The Self-service repository allows you to provision access to the organization, manage installations, and create infrastructure through a GitOps workflow.

How to use Self-Service

1. Create a Branch

Create a new branch and modify the self-service.tfvars file. This file represents the desired state of your infrastructure.
git checkout -b feat/new-agent-repo

2. Open a Pull Request

Open a Pull Request (PR) targeting the main branch.

3. Review Plan

Wait for the pipeline to comment with the Terraform plan. Review the proposed changes.

4. Merge

Merge the PR. The pipeline will apply the changes and provision the infrastructure.

Need a quick start? See Create Your First Agent for a full walkthrough from repo creation to deployment.

User Account Management

You can manage user access by updating the team_members section in self-service.tfvars.
User emails must be used as unique identifiers.

Configuration Example

team_members = {
  "[email protected]" = {
    grandcentral = {
      roles   = ["dev-rw", "dev-ro", "apim-dev-rw"]
    }
    github = {
      github_teams  = ["self-service", "development", "applications-live"]
    },
    datadog = {
      roles = ["dev-rw", "dev-ro"]
    }
  },
  "[email protected]" = {
    github = {
      github_teams  = ["development"]
    }
  }
}

GitHub Permissions

Available teams for github_teams:
| Team | Description | Recommended For |
|---|---|---|
| self-service | Approvers for self-service PRs. | Project Managers, Owners |
| applications-live | Write access to applications-live. | System Engineers, Developers |
| development | Write access to all development repositories. | Developers |
| development-admin | Admin access to all development repositories. | Lead Developers |

Azure Roles

Common roles for the grandcentral section:
| Role | Description |
|---|---|
| dev-rw / stg-rw | Full access/Contributor rights for the runtime (Kubernetes cluster writer). |
| dev-ro / stg-ro | Read-only access for the runtime (Kubernetes cluster reader). |
| dev-apim-rw | Contributor access to API Management. |
| dev-apim-ro | Reader access to API Management. |
| dev-apim-subs-rw | Manage APIM subscriptions (keys, approvals). |
| dev-apim-cred-manager | Manage credential manager (OAuth configurations). |

Observability Access

You can provision access to DataDog and Grafana by assigning roles in their respective sections (requires the user to be present in Azure).
  • DataDog Roles: dev-ro, dev-rw, stg-ro, stg-rw
  • Grafana Roles: dev-ro, dev-rw, stg-ro, stg-rw
DevOps Lite Users: You can create DataDog-only users who do not consume a GitHub seat by defining only the datadog section.

Repository Management

Add new repositories by extending the repositories definition in self-service.tfvars.
repositories = {
  new_service_repo = {
    enable_branch_protection = true
    protected_branches = ["main", "develop"]
    required_status_checks = ["sonarcloud", "test-check"]
  }
  
  # Create from template
  templated_repo = {
    repository_template = {
      owner      = "bb-ecos-agbs"
      repository = "starter-agent-template-agno"
    }
  }
}

Key Options

  • is_template: Mark repository as a template.
  • repository_template: Create from an existing template.
  • repository_init_from_zip: Initialize with content from a ZIP file (Backbase Accelerator).
  • enable_branch_protection: Enable default protection rules (Require PR, Code Owner review).
  • repository_archived: Archive a repository (recommended over deletion).

Application Reviewers

By default, the applications-live team is assigned as reviewers. You can override this behavior.

Override Default Reviewers

runtime_codeowners_override = {
  prd = ["[email protected]", "[email protected]"]
  tst = ["[email protected]"]
}

Auto-Approve

To allow bot auto-approval for specific runtimes (e.g., development):
auto_approve_runtimes = [
   "dev",
]
Auto-approve will not work in conjunction with Codeowners override. Codeowners will be removed to allow auto-approve to function.
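
A review-time check for the team_members and auto-approve rules described above, as an added example that is not part of the self-service repository's own tooling. It assumes self-service.tfvars has already been parsed into a Python dict and that the Grafana section key is grafana; the allow-lists are copied from this page's tables, so a value reported as undocumented may still be valid in the real module.

```python
# Added example, not project code. Allow-lists are copied from this page's tables;
# the "grafana" section key and the dict input shape are assumptions.
OBSERVABILITY = {"dev-ro", "dev-rw", "stg-ro", "stg-rw"}
DOCUMENTED = {
    ("grandcentral", "roles"): {"dev-rw", "stg-rw", "dev-ro", "stg-ro", "dev-apim-rw",
                                "dev-apim-ro", "dev-apim-subs-rw", "dev-apim-cred-manager"},
    ("github", "github_teams"): {"self-service", "applications-live", "development", "development-admin"},
    ("datadog", "roles"): OBSERVABILITY,
    ("grafana", "roles"): OBSERVABILITY,
}
SENSITIVE_TEAMS = {"self-service", "development-admin"}  # PR approvers, repo admins


def lint(tfvars):
    """Return sorted (severity, message) findings for one parsed tfvars dict."""
    findings = []
    for user, sections in tfvars.get("team_members", {}).items():
        if "@" not in user:
            findings.append(("error", f"{user}: key must be the user's email"))
        for section, body in sections.items():
            for attr, values in body.items():
                known = DOCUMENTED.get((section, attr), set())
                for value in values:
                    if value not in known:
                        findings.append(("warn", f"{user}: {section}.{attr} '{value}' is not documented"))
                    elif section == "github" and value in SENSITIVE_TEAMS:
                        findings.append(("review", f"{user}: joins privileged team '{value}'"))
    # Auto-approve removes Codeowners, so an overridden runtime would lose its reviewers.
    overridden = set(tfvars.get("runtime_codeowners_override", {}))
    for runtime in sorted(overridden & set(tfvars.get("auto_approve_runtimes", []))):
        findings.append(("error", f"{runtime}: auto-approve would remove the Codeowners override"))
    return sorted(findings)


# Constructed sample mirroring the page's examples; the emails are placeholders.
SAMPLE = {
    "team_members": {
        "alice@example.com": {
            "grandcentral": {"roles": ["dev-rw", "dev-ro", "apim-dev-rw"]},
            "github": {"github_teams": ["self-service", "development"]},
        },
        "bob": {"datadog": {"roles": ["dev-ro"]}},
    },
    "runtime_codeowners_override": {"prd": ["carol@example.com"]},
    "auto_approve_runtimes": ["dev", "prd"],
}

if __name__ == "__main__":
    print("\n".join(f"{sev:6} {msg}" for sev, msg in lint(SAMPLE)))
```

Run against the base branch and the PR branch, the difference between the two finding lists shows which privileged grants and reviewer removals a change introduces before the plan is approved.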

PR Title Standards

The repository enforces Conventional Commits with a required Jira project scope.
Format: type(SCOPE-ID): Subject
Example: feat(ECOPFM-1234): Update platform configuration
You can configure valid scopes in self-service.tfvars:
pr_title_scopes = ["ECOPFM", "GC", "PI"]