Parameterise group names

FormidableLabs / terraform-aws-serverless

Infrastructure support for Serverless framework apps, done the right way

https://registry.terraform.io/modules/FormidableLabs/serverless/aws

MIT License

144 stars 19 forks source link

Parameterise group names #25

Closed declension closed 5 years ago

declension commented 5 years ago

Hi, thanks for what looks like a very useful project!

The existing admin, developer, ci are fairly good / safe names, but it would be good if users could customise (or: translate!) these.

For example, I'd like our ci ~user~ group to be called something else on account of an existing ci environment (~=stage here I guess), leading to weird tf-service-name-ci-ci names.

ryan-roemer commented 5 years ago

The user name is totally arbitrary and you choice -- you can attach the IAM groups to any user either manually in the AWS console or via custom Terraform, etc.

So you'd like to have the IAM group names be customizable to something beyond "${local.tf_service_name}-${local.stage}-(admin|developer|ci)"? We could potentially add that option to terraform-aws-serverless module... If that is the case would you need the policy name (or any other resource) changeable to or is IAM group enough?

declension commented 5 years ago

So you'd like to have the IAM group names be customizable to something beyond "${local.tf_service_name}-${local.stage}-(admin|developer|ci)"?

:+1:

If that is the case would you need the policy name (or any other resource) changeable to or is IAM group enough?

Hmm, good question. I assumed that everything hangs off the group name, so if developer became foo then we'd get serverless.aws_iam_policy.foo and similar attachements (as well as serverless.aws_iam_group.foo of course).

So I guess - just the group name is customisable, so long as everything remains constructed as you'd expect (for our use case at least).

Thanks

ryan-roemer commented 5 years ago

Right now, the underlying policies all assume the developer|admin|ci names, but nothing is outputted. And actually, the groups aren't outputted either. We're doing the minimum to start and will add outputs to terraform-aws-serverless as user scenarios arise. (Makes versioning easier, but we definitely do expect to have some outputs for normal integration.)

Back to right now, most extensions to the IAM groups would be based on something like:

resource "aws_iam_group_policy_attachment" "SOME_NAME" {
  group      = "${GROUP NAME FROM terraform-aws-serverless}"
  policy_arn = "${aws_iam_policy.USER_EXTENSION.arn}"
}

So AFAICT no-one integrating the TF would ever see the existing policies which should still have developer|admin|ci names because right now you wouldn't be ever touching them, just doing additional attachments to IAM group with new policies. But maybe there's some other scenario I'm missing?

Thanks!

declension commented 5 years ago

I think I'm now confused about what you mean, but perhaps I need to follow through with the implementation a bit first.

Outputs aside (which I'm sure would be useful, though as you say in the docs, we can just assign these roles manually for now), the issue is more auditing our AWS setup itself, with the naming present there, with AWS names like tf-my-service-ci-ci etc...

ryan-roemer commented 5 years ago

Yeah, auditing would favor having the change permeate everything and not just the specific group names. I’ll see what I can work up...