How to Collaborate Effectively on OpenTofu Infrastructure as Code?

Asked By CreativeCoder42 On

I'm a backend developer working with TypeScript and Node.js, and I've taken on the task of transitioning our mono repository to Infrastructure as Code (IaC) using OpenTofu. I have a couple of key questions:

(1) When it comes to collaborating on infrastructure changes with OpenTofu, what's the best way to handle code changes, validation of plans, merging, and applying those changes? I've looked at various articles, but I'm still unclear on what the best practices are. Tools like Atlantis seem appealing, but I'm curious about any potential downsides they might have.

(2) Why do teams often opt for an external backend service for state management? Is it necessary to store a central state with a third-party service, or can we manage it through CI without dealing with conflicts? I get that secret management is a different story since GitHub's options aren't great for handling secrets across multiple apps and environments.

Just to give some context, my team consists of eight developers managing a GitHub mono-repository for four individual web applications hosted on Vercel and using various third-party services. Our goal in implementing IaC is to streamline our SOC2 compliance process by making configuration reviews easier and minimizing untraceable manual changes. It seems the industry standard for IaC is Terraform, and OpenTofu is the current favorite tool. However, I've discovered that teams usually rely on backend services to manage and lock state files for smoother collaboration in GitHub's PR cycles. I'd love to hear your insights on this!

2 Answers

Answered By InfraWhizKid On

Regarding your first question, the approach generally is to execute plans during your push/merge requests (MRs) and apply them only on the main branch. If your team wants to see changes applied beforehand, consider using ephemeral MR environments. That way, you can provision and test resources before finalizing them, but bear in mind that managing dependencies can get complicated as your project expands. As for needing a centralized state, it's important for the entire team to be aware of the current state of Terraform, especially in group projects. While it's possible to manage state via CI temporarily, it can become messy as your infrastructure scales. Permanent storage for the state is essential in the long run.

Answered By CloudGuru88 On

Great question! The 'backend' part you're asking about is referred to as 'state.' Whenever OpenTofu makes changes to your infrastructure, it keeps track of everything in the state file. This allows it to identify changes during the next run. There's also the locking mechanism to prevent two instances from simultaneously altering the infrastructure, which is crucial. While many use S3 and DynamoDB for state and locking, you can actually utilize just S3 these days. It’s smart to familiarize yourself with these concepts before moving ahead—it helps clear up a lot of confusion!

DevOpsDude99 -

Also, just a tip: the newer versions handle locking with native S3, so if you're still using older ones, it's time for an upgrade. Atlantis is decent, but I wasn’t a huge fan personally.
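A GitHub Actions workflow that puts both answers into practice, added here as an example and not taken from the thread or from the OpenTofu project: plan-only on pull requests under a read-only role, apply only on pushes to main behind a protected environment, and a single S3 bucket for state with OpenTofu's native lockfile so no DynamoDB table is involved. Every concrete name is an assumption: the `infra/` directory, the `example-tofu-state` bucket and `monorepo/prod.tfstate` key, the two IAM role ARNs, the `production` environment, and that the repository's `terraform { backend "s3" {} }` block is left empty so `tofu init -backend-config` fills it in. `use_lockfile` needs OpenTofu 1.10 or later.

```yaml
name: opentofu

on:
  pull_request:
    paths: ["infra/**"]
  push:
    branches: [main]
    paths: ["infra/**"]

# One run per ref at a time, never cancelled mid-apply: a killed apply leaves the
# state lock held and the stack half-changed.
concurrency:
  group: opentofu-${{ github.ref }}
  cancel-in-progress: false

permissions:
  contents: read
  id-token: write       # OIDC federation to AWS; no static keys in GitHub secrets
  pull-requests: write  # lets the plan job post the plan on the PR

env:
  TOFU_VERSION: "1.10.0"             # assumption: 1.10+ for S3 native locking (use_lockfile)
  AWS_REGION: us-east-1              # assumption
  STATE_BUCKET: example-tofu-state   # assumption: private, versioned, encrypted bucket
  STATE_KEY: monorepo/prod.tfstate   # assumption
  TF_INPUT: "0"
  TF_IN_AUTOMATION: "true"

defaults:
  run:
    working-directory: infra   # assumption: OpenTofu code lives under infra/

jobs:
  plan:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: opentofu/setup-opentofu@v1
        with:
          tofu_version: ${{ env.TOFU_VERSION }}
          tofu_wrapper: false
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          # assumption: a read-only role (GetObject on the state key plus provider read APIs)
          role-to-assume: arn:aws:iam::123456789012:role/opentofu-plan
          aws-region: ${{ env.AWS_REGION }}
      - name: Init against the shared S3 state (partial backend config, native locking)
        run: |
          tofu init \
            -backend-config="bucket=${STATE_BUCKET}" \
            -backend-config="key=${STATE_KEY}" \
            -backend-config="region=${AWS_REGION}" \
            -backend-config="use_lockfile=true"
      - name: Static checks
        run: tofu fmt -check -recursive && tofu validate
      - name: Plan only; -lock=false keeps the PR role read-only on the bucket
        run: tofu plan -lock=false -no-color | tee plan.txt
      - name: Post the plan on the PR so reviewers see the exact diff
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh pr comment "${{ github.event.pull_request.number }}" --body-file plan.txt

  apply:
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    # assumption: a GitHub environment with required reviewers and a deployment
    # branch rule that only allows main
    environment: production
    steps:
      - uses: actions/checkout@v4
      - uses: opentofu/setup-opentofu@v1
        with:
          tofu_version: ${{ env.TOFU_VERSION }}
          tofu_wrapper: false
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          # assumption: the only role with write access; its trust policy pins the
          # OIDC "sub" claim to repo:ORG/REPO:environment:production
          role-to-assume: arn:aws:iam::123456789012:role/opentofu-apply
          aws-region: ${{ env.AWS_REGION }}
      - name: Init against the shared S3 state
        run: |
          tofu init \
            -backend-config="bucket=${STATE_BUCKET}" \
            -backend-config="key=${STATE_KEY}" \
            -backend-config="region=${AWS_REGION}" \
            -backend-config="use_lockfile=true"
      - name: Plan against the live state, then apply exactly that plan
        # Re-planning on main catches drift since the PR was reviewed; applying the
        # saved plan file rather than a fresh apply guarantees nothing beyond it changes.
        run: |
          tofu plan -lock-timeout=5m -no-color -out=tfplan
          tofu apply -lock-timeout=5m -no-color tfplan
```

Two design points worth checking in your own setup. The PR job runs `tofu plan -lock=false`, so the plan role never needs write access to the bucket and a malicious or buggy PR cannot acquire the lock or touch state; the lock is only ever taken by the apply job, which is serialised by the `concurrency` group and gated by the environment's required reviewers. The apply job plans again rather than applying a plan file produced on the PR, because a saved plan is tied to the state serial it was computed from and will be rejected once any other apply has moved the state; reviewing the PR plan and then applying the fresh main-branch plan is the trade-off most plan-on-PR pipelines make, and it is the gap Atlantis closes by running apply from the PR before merge.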
