Enabling CloudBank to safely manage their own cluster infrastructure

We recently enabled CloudBank to run Terraform changes for their cluster without waiting on 2i2c engineers for each request. They run 50+ hubs for various community colleges, and we want them to be able to self-serve as much of that as possible. When we introduced home directory quotas, they were no longer able to set up hubs by themselves without help from 2i2c engineers. Our goal was to empower them to set up new hubs in a safe way while still benefiting from the home directory limits work.

To do this safely, we needed to avoid granting access to shared Terraform state that could impact other communities. Following Yuvi’s suggestion, we migrated CloudBank’s Terraform state to CloudBank’s own GCP project, so that infrastructure changes from the CloudBank team are isolated to their cluster only, making this safe to try. This lets CloudBank run commands like terraform plan and terraform apply themselves, meaning that CloudBank can deploy and update a hub without 2i2c engineers in the loop.

This is a good example of how we aim to balance community autonomy with infrastructure safety. CloudBank can now self-serve routine operations while our broader infrastructure remains protected.
Acknowledgements
- Thanks to Sean Morris and the CloudBank team at UC Berkeley for collaborating on this workflow.