feat: add git status warning and environment config documentation

josecelano · josecelano · commit bc9a9e2948af · 2025-07-28T15:32:34.000+01:00
- Add comprehensive README to infrastructure/config/environments/ explaining git archive deployment behavior
- Add git status check to deployment script that warns about uncommitted changes
- Explains why E2E tests might fail when template changes aren't committed
- Documents git archive benefits for production safety and reproducibility
- Provides troubleshooting guide for configuration deployment issues
- Includes best practices for development and production workflows
diff --git a/infrastructure/config/environments/README.md b/infrastructure/config/environments/README.md
@@ -0,0 +1,208 @@
+# Environment Configuration Templates
+
+This directory contains environment-specific configuration templates that are processed
+during deployment to generate the final configuration files.
+
+## Files
+
+- `local.env.tpl` - Local development environment template
+- `production.env.tpl` - Production environment template (requires manual setup)
+
+## Template Processing
+
+Templates use environment variable substitution (`envsubst`) to generate final
+configuration files:
+
+```bash
+# Templates are processed like this:
+envsubst < local.env.tpl > local.env
+envsubst < production.env.tpl > production.env  # (after manual setup)
+```
+
+## Critical Deployment Behavior
+
+### The Git Archive Issue
+
+**IMPORTANT:** When you modify templates in this folder and run E2E tests, the tests
+might fail if they depend on the new values. This happens due to how the application
+deployment process works:
+
+1. **Infrastructure Provisioning**: New VM is created
+2. **Code Deployment**: Git archive is copied to VM (`git archive HEAD`)
+3. **Configuration Generation**: Templates are processed on the VM
+
+### The Problem
+
+**`git archive` only includes committed changes, not your working tree changes.**
+
+This means:
+
+- ✅ If you modify templates and **commit** them, E2E tests will use the new values
+- ❌ If you modify templates but **don't commit** them, E2E tests will use the old
+  committed values
+
+### Example Scenario
+
+```bash
+# 1. You modify local.env.tpl to change TRACKER_ADMIN_TOKEN
+vim infrastructure/config/environments/local.env.tpl
+
+# 2. You run E2E tests without committing
+make test-e2e  # ❌ FAILS - Uses old token from git archive
+
+# 3. You commit your changes
+git add infrastructure/config/environments/local.env.tpl
+git commit -m "update token"
+
+# 4. You run E2E tests again
+make test-e2e  # ✅ PASSES - Uses new token from git archive
+```
+
+## Why Git Archive?
+
+The deployment process uses `git archive` for several important reasons:
+
+### Development Benefits
+
+- **Clean Deployment**: Only committed, tested changes are deployed
+- **Excludes Local Files**: Doesn't copy `.env` files, build artifacts, or local storage
+- **Reproducible**: Same git commit always produces the same deployment
+- **Fast**: Compressed archive transfer is faster than full directory sync
+
+### Production Safety
+
+- **Version Control**: Only committed code reaches production
+- **No Accidental Deployments**: Prevents deploying uncommitted debug code or secrets
+- **Audit Trail**: Clear link between deployments and git commits
+- **Rollback Capability**: Easy to redeploy any previous commit
+
+## Best Practices
+
+### For Development (E2E Testing)
+
+1. **Always commit template changes before running E2E tests**:
+
+   ```bash
+   git add infrastructure/config/environments/
+   git commit -m "update configuration templates"
+   make test-e2e
+   ```
+
+2. **Check git status before testing**:
+
+   ```bash
+   git status  # Should show "working tree clean"
+   make test-e2e
+   ```
+
+### For Production Deployment
+
+1. **Never modify templates directly in production**
+2. **Always test changes in development first**
+3. **Use proper git workflow** (feature branches, reviews, etc.)
+4. **Verify configuration after deployment**
+
+## Alternative Approaches Considered
+
+### Option 1: Copy Working Tree
+
+```bash
+# Instead of: git archive HEAD | tar -xz
+rsync -av --exclude='.git' . vm:/path/
+```
+
+**Pros**: Includes uncommitted changes
+
+**Cons**:
+
+- Copies local secrets and build artifacts
+- No version control guarantee
+- Inconsistent between development and production
+- Larger transfer size
+
+### Option 2: Separate Config Management
+
+```bash
+# Keep templates separate from code deployment
+scp infrastructure/config/environments/*.tpl vm:/path/
+```
+
+**Pros**: Templates can be updated independently
+
+**Cons**:
+
+- More complex deployment process
+- Configuration and code can get out of sync
+- Additional deployment step to fail
+
+## Current Choice: Git Archive
+
+We chose to keep `git archive` because:
+
+1. **Production Safety**: Ensures only committed code is deployed
+2. **Consistency**: Same process for development and production
+3. **Simplicity**: Single deployment artifact
+4. **Version Control**: Clear audit trail of what was deployed
+
+The trade-off is that **developers must commit template changes before E2E testing**,
+but this is actually a good practice that ensures:
+
+- Template changes are reviewed and tested
+- No accidental deployment of uncommitted changes
+- Clear history of configuration changes
+
+## Troubleshooting
+
+### E2E Tests Fail After Template Changes
+
+1. **Check if changes are committed**:
+
+   ```bash
+   git status infrastructure/config/environments/
+   ```
+
+2. **If uncommitted, commit them**:
+
+   ```bash
+   git add infrastructure/config/environments/
+   git commit -m "update: configuration templates for testing"
+   ```
+
+3. **Re-run tests**:
+
+   ```bash
+   make test-e2e
+   ```
+
+### Configuration Not Updated After Deployment
+
+1. **Verify the git archive contains your changes**:
+
+   ```bash
+   git archive HEAD -- infrastructure/config/environments/ | tar -tz
+   ```
+
+2. **Check template processing on VM**:
+
+   ```bash
+   ssh torrust@$VM_IP 'cd torrust-tracker-demo && cat infrastructure/config/environments/local.env'
+   ```
+
+3. **Verify generated configuration**:
+
+   ```bash
+   ssh torrust@$VM_IP 'cd torrust-tracker-demo && cat application/.env'
+   ```
+
+## Security Notes
+
+- **Never commit production secrets** - Use placeholder values in templates
+- **Review template changes** - Configuration changes can affect security
+- **Test thoroughly** - Configuration errors can break the entire application
+- **Backup production configs** - Before deploying configuration changes
+
+## Related Documentation
+
+- [Deployment Guide](../../../docs/guides/integration-testing-guide.md)
+- [Twelve-Factor App Methodology](../../../docs/guides/integration-testing-guide.md#twelve-factor-compliance)
+- [Configuration Management ADR](../../../docs/adr/004-configuration-approach-files-vs-environment-variables.md)
diff --git a/infrastructure/scripts/deploy-app.sh b/infrastructure/scripts/deploy-app.sh
@@ -46,6 +46,66 @@ get_vm_ip() {
     echo "${vm_ip}"
 }
 
