Best Practices for Managing State in Cloud Applications

Asked By CuriousCoder87 On

I recently started a new job and I'm in the process of importing all our cloud resources into Infrastructure as Code (IaC). The plan is to adjust the Terraform variables and deploy everything to production, but we don't have a production environment set up yet. We currently have PostgreSQL and Keycloak deployed. I'm considering managing the PostgreSQL databases and users through Ansible along with Keycloak configurations. Additionally, I'm thinking about reducing the permissions for developers in PostgreSQL and Keycloak so that they can only create resources by submitting pull requests (PRs) that I would review. I wanted to see if there are any downsides to this approach or if this is a good practice overall. Any thoughts?

3 Answers

Answered By CloudCrafter99 On

Transitioning your infrastructure to IaC is definitely a positive move, but routing everything—like database users and Keycloak configurations—through PRs can create a bottleneck. While it helps with control and auditability, it could hinder day-to-day operations. An effective strategy is to keep essential infrastructure and configurations in IaC, allow some controlled access for app-level adjustments, and use roles and permissions instead of completely locking down PRs. Otherwise, you might find yourself acting as a gatekeeper for every small modification.

CuriousCoder87 -

I get where you’re coming from. Since we're a small team, I think it's manageable. I just want to ensure the admin tasks for the database and Keycloak remain with me, especially since I've seen some security concerns in the past.

Answered By DevOpsNinja42 On

Using IaC is great, but having one person approve every change can be problematic. It's important to implement guardrails and ownership rather than just gatekeeping. Are you using Terraform Enterprise along with Ansible Tower?

Answered By DataDrivenDude1 On

Honestly, managing the configurations for PostgreSQL and Keycloak through IaC and PRs is a solid approach for maintaining auditability and consistency. The downside is that it might slow down developers for minor changes. Some teams keep the critical infrastructure locked under IaC but offer limited access for everyday tasks to avoid bottlenecks. You could even consider using tools like Runable to make PR-based changes less cumbersome.
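One way to express the "roles and permissions" guardrail suggested in the answers for PostgreSQL, as an added example that is not from any poster in this thread. The database `appdb`, schema `app`, and roles `app_owner`, `dev_rw` and `alice` are constructed names, and the script assumes it is run by a superuser-level admin role while connected to `appdb`.

```sql
-- Added example. Constructed names: database appdb, schema app, roles
-- app_owner, dev_rw, alice. Run as the admin role while connected to appdb.

-- Owner role used by the reviewed IaC/migration pipeline; nobody logs in as it.
CREATE ROLE app_owner NOLOGIN;
CREATE SCHEMA app AUTHORIZATION app_owner;

-- Group role for developers: no login and none of the admin attributes.
CREATE ROLE dev_rw NOLOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- Drop the implicit PUBLIC grants so access comes only from explicit grants.
-- Other roles (for example service accounts) then need their own CONNECT grant.
REVOKE ALL ON DATABASE appdb FROM PUBLIC;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Day-to-day data access, but no DDL: USAGE on the schema without CREATE.
GRANT CONNECT ON DATABASE appdb TO dev_rw;
GRANT USAGE ON SCHEMA app TO dev_rw;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA app TO dev_rw;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA app TO dev_rw;

-- Objects that app_owner creates later get the same grants automatically.
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA app
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO dev_rw;
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA app
    GRANT USAGE, SELECT ON SEQUENCES TO dev_rw;

-- Per-developer login (password or other auth is set outside this script).
CREATE ROLE alice LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE;
GRANT dev_rw TO alice;

-- Audit query for the pipeline: any login role holding an admin attribute.
SELECT rolname, rolsuper, rolcreatedb, rolcreaterole
FROM pg_roles
WHERE rolcanlogin AND (rolsuper OR rolcreatedb OR rolcreaterole);

-- Audit query: can the developer create objects in the app schema?
SELECT has_schema_privilege('alice', 'app', 'CREATE') AS can_create_in_app;
```

With this split, only changes to the role model and schema objects need a reviewed PR, while developers keep routine read/write access without admin rights.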
