by snejj5 2227 days ago
What's the alternative you'd recommend?

The explicit, declarative model, using tools that don't need a ton of other things deployed.

Ideally the same tool can be run locally and in CI (with the same invocation commands) so that an Op can run tests locally, and even see the potential diff, before putting it up for review.

The advantage of this approach is you can see a diff, and use standard tooling like git / PR reviews to approve changes in the day to day, and when the world is on fire, someone can break the glass and run it locally.

Never underestimate the value of peer review on a change to the infra - there is a reason things like ITIL exist, and we should learn from them.

> The advantage of this approach is you can see a diff, and use standard tooling like git / PR reviews to approve changes in the day to day, and when the world is on fire, someone can break the glass and run it locally.

Sounds sweet. Imagine applying Gerrit to infra.

> there is a reason things like ITIL exist, and we should learn from them

Spot on.

That said, I am unsure if most people here are ITIL aware/certified.

TBH, the primary reason why I am familiar with ITIL is that our clients from my Accenture days required certification to win contracts.

> Sounds sweet. Imagine applying Gerrit to infra.

Yeah, it is cool - https://opendev.org/ is done that way, as is some of the Wikimedia Labs infrastructure.

I am not certified either - I have just worked in places with ITIL-inspired processes, but I can really see a way they can move forward with tools like Terraform / Pulumi / Ansible and git.