aws-samples / eks-blueprints-for-proton

MIT No Attribution

Question: IAM roles in CloudFormation #24

Closed niallthomson closed 2 years ago

niallthomson commented 2 years ago

Is there a reason why we guide the user to create the IAM roles manually versus using the CloudFormation template used to create the S3 bucket etc?

mreferre commented 2 years ago

I think there is value in having users go through some of these steps manually to better appreciate how this works and the principles behind it. IAM users and policies are a big part that needs to be understood/appreciated in the context of this solution because they deviate from the traditional Proton model (i.e. devs can't deploy environments) and I figured that having customers go through the config explicitly would make it more clear than burying it under a CFN template and basically telling them "we configured it for you, don't worry". In other words, the reason is more "educational" than out of necessity. To that point, I also think the existing CFN template buries important stuff they should understand, but my assumption there is that they know how a Terraform deploy works and so we are short-cutting it.

Having said this, I don't have strong opinions and I am happy to change my mind if we want to automate this further.

niallthomson commented 2 years ago

I don't really have strong feelings either, and your reasoning makes sense.

At least personally, I'm more likely to try out content that is all automated. If it has manual steps, I know I'm generally too lazy to clean it up. I feel comfortable using the automation and inspecting the configuration to learn what's happening. I appreciate not all customers may be proficient enough with IaC etc. to perhaps interpret it; this can be mitigated by the content itself calling out snippets that are critical for learning outcomes.