-
Notifications
You must be signed in to change notification settings - Fork 40
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add docs for multi repo pipelines (#1142)
* Add docs for multi repo pipelines * Fix typos * rename section * address PR comments * Add detail on when multi-repo might be useful * more pr comments * fix yml file example
- Loading branch information
Andrew Ellison
authored
Sep 29, 2023
1 parent
0eb05c5
commit 90671c4
Showing
15 changed files
with
227 additions
and
112 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
# Allowing Pipelines Actions in GitHub Actions | ||
|
||
Gruntwork Pipelines uses a set of Gruntwork built re-usable Github Actions, which are available in the GitHub Actions marketplace. Gruntwork is a Verified Creator of GitHub Actions. | ||
|
||
### GitHub Enterprise | ||
|
||
Gruntwork recommends explicitly allowing Actions required by Gruntwork Pipelines to run in your GitHub organization. See [Allowing select actions and reusable workflows to run](https://docs.github.com/en/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#allowing-select-actions-and-reusable-workflows-to-run) to learn more. | ||
|
||
You will need to allow the following GitHub Actions for Gruntwork Pipelines to run successfully: | ||
- [gruntwork-io/pipelines-dispatch](https://github.com/gruntwork-io/pipelines-dispatch) | ||
- [gruntwork-io/pipelines-orchestrate](https://github.com/gruntwork-io/pipelines-orchestrate) | ||
- [gruntwork-io/pipelines-execute](https://github.com/gruntwork-io/pipelines-execute) | ||
- [gruntwork-io/terragrunt-action](https://github.com/gruntwork-io/terragrunt-action) | ||
- [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) | ||
- [Codex-/return-dispatch](https://github.com/Codex-/return-dispatch) | ||
- [Codex-/await-remote-run](https://github.com/Codex-/await-remote-run) | ||
- [dsaltares/fetch-gh-release-asset](https://github.com/dsaltares/fetch-gh-release-asset) | ||
- [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) | ||
|
||
Gruntwork recommends using a tagged version of the `gruntwork-io` actions and a wildcard for the non-Gruntwork actions, as the non-Gruntwork actions are wrapped in the Gruntwork actions. This will require less administrative work to keep policies up to date with versions being used by Gruntwork actions. An example policy can be found below. | ||
|
||
```txt | ||
gruntwork-io/pipelines-dispatch@<newest release>, | ||
gruntwork-io/pipelines-orchestrate@<newest release>, | ||
gruntwork-io/pipelines-execute@<newest release>, | ||
gruntwork-io/terragrunt-action@<newest release>, | ||
aws-actions/configure-aws-credentials@*, | ||
Codex-/return-dispatch@*, | ||
Codex-/await-remote-run@*, | ||
dsaltares/fetch-gh-release-asset@*, | ||
peter-evans/create-pull-request@* | ||
``` | ||
|
||
Navigate to each Gruntwork repository to retrieve the latest tagged release for each action. | ||
|
||
### GitHub Team and Pro | ||
|
||
Currently GitHub Actions does not support selecting specific repos outside of your own GitHub organization for the team and pro tier. To use Gruntwork Pipelines you must select the **Allow all actions and reusable workflows** option in the Actions general settings at the Organization level. | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
# Multiple Infrastructure-Live Repos | ||
|
||
We recommend using a single `infrastructure-live` git repository for managing your organization's infrastructure. | ||
Sometimes, this isn't possible due to team structure, security requirements, or other limitations. | ||
You may choose to use multiple `infrastructure-live` repos to: | ||
|
||
1. Facilitate more granular access controls | ||
1. Separate concerns that do not require shared configuration | ||
1. Ease the burden of high traffic repos (reducing the likelihood of feature branches becoming out-of-date relative to `main`) | ||
|
||
Note that when using multiple repositories, it is more difficult to share a infrastructure configuration across environments, | ||
so think carefully about your specific use case before making the decision. | ||
|
||
|
||
## Create Additional Repos | ||
|
||
New `infrastructure-live` repositories can be created using the same process described in the | ||
[Hello World](../hello-world#setting-up-the-repositories) documentation. | ||
|
||
:::info | ||
Once the repository is created, you'll need to set up machine user access using either the existing machine user and `PIPELINES_DISPATCH` PAT token, | ||
or one created specifically for this purpose. See [Machine Users](machine-users) for more information. | ||
::: | ||
|
||
