Proposal to transfer UlisesGascon/cloudflare-terraform repo into the Node.js organization

[UlisesGascon]

TL;DR:

I want to migrate my repository UlisesGascon/cloudflare-terraform to the Node.js org, in order to start using Terrafrom to manage the DNS changes in Cloudflare.

I will need to be admin in this repo (if possible) as I need to change the repo settings (Tokens, branch protection rules, etc...).

This repository should be migrated as private repository

Note

The repo UlisesGascon/cloudflare-terraform is currently private until we decide if the DNS records or other Cloudflare information is sensitive.

Full context

This issue is related to nodejs/build#3270 (comment). Once nodejs/build#3370 (comment) and #800 (comment) were completed I started to work on this repository.

The repository includes the Terraform setup (including Terrafom Cloud remote state management), Github Actions (to review/promote changes in Cloudflare) and the DNS records currently used in Cloudflare (migrated with cf-terraforming).

The repo is using READ ONLY tokens, so there is no current risk to trigger any change in the Cloudflare settings.

In the meantime @nodejs/build and @ovflowd let me know if you want me to add you to UlisesGascon/cloudflare-terraform 😄

[mhdawson]

This may be a silly question but does it need to be a separate repo or could the content be in a subdirectory of the existing build repo? I guess that might depend on if we think the info is sensitive or not, but ignoring that concern I'm still interested if it might be possible to manage in the existing repo.

[UlisesGascon]

The integration is posible and should be easy to be done in nodejs/build. I prefer that option too, but it will require to open the content. Should we check the content first and then decide? I think that probably is fine to open the content 🙂

[UlisesGascon]

@mhdawson I sent you an invite to the repo.

[AshCripps]

if the content is secret should this not be moved inside a folder inside the secrets repo? having another repo for this is a bit silly and takes away a benefit of terraform being able to have seperate workflows in the same root directory

[UlisesGascon]

I had a great discussion with @mhdawson, and we have a final plan 🎉

Conclusions

After some research and with the support from the OWASP Community, I came to the conclusion that we can make the content repository available since the DNS record information is already accessible as public information. For example, nodejs.org records and iojs.org records.

Therefore, since the information can be public, there is no reason to create or migrate to a private repository. Additionally, there is no need for a separate repository for this. So, the Terraform POC logic will be ported to the nodejs/build repository.

Next steps

• Close this issue.
• Make UlisesGascon/cloudflare-terraform public, archive it, and rename it as UlisesGascon/poc-nodejs-cloudflare-terraform.
• Create a PR to the nodejs/build repository to port the logic from UlisesGascon/poc-nodejs-cloudflare-terraform. Terraforming Cloudflare for DNS records build#3391