Developer Guide

We use a GitOps-based strategy to apply the Terraform config in this repo, but the plans and applies run in an Atlantis instance (TODO: change link when this is merged into Phalanx), not in GitHub Actions. The credentials and authentication described here are therefore configured on the Atlantis instance, not in the repository's GitHub Actions config. Separate GitHub Actions workflows only lint the Terraform config and build the docs.

Sentry Authentication

Prodromos needs broad permissions in the Sentry organization. We manually created a Sentry internal integration with these permissions, and the Atlantis instance is configured with the auth token from that integration, exposed as the SENTRY_AUTH_TOKEN environment variable.

The Sentry provider blocks should not set an auth token explicitly. When no token is given in the provider block, the provider reads it from SENTRY_AUTH_TOKEN, which is its default, so the token never has to appear in the Terraform config or in state.

Google Cloud Authentication

Atlantis service account permissions

The Terraform state for all Terraform config in the repo is stored in a Google Cloud Storage bucket. The Atlantis instance is deployed with access to this bucket via Workload Identity Federation for GKE, so no service account key is stored on the instance. The federated service account must also hold the Monitoring Admin role (roles/monitoring.admin) in every project in which Google Cloud Monitoring resources are provisioned.
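The following is an added illustration of how the Sentry and Google Cloud sections above fit together in a root module; it is not code from the Prodromos repo. The bucket name, state prefix and provider version constraints are placeholders. The point it shows is that neither provider block carries a credential: the Sentry token comes from SENTRY_AUTH_TOKEN and the Google credential comes from Application Default Credentials, which on GKE resolve to the federated service account.

```hcl
# Added example, not the Prodromos repo's own config. Bucket name, prefix
# and version constraints are assumed placeholders.
terraform {
  required_version = ">= 1.5"

  required_providers {
    sentry = {
      source  = "jianyuan/sentry"
      version = "~> 0.12" # assumed constraint
    }
    google = {
      source  = "hashicorp/google"
      version = "~> 5.0" # assumed constraint
    }
  }

  # State lives in a GCS bucket. No credentials block here: the backend uses
  # the same Application Default Credentials as the google provider, which
  # Workload Identity Federation for GKE supplies to the Atlantis pod.
  backend "gcs" {
    bucket = "example-prodromos-tfstate" # assumed bucket name
    prefix = "prodromos"                 # assumed prefix
  }
}

# No `token` argument on purpose. With it absent the provider reads
# SENTRY_AUTH_TOKEN from the environment, which Atlantis sets from the
# internal integration's token. Setting `token` here would put the secret
# into the config and, for some provider versions, into state.
provider "sentry" {}

# No `credentials` argument either. The provider falls back to Application
# Default Credentials, so the federated service account (which must hold
# roles/monitoring.admin in each target project) is used without a key file.
provider "google" {}
```

A quick check that this is wired correctly is that `terraform plan` on the Atlantis instance succeeds with SENTRY_AUTH_TOKEN unset only for config that touches no Sentry resources; if it succeeds for a Sentry resource with the variable unset, a token has leaked into the config somewhere.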

Google Cloud Monitoring Slack app

You need to create a Slack application with a bot token for Google Cloud to use to send Slack notifications.

  1. Go to https://api.slack.com/apps and click Create New App, then From Scratch.

  2. Name the app something like “Google Cloud Monitoring” and choose your workspace.

  3. Click on OAuth & Permissions in the left sidebar. In the Bot Token Scopes section, click Add an OAuth Scope.

  4. Choose these scopes: chat:write, chat:write.customize, and chat:write.public.

  5. On that same page, in the OAuth Tokens section, click Install to <your workspace>.

  6. A Bot User OAuth Token should appear. This should be added as the google-cloud-monitoring-slack-token secret in the Atlantis app in Phalanx.
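As an added example, not from the Prodromos repo, this is the shape of the Terraform resource that consumes the bot token created above. It assumes the google-cloud-monitoring-slack-token secret reaches Terraform as a sensitive input variable (for instance via a TF_VAR_ environment variable set on the Atlantis instance); the variable name, project ID and Slack channel are placeholders.

```hcl
# Added example, not the Prodromos repo's own config.
# Assumption: Atlantis exposes the google-cloud-monitoring-slack-token secret
# to Terraform as TF_VAR_slack_bot_token.
variable "slack_bot_token" {
  type        = string
  sensitive   = true
  description = "Bot User OAuth Token of the Google Cloud Monitoring Slack app"
}

# A Slack notification channel that alert policies can fan out to.
resource "google_monitoring_notification_channel" "slack" {
  project      = "example-project" # assumed project ID
  display_name = "Slack #alerts"
  type         = "slack"

  # chat:write.public lets the bot post to a public channel it has not
  # been invited to; for a private channel the bot must be a member.
  labels = {
    channel_name = "#alerts" # assumed channel
  }

  # The token goes in sensitive_labels rather than labels so it is
  # redacted from plan output instead of being printed as a diff.
  sensitive_labels {
    auth_token = var.slack_bot_token
  }
}

# Reference the channel by ID from alert policies, never by re-reading
# the token.
output "slack_notification_channel_id" {
  value = google_monitoring_notification_channel.slack.id
}
```

Because the token is a sensitive variable, rotating the Slack app's bot token only requires updating the secret in the Atlantis app in Phalanx and re-applying; the config itself does not change.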

Helper Dependencies

The environment module needs the Sentry CLI so it can send events to Sentry to create environments. The CLI must be installed and on the PATH wherever the Terraform is applied, which in this case is the Atlantis instance.

GitHub Repo

The Prodromos GitHub repo is private. This is because Atlantis is driven by GitHub pull request comments, and on a public repo anyone with a GitHub account can post them. Atlantis is configured to require PR approval before atlantis apply can be run, and Atlantis will only apply config that is in the PR itself, so an attacker could not apply arbitrary changes; they could, however, run a denial-of-service attack against our Atlantis instance by repeatedly submitting atlantis plan comments, each of which triggers a full plan.

The repo is integrated with Atlantis by inviting the lsst-sqre Atlantis GitHub app (TODO: change this to the non-dev app when it gets deployed).