Optimizations:
- Added Terraform provider caching to terraform-init job
- Apply job now reuses cached .terraform directory
- Cache persists across workflow runs (keyed by .terraform.lock.hcl)
- Significantly faster init times on subsequent runs

New terraform-destroy job:
- Only triggered on pull requests with 'destroy' label
- Requires manual approval via 'destroy-approval' environment
- Self-contained with fresh init (no cache for safety)
- Clear warnings and authorization verification
- Three-step process: verify → plan → execute

Security features:
- Destroy only runs on labeled pull requests
- Requires environment protection approval
- Fresh terraform init without cache for verification
- Detailed logging of who/what/when/where
- Cannot be triggered on direct push to master

Usage:
1. Create pull request with proposed destroy changes
2. Add 'destroy' label to the PR
3. Approve via Gitea environment protection
4. Review destroy plan in logs
5. Approve destroy-approval environment to execute

Benefits:
- Faster apply workflow (cached providers)
- Safe destroy process with multiple safeguards
- Clear audit trail for destructive operations
- Self-contained destroy for maximum safety
Terraform vSphere Resource Groups Module
This Terraform module manages vSphere resource pools (resource groups) with CPU/memory allocation controls and integrated tagging for organization and management.
Purpose
Creates and manages vSphere resource pools with configurable resource allocation policies, reservations, limits, and shares. Includes automated tagging for environment and resource group classification.
What It Does
- Creates resource pools under a vSphere cluster
- Configures CPU reservations, limits, and shares
- Configures memory reservations, limits, and shares
- Creates tag categories for Environment and ResourceGroupType
- Applies tags to resource pools for organization
Usage
    module "vsphere_resource_groups" {
      source       = "./terraform-vsphere-resourcegroups"
      datacenter   = "DC1"
      cluster_name = "Cluster01"
      environment  = "prod"
      role_id      = var.vault_role_id
      secret_id    = var.vault_secret_id

      resource_groups = {
        kubernetes = {
          name               = "Kubernetes"
          cpu_reservation    = 4000
          cpu_shares         = "high"
          memory_reservation = 8192
          memory_shares      = "high"
        }
        docker = {
          name          = "Docker"
          cpu_shares    = "normal"
          memory_shares = "normal"
        }
        infra = {
          name          = "Infrastructure"
          cpu_shares    = "low"
          memory_shares = "low"
        }
      }
    }
Key Features
- Resource Allocation: CPU and memory reservations, limits, shares
- Shares Mapping: Automatic conversion of low/normal/high to vSphere values (500/1000/2000)
- Tagging System: Environment and resource group type tags
- Flexible Configuration: Optional parameters with sensible defaults
- Expandable Resources: Allow resources to grow beyond reservations
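The following is an added, self-contained example of how the behaviour listed above (pools under a cluster, the low/normal/high to 500/1000/2000 shares mapping, expandable reservations, and the Environment / ResourceGroupType tags) can be expressed with the HashiCorp vSphere provider. It is not the module's own code: the variable and tag category names follow this README, the provider credentials are assumed to be configured elsewhere (the module's Vault role_id/secret_id handling is not reproduced), and the validation block and the `-1` "unlimited" defaults are assumptions.

```hcl
# Added example, not the module's own source. Assumes the vSphere provider
# is already authenticated (credentials omitted here).
terraform {
  required_version = ">= 0.13"
  required_providers {
    vsphere = { source = "hashicorp/vsphere" }
  }
}

variable "datacenter"   { type = string }
variable "cluster_name" { type = string }
variable "environment"  { type = string }

# type = any so each group may omit optional keys (resolved with try() below).
variable "resource_groups" {
  type = any

  # Reject share levels outside the README's mapping before plan time.
  validation {
    condition = alltrue([
      for g in var.resource_groups :
      contains(["low", "normal", "high"], try(g.cpu_shares, "normal")) &&
      contains(["low", "normal", "high"], try(g.memory_shares, "normal"))
    ])
    error_message = "cpu_shares and memory_shares must be low, normal or high."
  }
}

locals {
  # Share levels mapped to the numeric values stated in this README.
  share_values = {
    low    = 500
    normal = 1000
    high   = 2000
  }
}

data "vsphere_datacenter" "dc" {
  name = var.datacenter
}

data "vsphere_compute_cluster" "cluster" {
  name          = var.cluster_name
  datacenter_id = data.vsphere_datacenter.dc.id
}

# One tag category per classification axis; each pool gets exactly one value.
resource "vsphere_tag_category" "environment" {
  name             = "Environment"
  cardinality      = "SINGLE"
  associable_types = ["ResourcePool"]
}

resource "vsphere_tag_category" "resource_group_type" {
  name             = "ResourceGroupType"
  cardinality      = "SINGLE"
  associable_types = ["ResourcePool"]
}

resource "vsphere_tag" "environment" {
  name        = var.environment
  category_id = vsphere_tag_category.environment.id
}

resource "vsphere_tag" "resource_group_type" {
  for_each    = var.resource_groups
  name        = each.key
  category_id = vsphere_tag_category.resource_group_type.id
}

resource "vsphere_resource_pool" "pool" {
  for_each                = var.resource_groups
  name                    = each.value.name
  parent_resource_pool_id = data.vsphere_compute_cluster.cluster.resource_pool_id

  # "custom" share level is what lets the numeric mapped value be applied.
  cpu_share_level = "custom"
  cpu_shares      = local.share_values[try(each.value.cpu_shares, "normal")]
  cpu_reservation = try(each.value.cpu_reservation, 0)   # MHz
  cpu_limit       = try(each.value.cpu_limit, -1)        # -1 = unlimited (assumed default)
  cpu_expandable  = true                                 # may grow beyond reservation

  memory_share_level = "custom"
  memory_shares      = local.share_values[try(each.value.memory_shares, "normal")]
  memory_reservation = try(each.value.memory_reservation, 0)   # MB
  memory_limit       = try(each.value.memory_limit, -1)
  memory_expandable  = true

  tags = [
    vsphere_tag.environment.id,
    vsphere_tag.resource_group_type[each.key].id,
  ]
}
```

The validation block is the check worth keeping even if the rest is adapted: without it, a misspelled share level such as "hgih" only fails at apply time as a missing map key, whereas here it is rejected when the variable is evaluated. Using `custom` as the share level with an explicit numeric value also means the shares actually applied are the ones visible in the plan, rather than whatever vSphere assigns to its built-in low/normal/high presets.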
Default Resource Groups
- Kubernetes: For Kubernetes infrastructure
- Docker: For Docker containers
- Infra: For infrastructure services
Prerequisites
- VMware vSphere with compute cluster
- Vault with vSphere credentials
- Terraform >= 0.13