dgraeber
commented
2 weeks ago Hi @jiwachow Thanks for your issue. SeedFarmer (SF) was designed to create dedicated roles with least privilege policies. There are no unused or redundant roles created by SF.
Since IAM is global per account, there will be:
- one toolchain role in the account that acts as the toolchain
- one deployment role in each account that modules are deployed in
- one role per module per deployment in each account
The toolchain roles and deployment roles are nominal in count (they do not scale up). But, there is a one-to-one role mapping per module created. That means if you have a deployment that has 20 modules, there will be 20 roles created. If you then use that same manifest and change the deployment name and deploy again (a unique deployment) you will have 20 more roles created. They delete on module destroy.
You can filter on the roles in the account in IAM as all seedfarmer roles tied to modules have a distinct pattern:
- seedfarmer-
-toolchain-role - seedfarmer-
-deployment-role -
- - -* for all the roles that modules leverage for deployment This is only for SF deployments, if there are roles that the modules themselves create SF is not aware of nor manages them (the actual modules create them and manage them). We discourage the practice of having a module reuse a role for deployment. If a module leverages the `modulestack.yaml` that gets attached at runtime, that policy should be limited in privileges to only what that module needs to deploy. If we begin to combine the permissions (say create an uber-role) that defeats the security profile design. If you are hitting role limits in a single account, perhaps consider another AWS account to use in parallel (SF supports multi-account deployments). Also, you may want to look at your design and determine if a single module is doing the proper level of infrastructure management (ie. could functionality spread across 3 modules be condensed to 1).
If you are working with AWS ProServe in an engagement, please reach out to the AWS lead at the engagement, and they will be able to contact us directly so we can further provide recommendations.
Hello,
We are using Seedfarmer extensively across multiple environments. Recently, we have encountered issues related to the maximum number of roles being created, which has necessitated increasing our role limits.
Our Situation:
We are hitting the maximum role limits in some environments. We need to understand how to better manage the number of roles that are created, needed, managed, and potentially unused by Seedfarmer. Our Questions:
What are the best practices for managing the number of roles created by Seedfarmer to avoid hitting the role limit? Are there any specific strategies or configurations within Seedfarmer that can help reduce the number of roles created? How can we identify and manage unused or redundant roles that are generated by Seedfarmer? Are there any tools or scripts recommended for auditing and managing roles in Seedfarmer environments? Any other suggestions or guidance to help us efficiently manage roles in our Seedfarmer deployments? Thank you in advance for your assistance.