OVH project dedicated to production


At the moment {forum,lab,weblate} are deployed in the GRA3 region of an OpenStack project provided by OVH. In the OVH parlance, a project is like having a different account name: two projects share nothing, only they are billed to the same person. We conduct all our testing with molecule on separate regions (DE1 for @fpoulain, WAW1 for myself) so we don’t risk accidentally destroying a production VM when we mess up.

This separation is good but it makes me nervous. When we deploy weblate using ansible, OS_REGION_NAME=GRA3 molecule destroy could wipe out the entire production. This is not intended but we’re one environment variable away from Armageddon and it does not feel right.

I propose we use a separate OVH project for production. It means that credentials we use for testing do not have access to production. Destroying production by accident would be more difficult: one would have to run molecule destroy after setting the credentials used for production. It still is a risk but not so easy to make.

What do you think ?

1 Like

I think it is a good idea to brake interventions on prod environment. We could also add a a kind of molyguard in the infrastructure molecule role, asking for confirmation if the current region is not tagged as “insignificant”.