Discord Bot Pipeline - Making Terraform Changes
This post is part 6 of a 10 part series:
- Part 1 - Discord Bot Pipeline - Intro
- Part 2 - Discord Bot Pipeline - GCP Setup
- Part 3 - Discord Bot Pipeline - GitHub Setup
- Part 4 - Discord Bot Pipeline - Terraform Setup
- Part 5 - Discord Bot Pipeline - GitHub Actions Setup
- Part 6 - Discord Bot Pipeline - Making Terraform Changes (This Post)
- Part 7 - Discord Bot Pipeline - Discord Specific Terraform Setup
- Part 8 - Discord Bot Pipeline - More Setup
- Part 9 - Discord Bot Pipeline - Creating The Bot
- Part 10 - Discord Bot Pipeline - Conclusion
With our new GCP project created, the next logical step is to learn how to make changes to it. Using the standard “Click Ops” model, we can easily make changes directly using the GCP management console site by clicking through GCP’s graphical frontend (hence “Click Ops”). However, as we have covered earlier, this is prone to issues, including irreversibility and lack of review process or auditability oversight.
Viewing the project
If you navigate to the GCP Console page, you can find an organization/project drop down in the top menu:
Select your newly created discord-bots
project:
One of the first things you may notice is that if you attempt to view any part of the project you will see an insufficient permissions error. For example, if we try to look at Compute resources (which we’d expect to be empty), you’ll see the following image:
This is because we did not set any permissions in our Terraform configs! Let’s remedy that, which will also showcase the process for using GitHub to propose, check, and make changes to our Terraform configs.
Making Terraform changes
First let’s make sure that we’ve fetched the latest git branches, since the
previous step resulted in a new remote branch, discord-bots_deploy
, being
created.
# Pull everything from remote
git fetch
# Set yourself on top of the discord-bots_deploy branch
git checkout origin/discord-bots_deploy
# Create a new working branch
git checkout -b viewer
Let’s go ahead and make a few changes to terraform/project.tf
:
- Add a few more GCP services
- Cloud Build
- Container Registry
- Cloud Run
- Add a google_project_iam_member role (roles/viewer)
This looks like the following diff:
Once you’ve made the change locally, changing the user to yourself of course, commit it and push it to GitHub:
git add terraform/project.tf
git commit -m "Add services. Make self a viewer."
git push
Navigate to your GitHub Terraform repo, and you’ll see the following:
Go ahead and click the “Compare & Pull Request” button. It will bring up the
GitHub Pull Request page. Set the base
branch to discord-bots_deploy
. Our
Workflows are configured to run on branches ending in _deploy
, so it’s
critical that the base
branch is the project you want to update:
Click Create pull request
, which will route you to a new Pull Request page:
The Pull Request page will show the check for Terraform Plan is still in progress. The GitHub Workflow was set up to automatically comment on the Pull Request once it finishes. An example comment is shown below:
Some of these checks, like Terraform Format
, are optional, but checks like
Terraform Plan
will fail the GitHub Workflow if they do not succeed. Expand
the Show plan
accordion to see Terraform’s output:
Notice that the output shows correctly that we’re adding 3 new GCP services and
the roles/viewer
role to yourself. Merge the Pull Request. This will kick off
another GitHub Workflow for Terraform Apply
that you can view similar to how
you viewed it for project creation. Verify it succeeded, and once it has, you
can now navigate back to the GCP Console page and refresh it:
Adding branch protections
One thing that you may have noticed is that you could have merged the Pull
Request prior to having Terraform Plan
run. This is not desired, so let’s fix
that. Go to your repo’s Settings
page and select Branches
. There will be an
option to Add branch protection rule
:
I use the following configuration, but feel free to modify it as you see fit. In particular, you may want to require a review, especially if you have multiple collaborators on the project. If it’s just you, feel free to not require it, as you cannot review your own Pull Requests:
Apply the branch protection rule, and it will affect all _deploy
branches for
this project and any future ones you create.
Next up
Congratulations! You’ve now performed the entire GitHub based workflow for applying Terraform to your Cloud Infrastructure! In the next section we’ll create some Discord bot specific Terraform configurations. Stay tuned!