
# TODO: update "vault_enterprise_binding_claim_org" value
vault_enterprise_binding_claim_org = null
# TODO: update "vault_enterprise_namespace" value
vault_enterprise_namespace = null
# TODO: update "workload_id" value
workload_id = nullNo requirements.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| ad_group | The common AD group across the services in scope. | string |
n/a | yes |
| gcp_wif | The ensures project creation at the service tier with bindings to the appropriate WIF pool per service. | map(object({ |
n/a | yes |
| tfe_ghain | The TFC Github Application Installation. | string |
n/a | yes |
| vault_enterprise_address | The TFC Vault Address. | string |
n/a | yes |
| vault_enterprise_auth_path | The TFC Vault Authentication Path. | string |
n/a | yes |
| vault_enterprise_binding_claim_org | The Terraform Enterprise organization to be used in JWT Auth Role Bindings. | string |
n/a | yes |
| vault_enterprise_namespace | The TFC Vault Namespace. | string |
n/a | yes |
| workload_id | The Application Portfolio Management (APM) Code for the workload. | string |
n/a | yes |
No outputs.
| Name | Source | Version |
|---|---|---|
| githubflow | app.terraform.io/bankofnovascotia/terraform-bns-githubworkflow/bns | >= 0.0.1 |
| vcsworkflow | app.terraform.io/bankofnovascotia/terraform-bns-vcsworkflow/bns | >= 0.0.1 |
No resources.