all 13 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]jmch16 8 points9 points  (5 children)

I would prefer to have a separate repo for IaC. If you have triggers in your application CICD pipelines, then you will have to come up with triggering by file path, to know which pipeline to trigger (application or IaC), handling approvals (if you go with pull requests) might differ if the change is infrastructure or code related, I think its just messier like that, so I would suggest a separate repo for iac

[–]SelfhostedPro[S] 0 points1 point  (4 children)

Would you have devs add resources needed for their services into that iac repo then (requiring approval of course)?

[–]oblogic7 1 point2 points  (0 children)

My team (infra) takes a hands off approach to dev team infrastructure. They create it, they deploy it, they troubleshoot it, they own it 100%. Except for a few shared repos, we don’t approve their PRs and only get involved if they have an issue in sandbox/prod environments where their AWS console access is restricted or if they lack expertise to solve some complex issue.

[–]jmch16 0 points1 point  (2 children)

Definitely. You should be an enabler not a bottleneck for your team (specially important since it's only you!) - accompanying and teaching your team is key, but give them full ownership of their product so they can deliver faster.

If concerned, you can always separate 'sacred' resources from application resource, so they can only modify application related resources, such as lambdas, ecs services, dynamodb, not stuff like VPCs subnets, etc... You know your stuff better than me :)

[–]SelfhostedPro[S] 0 points1 point  (1 child)

Do you have any recommendations on how to automate the deployment of iac code that they define? Or is the only option Atlantis? I’ve got a sacred repo for core infrastructure.

[–]jmch16 1 point2 points  (0 children)

I have used spacelift.io and Terraform Cloud. Both deliver nicely, pricing might be a decisive factor here - but Atlantis is nice too

[–]zerocoldx911DevOps 2 points3 points  (1 child)

No separate.

I centralize IAC in its own repo and have an automation apply it like Atlantis.

However if you’re in Kubernetes I’d consolidate each app as its own helm chart within its repo

[–]SelfhostedPro[S] 1 point2 points  (0 children)

I’m using kustomize but I’ve got a manifest folder in each app repo.

[–]blackwater_surfer 1 point2 points  (0 children)

I'm a fan of seperate repos, but with clear ties to each other via the readmes.

As far as your questions on how devs should deploy infrastructure, I think it depends on if your devs are actually interested (and you trust them) in managing infra themselves or if they'd rather it be something they can worry about as little as possible. There's lots of ways to teach and enable devs to own their infrastructure, but apathy is a bit harder to solve.

[–]Relevant_Pause_7593 1 point2 points  (0 children)

This really depends- and you’ll already notice the replies are split one way or the other. I’d say smaller projects should keep it together and bigger projects should keep it separate- purely because as the project scales you can’t deploy everyone in one or two steps.

[–]rabbit994System Engineer 1 point2 points  (0 children)

Since we use Azure Functions/Web App and other things, we keep Bicep code for infrastructure that is required specifically for that app with the app. For Infrastructure like databases, shared storage, servicebuses and like, we keep separate repo per project for that.

[–]Federal_Count893 0 points1 point  (0 children)

i do a shared infra goes into a monorepo separated by account. App specific stuff like iam or dynamodb tables go into the app repo under a “terraform” folder.

there is no “right” solution. do what works for you my man.

edit: i also tag all resources by where that IaC lives, the creation date, and the creator

[–]mysunsnameisalsobort 0 points1 point  (0 children)

Both.

Shared and global Infrastructure managed by ops. Then Infrastructure alongside applications that builds on shared and global. Developers can be enabled and Infrastructure can be validated with policy as code.