From aa15471f8b23956723cdbe563233988d7766f192 Mon Sep 17 00:00:00 2001 From: richardblack-Harness Date: Wed, 20 Aug 2025 15:22:00 +0100 Subject: [PATCH 1/4] IAC-4377 Update Best Practices with gotchas --- .../iacm-best-practices.md | 22 +++++++++++++------ 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/docs/infra-as-code-management/iacm-best-practices.md b/docs/infra-as-code-management/iacm-best-practices.md index b8ac1e4af86..bcdd3a95f6b 100644 --- a/docs/infra-as-code-management/iacm-best-practices.md +++ b/docs/infra-as-code-management/iacm-best-practices.md 
@@ -5,9 +5,11 @@ description: Learn about IaCM onboarding and best practices. import HarnessApiData from '/src/components/HarnessApiData/index.tsx'; -Harness Infrastructure as Code allows you to define, deploy, and manage infrastructure across environments, ensuring compliance and control. Key features include cost estimation, approval steps, PR automation, policy enforcement, and drift detection, which can integrate seamlessly with other Harness modules and third-party services, enhancing your DevOps lifecycle. +Harness Infrastructure as Code allows you to **define**, **deploy**, and **manage infrastructure across environments**, ensuring compliance and control. -This document provides a set of best practices and guidelines aimed at helping teams implement and manage IaCM effectively. It serves as a reference to navigate the complexities of infrastructure management, offering clear, actionable recommendations to optimize performance, enhance security, and prevent common pitfalls. +Key features include [cost estimation](/docs/infra-as-code-management/workspaces/cost-estimation), [approval steps](/docs/infra-as-code-management/pipelines/operations/approval-step), [PR automation](/docs/infra-as-code-management/pipelines/operations/pr-automation), [policy enforcement](/docs/infra-as-code-management/policies-governance/opa-workspace), and [drift detection](/docs/infra-as-code-management/pipelines/operations/drift-detection). These integrate seamlessly with other Harness modules and third-party services, enhancing your DevOps lifecycle. + +This document provides best practices and guidelines to help you implement and manage IaCM effectively. It offers clear, actionable recommendations to optimize performance, strengthen security, and avoid common pitfalls. ## Workflow hierarchy 
@@ -31,7 +33,7 @@ Harness IaCM currently supports integration with all **OpenTofu** versions ### Trade-offs and considerations -Harness seamlessly integrates with third-party services like external code repositories and secret managers, providing flexibility in tool choice. However, using Harness’s native services like [Harness Code Repository](https://developer.harness.io/docs/code-repository/) and [Harness Secret Manager](https://developer.harness.io/docs/platform/secrets/secrets-management/harness-secret-manager-overview/) can offer key performance and operational benefits. +Harness seamlessly integrates with third-party services like external code repositories and secret managers, providing flexibility in tool choice. However, using Harness’s native services like [Harness Code Repository](docs/code-repository/) and [Harness Secret Manager](docs/platform/secrets/secrets-management/harness-secret-manager-overview/) can offer key performance and operational benefits. - **Reduced Latency:** Avoids external API calls, leading to faster execution and reduced overhead. - **Simplified Authentication:** Minimizes multiple authentication mechanisms, reducing complexity and potential security risks. 
@@ -63,10 +65,16 @@ Harness seamlessly integrates with third-party services like external code repos - **Enhanced Visibility:** Provides a single point of control for auditing and policy enforcement. - **Reduced Dependencies:** Lowers reliance on external services, increasing system resilience. +## Limitations & Gotchas +Be aware of the following when working with IaCM: +- **AWS Connector via Delegates:** IAM role inheritance from delegates is not supported. If you need to assume roles, configure them directly in the connector. +- **Feature-flagged functionality:** Some features are released behind feature flags. Pages covering these features should include a **Pending Release** banner until the feature is fully available in production. +- **Delegate version requirements:** Certain features (such as module registry sync) may fail silently if your delegate is outdated. Always confirm you are running the latest delegate version to ensure support for new capabilities. + ## Security -- **Access Controls:** [Role-based access control (RBAC)](https://developer.harness.io/docs/platform/role-based-access-control/rbac-in-harness/) lets you control who can access your resources and what actions they can perform on the resources. To do this, a Harness account administrator assigns resource-related permissions to members of user groups. -- **Secret Management:** Go to the [secret management page](https://developer.harness.io/docs/category/secrets-management) to see all supported secret management option available in the Harness Platform and determine what option is best suited for your needs. As mentioned above, Harness offer integration with multiple secret management options but recommend [Harness secret manager](https://developer.harness.io/docs/platform/secrets/secrets-management/harness-secret-manager-overview/) to help offer optimal performance. 
-- **OPA Policies:** Use [OPA policies](https://developer.harness.io/docs/platform/governance/policy-as-code/harness-governance-overview/) to implement governance and trigger pipeline warnings or failures when policy conditions are not met. +- **Access Controls:** [Role-based access control (RBAC)](docs/platform/role-based-access-control/rbac-in-harness/) lets you control who can access your resources and what actions they can perform on the resources. To do this, a Harness account administrator assigns resource-related permissions to members of user groups. +- **Secret Management:** Go to the [secret management page](docs/category/secrets-management) to see all supported secret management option available in the Harness Platform and determine what option is best suited for your needs. As mentioned above, Harness offer integration with multiple secret management options but recommend [Harness secret manager](docs/platform/secrets/secrets-management/harness-secret-manager-overview/) to help offer optimal performance. +- **OPA Policies:** Use [OPA policies](docs/platform/governance/policy-as-code/harness-governance-overview/) to implement governance and trigger pipeline warnings or failures when policy conditions are not met. ### State Management - **Remote State Storage:** Use remote state backends like AWS S3, GCP Cloud Storage, or Azure Blob Storage for reliable and scalable state management. Ensure state files are stored securely and versioned to prevent accidental data loss or corruption. Go to [OpenTofu backend configuration](https://opentofu.org/docs/language/settings/backends/configuration/) for more information. From 145a06b23f02a156df4192ea39a039c728c046cc Mon Sep 17 00:00:00 2001 From: richardblack-Harness Date: Thu, 21 Aug 2025 10:22:51 +0100 Subject: [PATCH 2/4] IAC-4377 Update broken links --- docs/infra-as-code-management/iacm-best-practices.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/docs/infra-as-code-management/iacm-best-practices.md b/docs/infra-as-code-management/iacm-best-practices.md index bcdd3a95f6b..db5224c232e 100644 --- a/docs/infra-as-code-management/iacm-best-practices.md +++ b/docs/infra-as-code-management/iacm-best-practices.md @@ -50,7 +50,7 @@ For general use cases to reduce unnecessary complexity and to optimize performan Some reusable options can be to: - Create reusable pipelines and set them as default pipelines to trigger quickly from any workspace within a project. -- Use [pipeline variables](https://developer.harness.io/docs/infra-as-code-management/manage-projects/connectors-variables) to ensure consistency. +- Use [pipeline variables](/docs/infra-as-code-management/manage-projects/connectors-variables) to ensure consistency. - Use built-in plugins such as [drift detection](/docs/infra-as-code-management/pipelines/operations/drift-detection), [PR automation](/docs/infra-as-code-management/pipelines/operations/pr-automation) and [IaCM Approval steps](/docs/infra-as-code-management/pipelines/operations/approval-step). - Utilize [built-in OPA policies](/docs/infra-as-code-management/policies-governance/terraform-plan-cost-policy) to add protection and ensure your pipelines warn or fail if certain conditions are not met, e.g. if your total monthly infrastructure costs exceed a specified amount. 
@@ -72,9 +72,9 @@ Be aware of the following when working with IaCM: - **Delegate version requirements:** Certain features (such as module registry sync) may fail silently if your delegate is outdated. Always confirm you are running the latest delegate version to ensure support for new capabilities. ## Security -- **Access Controls:** [Role-based access control (RBAC)](docs/platform/role-based-access-control/rbac-in-harness/) lets you control who can access your resources and what actions they can perform on the resources. To do this, a Harness account administrator assigns resource-related permissions to members of user groups. -- **Secret Management:** Go to the [secret management page](docs/category/secrets-management) to see all supported secret management option available in the Harness Platform and determine what option is best suited for your needs. As mentioned above, Harness offer integration with multiple secret management options but recommend [Harness secret manager](docs/platform/secrets/secrets-management/harness-secret-manager-overview/) to help offer optimal performance. -- **OPA Policies:** Use [OPA policies](docs/platform/governance/policy-as-code/harness-governance-overview/) to implement governance and trigger pipeline warnings or failures when policy conditions are not met. +- **Access Controls:** [Role-based access control (RBAC)](/docs/platform/role-based-access-control/rbac-in-harness/) lets you control who can access your resources and what actions they can perform on the resources. To do this, a Harness account administrator assigns resource-related permissions to members of user groups. +- **Secret Management:** Go to the [secret management page](/docs/category/secrets-management) to see all supported secret management option available in the Harness Platform and determine what option is best suited for your needs. 
As mentioned above, Harness offer integration with multiple secret management options but recommend [Harness secret manager](/docs/platform/secrets/secrets-management/harness-secret-manager-overview/) to help offer optimal performance. +- **OPA Policies:** Use [OPA policies](/docs/platform/governance/policy-as-code/harness-governance-overview/) to implement governance and trigger pipeline warnings or failures when policy conditions are not met. ### State Management - **Remote State Storage:** Use remote state backends like AWS S3, GCP Cloud Storage, or Azure Blob Storage for reliable and scalable state management. Ensure state files are stored securely and versioned to prevent accidental data loss or corruption. Go to [OpenTofu backend configuration](https://opentofu.org/docs/language/settings/backends/configuration/) for more information. From 5430a56227d15bd719ded8855875b850047b7391 Mon Sep 17 00:00:00 2001 From: richardblack-Harness Date: Tue, 26 Aug 2025 11:19:29 +0100 Subject: [PATCH 3/4] IAC-4377 Removing unnecessary spacing --- docs/infra-as-code-management/iacm-best-practices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/infra-as-code-management/iacm-best-practices.md b/docs/infra-as-code-management/iacm-best-practices.md index db5224c232e..adff37e1ad7 100644 --- a/docs/infra-as-code-management/iacm-best-practices.md +++ b/docs/infra-as-code-management/iacm-best-practices.md 
@@ -7,7 +7,7 @@ import HarnessApiData from '/src/components/HarnessApiData/index.tsx'; Harness Infrastructure as Code allows you to **define**, **deploy**, and **manage infrastructure across environments**, ensuring compliance and control. -Key features include [cost estimation](/docs/infra-as-code-management/workspaces/cost-estimation), [approval steps](/docs/infra-as-code-management/pipelines/operations/approval-step), [PR automation](/docs/infra-as-code-management/pipelines/operations/pr-automation), [policy enforcement](/docs/infra-as-code-management/policies-governance/opa-workspace), and [drift detection](/docs/infra-as-code-management/pipelines/operations/drift-detection). These integrate seamlessly with other Harness modules and third-party services, enhancing your DevOps lifecycle. +Key features include [cost estimation](/docs/infra-as-code-management/workspaces/cost-estimation), [approval steps](/docs/infra-as-code-management/pipelines/operations/approval-step), [PR automation](/docs/infra-as-code-management/pipelines/operations/pr-automation), [policy enforcement](/docs/infra-as-code-management/policies-governance/opa-workspace), and [drift detection](/docs/infra-as-code-management/pipelines/operations/drift-detection). These integrate seamlessly with other Harness modules and third-party services, enhancing your DevOps lifecycle. This document provides best practices and guidelines to help you implement and manage IaCM effectively. It offers clear, actionable recommendations to optimize performance, strengthen security, and avoid common pitfalls. From 6faebb8e36b0f61f5ded7ab125037aa9ff44d1c7 Mon Sep 17 00:00:00 2001 From: richardblack-Harness Date: Tue, 26 Aug 2025 11:21:38 +0100 Subject: [PATCH 4/4] IAC-4377 Add / for doc links --- docs/infra-as-code-management/iacm-best-practices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/infra-as-code-management/iacm-best-practices.md b/docs/infra-as-code-management/iacm-best-practices.md index adff37e1ad7..62a915185c8 100644 --- a/docs/infra-as-code-management/iacm-best-practices.md +++ b/docs/infra-as-code-management/iacm-best-practices.md @@ -57,7 +57,7 @@ Some reusable options can be to: ### Trade-offs and considerations -Harness seamlessly integrates with third-party services like external code repositories and secret managers, providing flexibility in tool choice. However, using Harness’s native services like [Harness Code Repository](docs/code-repository/) and [Harness Secret Manager](docs/platform/secrets/secrets-management/harness-secret-manager-overview/) can offer key performance and operational benefits. +Harness seamlessly integrates with third-party services like external code repositories and secret managers, providing flexibility in tool choice. However, using Harness’s native services like [Harness Code Repository](/docs/code-repository/) and [Harness Secret Manager](/docs/platform/secrets/secrets-management/harness-secret-manager-overview/) can offer key performance and operational benefits. - **Reduced Latency:** Avoids external API calls, leading to faster execution and reduced overhead. - **Simplified Authentication:** Minimizes multiple authentication mechanisms, reducing complexity and potential security risks.
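Review bot: In PATCH 1/4, hunk `@@ -31,7 +33,7 @@`, the rewritten links drop the host but also the leading slash, so `[Harness Code Repository](docs/code-repository/)` and `[Harness Secret Manager](docs/platform/secrets/secrets-management/harness-secret-manager-overview/)` resolve relative to the current page's directory rather than the site root; the other links in this file are root-relative (`/docs/infra-as-code-management/pipelines/operations/drift-detection`), so these should be `/docs/code-repository/` and `/docs/platform/secrets/...`. PATCH 4/4 repairs exactly these two links, so the fix belongs in this commit and the series should be squashed so no intermediate commit ships broken navigation.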
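Review bot: In PATCH 1/4, hunk `@@ -63,10 +65,16 @@`, the new "Limitations & Gotchas" bullets need tightening before they are reader-facing. The AWS bullet says "If you need to assume roles, configure them directly in the connector" without saying what that implies: once the delegate's IAM role cannot be inherited, the connector carries its own credentials, so the bullet should link to the AWS connector documentation, state that those credentials belong in the secret manager recommended under "Secret Management" below, and remind the reader to scope the role to the permissions the workspace actually needs. The feature-flag bullet ("Pages covering these features should include a **Pending Release** banner") is an instruction to documentation authors, not to the reader of a best-practices page; reword it from the user's side (what they will see and what it means) or move it to the docs contributor guide. The delegate bullet says features "may fail silently" but gives no way to confirm the delegate version or to recognise the failure; add a link to the delegate version/upgrade documentation and, if known, the symptom the reader would observe. In the same hunk the Security bullets inherit the missing-slash link problem (`docs/platform/role-based-access-control/...`, `docs/category/secrets-management`), and since these lines are being rewritten anyway the pre-existing grammar should go with them: "all supported secret management option available" should read "options available", and "Harness offer integration ... but recommend" should read "Harness offers integration ... but recommends".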
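Review bot: In PATCH 2/4, hunk `@@ -72,9 +72,9 @@`, the three Security bullets are rewritten only to restore the leading slash that PATCH 1/4 removed, yet the wording errors in those same lines are carried over unchanged ("secret management option available", "Harness offer integration ... but recommend"); fix them here since the lines are already in the diff. More generally, a commit whose only purpose is to undo a regression from the previous commit in the same series should be squashed into it, and a relative-link check in the docs build would have caught the missing slash before review.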
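Review bot: In PATCH 4/4, hunk `@@ -57,7 +57,7 @@`, the change is correct (`/docs/code-repository/` and `/docs/platform/secrets/secrets-management/harness-secret-manager-overview/` are now root-relative like the rest of the file), but together with PATCH 3/4 this is the third follow-up commit that only corrects PATCH 1/4's own edits; squash patches 2, 3 and 4 into the first so the history records one coherent docs change and every commit in the series renders with working links.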