Summary

The purpose of this doc is to provide summary information that will help new team members get up to speed a bit more easily. I’m starting this as an FAQ page until/unless I come up with a better format.

Who are we?

  • You may see some refer to us as ACE-Infra
  • We are colloquially referred to as the DevOps team or DevSecOps team
  • We are part of a larger team called ACE (AI Cloud Engineering)
  • You may also see references to gCORE, a term that predates most members of the current team and that we’d all like to see go away.

How do we communicate?

  • We communicate in Slack.
  • Our DevOps team channel is gred-ace-infra
  • Our larger team channel is ace

Where’s the infrastructure?

All of our infrastructure is in AWS. We have two accounts, referred to below as Sandbox and Production.

Some key points about these accounts and how we use them:

  • Sandbox is completely isolated from Roche/Genentech. It’s an isolated sandbox environment with no VPN access, no server configuration management (SCM) regime and no business data.
  • Sandbox is useful if you want a completely safe environment to test provisioning code, AWS features, etc.
  • Sandbox is not very useful for testing a “real-world” integration because you won’t have access to any company resources.
  • Production has a site-to-site VPN connecting it to Roche Corporate Network (RCN), thereby enabling you to spin up infrastructure with private IPs and connect to them.
  • Production is often used for non-prod purposes, so you’ll find infrastructure whose Environment tag is set to test.

How do we provision and configure infrastructure?

  • Today, the DevOps team uses Terraform for infrastructure provisioning and Ansible for server configuration management (SCM).
  • Prior to my arrival, we used home-grown scripts for provisioning and Ansible for SCM.
  • Some of the infrastructure has been imported into Terraform state, but not all of it. See the next section for more on this.

Where is the code?

All of our code resides in Gitlab, in subgroups and projects under the parent group, ACE. See the list below for names and explanations.

Before listing our repos, let me provide a bit of context so you understand why our infrastructure code is in the disarray we find it in today.

  • When I got here I started putting code in the existing monorepo: gcore-platform.
  • I started working on some CI/CD and the monorepo was creating an impediment so I created a new repository just for infrastructure (Ansible, Packer and Terraform) code: aws-infra-live.
  • The vast majority of the code used to provision AWS infrastructure resides in aws-infra-live.
  • The aws-infra-live repository was set up for a Terragrunt workflow and I did a bunch of work to modularize Terraform code so that we could use the same codebase for the prod and dev accounts.
  • On April 30, 2021, we purchased Terraform Cloud (TFCloud). This will pay serious dividends once I’ve set it up, but today it leaves us in a limbo state because we’re NOT going to use Terragrunt with TFCloud.
  • In an attempt to make a clean delineation between old and new I’ve created two new Terraform repositories, one for each AWS account:
    • terraform-aws-dev
    • terraform-aws-prod
  • Over the next month, as part of my TFCloud rollout, I will be migrating all of the Terraform code from aws-infra-live to these two new repositories.
  • I will then move the Ansible and Packer code to their own dedicated repos.
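To make the TFCloud layout concrete, here is the shape a root module in one of the per-account repos (terraform-aws-prod in this case) takes once Terragrunt is out of the picture. This is an added illustration, not code from aws-infra-live or terraform-aws-prod. The organization name "ace", the workspace name "gred-ace-prod", the region and the "vpc" module are assumptions; the Environment tag values are the ones this page describes.

```hcl
# Added example (not the team's own code): a Terraform Cloud root module for the
# production account, with no Terragrunt wrapper. One workspace per AWS account.
# Assumptions: TFCloud organization "ace", workspace "gred-ace-prod", region
# us-west-2, and a private-registry module named "vpc" (a placeholder).
terraform {
  required_version = ">= 0.15"

  # Remote state and runs live in Terraform Cloud. Terraform 1.1+ also accepts an
  # equivalent `cloud {}` block; the remote backend works on older releases too.
  backend "remote" {
    hostname     = "app.terraform.io"
    organization = "ace"               # assumed organization name

    workspaces {
      name = "gred-ace-prod"           # assumed workspace name, one per account
    }
  }

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.40"
    }
  }
}

provider "aws" {
  region = "us-west-2"                 # assumed region

  # Every resource carries an Environment tag; "test" marks non-prod use of the
  # production account, as described on this page.
  default_tags {
    tags = {
      Environment = var.environment
      ManagedBy   = "terraform"
    }
  }
}

variable "environment" {
  type    = string
  default = "prod"

  validation {
    condition     = contains(["prod", "test"], var.environment)
    error_message = "environment must be \"prod\" or \"test\"."
  }
}

# Private-registry modules are addressed as app.terraform.io/<org>/<name>/<provider>.
# For TFCloud to publish a module from the terraform-modules subgroup, the
# publishing repo must be named terraform-<provider>-<name> (here terraform-aws-vpc).
module "vpc" {
  source  = "app.terraform.io/ace/vpc/aws"   # assumed module name
  version = "~> 1.0"

  name = "ace-${var.environment}"
}
```

The workspace selection is fixed in the backend block on purpose: with one repo per AWS account, a root module can only ever target the account it belongs to, which is the delineation the two new repositories are meant to enforce.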
Name (type): purpose

  • ACE (group): AI Cloud Engineering group that houses all of the ACE projects and subgroups described below.
  • terraform-modules (subgroup): Houses internally developed Terraform modules, named and organized to comply with TFCloud’s private registry feature. Anything here is for TFCloud usage only and is still a POC.
  • ansible-roles (subgroup): Houses internally developed Ansible roles that get instantiated in playbooks that (for now) reside in aws-infra-live.
  • roadmap (project): A special project used solely to house (this) wiki, all of our tickets and our project boards. You’ll find that most other repos have their issues and wiki features disabled to force folks to use this project for those purposes.
  • terraform-aws-dev (project): Future home of the Terraform code that builds infrastructure in our gred-ace-dev AWS account.
  • terraform-aws-prod (project): New home of the Terraform code that builds infrastructure in our gred-ace-prod AWS account.
  • aws-infra-live (project): Legacy home for all Ansible playbooks, Packer templates and Terragrunt-compliant Terraform modules and resources. Most code resides here today, but will be moving to `terraform-aws-(dev
  • gcore-platform (project): “Legacy legacy” monorepo that still houses scripts and legacy ansible-playbook code (pending migration) that managed infrastructure before my arrival. You may find yourself here looking for old code, but don’t put new infrastructure code here; there are better homes for it.
  • aws-infra-monitoring (project): A dedicated repo that Will used to provision our Prometheus infrastructure without having to integrate with our Terragrunt workflow. The code is active and useful, but needs to be moved to terraform-aws-prod as part of our TFCloud integration, at which point this repo will be deleted.
  • ci (project): Where I started parking CI/CD resources for shared use elsewhere. I still plan to use it when I have time to get back to this project.
  • _gitlab (project): Where I planned to park special (hence the _) Gitlab provisioning code that uses the Terraform Gitlab provider to provision these Gitlab groups, subgroups, users, tags and projects. I use Terraform to create all of the projects described above. Note that I have yet to push the bulk of this code because it’s a bit unruly; I plan to modularize and push it as soon as I have time. If you need access to it before then, let me know and I’ll push it for you. It’s special code and needs special care because it can literally destroy the projects in which all of our code resides.
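Since the _gitlab code has not been pushed yet, here is an added illustration of what provisioning this layout with the Terraform Gitlab provider looks like; it is not the contents of the _gitlab repo. It assumes the GitLab token is supplied via the GITLAB_TOKEN environment variable and that the ACE group’s path is "ace". It also shows the two things a practitioner wants in such code: issues and wiki disabled on code repos (so roadmap stays the single home for tickets), and a prevent_destroy guard, because a stray `terraform destroy` here removes the repositories that hold all of our code.

```hcl
# Added example (not the _gitlab repo's code): provisioning the ACE group, a
# subgroup and its projects with the Terraform GitLab provider.
# Assumptions: token in GITLAB_TOKEN, group path "ace", private visibility.
terraform {
  required_providers {
    gitlab = {
      source  = "gitlabhq/gitlab"
      version = "~> 3.0"
    }
  }
}

# The provider reads GITLAB_TOKEN from the environment; never commit a token here.
provider "gitlab" {}

resource "gitlab_group" "ace" {
  name        = "ACE"
  path        = "ace"                        # assumed group path
  description = "AI Cloud Engineering"
}

resource "gitlab_group" "terraform_modules" {
  name      = "terraform-modules"
  path      = "terraform-modules"
  parent_id = gitlab_group.ace.id
}

# Repos that hold code: issues and wiki are disabled so that tickets, boards and
# this wiki live only in the roadmap project.
locals {
  code_projects = toset([
    "terraform-aws-dev",
    "terraform-aws-prod",
    "aws-infra-live",
  ])
}

resource "gitlab_project" "code" {
  for_each = local.code_projects

  name             = each.key
  namespace_id     = gitlab_group.ace.id
  visibility_level = "private"
  issues_enabled   = false
  wiki_enabled     = false

  # This code can delete the repos holding all of our code. Refuse to destroy
  # unless someone deliberately removes this guard first.
  lifecycle {
    prevent_destroy = true
  }
}

# roadmap is the one project that keeps issues, wiki and boards enabled.
resource "gitlab_project" "roadmap" {
  name             = "roadmap"
  namespace_id     = gitlab_group.ace.id
  visibility_level = "private"
  issues_enabled   = true
  wiki_enabled     = true

  lifecycle {
    prevent_destroy = true
  }
}
```

With prevent_destroy in place, a plan that would remove one of these projects fails instead of being applied, and removing a repo requires an explicit edit to the code, which is the kind of friction you want on code that can delete your source of truth.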

How can I get started with Terraform?

Coming soon…

Can I get access to TFCloud?

  • I’ll be issuing credentials for that by the end of May.
  • We may go live with local credentials, but SSO integration is coming soon.

How can I get started with Ansible?

Coming soon…

Do we have a DevOps, Bastion or SysAdmin server from which to work?

  • Not presently, but we need one and I plan to build one as soon as possible.
  • Until then, we’re just developing from our workstations.
  • If this is problematic for any reason, I have a workaround and can help so just ask.

How is the AWS network setup?

  • The good news is that I have a dedicated page for this: AWS Network Architecture.
  • The bad news is that I have not yet updated it to reflect our new ace-transit VPC.
  • I will resolve that problem ASAP

DNS is weird. Please explain

Coming soon