  • Reviewed, then applied

    TL;DR: The dangerous moment in infrastructure-as-code is the gap between the plan a human reviewed and the change that actually runs. The infra repo closes it two ways: it applies the exact plan that was reviewed, saved as an artifact, rather than a fresh re-plan; and it makes applying a... [Read More]
  • One graph, not micro-stacks

    TL;DR: Once an infrastructure repo has several concerns — account hardening, the security baseline, the eventual signing stack — there is pressure to split them into separate stacks with separate state, wired together with remote-state lookups or Terragrunt. The infra repo keeps them in one OpenTofu graph instead. The reason:... [Read More]
  • CI you include, not copy

    TL;DR: Every infrastructure repo runs the same CI: lint the OpenTofu, scan it, validate it, plan, apply. Copy-paste that .gitlab-ci.yml between repos and you have the same drift problem in your pipeline that you would have anywhere else. The cicd repo is the fix: a library of reusable GitLab CI/CD... [Read More]