Closed by copelco 6 years ago
Opened in Jira as TEQ-27.
I lean slightly towards implementing this. It simplifies removal of no longer active users at the expense (as noted) of increasing the complexity for adding accounts outside of the deployment cycle. Even that isn't as bad as it could be since it is possible to run tequila-common without any of the other roles, making it possible to have an expedited process for adding these accounts.
I haven't had a chance to test this locally, but I'm on board with the proposed direction in #8 and the logic looks good to me 👍
Margarita would explicitly purge users who aren't listed in devs:
https://github.com/caktus/margarita/blame/develop/project/devs.sls#L36-L47
This approach has pros and cons. Pros are that if you remove a user in devs, the next deploy will remove them. Cons include it being difficult to manage outside of the deploy process, e.g. if TS wants to add a user (caktus-backup) and it's not in devs, it'll get removed during the next deploy.
Anyways, opening the issue here since it currently differs from margarita.
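The purge behaviour discussed in this thread can be previewed before a deploy with a dry run. The sketch below is an added example, not part of the original thread and not code from margarita or tequila: it lists which login accounts a "remove anyone not in devs" policy would delete. The UID range, the `keep` exemption list, the function names and the sample passwd data are all assumptions constructed for illustration.

```python
# Added example: dry-run of a "purge users not listed in devs" policy.
# All names and sample data are constructed for illustration.

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
caktus-backup:x:1002:1002::/home/caktus-backup:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

UID_MIN, UID_MAX = 1000, 60000  # assumed range for regular login accounts


def parse_passwd(text):
    """Yield (name, uid) for each well-formed passwd(5) line."""
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7 or not fields[2].isdigit():
            continue
        yield fields[0], int(fields[2])


def plan_purge(passwd_text, devs, keep=()):
    """Return (to_remove, missing): accounts a purge would delete, and
    devs entries that have no account on the host yet."""
    devs, keep = set(devs), set(keep)
    present = dict(parse_passwd(passwd_text))
    # System accounts fall outside the UID range and are never candidates.
    to_remove = sorted(
        name for name, uid in present.items()
        if UID_MIN <= uid <= UID_MAX and name not in devs and name not in keep
    )
    missing = sorted(devs - set(present))
    return to_remove, missing


if __name__ == "__main__":
    devs = ["alice", "carol"]  # bob was dropped from devs; carol is new
    # Without an exemption, the out-of-band caktus-backup account is purged too.
    print(plan_purge(SAMPLE_PASSWD, devs))
    # With a hypothetical keep list, only the departed developer is removed.
    print(plan_purge(SAMPLE_PASSWD, devs, keep=["caktus-backup"]))
```

Running it against a copy of a host's real `/etc/passwd` before a deploy shows whether an account added outside the deploy process is about to be removed.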