[todo(@bartsmykla)]: Remember to write section with suggestion to rewrite
k/k8s.io/groupsto custom terraform provider
I strongly believe in rule that before you'll start solving the problem with the code you should understand well what is the problem and solve it conceptualy first.
[IMPORTANT!] As you can assume, I've spent some time working on this document. I come to some conclusions and have some thoughts and ideas but they are just MY conclusions and just MY foughts and ideas. PLEASE don't feel obliged to agree with me just because I spent my time working on it. If you think I'm wrong or/and you think we could improve it PLEASE write about it. Even if it would completely scrap my ideas/suggestions/plans. Let's treat it as a working document and have fruitful discussion.
One could ask why this much effort to analyse all this components by hand and not to just use audit and take them drom there. This is a great question and the answer is I wanted to compare if all components from audit are being created by our tooling.
What I don't like is there are places like CIP Auditor which need some scripts being run in a specified sequence for it to be able to correctly provision resources. We need to make it more atomic.
- CIP Auditor
- Conformance Storage
- GSuite
- Main Project
- Namespaces
- Prod Storage
- Prod Storage GCLB
- Release Projects
- Releng
- Staging Storage
- @listx:
-
- G1 The name of components and structure of Yaml was used in conjuction to terraform components
- G2 Remember the IAM Binding resources used are authoritative (they will remove all other IAM Bindings from the resource) and are used here just as an example (they are easier to read). When components needed in our infrastructure will be described with different archetypes in mind ("project" will be an archetype instead of i.e. "prod storage") we should write terraform modules in that maner, that by default archetypes will get some IAMs granted by authoritative IAM Bindings and if archetype needs unusuall ones they will by granted by IAM Member resources which are non-authoritative. (for more information you can look for example at notes of Terraform's Google Storage Bucket IAM resource documentation.