Context:
- I want to provision the basis of a GCP project.
- operator should be able to add resources
I have my code base, with terraform stuff in there. I store the state file to the GCP project.
Is there a way that operators, from another code stack, without me sharing my code, add infrastructure to the project?
Should they be importing all existing infra?
Should they just have a second state file? (But how does it work when infra needs to be shared, or they want to change existing infra?)
what is the way forward here?
State design is always a little tricky. IMO, it will be easiest if you have one or more layers for some of the foundational resources where the state and code are visible for everyone.
Aside from that, I think you can lay out state in a way that makes sense (for example, similar resources together, or all things related to a specific application / tool together), in which case, as long as each thing is only in your state or their state with no overlap, there’s no specific need to share state. You may still want to make the state files for your resources readable by them and vice-versa, if security considerations permit, to allow referencing remote state items (if you don’t want to do this, you or they may need to define data resources for dependencies in other states instead of referring to remote state data resources directly).
All that said, if you want this level of separation, you might also consider segregating things a little at the GCP project level (you could still use shared VPC and share networks).
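A concrete layout for the two-layer approach described in the answer above, as an added example that is not part of the original post: a foundation stack owned by the project owner whose state is readable by the operators, and a separate operator stack that references the shared network either through remote state or through a provider data source. The bucket names, project id, service account and CIDR are assumptions.

```hcl
# --- foundation/main.tf (owned by the project owner; its own directory and state) ---
terraform {
  backend "gcs" {
    bucket = "example-foundation-tfstate" # hypothetical bucket, dedicated to the foundation layer
    prefix = "foundation"
  }
}

provider "google" {
  project = "example-project" # hypothetical project id
  region  = "europe-west1"
}

resource "google_compute_network" "shared" {
  name                    = "shared-vpc"
  auto_create_subnetworks = false
}

# Read-only access to the foundation state for the operators' service account.
# terraform_remote_state reads the whole state object, not only the outputs, so
# keep this bucket free of any state that carries secrets.
resource "google_storage_bucket_iam_member" "operators_read_state" {
  bucket = "example-foundation-tfstate"
  role   = "roles/storage.objectViewer"
  member = "serviceAccount:operators@example-project.iam.gserviceaccount.com" # hypothetical
}

# Only values exposed as outputs are addressable from another stack.
output "network_self_link" {
  value = google_compute_network.shared.self_link
}

# --- operators/main.tf (separate repository, separate directory, separate state) ---
terraform {
  backend "gcs" {
    bucket = "example-operators-tfstate" # hypothetical; the owner needs no access to it
    prefix = "app-a"
  }
}

provider "google" {
  project = "example-project"
  region  = "europe-west1"
}

# Option 1: reference the foundation layer through its remote state
# (requires the objectViewer grant above).
data "terraform_remote_state" "foundation" {
  backend = "gcs"
  config = {
    bucket = "example-foundation-tfstate"
    prefix = "foundation"
  }
}

# Option 2: look the shared network up by name with a provider data source.
# This needs only compute.networks.get on the project and no access to the
# owner's state file at all.
data "google_compute_network" "shared" {
  name = "shared-vpc"
}

# The operators add their own resources. The network itself stays in the
# owner's state and is never imported here, so the two states do not overlap.
resource "google_compute_subnetwork" "app_a" {
  name          = "app-a"
  ip_cidr_range = "10.10.0.0/24"
  region        = "europe-west1"
  network       = data.terraform_remote_state.foundation.outputs.network_self_link
  # Equivalent with option 2:
  # network     = data.google_compute_network.shared.self_link
}
```

Each of the two directories is applied on its own (`terraform init` / `terraform apply` in `foundation/`, then in `operators/`). The security-relevant choice is between the two data sources: `terraform_remote_state` exposes every output and, at the bucket level, the whole state file, so it belongs in a dedicated bucket with read access granted per principal as above; `google_compute_network` only needs the usual compute read permission and is the safer default when the operators should not see the owner's state. A resource must be managed from exactly one state: if the operators genuinely need to change something that lives in the foundation state, either the owner changes it there, or ownership is moved explicitly (`terraform state rm` on the owner's side followed by `terraform import` on the operators' side) rather than both stacks declaring it.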