Developer Guide
We use a GitOps-based strategy to apply the Terraform config in this repo, but it happens in an Atlantis instance (TODO: change link when this is merged into Phalanx), rather than in GitHub Actions. The credentials and authentication described here are therefore configured in the Atlantis instance, not in the repository's GitHub Actions config. There are also regular GitHub Actions workflows to lint the Terraform config and build the docs.
Sentry Authentication
Prodromos needs broad permissions in the Sentry organization. We manually created a Sentry internal integration with these permissions, and the Atlantis instance is configured with the auth token from this integration. The Sentry provider blocks should be configured to take the auth token from the SENTRY_AUTH_TOKEN environment variable (which is the default if no auth token is specified in the provider block), so no token ever appears in the Terraform config itself; the Atlantis instance is configured with this SENTRY_AUTH_TOKEN environment variable.
Google Cloud Authentication
The Terraform state for all Terraform config in the repo is stored in a Google Cloud bucket (TODO: More details when the bucket PR is merged to idf_deploy). The Atlantis instance is deployed with access to this bucket via Workload Identity Federation for GKE.
Helper Dependencies
The environment module needs the Sentry CLI so it can send events to Sentry in order to create environments. This must be installed and on the path wherever the Terraform is applied, which in this case is the Atlantis instance.
GitHub Repo
The Prodromos GitHub repo is private. This is because Atlantis is controlled by GitHub comments, which any GitHub user could submit on a public repository. Atlantis is configured to require PR approval before atlantis apply can be run, and Atlantis will not apply any config that is not in the PR itself, but bad folks could at least perform denial-of-service attacks on our Atlantis instance by repeatedly submitting atlantis plan comments.
The repo is integrated with Atlantis by inviting the lsst-sqre Atlantis GitHub app (TODO: change this to the non-dev app when it gets deployed).
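As an added example (not the project's own config), an Atlantis server-side repo config that enforces the approval requirement described above; the repo id and branch pattern are assumptions:

```yaml
# Atlantis server-side repo config (repos.yaml). Added example, not the
# Prodromos project's own config; repo id and branch are assumptions.
repos:
  # Only this repository may drive Atlantis; comments elsewhere are ignored.
  - id: github.com/lsst-sqre/prodromos   # assumed repo id
    branch: /^main$/                      # assumed default branch
    # `atlantis apply` is refused until the PR is approved and mergeable,
    # so a comment alone can never change infrastructure.
    apply_requirements: [approved, mergeable]
    # Do not let a PR's own atlantis.yaml relax the requirements above.
    allowed_overrides: []
    allow_custom_workflows: false
```

This restricts what a comment can make Atlantis do; it does not stop repeated `atlantis plan` comments from consuming resources, which is why the repo stays private.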