
SPIKE: Evaluate TF Plans for high risk changes and update review processes

Open richgreen-moj opened this issue 11 months ago • 0 comments

User Story

As an MP Engineer, I want to add more unit testing for TF plans using Conftest or similar technology, so that I can either block changes, warn PR reviewers, or request additional reviewers before changes are merged to main.

Value / Purpose

Building upon the work in https://github.com/ministryofjustice/modernisation-platform/pull/6281, this issue would take it further to start evaluating the output of Terraform plans and writing policies/tests that would either prevent or warn reviewers of high-risk changes to specific resources.

  • Deleting more than a certain threshold of TF resources
  • Deleting a specific type of resource
  • Updating a major version of a module

The result of these tests could block a change, add more detailed warnings for reviewers or even request another level of review.

It could also look at low risk changes and make it quicker for these kinds of changes to be merged.

One idea could be that we default to changes requiring 2 reviewers but if the changes are deemed low risk then the CI pipeline reduces required reviews to 1.

Useful Contacts

@richgreen-moj

Additional Information

No response

Proposal / Unknowns

No response

Definition of Done

  • [ ] Agree timescale for SPIKE - limit to 3 days
  • [ ] Experiment with writing policies that look for high risk changes to TF resources
  • [ ] Work with the team to consider whether a new branch protection rule would be appropriate for high-risk changes
  • [ ] User docs have been updated
  • [ ] Another team member has reviewed

richgreen-moj · Mar 04 '24 19:03
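The three checks proposed in the issue, as an added worked example rather than code from the Modernisation Platform repository or the issue author. Conftest policies are written in Rego; this Python equivalent runs the same logic over the JSON that `terraform show -json plan.tfplan` emits (`resource_changes[].change.actions` and `configuration.root_module.module_calls[].version_constraint` are the real field names). The delete threshold, the set of protected resource types, the mapping of risk level to required reviewer count, and the idea of comparing module version constraints against a map captured from the base branch are all assumptions made for illustration; the sample plans are constructed and trimmed to the fields the checks read.

```python
"""Classify a Terraform plan's risk level from `terraform show -json` output.

Added example only: not Modernisation Platform code. Thresholds, protected
types, reviewer counts and the base-branch version comparison are assumptions.
"""
import json
import re
from typing import Dict, List, Optional

DELETE_THRESHOLD = 5                       # assumption: this many destroys triggers a warning
PROTECTED_TYPES = {                        # assumption: destroying one of these blocks the PR
    "aws_db_instance", "aws_rds_cluster", "aws_s3_bucket", "aws_kms_key",
}
LEVELS = ["low", "warn", "block"]          # ordered from least to most severe


def is_destroy(rc: dict) -> bool:
    """A plain destroy is ["delete"]; a replacement is ["delete","create"] or
    ["create","delete"]. Both remove the live resource, so both count."""
    return "delete" in rc["change"]["actions"]


def destroyed(plan: dict) -> List[dict]:
    """Managed resources the plan would destroy or replace (data sources ignored)."""
    return [rc for rc in plan.get("resource_changes", [])
            if rc.get("mode", "managed") == "managed" and is_destroy(rc)]


def major_version(constraint: Optional[str]) -> Optional[int]:
    """Major component of the first version in a constraint such as '~> 5.1.0'."""
    m = re.search(r"\d+", constraint or "")
    return int(m.group(0)) if m else None


def module_versions(plan: dict) -> Dict[str, str]:
    """Module call name -> version constraint, from the plan's configuration block."""
    calls = plan.get("configuration", {}).get("root_module", {}).get("module_calls", {})
    return {name: call.get("version_constraint", "") for name, call in calls.items()}


def classify(plan: dict, base_versions: Optional[Dict[str, str]] = None) -> dict:
    """Return {"level", "required_reviews", "findings"} for a plan.

    base_versions maps module name -> version constraint on the base branch
    (assumed to be produced by running module_versions() against a plan from main)."""
    level, findings = "low", []

    def record(new_level: str, msg: str) -> None:
        nonlocal level
        if LEVELS.index(new_level) > LEVELS.index(level):
            level = new_level
        findings.append(f"{new_level}: {msg}")

    gone = destroyed(plan)
    for rc in gone:                                    # rule 2: protected type destroyed
        if rc["type"] in PROTECTED_TYPES:
            record("block", f"destroys protected resource {rc['address']}")
    if len(gone) >= DELETE_THRESHOLD:                  # rule 1: too many destroys
        record("warn", f"destroys {len(gone)} resources (threshold {DELETE_THRESHOLD})")
    for name, constraint in module_versions(plan).items():   # rule 3: major module bump
        old = major_version((base_versions or {}).get(name))
        new = major_version(constraint)
        if old is not None and new is not None and new > old:
            record("warn", f"module {name} major version {old} -> {new}")

    # Assumption from the issue's idea: low risk needs 1 reviewer, anything else keeps 2.
    return {"level": level, "required_reviews": 1 if level == "low" else 2, "findings": findings}


def change(address: str, rtype: str, actions: List[str]) -> dict:
    """Build one resource_changes entry in the shape Terraform emits (other keys omitted)."""
    return {"address": address, "mode": "managed", "type": rtype, "change": {"actions": actions}}


# Constructed sample plans, not captured from a real environment.
HIGH_RISK_PLAN = {
    "resource_changes": [
        change("aws_instance.bastion", "aws_instance", ["delete", "create"]),
        change("module.db.aws_db_instance.main", "aws_db_instance", ["delete"]),
        change("aws_security_group.web", "aws_security_group", ["update"]),
    ],
    "configuration": {"root_module": {"module_calls": {
        "vpc": {"source": "terraform-aws-modules/vpc/aws", "version_constraint": "~> 5.0"}}}},
}
LOW_RISK_PLAN = {
    "resource_changes": [change("aws_iam_role.app", "aws_iam_role", ["update"])],
    "configuration": {"root_module": {"module_calls": {
        "vpc": {"source": "terraform-aws-modules/vpc/aws", "version_constraint": "~> 4.0"}}}},
}
MASS_DELETE_PLAN = {
    "resource_changes": [change(f"aws_instance.w[{i}]", "aws_instance", ["delete"]) for i in range(5)],
}
BASE_MODULE_VERSIONS = {"vpc": "~> 4.0"}   # assumed: what main currently pins

if __name__ == "__main__":
    import sys
    # Real use: terraform show -json plan.tfplan > plan.json; python risk.py plan.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = HIGH_RISK_PLAN
    result = classify(plan, BASE_MODULE_VERSIONS)
    print(json.dumps(result, indent=2))
    sys.exit(1 if result["level"] == "block" else 0)   # non-zero exit fails the CI step
```

In a pipeline the non-zero exit is what turns a "block" finding into a failed required check, while the "warn" findings and the `required_reviews` value would be surfaced as a PR comment or used to pick which branch protection rule applies. Note that a replacement (`["delete", "create"]`) is counted as a destroy on purpose: from the point of view of a database or bucket it is just as destructive as a plain `delete`.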