Goal
Cross-reference and ordering only: the AWS substrate stays Terraform, and the
imperative AWS reconciliation backlog must land before GitOps adoption. This
issue does not add GitOps work; it tracks the dependency. Plan:
docs/plans/gitops-adoption.md (section 6.3). Source backlog:
docs/as-built/80-iac-vs-imperative.md.
Ordering
- Terraform first. Fold the imperative backlog into Terraform: standard EKS (drop Auto Mode), the
mng node group and usgov-coderdemo-mngnode role, the four EKS addons and the EBS CSI IRSA role, the gp3-backing addon, the Route53 alias records, the ECR repos, and the IRSA roles GitOps depends on.
- Then the GitOps control plane bootstrap (sibling plan).
- Then per-workload adoption (the other issues in this label).
Tasks (Terraform side)
- … usgov-coderdemo-external-secrets into Terraform state before apply (it was created via CLI; recreating it breaks ESO auth).
- … dev, auth, gitlab, *) into Terraform without delete/recreate so DNS never drops.
- … terraform/secrets-hardening.tf); orthogonal to GitOps, does not block adoption.
Note
This is an ordering dependency, not new GitOps work. See docs/as-built/80-iac-vs-imperative.md for the full ledger and the complete reconciliation backlog.
Generated by Coder Agents.