Depends on if you are expecting self-service users to know and understand how to build, own, and operate infrastructure. If the answer is, “they’re supposed to because DevOps”, something like TF Cloud (with Sentinel) or Atlantis with org-level policies is nice from an IaC perspective.
If you’re looking to provide self-service, infra as a service, that’s a little bit more involved, though TF Cloud/Enterprise is moving this direction. A few ways my teams have done this in the past:
• Atlantis + TF modules + Backstage
◦ Create the templates for teams to use so it’s a simple form, they instantiate your TF modules, then Atlantis owns the execution
◦ Paired with org policies to prevent bad things, like non-golden images, untagged resources, bad ports, etc
• API-Driven Infrastructure
◦ Endpoints to provision and manage the lifecycle of cloud resources
◦ Typically bundled the “hard” or often not-thought-of infra (like security groups and rules, which VPCs do I need to use, which IAM role, etc.)
◦ Can additionally tie in resources that TF doesn’t natively handle, like cloud foundry, internal APIs, etc
◦ Can make it event-driven or part of an event-driven workflow, including change requests, automated or manual approvals, etc
◦ Call via curl, a programming language, Postman, or a form in Backstage
◦ More development work is a con and it’s sometimes hard to keep up
Lots of other options too, but I’ve seen these two be successful. I was going to give a poster presentation at PyCon 2020 about this, actually :simple_smile: It was canceled, but here’s the proposal I put together:
https://github.com/rorynscott/pycon-proposal-2020/blob/master/proposal.md
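The “org policies to prevent bad things” gate in the Atlantis setup above is the piece most teams end up writing themselves, so here is one concrete shape it can take. This is an added example, not code from the comment, from Atlantis, or from Sentinel: a Python check run over `terraform show -json tfplan` output (the documented plan JSON, with `resource_changes[].change.after` / `after_unknown`) that fails the plan step when a resource is missing required tags, an `aws_instance` uses a non-golden AMI, or an `aws_security_group` opens an admin port to the world. The tag names, AMI ids, port list and the sample plan are all constructed for the demo.

```python
"""Policy-as-code gate over `terraform show -json tfplan` output.

Added, illustrative example: not code from the post, Atlantis or Sentinel.
Tag names, golden AMI ids, the forbidden-port list and SAMPLE_PLAN below are
constructed for the demo; swap in your org's values.
"""
import ipaddress
import json
import sys

REQUIRED_TAGS = {"owner", "cost-center"}       # hypothetical org tagging policy
GOLDEN_AMIS = {"ami-0golden0000000001"}         # hypothetical golden image ids
FORBIDDEN_PUBLIC_PORTS = {22, 3389}              # admin ports never open to 0.0.0.0/0


def _is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0 (prefix length zero)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _forbidden_ports_in_rule(rule):
    """Forbidden ports covered by a security-group ingress rule."""
    if rule.get("protocol") in ("-1", "all"):      # AWS: all traffic, all ports
        return sorted(FORBIDDEN_PUBLIC_PORTS)
    lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 0))
    return sorted(p for p in FORBIDDEN_PUBLIC_PORTS if lo <= p <= hi)


def check_plan(plan):
    """Return a list of (address, message) violations for a parsed plan dict.

    Only resources being created or updated are inspected. A non-empty result
    is what the CI/Atlantis step should turn into a failed `plan`.
    """
    violations = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if not ({"create", "update"} & set(change.get("actions", []))):
            continue                                 # no-op / delete: nothing to police
        addr, rtype = rc["address"], rc["type"]
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}

        # 1. Untagged resources. Tags only known at apply time live in
        #    after_unknown, so they are skipped here rather than falsely flagged.
        if "tags" in after and "tags" not in unknown:
            missing = REQUIRED_TAGS - set(after.get("tags") or {})
            if missing:
                violations.append((addr, f"missing required tags: {sorted(missing)}"))

        # 2. Non-golden images on EC2 instances.
        if rtype == "aws_instance" and after.get("ami") and after["ami"] not in GOLDEN_AMIS:
            violations.append((addr, f"AMI {after['ami']} is not a golden image"))

        # 3. Admin ports open to the world on inline ingress rules.
        if rtype == "aws_security_group":
            for rule in after.get("ingress") or []:
                cidrs = (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])
                if any(_is_world_open(c) for c in cidrs):
                    ports = _forbidden_ports_in_rule(rule)
                    if ports:
                        violations.append((addr, f"ports {ports} open to the world"))
    return violations


# Constructed sample plan: one instance missing a tag on a non-golden AMI, one
# security group with 443 (fine) and 22 (not fine) open to 0.0.0.0/0, one no-op.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "module.web.aws_instance.app", "type": "aws_instance",
         "change": {"actions": ["create"],
                    "after": {"ami": "ami-0notgolden", "tags": {"owner": "team-web"}},
                    "after_unknown": {"id": True}}},
        {"address": "module.web.aws_security_group.app", "type": "aws_security_group",
         "change": {"actions": ["create"],
                    "after": {"tags": {"owner": "team-web", "cost-center": "1234"},
                              "ingress": [
                                  {"from_port": 443, "to_port": 443, "protocol": "tcp",
                                   "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
                                  {"from_port": 22, "to_port": 22, "protocol": "tcp",
                                   "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]},
                    "after_unknown": {"id": True}}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["no-op"], "after": {"tags": {}}, "after_unknown": {}}},
    ],
}


if __name__ == "__main__":
    # Usage in a pipeline: terraform show -json tfplan > plan.json && python policy.py plan.json
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    found = check_plan(plan)
    for address, msg in found:
        print(f"POLICY VIOLATION {address}: {msg}")
    sys.exit(1 if found else 0)
```

Wired into Atlantis this runs as a custom `plan` step after `terraform show -json`, so a violating PR never reaches `apply`; the same function works unchanged under any other executor that can hand you the plan JSON. The `after_unknown` handling matters in practice: `default_tags` and computed values are not in `after` until apply, and a naive check would block every plan that uses them.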