[Preview env] TF Workflow #12981

Merged
merged 1 commit into from
Sep 20, 2022

Conversation

vulkoingim
Contributor

@vulkoingim vulkoingim commented Sep 15, 2022

Description

  • Introduce functions + set of scripts to manage TF
  • Most basic TF for a Harvester preview env - creates only a namespace in the Harvester cluster to show how it works
  • Written in bash, so they can be executed from any environment and depend solely on the terraform binary being available.
  • Standalone scripts for [init, plan, apply, workspace], so they can be executed in any context.

Other PRs with the werft job and the harvester VM will follow.

Related Issue(s)

Fixes https://github.com/gitpod-io/ops/issues/5093

How to test

TF_VAR_preview_name=temp ./workflow/preview/deploy-harvester.sh

Initializing the backend...

Initializing provider plugins...
- Reusing previous version of hashicorp/kubernetes from the dependency lock file
- Reusing previous version of harvester/harvester from the dependency lock file
- Using previously-installed hashicorp/kubernetes v2.13.1
- Using previously-installed harvester/harvester v0.5.1

Terraform has been successfully initialized!

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # kubernetes_namespace.example will be created
  + resource "kubernetes_namespace" "example" {
      + id = (known after apply)

      + metadata {
          + generation       = (known after apply)
          + name             = "preview-temp"
          + resource_version = (known after apply)
          + uid              = (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to apply the plan? [y/n]: y

kubernetes_namespace.example: Creating...
kubernetes_namespace.example: Creation complete after 1s [id=preview-temp]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

TF_VAR_preview_name=temp DESTROY=true ./workflow/preview/deploy-harvester.sh

Initializing the backend...
Terraform has been successfully initialized!

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # kubernetes_namespace.example will be destroyed
  - resource "kubernetes_namespace" "example" {
      - id = "preview-temp" -> null

      - metadata {
          - annotations      = {} -> null
          - generation       = 0 -> null
          - labels           = {} -> null
          - name             = "preview-temp" -> null
          - resource_version = "347998054" -> null
          - uid              = "9939dd8c-bf8c-4456-8e81-b90f28a18707" -> null
        }
    }

Do you want to apply the plan? [y/n]: y

kubernetes_namespace.example: Destroying... [id=preview-temp]
kubernetes_namespace.example: Destruction complete after 8s

Apply complete! Resources: 0 added, 0 changed, 1 destroyed.

Release Notes

NONE

Documentation

Werft options:

  • /werft with-preview
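The wrapper pattern the description outlines (standalone init/plan/apply/workspace steps, `TF_VAR_preview_name` as the only required input, `DESTROY=true` as the teardown switch), as an added example rather than the PR's own scripts. `TF_DIR`, `TERRAFORM_BIN`, the per-preview workspace naming and the function names are assumptions.

```shell
# Added example, not the PR's own scripts: a thin POSIX-sh wrapper around the
# terraform binary in the style the description outlines. TF_DIR, TERRAFORM_BIN,
# the workspace naming and the function names are assumptions.
set -eu

TERRAFORM_BIN="${TERRAFORM_BIN:-terraform}"

# Refuse to run without a preview name: an unnamed run would otherwise plan
# (or, with DESTROY=true, destroy) against the default workspace's state.
require_preview_name() {
  [ -n "${TF_VAR_preview_name:-}" ] && return 0
  echo "TF_VAR_preview_name must be set" >&2
  return 1
}

# One workspace per preview (assumed naming) keeps each preview's state
# separate, so a destroy can only touch that preview's own resources.
workspace_name() {
  require_preview_name || return 1
  printf 'preview-%s\n' "$TF_VAR_preview_name"
}

# Arguments for `terraform plan`: -input=false keeps CI runs non-interactive,
# -out saves the plan for apply, and DESTROY=true turns it into a destroy plan.
plan_args() {
  args="plan -input=false -out=tfplan"
  if [ "${DESTROY:-false}" = "true" ]; then
    args="$args -destroy"
  fi
  printf '%s\n' "$args"
}

# Apply exactly the saved plan, so what was reviewed is what gets applied.
apply_args() {
  printf 'apply -input=false tfplan\n'
}

# Select (or create) the preview's workspace, then init, plan and apply.
deploy() {
  dir="${TF_DIR:-./dev/preview/infrastructure/harvester}"
  ws="$(workspace_name)"
  "$TERRAFORM_BIN" -chdir="$dir" init -input=false
  "$TERRAFORM_BIN" -chdir="$dir" workspace select "$ws" 2>/dev/null \
    || "$TERRAFORM_BIN" -chdir="$dir" workspace new "$ws"
  # word-splitting of plan_args/apply_args output is intentional here
  "$TERRAFORM_BIN" -chdir="$dir" $(plan_args)
  "$TERRAFORM_BIN" -chdir="$dir" $(apply_args)
}
```

Source the file and call `deploy`, with `DESTROY=true` in the environment for teardown, mirroring the two invocations in the test output above.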

Contributor

@mads-hartmann mads-hartmann left a comment

Really awesome to see the first steps for this 🎉 I have some high-level comments.

Written in bash, so they can be executed from any environment and depend solely on the terraform binary being available.

I was really hoping to reduce the amount of bash we have for critical components. I'd be okay having two system dependencies of "go and terraform" just to avoid adding more bash. But that's my personal preference.

I didn't dive into the bash implementation in this review as I wanted to discuss this first ☺️


This is currently introducing a new top-level folder named preview. Previously we have put everything related to our "dev experience" in ./dev and we already have a ./dev/preview folder so I'd prefer to move everything there. So that would be:

dev
  preview
      previewctl
      infrastructure
      workflow

terraform {
  backend "gcs" {
    bucket = "3f4745df-preview-tf-state"
Contributor

What's 3f4745df? ☺️

Contributor Author

It's a random string - bucket names are public and globally unique, so I prefer to add some randomness to each.

  }
}

# https://registry.terraform.io/providers/harvester/harvester/latest/docs
Contributor

I know we link to the docs in many places, but I find it a bit redundant, so I would prefer not to have them unless there's a specific reason for it.

Contributor Author

👍

provider "k8s" {
  alias       = "harvester"
  config_path = var.harvester_kube_path
}
Contributor

How come our pre-commit hook end-of-file-fixer didn't remove these missing newlines? ☺️

Contributor

Speaking of pre-commit-hooks it would be nice to add one for terraform fmt https://github.com/antonbabenko/pre-commit-terraform#3-add-configs-and-hooks

Contributor Author

Ah I commit with --no-verify by default and usually at the end I run the pre-commit manually to fix anything outstanding 😅 Weird that we don't run the pre-commit as a step in the CI so it fails in cases like this.

I'll add the terraform fmt in another PR with the rest of the TF.

@mads-hartmann mads-hartmann requested a review from a team September 16, 2022 08:32
Contributor Author

@vulkoingim vulkoingim left a comment

I was really hoping to reduce the amount of bash we have for critical components. I'd be okay having two system dependencies of "go and terraform" just to avoid adding more bash. But that's my personal preference.

IMO wrapping terraform in go, ts, or anything else makes very little (next to no) sense. I've purposefully written it in bash as it's quite a thin layer (albeit a little opinionated); you can run it from anywhere and it requires only terraform to exist. As we discussed, this is also a foundation that we'll be using for access and ops, and I would probably separate it into a dedicated Action once we get to that point.

This is currently introducing a new top-level folder named preview. Previously we have put everything related to our "dev experience" in ./dev and we already have a ./dev/preview folder so I'd prefer to move everything there. So that would be:

👍 I don't have a strong opinion on that. Will move it in a bit.


@mads-hartmann
Contributor

IMO wrapping terraform in go, ts, or anything else makes very little (next to no) sense. I've purposefully written it in bash as it's quite a thin layer (albeit a little opinionated); you can run it from anywhere and it requires only terraform to exist. As we discussed, this is also a foundation that we'll be using for access and ops, and I would probably separate it into a dedicated Action once we get to that point.

That's fair, if we don't expect these scripts to grow beyond just invoking a bit of TF I agree it's overkill to start using a "proper language" for it.

Contributor

@mads-hartmann mads-hartmann left a comment

I added the hold label so you can update the CODEOWNERS, but otherwise this looks like a great start to me. Would love a demo during the Platform Sync on Monday.

@@ -100,6 +100,9 @@
/.werft/*installer-tests* @gitpod-io/engineering-self-hosted
/.werft/jobs/build/self-hosted-* @gitpod-io/engineering-self-hosted

/preview/infrastructure/harvester @gitpod-io/platform
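Review bot: the new CODEOWNERS entry `/preview/infrastructure/harvester @gitpod-io/platform` still points at the top-level `preview` folder, while the review above agreed to move everything under `./dev/preview`; after the move this pattern matches no files, so either update it to the new path under `/dev/preview/` or drop it, since `/dev/preview` is already owned by the same team. The hunk header `@@ -100,6 +100,9 @@` also announces three added lines but only this one entry is visible, so please check the other two added lines carry the same path correction.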
Contributor

We can remove these now that the files have been moved as we already own /dev/preview ☺️

Contributor Author

I've updated them, but I would like to keep them explicit, as we would like to separate them in the future.

@mads-hartmann
Contributor

@vulkoingim the build is failing so added the hold label
