Portal:Toolforge/Admin/tofu-provisioning

This page contains information about how we use opentofu to provision Toolforge and Toolsbeta infrastructure on Cloud VPS.

https://gitlab.wikimedia.org/repos/cloud/toolforge/tofu-provisioning

Our service accounts are Toolsbeta-tofu for Toolsbeta, and Tools-tofu for Tools. Both accounts have the 'reader' and 'member' roles for their respective projects in order to work.

See Cloud VPS/Admin/Service Accounts for further details and instructions.

The Toolforge Tofu-Provisioning repository serves as the source of truth for provisioning and managing cloud infrastructure for the Toolforge platform. Infrastructure definitions, environments, and resource configurations are maintained and version-controlled here.

• DNS
  • DNS records
• Storage
  • Persistent block storage
• Networking
  • Floating IP allocation
  • Security groups
• Compute resources
  • Virtual machines
• Environment separation
  • Dedicated folders and state backends for Tools and Toolsbeta, ensuring isolated and reproducible deployments.
• State management
  • Remote state backend configured to allow collaboration and prevent drift.
• Modules and reuse
  • Custom reusable modules stored in modules/ to promote consistency across environments.

All infrastructure changes must go through this repository via pull requests and be reviewed before applying to any environment. This ensures infrastructure is declarative, reproducible, and auditable.

Follow the README

1. Create a MR
2. See the pipelines go green. The MR pipeline will include linting and tofu plan
   1. The 2nd stage will return a yellow signal to warn you to verify the changes that Tofu will make, should your MR include infrastructure changes.
3. Double check the tofu plan in the MR pipeline. Make sure the infra changes make sense
4. Merge the MR
5. Let the pipeline in the main branch run
6. Manually run the last step in the main branch pipeline: tofu apply

• Portal:Cloud_VPS/Admin/OpenTofu -- how Opentofu is used by the WMCS team in Cloud VPS.