+# Check git repository status and warn about uncommitted changes
+check_git_status() {
+    log_info "Checking git repository status..."
+    
+    cd "${PROJECT_ROOT}"
+    
+    # Check if we're in a git repository
+    if ! git rev-parse --git-dir >/dev/null 2>&1; then
+        log_warning "Not in a git repository - deployment will use current directory state"
+        return 0
+    fi
+    
+    # Check for uncommitted changes in configuration templates
+    local config_changes
+    config_changes=$(git status --porcelain infrastructure/config/environments/ 2>/dev/null || echo "")
+    
+    if [[ -n "${config_changes}" ]]; then
+        log_warning "==============================================="
+        log_warning "⚠️  UNCOMMITTED CONFIGURATION CHANGES DETECTED"
+        log_warning "==============================================="
+        log_warning "The following configuration template files have uncommitted changes:"
+        echo "${config_changes}" | while IFS= read -r line; do
+            log_warning "  ${line}"
+        done
+        log_warning ""
+        log_warning "IMPORTANT: Deployment uses 'git archive' which only includes committed files."
+        log_warning "Your uncommitted changes will NOT be deployed to the VM."
+        log_warning ""
+        log_warning "To include these changes in deployment:"
+        log_warning "  1. git add infrastructure/config/environments/"
+        log_warning "  2. git commit -m 'update: configuration templates'"
+        log_warning "  3. Re-run deployment"
+        log_warning ""
+        log_warning "To continue without committing (deployment will use last committed version):"
+        log_warning "  Press ENTER to continue or Ctrl+C to abort"
+        log_warning "==============================================="
+        read -r
+    fi
+    
+    # Check for any other uncommitted changes (informational)
+    local all_changes
+    all_changes=$(git status --porcelain 2>/dev/null | wc -l)
+    
+    if [[ "${all_changes}" -gt 0 ]]; then
+        local git_status
+        git_status=$(git status --short 2>/dev/null || echo "")
+        log_info "Repository has ${all_changes} uncommitted changes (git archive will use committed version)"
+        if [[ "${all_changes}" -le 10 ]]; then
+            log_info "Uncommitted files:"
+            echo "${git_status}" | while IFS= read -r line; do
+                log_info "  ${line}"
+            done
+        else
+            log_info "Run 'git status' to see all uncommitted changes"
+        fi
+    else
+        log_success "Repository working tree is clean - deployment will match current state"
+    fi
+}
+
 # Test SSH connectivity and wait for system readiness
 test_ssh_connection() {
     local vm_ip="$1"
@@ -542,6 +602,9 @@ main() {
     log_info "Starting application deployment (Twelve-Factor Release + Run Stages)"
     log_info "Environment: ${ENVIRONMENT}"
 
+    # Check git status and warn about uncommitted changes
+    check_git_status
+
     local vm_ip
     vm_ip=$(get_vm_ip)
 