No special configuration is required for the new `infrastructure-live` repository, | ||
the Pipelines Dispatch job will identify the source repository and pass that information | ||
to the shared `infrastructure-pipelines` repository. | ||
|
||
## Enable Additional Repos | ||
|
||
:::warning | ||
Once a repository is enabled for pipelines, any code pushed to the `main` branch of that repository will be eligible to access your | ||
AWS account using OIDC. Ensure you have the [recommended settings](branch-protection) for branch protection configured before adding the new | ||
repository to the allowlist. | ||
::: | ||
|
||
To ensure no unauthorized access is granted to your `infrastructure-pipelines` repository, | ||
an allowlist of `infrastructure-live` repositories exists in the `.gruntwork/config.yml` file in the `infrastructure-pipelines` repository. | ||
To allow resources to be deployed by your new repository, | ||
add the repository to the `repo-allow-list` section of `.gruntwork/config.yml`. | ||
|
||
The new resource should match the name of your repository **exactly** in the format | ||
`github-org/infrastructure-live-repo-name` with a single repository per line. See the example file below: | ||
|
||
```yml title=infrastructure-pipelines/.gruntwork/config.yml | ||
# The git repos that have permissions to invoke Pipelines jobs | ||
repo-allow-list: | ||
- acme/team-1-infrastructure-live | ||
- acme/team-2-infrastructure-live | ||
``` | ||
:::info | ||
The `INFRA_LIVE_ACCESS_TOKEN` available to the `infrastructure-pipelines` repository must have content read & write access to all repositories in the allowlist. | ||
::: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
# Allowing Pipelines Actions in GitHub Actions | ||
|
||
Gruntwork Pipelines uses a set of Gruntwork built re-usable Github Actions, which are available in the GitHub Actions marketplace. Gruntwork is a Verified Creator of GitHub Actions. | ||
|
||
### GitHub Enterprise | ||
|
||
Gruntwork recommends explicitly allowing Actions required by Gruntwork Pipelines to run in your GitHub organization. See [Allowing select actions and reusable workflows to run](https://docs.github.com/en/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#allowing-select-actions-and-reusable-workflows-to-run) to learn more. | ||
|
||
You will need to allow the following GitHub Actions for Gruntwork Pipelines to run successfully: | ||
- [gruntwork-io/pipelines-dispatch](https://github.com/gruntwork-io/pipelines-dispatch) | ||
- [gruntwork-io/pipelines-orchestrate](https://github.com/gruntwork-io/pipelines-orchestrate) | ||
- [gruntwork-io/pipelines-execute](https://github.com/gruntwork-io/pipelines-execute) | ||
- [gruntwork-io/terragrunt-action](https://github.com/gruntwork-io/terragrunt-action) | ||
- [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) | ||
- [Codex-/return-dispatch](https://github.com/Codex-/return-dispatch) | ||
- [Codex-/await-remote-run](https://github.com/Codex-/await-remote-run) | ||
- [dsaltares/fetch-gh-release-asset](https://github.com/dsaltares/fetch-gh-release-asset) | ||
- [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) | ||
|
||
Gruntwork recommends using a tagged version of the `gruntwork-io` actions and a wildcard for the non-Gruntwork actions, as the non-Gruntwork actions are wrapped in the Gruntwork actions. This will require less administrative work to keep policies up to date with versions being used by Gruntwork actions. An example policy can be found below. | ||
|
||
```txt | ||
gruntwork-io/pipelines-dispatch@<newest release>, | ||
gruntwork-io/pipelines-orchestrate@<newest release>, | ||
gruntwork-io/pipelines-execute@<newest release>, | ||
gruntwork-io/terragrunt-action@<newest release>, | ||
aws-actions/configure-aws-credentials@*, | ||
Codex-/return-dispatch@*, | ||
Codex-/await-remote-run@*, | ||
dsaltares/fetch-gh-release-asset@*, | ||
peter-evans/create-pull-request@* | ||
``` | ||
|
||
Navigate to each Gruntwork repository to retrieve the latest tagged release for each action. | ||
|
||
### GitHub Team and Pro | ||
|
||
Currently GitHub Actions does not support selecting specific repos outside of your own GitHub organization for the team and pro tier. To use Gruntwork Pipelines you must select the **Allow all actions and reusable workflows** option in the Actions general settings at the Organization level. | ||
|
||
|
||
|
||
<!-- ##DOCS-SOURCER-START | ||
{ | ||
"sourcePlugin": "local-copier", | ||
"hash": "cc71dbd996bb0349ed2c57e4d726d656" | ||
} | ||
##DOCS-SOURCER-END --> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
Oops, something went wrong.